Is “AuditBypassEnabled” active in your organization?

General Introduction

AuditBypassEnabled is a parameter present in the Get-MailboxAuditBypassAssociation and Set-MailboxAuditBypassAssociation, present in both Exchange and Exchange Online. When it’s set to true, it configures a mailbox logging to be bypassed, leaving no log of this user accessing its mailbox or any other mailbox it has access to.

While this might have made sense in some cases in an Exchange on-premises environment, in Exchange Online it’s mostly only a risk and I’m yet to see any real use case for it. Even if you log an application accessing its mailbox, this should not cause any issues to the system. While these types of logs might not be frequently accessed, it’s always better to have them.

How to audit

To check if any mailboxes in your environment are enabled for AuditBypassEnabled, you can use this script. Only issue is, it’ll output the name of the mailbox.

# Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName "YOUR UPN HERE"

# Get all mailboxes with AuditBypassEnabled set to true
Get-MailboxAuditBypassAssociation -ResultSize unlimited | where {$_.AuditBypassEnabled -eq $true} | Format-Table Name,AuditBypassEnabled

If you prefer to get the primary SMTP address for the mailboxes configured with AuditBypassEnabled set to true, you’ll have to cycle through all the mailboxes:

# Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName "YOUR UPN HERE"

# Get all mailboxes
$mailboxes = Get-Mailbox -ResultSize Unlimited

# Get all mailboxes with AuditBypassEnabled set to true
foreach ($mailbox in $mailboxes) {
    $auditBypass = Get-MailboxAuditBypassAssociation -Identity $mailbox.Identity	
     if ($auditBypass.AuditBypassEnabled -eq $true) {
        Write-Output ("Mailbox: " + $mailbox.PrimarySmtpAddress + ", AuditBypassEnabled: " + $auditBypass.AuditBypassEnabled)
    }
}

How to disable

To disable AuditBypassEnabled for all the mailboxes, you’ll have to set AuditBypassEnabled to false. This script will do just that.

# Get all mailboxes with AuditBypassEnabled set to true
$mailboxesWithAuditBypass = Get-MailboxAuditBypassAssociation -ResultSize unlimited | where {$_.AuditBypassEnabled -eq $true}

# Loop through each mailbox and disable AuditBypass
foreach ($mailbox in $mailboxesWithAuditBypass ) {
    Set-MailboxAuditBypassAssociation -Identity $mailbox.Identity -AuditBypassEnabled $false

}

https://learn.microsoft.com/en-us/purview/audit-mailboxes?view=o365-worldwide

September 2, 2022 Azvise

Online Mailbox cannot be created because an on-premise one already exists – Exchange Online

This issue is mainly present if you are trying to migrate from Exchange on-prem to Exchange Online and you’re not going with the hybrid route. The “double mailbox” way consists in having an online mailbox and a local one, and manually (or automatically using tools) migrating the content online.

The issue is that, if you are synchronizing your on-prem AD with Azure AD, you are most probably including your msExchMailboxGUID into the replicated fields. This attribute will tell Exchange Online not to create an online mailbox, as an on-prem one already exists.

Once you will have cleared this field from the online user, Exchange Online will be able to create another mailbox, populating the msExchMailboxGuid of the online user, leaving you with the possibility of exporting and importing data into your online mailbox.

Please note that this will also automatically clear the following attributes from the online user:

alias
legacyExchangeDN
msExchArchiveGuid
msExchArchiveName
msExchBlockedSendersHash
msExchElcMailboxFlags
msExchRecipientDisplayType
msExchRecipientTypeDetails
msExchSafeRecipientsHash
msExchSafeSendersHash
userCertificate

To proceed with the creation of the online mailbox, follow these steps:

Open your AD Connect server.
Stop the Sync with Powershell (launch it as admin and keep it open after this command): Set-ADSyncScheduler -SyncCycleEnabled $false
Open the Synchronization Rules Editor as an admin.

Select the In from AD – User Exchange rule, click Edit, then click on yes.

Under Precedence write 250 (or the first free one), then click Next until you arrive in the Transformations page. Here look for msExchMailboxGuid, then change the row’s settings to make them match with the image below:

Once you are done, click Save, then open the original rule. Note down the Precedence (usually it’s 108), then delete the rule. Go into your newly cloned rule and change the Precedence to the one you noted down.
Before you enable the scheduler and perform a full sync, you should test out the changes. This is the documentation link to test everything out without committing changes to Azure AD: Verify changes to AD Connect rules | MS Docs
Reenable the scheduler: Set-ADSyncScheduler -SyncCycleEnabled $true
Perform a full synchronization: Start-ADSyncSyncCycle -PolicyType Initial

You should now be able to create a second mailbox for your synchronized user by assigning a valid license.

