Office365 Exchange Online Module5 Client Access

Microsoft Online Services Exchange Online

Module 5: Client Access

ii

Terms of Use © 2011 Microsoft Corporation. All rights reserved.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

For more information, see Microsoft Copyright Permissions at http://www.microsoft.com/permission

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Microsoft, Active Directory, ActiveSync, Hotmail, Internet Explorer, Lync, MSDN, Outlook, Windows, Windows Live, Windows PowerShell, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

This document reflects current views and assumptions as of the date of development and is subject to change. Actual and future results and trends may differ materially from any forward-looking statements. Microsoft assumes no responsibility for errors or omissions in the materials.

THIS DOCUMENT IS FOR INFORMATIONAL AND TRAINING PURPOSES ONLY AND IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.

Note this content is in beta format and is subject to change without notice.

iii

CONTENTS Module Overview ..............................................................................................................................1

What You Will Learn ................................................................................................................................. 1

Client Access Overview ......................................................................................................................2

Comparison of Features in Supported Programs ...................................................................................... 2

Outlook Web App .................................................................................................................................. 4

Outlook 2007, Outlook 2010, and Outlook 2011 for Mac .................................................................... 5

Entourage 2008, Web Services Edition ................................................................................................. 5

Mobile Phone Access ............................................................................................................................ 6

Other Email Programs ........................................................................................................................... 8

Email Setup Wizard ................................................................................................................................... 8

Using Outlook Web App ................................................................................................................... 10

Account ................................................................................................................................................... 10

My Account ......................................................................................................................................... 11

Connected Accounts ........................................................................................................................... 13

Organize Email ........................................................................................................................................ 15

Inbox Rules .......................................................................................................................................... 15

Automatic Replies ............................................................................................................................... 16

Delivery Reports .................................................................................................................................. 17

Retention Policies ............................................................................................................................... 25

Groups ..................................................................................................................................................... 45

Try This: Create a Distribution Group ................................................................................................. 46

Try This: Designate a Distribution Group for Moderation .................................................................. 47

Joining a Distribution Group ............................................................................................................... 49

Leaving a Distribution Group .............................................................................................................. 52

Settings.................................................................................................................................................... 54

Phone ...................................................................................................................................................... 58

Voice Mail ........................................................................................................................................... 58

Voicemail Preview ............................................................................................................................... 65

Mobile Phones .................................................................................................................................... 70

Text Messaging ................................................................................................................................... 71

Block or Allow ......................................................................................................................................... 72

Learn About Junk E-Mail Messages .................................................................................................... 73

iv

Conversation View .................................................................................................................................. 74

View Email Messages by Conversation ............................................................................................... 75

Applying a Tag on a Conversation ....................................................................................................... 78

Shared Nickname Cache Across Outlook and OWA ................................................................................ 78

Device Sending a New Cache Item to Server ...................................................................................... 79

Displayed List ...................................................................................................................................... 79

New Calendar Features ........................................................................................................................... 80

OWA Calendar Sharing and Side-by-side View ................................................................................... 80

Troubleshooting Calendars ................................................................................................................. 88

IM and Presence in OWA ........................................................................................................................ 90

User Experience .................................................................................................................................. 90

Configure Instant Messaging in Outlook Web App ............................................................................. 97

Outlook Web App (OWA) for Cross-Premises Environments ................................................................. 98

The Solution ........................................................................................................................................ 99

Scenario: User Logs on to OWA Using the On-premises URL to Access an Office 365 Mailbox ......... 99

Scenario: Unspecified TargetOWAURL ............................................................................................. 101

How to Set the TargetOWAURL Setting ............................................................................................ 102

Realm Discovery ................................................................................................................................ 102

Troubleshooting TargetOWAURL ...................................................................................................... 110

Troubleshooting Outlook and OWA ...................................................................................................... 116

Troubleshooting the Outlook Offline Address Book ......................................................................... 116

Recovering Missing Items from Your Mailbox .................................................................................. 116

New Outlook Mobile Features ........................................................................................................ 120

Mobile Free/Busy Lookup ..................................................................................................................... 120

Viewing Free Busy ............................................................................................................................. 120

Reply Forward Status and Conversation View ...................................................................................... 124

Mail Message Actions and Conversation View ................................................................................. 124

Conversation View ............................................................................................................................ 126

Mobile Short Message Service (SMS) Sync ........................................................................................... 128

Sending SMS Messages from Outlook Web App .............................................................................. 130

Receiving SMS Messages .................................................................................................................. 135

Deleting SMS Messages .................................................................................................................... 137

SMS Synchronization Limitations ...................................................................................................... 137

Over-the-air Update for Outlook Mobile .............................................................................................. 137

Distribution of the Mobile Update .................................................................................................... 137

v

Customizing the Over The Air (OTA) Administrator Message .......................................................... 138

RMS and OWA Mailbox Policies...................................................................................................... 148

Importing On-premises Templates to Exchange Online ....................................................................... 148

Trusted Publishing Domain ................................................................................................................... 148

Distributed Key Management Storage .............................................................................................. 149

Operations that Need To Be Performed for RMS Cross-Premises ........................................................ 150

Import the RMS Template................................................................................................................. 152

View and Enable the RMS Templates ............................................................................................... 154

Enable the Use of RMS for Web-based Clients ................................................................................. 155

Extending RMS to Office 365 ................................................................................................................ 156

Step 1: Export TPDs from AD RMS Clusters ...................................................................................... 156

Step 2: Import TPDs to Exchange Online .......................................................................................... 156

Step 3: Distribute RMS Templates .................................................................................................... 157

Step 4: Enable IRM in Exchange Online ............................................................................................ 158

Step 5: Change the Default TPD (Optional) ...................................................................................... 158

Updating Exchange Online with New Templates .................................................................................. 158

Disable IRM in Exchange Online ........................................................................................................... 158

Using Outlook Protection Rules in Exchange Online ............................................................................ 159

Change/Update the RMS Configuration ........................................................................................... 161

Other Tasks ....................................................................................................................................... 163

References ..................................................................................................................................... 166

Module Review .............................................................................................................................. 167

Knowledge Check Questions ................................................................................................................. 167

Knowledge Check Answers ................................................................................................................... 169

1

MODULE OVERVIEW This module covers topics relating to client features and accessing Microsoft® Office 365 Exchange Online, including Microsoft Outlook®, Microsoft Outlook Web App, and Microsoft Outlook Mobile. It also covers Microsoft Active Directory® Rights Management Services (RMS) and Information Rights Management (IRM).

What You Will Learn After completing this module, you will be able to:

Summarize which applications and mobile operating systems are supported for accessing Exchange Online in Office 365

Share free/busy information cross-premises

Access your Outlook Web App (OWA) account and configure your user settings

Preview voicemail messages through OWA

Toggle conversation view on and off

List new calendar features

List new Outlook Mobile features

Understand IRM in Exchange Online and extend RMS to Office 365

2

CLIENT ACCESS OVERVIEW There are many ways to access your email account. The most common ways are by using Outlook Web App or an installed version of Microsoft Office Outlook, or Microsoft Entourage. These programs provide email access and many other collaboration features. In addition to these programs, you can connect to your email account using Outlook Voice Access, a variety of other email programs, and your mobile phone.

The following figure shows some ways you can connect to your email account.

The following list offers more information about each method of connecting.

Web browser Use Outlook Web App and the light version of Outlook Web App with browsers like Windows® Internet Explorer®, Firefox, and Safari.

Internet e-mail programs Use any program that supports IMAP4 or POP3, like Outlook Express or Windows Live® Mail.

Outlook/Entourage Connect using Outlook or Entourage through an Exchange account (Outlook 2007, Outlook 2010, Outlook 2011 for Mac, or Entourage).

Mobile phones with an Internet connection You can connect using your Windows Mobile phone, Apple iPhone, or other Internet-capable mobile phone.

Any phone Use Outlook Voice Access with any phone to access your email, calendar, and contacts.

Comparison of Features in Supported Programs The following table summarizes some differences you might want to consider before you choose the email program you'll use to connect to your email account.

3

E-mail program

Edit and view contacts, calendar items, tasks, and email messages

Edit and view email folders in addition to the Inbox

Listen to your voice mail

Access your information offline

Automatic setup

Accessibility for users who are blind or have low vision

Outlook Web App

Yes Yes Yes No Not applicable

No

The light version of Outlook Web App

Yes Yes Yes No Not applicable

Yes

Outlook 2007 or Outlook 2010

Yes Yes Yes Yes Yes Yes

Outlook 2003*

(Not supported)

Outlook 2011 for Mac


Entourage 2008, Web Services Edition


Programs that use Exchange ActiveSync®

Yes Yes Yes Yes Yes Some programs may support accessibility features.

Programs that use POP3

No No No Yes No Some programs may support accessibility features.

Programs that use IMAP4

No Yes No Yes No Some programs may support accessibility features.

4

Important

*Outlook 2003 is not a supported email client for Office 365. Customers running Outlook 2003 must upgrade to a newer version of the software in order to connect to their Exchange Online mailboxes.

Outlook Web App

You can access your email account through several different web browsers. You can use any computer that's connected to the Internet or to a local Intranet, whether you're at home, in the office, or on the road. You can view and edit email messages, appointments and meetings, contacts, and tasks. You can also listen to your voice messages and read text messages. Some other things you can do with Outlook Web App include:

Check your spelling

Use a variety of fonts, colors, and sizes in your email messages

Group your email messages in a variety of ways

Be reminded of upcoming events

The light version of Outlook Web App contains some of the same features as Outlook Web App. The light version provides a blind and low-vision experience, and will run with any web browser. Several features aren't available in the light version, including:

Reminders

Viewing your calendar one week at a time

Changing your voice mail options

Changing the color scheme

Browser Versions to Use with Outlook Web App

You can use Outlook Web App and the Exchange Control Panel with almost any web browser. This includes Internet Explorer, Mozilla Firefox, Apple Safari, Chrome, and most other web browsers on computers running UNIX, Apple Macintosh, or Windows.

To use the complete set of features available in Outlook Web App and the Exchange Control Panel, you can use the following browsers on a computer running Windows XP, Windows 2003, Windows Vista®, or Windows 7:

Internet Explorer 7, Internet Explorer 8, or Internet Explorer 9

Firefox 3.x and later versions.

Chrome 3.0.195.27 and later versions.

On a computer running Mac OS X, you can use:

5

Safari 5 and later versions.


On a computer running Linux, you can use:


If you use a web browser that doesn't support the full feature set, Outlook Web App will open in the light version.

Outlook 2007, Outlook 2010, and Outlook 2011 for Mac

If you're using Outlook 2007, Outlook 2010, or Outlook 2011 for Mac, you can set up a connection to your email account through an Exchange server or by using IMAP4 or POP3. Connecting Outlook 2007, Outlook 2010, or Outlook 2011 for Mac through an Exchange account provides more features than IMAP4 or POP3, including:

Access to your email, contacts, and calendar when you aren't connected to the Internet.

The ability to propose new times for meeting requests you receive.

The ability to import, export, and archive your contacts and other information stored in Outlook.

Entourage 2008, Web Services Edition

You can connect Microsoft Entourage 2008 for Mac OS X to your account using Entourage 2008, Web Services Edition. To do this, you first need to install Entourage 2008, Web Services Edition. This version of Entourage is available as an update to Microsoft Office 2008 for Mac.

To download this update and learn more about the Web Services Edition, see the Entourage. Meet Exchange Web Services, http://go.microsoft.com/fwlink/?LinkID=141905 webpage.

Although you can also connect Entourage for Mac OS X to your account (either Entourage 2004 or Entourage 2008) using POP3 or IMAP4, doing this doesn't provide all the features that are available when you use an Exchange account to connect. For example, if you connect using Entourage 2008, Web Services Edition, you'll be able to synchronize Notes, Tasks, Calendar items, and Categories between Outlook Web App and Entourage 2008.

Note

This is a web service that is hosted on the Client Access Servers (CAS) for Exchange Online. It allows programmatic access to Exchange mailboxes by Outlook 2007, 2010, 2011, Entourage 2008 EWS, and

surfaced using Exchange Autodiscover.

6

Mobile Phone Access

Many mobile phones can be set up to access your email account. If you have a mobile phone with Windows Mobile or an Apple iPhone, you can use Exchange ActiveSync to access email messages, your calendar, contacts, and tasks on your phone. Other mobile phones support both the IMAP4 and POP3 protocols, which let you send and receive email messages on your phone.

The following table lists the different supported mobile operating systems and their respective versions for both BPOS and Office 365 connectivity.

Mobile OS BPOS Office 365

Windows Phone 6.5 and Windows Phone 7 X X

Windows Mobile 6.1 X X

BlackBerry 4.5 (using BIS) X X

Apple iOS 4.x X X

Symbian X X

BlackBerry Requirements

BlackBerry mobile device users need to configure the BlackBerry Internet Service (BIS) properly. The following procedure describes the process of configuration within OWA, but the concept is similar within Outlook as well.

Setting up Blackberry Internet Service (BIS) for use with Office 365

To integrate an Outlook Web App (OWA) account with your BlackBerry account, follow these steps:

1. Connect to the appropriate BlackBerry Internet Service website (for example, http://att.blackberry.com), and then log on to your BlackBerry account. The URL of the BlackBerry Internet Service website is based on your carrier.