August 23, 2022August 23, 2022 Azvise

Enable Modern Authentication for Outlook 2013

Since Microsoft will soon start to turn off Basic Authentication for Exchange Online, you’ll have to enable Modern Authentication client-side if you still have some machines running Outlook 2013 and want them to connect to Office 365. This is quickly done by adding some registry keys. Modern authentication is already enabled by default in Office 2016 and later versions.

This process will activate the Modern Authentication workflow for all the apps included in Office 2013 (Outlook 2013, Excel 2013, Word 2013, OneNote, etc.), not just Outlook.

While this procedure will allow you (for now) to connect to Office 365, it is critical to remember that connection to Office 365 and Exchange Online via Office 2013 is not supported anymore. You should update to a newer and supported version soon, as things might stop working without notice.

To enable the feature, either open an elevated CMD and paste these commands in or add the entries manually via Registry Editor.

CMD:

reg add HKEY_CURRENT_USER\Software\Microsoft\Exchange /v "AlwaysUseMSOAuthForAutoDiscover" /t REG_DWORD /d 1 /f
reg add HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Identity /v "EnableADAL" /t REG_DWORD /d 1 /f
reg add HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Identity /v "Version" /t REG_DWORD /d 1 /f

REGISTRY EDITOR:

Path	Value	Type	Value
HKEY_CURRENT_USER\Software\Microsoft\Exchange	AlwaysUseMSOAuthForAutoDiscover	REG_DWORD	1
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Identity	EnableADAL	REG_DWORD	1
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Identity	Version	REG_DWORD	1

March 14, 2022March 14, 2022 Azvise

Outlook requires app password for connecting to Exchange Online

Even if most people use modern authentication for connecting with Exchange Online, some users still have to use app passwords to enable connections from Outlook.

For tenants created after August 2017, modern authentication is enabled by default, but some admins have it turned off.

To enable modern authentication for Exchange Online, follow these steps:

Click on Modern authentication | Microsoft.com or go to admin.microsoft.com, then Settings, Org Settings, Modern authentication.
Select “Turn on modern authentication for ‎Outlook 2013 for Windows‎ and later (recommended)“.

Let all the basic authentication protocols selected.

Click “Save“.

You should aim to disable all the basic authentication protocols as soon as possible.

To enable modern authentication on Outlook 2013, click on the following guide:

Enable Modern Authentication for Office 2013 on Windows devices

December 23, 2021August 23, 2022 Azvise

Apple Mail not working after disabling Legacy Authentication – Exchange Online

If just enabled a Conditional Access Policy blocking legacy authentication to Exchange Online, enabled Security Defaults, or Microsoft disabled it for your tenant, you might see some Apple Mail clients not connecting anymore.

This issue is happening because the profile might be still configured to use Exchange ActiveSync to connect to Exchange Online, and EAS (along with other legacy protocols) will be retired in October 2022.

Apple supports an automatic switch to modern authentication for its profiles, but only if it was freshly configured after iOS 12.

Unfortunately, it seems that backing up and restoring profiles does not trigger the switch to modern auth, so if you moved to a new iPhone and didn’t reconfigure the profile manually, you’ll need to remove and recreate it.

UPDATE 16.06.2022:

Apple will add support for the automatic migration to modern auth in iOS 15.6. Once you update your Apple device, the Mail app will use the saved credentials to establish a new authentication flow. From that moment onward, you’ll authenticate to Azure AD (Microsoft online Identity Provider) and get a new OAuth access token. The “old” stored credentials will then be removed. The process is fully transparent to users.

Read the full announcement here: Microsoft and Apple Working Together to Improve Exchange Online Security

May 5, 2021October 12, 2022 Azvise

Force Outlook to connect to Office 365

If you have an internal Exchange server powered on, and you have migrated to Office 365, you might see some Outlook clients (2016/365) having issues.

To try to fix the issue and force the connection to Office 365 instead of the internal server, you can try adding this registry key:

Path: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\AutoDiscover

Value: ExcludeScpLookup

Type: DWORD

Data: 1

This way, the domain-joined clients will not be able to ask Active Directory an SCP entry and directly query the AutoDiscover (which should be fine, if you migrated to Office 365, as it’s one of the requirements).