2. On the navigation bar, click Profile.

3. Under Email Accounts, click Other.

4. Click Add Account.

5. Type the email address, user name, and password in the appropriate fields, and then click Submit.

6. Under Microsoft Outlook/Exchange, select I can access my mailbox using a Web browser (Outlook Web App).

7. Click Submit.

8. In the Outlook Web App URL field, type https://m.outlook.com.

9. In the Mailbox Name field, type the mailbox name for your OWA account. For example, type [email protected].

10. Verify that your email address, user name, and password are correct.

7

11. Click to select the Leave messages on mail server check box.

12. Click Submit.

If you receive the following message, the integration process was completed successfully:

Your email account has been successfully set up

The integrated account also displays a green check mark in the Status column. New email messages will appear on the handheld device from your integrated OWA account.

If you receive the following message, the integration process was not completed successfully:

We were unable to configure this mailbox

In this case, the integration likely failed for one of the following reasons:

You entered the wrong account information. Repeat the process.

There is a temporary connection problem between the BlackBerry Internet Service website and the Exchange server. Try integrating your account later.

Note

Mail is retrieved from your Exchange Server account and forwarded to your BlackBerry Wireless Handheld every 15 minutes.

Troubleshooting BIS

If a customer has a BIS issue, do not file a RIM support ticket with Research in Motion. Any BIS issue

Note

This restriction only applies to BIS. You can continue to file BlackBerry Enterprise Server (BES) support tickets with RIM.

The following list contains contact information for the main wireless carriers:

T-Mobile (800) T-MOBILE / *611 from the wireless device.

Verizon Wireless (800) 922-0204 / *611 from the phone

AT&T Wireless (800) 331-0500 / 611 from the phone

Sprint PCS (888) 211-4727 / *2 from the phone

8

Other Email Programs

If you have an email program that supports IMAP4 or POP3, you can set it up to send and receive your email. You can't use IMAP4 or POP3 to access your contacts, tasks, or calendar. Some programs you can use to access your email account with IMAP4 or POP3 include:

Microsoft Outlook Express

Windows Mail

Mac Mail for Mac OS X

Note

If you're running Mac OS 10.6 Snow Leopard, you don't connect to your email account using IMAP or POP. Connecting to your account with Mail for Mac OS 10.6 Snow Leopard requires less manual configuration. For more information, see Set Up Mail for Mac OS 10.6 Snow Leopard Access to Your E-Mail Account.

Email Setup Wizard As shown in the following figure, configuration instructions for each of these supported applications, web browsers, and even mobile devices are available through the Online Help's Email Setup Wizard at http://help.outlook.com/en-US/beta/dd936216.aspx.

9

After selecting the appropriate items from the drop-down lists, the wizard provides step-by-step details on how to configure any supported application to connect with Exchange Online.

10

USING OUTLOOK WEB APP The following table lists the links available via the Exchange Control Panel and the options available under each link:

Link Description Options available

Account Displays account information for the user who is logged on to the ECP website.

Edit

Short cuts to other ECP functions

Organize E-mail Displays options that allow users to create inbox rules, out of office replies and track

Inbox Rules

Automatic Replies

Delivery Reports

Groups Displays a page where the user can join or leave public distribution groups that have been created on the system. If allowed, the user can also create their own public groups that others can join

Public Groups I Belong To

Public Groups I Own (optional)

Settings Provides user access to individual OWA settings. Users can access this page to change user functionality of OWA

Mail

Spelling

Calendar

General

Regional

Password

S/MIME

Phone Allows users to configure settings for mobile access to their mailbox

Mobile Phones

Text Messaging

Block or Allow Allows the user to configure their junk email settings. From here users can specify their list of allowed and blocked senders (safe senders and recipients)

Block or Allow

The features found in each of these main links are discussed in the following sections.

Account The Outlook Web App options page looks different than the old Outlook Web Access options page, but with the same options just rearranged and easier to find. However, because of the new ability to customize the available options based on your permissions in Office 365, you might see a few extra menu options.

11

In the Account screen, there are some useful shortcuts on the right, which will lead users to the most common areas accessed:

See email from all your accounts in one place = Account / Connected Accounts

= Organize E-Mail / Automatic Replies

Learn how to get Direct Push email on your mobile phone = Help article on email on a mobile phone

Connect Outlook to this account = Help article on accessing email using Outlook

Forward your email = Account / Connected Accounts

Import your contacts from an existing email account = Opens Import Contacts wizard

The tabs available by default in a normal user role are:

My Account Here you can review and change your personal account information.

Connected Accounts -- Here you can connect your Outlook Web App account to your other email accounts.

My Account

This default tab under the Account page displays your user account inform ation.

12

Clicking Edit opens the Account Information window, where you can update your contact information and other account details.

13

Connected Accounts

The Connected Accounts tab in the Account page is where you can keep track of email from other accounts by connecting to them from your Outlook Web App account. You can connect up to five other accounts, such as Hotmail®, Gmail, and Yahoo! Mail accounts. This lets you send, receive, and read mail from all the accounts in one place.

14

New Account Connection

Use the New AccountConnection dialog box to connect from your account in Outlook Web App to another email account, for example, a Yahoo! Mail, Hotmail, or Gmail account. After a connection is created, you can send email from the email address for the other account and get all your email from that account in Outlook Web App. If you're connecting to an account other than a Hotmail account, make sure you've turned on POP or IMAP access from the account before you create the connection. When connecting, your email will automatically try to log on to the other account to download messages. To connect from Outlook Web App, click Options > Account and then, under Connected Accounts, click New.

You need to provide the following information to get started.

Setting Description

E-mail address Enter the address of the other email account, for example, [email protected].

Password Enter the password you use when you log on to check email for your other account.

15

Turn on POP or IMAP Access to Connect to another Account

Before you connect to download mail from another email account, you may need to turn on POP or IMAP access from the other account. This topic provides information about which commonly-used email services require you to turn on POP or IMAP access. If you're connecting to an account that's not mentioned here, check that POP or IMAP access has been turned on before you try to connect.

Hotmail: folders in your Hotmail account, these folders are copied to your account in Outlook Web App along with the email downloaded from your Hotmail account.

Gmail: You need to allow POP access from your Gmail account to download mail from that account to Outlook Web App. To allow POP access from Gmail, see Turn on POP Access Before Connecting to Your Gmail Account, http://help.outlook.com/en-US/beta/dd181952.aspx?s=BPOS_S_E14_R5.

Yahoo! Mail Plus, Comcast, AOL: These services give you POP access automatically and they don't support IMAP access.

IMAP Access: Outlook Web App supports IMAP access for most services, except Gmail. With IMAP access, your folders and mail items within those folders are downloaded to Outlook Web App the same way you see them in your other account. If your other account allows IMAP access, check that IMAP access is turned on before you connect to the account.

Organize Email

Inbox Rules

Use the Inbox Rules tab to perform specific actions on messages automatically as they arrive, based on criteria you select. For example, you can create a rule to move automatically all mail sent to a group you're a member of to a specific folder.

16

Automatic Replies

Use automatic replies whenever you're unable to respond to email for an extended time. After

17

Delivery Reports

Delivery Reports is a message-tracking tool that you can use to search for delivery status on email messages sent to or from users in your organization's shared address book, with a certain subject. Delivery reports contain the following information:

What servers the message passed through. (message path)

Dates and time the message was sent and/or received.

Read recipients.

Queue error messages (Admin only)

18

Tip: Delivery Reports is a new feature and is discussed in detail in the Introduction to Exchange 2010 Transports class.

Try This: Create a Delivery Report

Use the following steps to create a delivery report:

1. Access your OWA account through the ECP.

2. Click the Options link in the upper right corner of the Outlook Web App webpage.

3. Click the Organize E-mail link, and then select the Delivery Reports tab.

19

4. Move your cursor to the field then click Select Users. This will display a list of users you can track.

5. Select a user and click OK.

6. Enter any other search criteria you wish, and then click the Search button. The matching messages will be displayed in the Search Results window.

7. Double-click the message whose delivery report you want to view to display the results. In the next figure, you can see when the message was submitted and delivered.

20

that the end user also has the option of emailing this report. This allows the user to send a message containing a link to the message tracking report.

Delivery Reports and Inbox Rules

Delivery reports can also show the results of any inbox rule processing on the message. The following figure shows a delivery report for a message that was processed by an inbox rule. notice in this example that the delivery report clearly shows the message was deleted by the rule.

Important: When a message has been tracked and it is processed by a rule only the recipient that received the message and administrator that receive message will be able see in message tracking that message was processed by a rule. If the sender tracked that message, it will just show that the recipient received the message.

21

Delivery Report Event Information

The information displayed in a Delivery Report is different depending on whether the user viewing the report is an end user, Administrator or assigned the Helpdesk RBAC role. The table below describes what events that a User (both sender and recipient), Administrator, and Helpdesk can see when a message is tracked. The table does not list every event but gives an idea of what can be expected to see when a message is tracked in Exchange 2010.

Event Who Sees it What do they see

Email Submission from the Senders Mailbox

Users, Administrators, Helpdesk Users will just see message was submitted.

Administrators and Helpdesk will see the same, plus server information.

Group Expansion Users, Administrators, Helpdesk Users will see the group is expanding and the delivery status of the messages to

.

Administrator and Helpdesk see the same expansion, just with more information about the servers to which the message was delivered.

22


Delivery Success Users, Administrators, Helpdesk Users will see successful delivery of message.

Administrators will see successful delivery and server information.

Delivery Failures Users, Administrators, Helpdesk Users will see if message delivery was failure. They will also see if the message is pending state.

Administrators depending on the failure will see more information including NDR, server information, and queue error information. What they see will depend on what has occurred on message path.

Inbox Rules Recipients, Administrators, Helpdesk

Recipients and Administrators will see rule fired on the message and the action of the rule.

Transport Rules Administrators, Helpdesk Administrators and Helpdesk will see transport rule that fired. (For more information see rules module)

Message was read (If enabled)

Users, Administrators, Helpdesk

Hub Transfers Administrators, Helpdesk Administrators and Helpdesk will see what server the message was transferred to

Transfer to External Servers

Users, Administrators, Helpdesk Users will see message was transferred to external server.

Administrators will see message was transferred to external and they will see path message took along with possible queue information and Response code

Transfer to legacy version of Exchange in org

Users, Administrators, Helpdesk Users, Administrators, and Helpdesk will see message was transferred to legacy server.

Administrators and Helpdesk will see to which server the message was transferred.

23


Moderation Users Administrators, Helpdesk Users will see message is in moderation and they may see who the moderator is.

Administrators and Helpdesk will see the entire moderation path. (See Moderation module for more information)

Delivery Reports from any Mail Folder

In Exchange 2010, the end user has the option to obtain a delivery report of a message from any mail folder. An end user can get delivery reports for both messages that they have sent and received.

You will only be able to obtain delivery reports from Outlook Web App and Outlook 2010.

You will not be able to access a delivery report from calendar, task contacts folder

When a user requests a delivery report for a message it opens Internet explorer windows to Exchange Control Panel and displays the delivery request. The user will have to log into Outlook Web App if they are doing this from Outlook 2010. Accessing delivery reports using Outlook 2010 is discussed in more detail later in this section.

Outlook Web App Delivery Reports

To access Delivery Reports in a mail folder in Outlook Web App, right-click Message and select Open Delivery Report. In the figure below is the option that you see when opening a delivery report in Outlook Web App.

24

In the figure below, we have the delivery report.

Outlook 2010 Delivery Reports

In Outlook 2010, you can also access delivery reports in a mail folder. Just like Outlook Web App, you cannot access a delivery report from the calendar, contacts, or tasks folder. Delivery Reports are only available if you are using Exchange Service in the Outlook profile. Also, it does not matter if you are in cached or non-cached mode.

25

Here are the steps to access delivery reports in Outlook 2010:

1. In an Outlook 2010 mail folder, open the mail message.

2. Click the File tab.

3. Click Open Delivery Report.

4. Type in user credentials at the OWA login page.

The following figure shows the delivery report that we got when we tracked the message. In this figure have already been entered.

Retention Policies

Exchange Online makes it possible for users to manage retention tags that have been made optionally available to them for self-provisioning. This Opt-In process allows them to select personal tags to which they have been given access, and then apply them to their mailbox.

26

Once the user selects these optional personal tags, they appear in the client and can be used to tag items and user-created mailbox folders in the same way as personal tags that have been assigned to the user via policy.

In addition to this functionality, the administrator can Opt-In optional folders on behalf of a user, making the optional tags appear in the client in the same way as if the user had provisioned the tags themselves.

At any time, the user can use the Opt-Out process to remove any optional tags, including tags that may have been Opt-In on behalf of the user by the administrator.

There are several requirements for self-management of personal tags.

The mailbox user must have been granted access rights by assignment of the MyRetentionPolicies management role; this can be accomplished by assigning the role to a role assignment policy that applies to the targeted mailbox users.

A retention policy must be applied to the mailbox.

Personal tags must be available for the user to select, that are not already assigned to the user via policy.

The user cannot remove personal tags that are assigned via retention policy using the Opt-Out process. These tags are considered Required and cannot be changed by the end user.

Try This: Use the ECP to Access the Retention Policies Interface

1. Using an account that has the required level of access as granted by assignment of the MyRetentionPolicies role, log into Outlook Web App (OWA). From the OWA menu as shown in the following figure, locate and click Options, and then click See All Options. This opens the ECP.

2. From the primary navigation tabs on the left side of the page, click Organize E-Mail. From the secondary navigation tabs at the top of the page, click Retention Policies. This displays the Retention Policies menus, options, and controls, as shown in the following figure. It is from this page you can self-manage retention tags.

27

Important: The Retention Policies controls are not available to mailbox users to which the MyRetentionPolicies role has not been properly assigned, and/or a retention policy has not been applied. Add a Role to an Assignment Policy for more information.

Use the ECP to manage Retention Policies

Retention Policies is divided into two main sections: the Result pane on the left, and the Detail pane on the right.

28

Personal retention tags applied by policy or for which the user has already gone through the Opt-In process are displayed in list form in the Result pane. There are three columns of information about each tag in the list.

The Name column displays the friendly name of the tag as it also appears in the client interface.

The Retention Period column displays the age limit for retention that is applied by the tag.

The Type column indicates the type of personal tag; Required tags are assigned by policy and Optional tags have been selected via the Opt-In process.

When a tag is selected from the list in the Result pane, the details about that tag are displayed in the Details pane. The information in the Details pane includes the following:

The friendly name of the tag

Duration: indicates the age limit for retention set on the tag

Applies to: indicates the message items the tag applies to

The results pane includes a menu for managing personal tags. The menu is contextual and only makes menu items selectable for valid usage.

The buttons as described left-to-right are as follow:

The Add button is used to add available personal tags (Opt-In) at any time.

29

The Remove button is used to remove optional personal tags (Opt-Out) and is only available when tags of type Optional are selected from the list.

The Refresh button is used to refresh the view in the Result pane at any time.

Opt-In

When you click the Add button, the Select Retention Policy picker shown in the following figure appears. From this control, you can select one or more personal tags to add to the mailbox. Once tags are selected, click Save to commit the changes.

Note: The availability of personal retention tags added to the mailbox via the Opt-In process is immediate.

Opt-Out

Select the Optional personal tag to remove from the list in the Result pane. Click the Remove button. A prompt appears asking the user to confirm the operation as shown in the following figure. Click Yes to confirm the operation and remove the tag.

30

Troubleshooting Messaging Records Management

This section discusses the resources available for troubleshooting MRM issues.

Dependencies

The MRM feature depends on the following Exchange components for trouble-free operation. Failure of any of these dependencies affects the operation of the MRM feature:

Information Store and High Availability features Maintains availability of mailboxes where MRM is implemented.

Exchange Management Interfaces Management of mailbox searches from Exchange Management Console (EMC), Exchange Management Shell (EMS) and Exchange Control Panel (ECP).

Active Directory Used to store configuration objects for MRM feature components.

Managed Folder Assistant Provisions retention policy settings and enforces expiration actions on mailboxes.

Mailbox Clients Outlook 2010 and OWA exposes the MRM feature to mailbox user.

When troubleshooting MRM failures it is important to understand the relationships between these dependencies and MRM. It may sometimes be necessary to troubleshoot and resolve issues not directly related to the MRM feature in order to restore functionality.

Performance

Microsoft Windows Server 2008 provides some general performance troubleshooting tools including the Performance Monitor. Exchange Online includes performance counters for the MRM feature.

The counters are located in the MSExchange Managed Folder Assistant category of performance counters. There are no instances to select to gather performance information; the category collects information across all mailboxes on the server.

Table 1 describes each of the counters for MRM available for the MSExchange Managed Folder Assistant category.

Table 1: Performance Counters for Managed Folder Assistant

31

Counter Name Display Name Description

TotalItemsMoved Items Moved The total number of items moved by the Managed Folder Assistant since the start of the most recent schedule interval. Reset to zero at the start of each schedule interval. Type is NumberOfItems64.

TotalItemsSoftDeleted Items Deleted but Recoverable

The total number of items deleted but recoverable through the dumpster by the Managed Folder Assistant since the start of the most recent schedule interval. Reset to zero at the start of each schedule interval. Type is NumberOfItems64.

TotalItemsPermanentlyDeleted Items Permanently Deleted

The total number of items permanently deleted by the Managed Folder Assistant since the beginning of the most recent schedule interval. Reset to zero at the beginning of each schedule interval. Type is NumberOfItems64.

TotalItemsTagged Items Marked as Past Retention Date

The total number of items marked as past their retention date by the Managed Folder Assistant since the start of the most recent schedule interval. Reset to zero at the start of each schedule interval. Type is NumberOfItems64.

TotalItemsExpired Items Subject to Retention Policy

The total number of items subject to retention policy by the Managed Folder Assistant since the start of the most recent schedule interval. Reset to zero at the start of each schedule interval. Type is NumberOfItems64.

TotalItemsAutoCopied Items Journaled The total number of items journaled by the Managed Folder Assistant since the start of the most recent schedule interval. Reset to zero at the start of each schedule interval. Type is NumberOfItems64.

TotalSkippedDumpsters Mailbox Dumpsters Skipped

The total number of mailboxes for which the dumpster cleanup was skipped by the Managed Folder Assistant since the start of the most recent schedule interval. Reset to zero at the start of each schedule interval. Type is NumberOfItems64.

32


TotalDumpsterItems Mailbox Dumpsters Items

The total number of items found in the dumpsters by the Managed Folder Assistant since the start of the most recent schedule interval. Reset to zero at the start of each schedule interval. Type is NumberOfItems64.

TotalSkippedDumpsterItems Mailbox Dumpsters Skipped Items

The total number of items found in the dumpsters of skipped mailboxes by the Managed Folder Assistant since the start of the most recent schedule interval. Reset to zero at the start of each schedule interval. Type is NumberOfItems64.

TotalExpiredDumpsterItems Mailbox Dumpsters Expired Items

The total number of items expired from the dumpsters by the Managed Folder Assistant since the start of the most recent schedule interval. Reset to zero at the start of each schedule interval. Type is NumberOfItems64.

TotalExpiredSystemDataItems System Data Expired Items

Tthe total number of system data items expired by the Managed Folder Assistant since the start of the most recent schedule interval. Reset to zero at the start of each schedule interval. Type is NumberOfItems64.

TotalOverQuotaDumpsters Total Over Quota Dumpsters

The total number of mailboxes for which the dumpster was over quota and was processed by Managed Folder Assistant since the start of the most recent schedule interval. Reset to zero at the start of each schedule interval. Type is NumberOfItems64.

TotalOverQuotaDumpsterItems Total Over Quota Dumpster Items

The total number of items found in the dumpster of the over quota mailboxes by the Managed Folder Assistant since the start of the most recent schedule interval. Reset to zero at the start of each schedule interval. Type is NumberOfItems64.

33


TotalOverQuotaDumpsterItems

Deleted

Total Over Quota Dumpster Items Deleted

The total number of items deleted due to mailbox over dumpster quota by the Managed Folder Assistant since the start of the most recent schedule interval. Reset to zero at the start of each schedule interval. Type is NumberOfItems64.

TotalSizeItemsExpired Size of Items subject to Retention Policy (In Bytes)

The total size of items subject to retention policy by the Managed Folder Assistant since the start of the most recent schedule interval. Reset to zero at the start of each schedule interval. Type is NumberOfItems64.

TotalSizeItemsSoftDeleted Size of Items Deleted but Recoverable (In Bytes)

The total size of items deleted but recoverable through the dumpster by the Managed Folder Assistant since the start of the most recent schedule interval. Reset to zero at the start of each schedule interval. Type is NumberOfItems64.

TotalSizeItemsPermanently

Deleted

Size of Items Permanently Deleted (In Bytes)

The total size of items permanently deleted by the Managed Folder Assistant since the beginning of the most recent schedule interval. Reset to zero at the beginning of each schedule interval. Type is NumberOfItems64.

TotalSizeItemsExpired Size of Items subject to Retention Policy (In Bytes)

The total size of items subject to retention policy by the Managed Folder Assistant since the start of the most recent schedule interval. Reset to zero at the start of each schedule interval. Type is NumberOfItems64.

TotalSizeItemsMoved Size of Items Moved due to an Archive policy tag (In Bytes)

The total size of items subject to Move retention policy by the Managed Folder Assistant since the start of the most recent schedule interval. Reset to zero at the start of each schedule interval. Type is NumberOfItems64.

TotalItemsWithPersonalTag Items stamped with Personal Tag (Expiry or Archive)

The total number of items that are stamped explicitly with a personal tag (Expiry or Archive) by the user. Reset to zero at the start of each schedule interval. Type is NumberOfItems64.

34


TotalItemsWithDefaultTag Items stamped with Default Tag (Expiry or Archive)

The total number of items that are stamped implicitly with a default tag (Expiry or Archive) by the Managed Folder Assistant. Reset to zero at the start of each schedule interval. Type is NumberOfItems64.

TotalItemsWithSystemCleanup

Tag

Items stamped with System Cleanup Tag

The total number of items that are stamped with a system Cleanup tag by Managed Folder Assistant. Reset to zero at the start of each schedule interval. Type is NumberOfItems64.

TotalItemsExpiredByDefault

ExpiryTag

Items expired due to a default Expiry Tag

The total number of items that are expired by Managed Folder Assistant due to a presence of a default expiry tag. Reset to zero at the start of each schedule interval. Type is NumberOfItems64.

TotalItemsExpiredByPersonal ExpiryTag

Items expired due to a personal Expiry Tag

The total number of items that are expired by Managed Folder Assistant due to the presence of a personal expiry tag. Reset to zero at the start of each schedule interval. Type is NumberOfItems64.

TotalItemsMovedByDefault ArchiveTag

Items moved due to a default Archive Tag

The total number of items that are moved by Managed Folder Assistant due to the presence of a default Archive tag. Reset to zero at the start of each schedule interval. Type is NumberOfItems64.

TotalItemsMovedByPersonal ArchiveTag

Items Moved due to an Archive Tag

The total number of items that are moved by Managed Folder Assistant due to a presence of a personal Archive tag. Reset to zero at the start of each schedule interval. Type is NumberOfItems64.

TotalMovedDumpsterItems

Mailbox Dumpsters Moved Items

The total number of items moved from the dumpsters by the Managed Folder Assistant since the start of the most recent schedule interval. Reset to zero at the start of each schedule interval. Type is NumberOfItems64.

35

Client Experience: Outlook 2010

Outlook 2010 fully supports MRM 2.0, providing interfaces for managing tags at the item and folder levels, and for determining pending retention actions.

Assign Policy at the Item Level

Retention tags are applied by the user on selected items via options from the Assign Policy menu. Assign Policy is only available in Outlook when the mailbox has a retention policy applied and the Managed Folder assistant has processed the mailbox at least once since the policy was applied.

The Assign Policy menu selection appears on the ribbon in the Tag section of the Home tab as shown in the following figure.

Assign Policy is also available as an option by right-clicking a selected item from the message list as shown in the following figure.

Assign Policy is also available from the Tags menu of the Message tab when the selected item is opened, as shown in the following figure.

The Assign Policy menu is contextual and displays options according to certain factors as determined by the retention tags that are applied to the mailbox. The menu is divided into three sections as shown in the following figure and as described in the paragraphs that follow.

36

Archive Policy Displays personal retention tags that have a retention action of Move To Archive.

Retention Policy Displays personal retention tags that have any retention action other than Move To Archive.

Additional Options The Archive Policy menu provides additional options that do not correspond to the Archive Policy and Retention Policy sections.

o More Retention Policies Makes it possible to display a list view of all available retention policies.

o Set Folder Policy Makes it possible to open the Policy property page for the folder where the item is located. This option is discussed in more detail in section Assign Policy at the Folder Level later in this section.

o View Items Expiring Soon Users can get a list of all messages that will expire within 30 days, making it possible to search the mailbox for items that will soon expire.

Archive Policy

The Archive Policy section is only displayed when an archive retention tag is assigned to the mailbox and the user also has an Archive mailbox enabled; both must be true for the Archive Policy section to be displayed.

The friendly name for archive retention tags are not displayed in the Archive Policy section. Instead, the retention age limit as interpreted by Outlook is used to display the tag for selection by the user.

The ways in which the Archive Policy section appears and other parts of the Apply Policy menu are displayed depend on certain conditions.

37

When the Default Archive Policy is applied to the mailbox, the Archive Policy section is the only section that appears in the Apply Policy menu as shown in the following figure. This is the only instance where the Assign Policy menu does not display any other sections.

When any other policy that also only applies archive tags is assigned to the mailbox, the additional option menu items also appear as shown in the following figure.

In all other instances where there is a mixture of personal tags and archive tags, the Archive Policy section appears as shown in the following figure.

It is important to recognize that in this case, a retention tag that has an action of Move to Archive, and a retention age limit that is null (never). The tag is not displayed in the Archive Policy section; instead it is displayed in the Retention Policy section, and the friendly name of the tag is displayed instead of the derived retention age limit.

Retention Policy

The Retention Policy section is only displayed when a personal retention tag, with a retention action of anything other than Move To Archive, is assigned to the mailbox.

The friendly name for a personal retention tag is used to display the tag for selection by the user.

When the retention policy applied to a mailbox includes only retention tags with a retention action of anything other than Move To Archive, only the Retention Policy and additional options sections are shown in the Apply Policy menu, as shown in the following figure:

38

Additional Options

The additional options list of the Retention Policy section lists task selections common to the Assign Policy menu.

More Retention Policies

The Retention Policy section can display up to 10 retention tags. When there are more than 10 retention tags available to the user, the user can select the More Retention Policies option to display a list view of all available retention tags as shown in the following figure.

the section below the list. This helps the user in discovering the purpose for each tag if the comment provides additional information.

The selected tag is applied to the item by clicking the Apply button; else, the user can apply the tag from the folder where the item is located by clicking the Use Folder Policy button. The Cancel button aborts the operation without changing the tag currently set on the item.

39

The Add or Remove Retention Policies link launches the default web browser of the client machine using a URL that opens the Exchange Control Panel (ECP) directly to the Retention Policies menus, options, and controls for self-managing optional personal tags.

Set Folder Policy

The Set Folder Policy option opens the Policy property page for the folder where the item is located. This option is discussed in more detail later in this section as part of the discussion on Assign Policy at the Folder Level. The Set Folder Policy option is not available when the Assign Policy menu is selected from an opened message.

View Items Expiring Soon

The View Items Expiring Soon option creates an Outlook mailbox search on the current folder where the item is located as shown in the following figure. All items in the folder that match the search criteria are returned by the search. The user can then review items to determine if action is required to prevent an undesirable retention action.

The search string generated by this option uses the AQS syntax to create a search string to return items that are set to expire in the next 30 days. The search string uses the following syntax:

expires:<=<current date + 30 days>

The expires property is indexed by Exchange Search and Windows Desktop Search so that results are quickly rendered by the client.

The View Items Expiring Soon option is not available when the Assign Policy menu is selected from an opened message.

Applying Tags with Apply Policy

Only tags of type Personal can be assigned by the user at the item level (explicit); all other tags are applied to items implicitly from the tag that is applied on the folder where the item is located (a retention tag) or from a tag that applies to all other folders in the mailbox (a default tag).

Personal tags are applied to an item by first selecting the item, and then selecting the personal tag to apply from the Apply Policy menu.

To revert to the explicitly applied tag from the folder level, the user must select the item and then select the Use Folder Policy option. To the user, the default tag at the mailbox level, and retention tags at the folder level, never appear by name, and can only be selected by the Use Folder Policy option.

40

For example, suppose that a policy applies a retention tag of type Deleted Items to the Deleted Items folder, as well as making available one or more personal tags. If the user assigns one of the personal tags to an item in the Deleted Items folder, it overrides the Deleted Items retention tag that is applied at the folder level. If the user later selects the Use Folder Policy option for the same item, it applies the Deleted Items retention tag because it is the default tag for the folder.

In the case where a default folder does not have a retention tag applied, the default tag is applied, because it applies to all other folders in the mailbox.

When the user has applied a tag explicitly, a checkmark appears in the Assign Policy menu beside the selected tag as shown in the following figure. When the user has not explicitly assigned a tag, no checkmark appears, even though a tag is implicitly applied to the item from the mailbox or folder level.

If the user selects the Use Folder Policy option, the checkmark then appears by the option to designate that the option has been explicitly set.

Applying a tag on a Conversation

Outlook 2010 supports Conversation View, where all messages for a given thread are grouped and displayed under a single header labeled with the subject of the thread as shown in the following figure. The threads are sorted by date, and then the messages within each thread are sorted based on who replied to whom. Conversations include messages from multiple folders. For example, messages that are sent are saved in the Sent Items folder, but appear within the conversation with replies to the message that were received.

In conversation view, you can select the conversation header and apply a tag to all messages in the thread at the same time. Note that the tag is only applied to messages in the thread that are located in the same folder as the thread.

Because this action affects multiple messages in the thread, a warning is generated to prompt the user to confirm the action before proceeding as shown in the following figure. The user can override this behavior by selecting the check box shown the first time the message is generated.

41

Assign Policy at the Folder Level

A user can assign a retention tag to a mailbox folder using the Policy property page of the folder. The property pages for a given mailbox folder can be opened using one of three methods:

Select and right-click the folder, then select Properties from the menu options.

Use the Set Folder Policy option from the Assign Policy menu.

o When an item is selected, the Set Folder Policy option opens the property pages for the folder where the item is located.

o When a folder is selected, the Set Folder Policy option opens the property pages for the folder.

From the ribbon, click the Folder tab and select Policy from the Properties menu.

The following figure shows the Assign Policy menu when a folder is selected. Note that the Archive Policy and Retention Policy sections are not displayed because they do not apply in this instance. A retent

The following figure shows the Properties menu options from the Folder tab. Select Policy to open Policy tab. You can also click Folder Properties to

Policy tab.

The following figure shows the Policy Policy tab is only available when a retention policy has been applied to the mailbox, and the Managed Folder assistant has processed the mailbox at least once since the policy was applied.

42

The Policy tab includes options for setting the Folder Policy settings, the Online Archive settings, and a link to the ECP for self-management of optional personal tags as described earlier.

The Policy property tab is only available for the following mailbox folders:

Inbox and all user created folders Junk E-Mail

Drafts Outbox

Sent Items RSS Feeds

Deleted Items Sync Issues

Folder Policy

The Folder Policy option provides a combo-box drop-down control as shown in the following figure. This control makes it possible to select a personal retention tag to apply to the folder or to apply the tag that is applied to the parent of the folder instead by selecting Use Parent Folder Policy.

Retention tags can only be set by the user on mailbox folders that they have created. The Folder Policy option is not active for use when a default folder is selected. The name of the retention tag

43

that is applied to the default folder is displayed in the Folder Policy field unless the default retention tag applies to the folder. In this case, only Use Parent Folder Policy is displayed.

Online Archive

The Online Archive option provides a combo-box drop-down control that makes it possible to select an archive action personal retention tag to apply to the folder, or to apply the archive action tag that applies to the parent of the folder as shown in the following figure.

The Online Archive option is available for default folders and user created folders alike.

Observing the Effects of Tag Application in Outlook

Outlook provides indicators to users so they are able to understand the effect of retention tags that have been applied to their messages.

Important: Retention tags can be applied to other mailbox items besides messages. However, the indicators described in this section only apply to messages. Outlook does not provide an indication method for other mailbox item types.

Retention Policy

Retention Policy information is displayed as part of message header information when viewing the message in the Reading Pane as shown in the following figure. The information displayed in the message header includes:

44

The friendly name of the retention tag.

The calculated date of expiration based on the delivery date of the message and the retention age limit of the retention tag.

When the item is within 30 days of expiration, a message is shown to inform the user that the item is nearing expiration, and that they should take action to apply a different retention tag if they wish to keep the item from expiring.

When the item is opened, the way in which the retention information is displayed changes as shown in the following figure. The friendly name and expiration date are moved to the footer of the message, while the expiration informational message remains at the top of the header.

Archive Policy

Archive Policy information is not as comprehensive as Retention Policy information. There is no information displayed in the message header. The only information displayed appears in the footer when the message is opened, as shown in the following figure. The information simply displays the date when the item will be moved to the archive mailbox.

45

Client Experience: Outlook Web App

The retention policy interfaces provided by OWA are not as comprehensive as Outlook, but do provide some of the same functionality with some key differences:

There is no Assign Policy menu for message items or folders.

Retention Policy and Archive Policy information is not displayed on message headers or footers.

There are no additional options for viewing items expiring soon.

Observing the Effects of Tag Application in OWA

OWA is not as comprehensive as Outlook when indicating pending expiration actions. The message shown in the following figure is displayed in the message header when the message is set to expire in the next 30 days.

Groups -

them to enable and configure basic moderation for distribution groups only. Configuring moderation for other recipient types is accomplished using the Exchange Command Shell. The Exchange Control Panel does not allow users to create or designate specific arbitration mailboxes for use with moderation.

46

In order to use the Exchange Control Panel, to create and manage distribution groups the users need to be assigned the following RBAC Roles in order to be able to create the distribution group:

MyDistributionGroups Users assigned this role can modify any of the properties of the group if they are the group owner. These properties include group membership, membership approval settings, email address settings, delivery restrictions, group owners, and group moderation settings. Can also delete groups if they are the group owner.

MyDistributionGroupMembership Users assigned this role can add or remove themselves as members of a public group. Users who are assigned this role can't create, delete, or modify any other properties of public groups in the global address book.

Try This: Create a Distribution Group

1. From the Outlook Web App Mailbox page, click the Options link in the upper right corner of the page. If prompted, enter the username and password to access the Exchange Control Panel.

2. Click the Groups link on the left side of the Exchange Control Panel.

Note: If you are logged on using the Administrator account,

-down list in the upper left corner of the screen. Otherwise, the groups tab will only list distribution groups owned by the administrator.

3. Under Public Groups I Own, click New to create a new distribution group.

4. Enter a Display name, and Alias for the new distribution group

47

5. Expand the Membership portion of the screen, and use the Add button to add users to the distribution group.

6. Verify that the Add group owners as members check box is selected if you wish to receive a copy of the message.

7. Click the Save button when finished. This will create the distribution group with the current logged on user as the owner of the Distribution group.

Try This: Designate a Distribution Group for Moderation

1. Access OWA through the ECP.

2. From the Outlook Web App Mailbox page, click the Options link in the upper right corner of the page. This will bring you to the Exchange Control Panel.

3. Click the Group link on the left side of the Exchange Control Panel.

4. Under Groups I Own, select the group you want to configure as a moderated distribution group and choose Details.

5. Expand the Message Approval portion of the screen.

48

6. Click the check box next to Messages sent to this group have to be approved by a moderator.

7. Use the Add button under Group Moderators to select a moderator email account. This account will receive email messages destined for the distribution group and will be responsible for approving or disapproving messages before they are received by the distribution group.

8. Use the Add button under to select the accounts you want to allow to bypass message moderation.

9. Under the Select moderation notifications portion of the screen select if users should receive notification when messages are not approved:

Rejection notification messages are sent to recipients that are either internal or external to your organization. This is the default setting.

Notify senders in your organization only when their message is not approvedRejection notifications are only sent to users within your organization.

tify anyone when a message is not approved Rejection notification messages are not sent.

10. Click Save when finished.

49

Note: If the Owner of the group is also the moderator for the group, the owner will not receive approval requests for their own messages. Messages from group owners or moderators bypass moderation.

Any message that is sent to the moderated distribution group will now generate a message similar to the following to the designated moderator:

Joining a Distribution Group

self-selectthese actions via Remote PowerShell.

Important

Remember that in order to use the Exchange Control Panel to join or leave a group, the user must have the MyDistributionGroupMembership RBAC role assigned to their account. By default, this role is assigned to all users through the Default Role Assignment Policy.

Using the Exchange Control Panel to join a group initiates the approval process only when the group is configured to require approval before allowing members to join the group. You can

50

identify if a group contains member join restrictions by issuing the following command from the Exchange Management Shell:

Get-DistributionGroup <Distribution Group Name> | Fl *join* MemberJoinRestriction : ApprovalRequired

Important: Using the Exchange Management Console or the Exchange Management Shell to add group members does not initiate the approval process even when the group is configured to require approval when members join the group.

When a user joins a group that requires membership approval, the Exchange Control Panel application handler for auto group calls the Approval Framework API and submits an initiation message that begins the approval request process. (See workflow earlier in this section for details.)

Try This: Join a Distribution Group

The following steps outline how to use the ECP to join a distribution group:

1. Access OWA through the ECP.


3. Click the Groups link on the left side of the Exchange Control Panel.

4. Under Public Groups I Belong to of. Click Join to see a list of distribution groups available.

51

You can use the search bar . You can also use the Details button to see more information about the group.

The Details dialog box also contains a Membership Requests field, which will let you know if the group requires approval to join. Below are the possible entries for this field:

Requests to join require approval

Requests are automatically approved

52

Requests to join are automatically rejected (default, as shown in the screen shot above)

5. Select the group and click the Join button. If the request requires an approval, you will receive the following warning:

will receive the following warning:

6. following informational message:

Leaving a Distribution Group

Users can also use the Exchange Control Panel to remove their account from membership in a distribution group. Using the Exchange Control Panel to leave a group initiates the approval process only when the group is configured to require approval before allowing members to leave the group. You can identify if a group contains member depart restrictions by issuing the following command from the Exchange Management Shell:

53

Get-DistributionGroup <Distribution Group Name> | Fl *depart* MemberDepartRestriction : ApprovalRequired

Important: Using the Exchange Management Shell to remove group members does not initiate the approval process even when the group is configured to require approval when members leave the group.

Try This: Leave a Distribution Group

The following steps outline the procedure for using the ECP to leave a group:

1. Logon to Exchange Online using Outlook Web App interface.


3. Click the Groups link on the left side of the Exchange Control Panel

4. Under Public Groups I Belong to . Select the group you wish to depart and click Leave. If the distribution group you are

following caution message:

54

Otherwise, , you will receive the following warning message:

5. Click Yes to leave the group. You will receive a confirmation once you have left the group successfully:

Settings The Settings selection provides selections used for the modification of settings related to Mail, Spelling, Calendar, General, and Regional. A quick snapshot of each is below:

55

There is one new item on the Mail tab. It is the Conversations settings. These are related to the new Conversation view now available in Outlook Web App. This feature is described in greater detail later in this module.

56

The calendar settings available are Appearance, Reminders, Automatic Processing, and Text Messaging Notifications. The Text Messaging Notifications section is new to this version of Exchange 2010 and is covered in detail in the "Mobility" section of this training.

57

58

Phone

Voice Mail

Outlook Voice Access - Order of Preference

Based on feedback provided by customers, the biggest complaint with previous configurations of Outlook Voice Access (OVA) is that users could only listen to unread voice messages from newest to oldest. Most customers preferred to play voice messages in the order they are received, from oldest to newest. Configuration within OVA now makes it possible for the user to select an order within their personal preferences. From Options in ECP, you will notice the change to select order of preference. You can also configure this setting in OVA, personal options.

Important: One important note here, this is only for UNREAD messages. Once they have been read and saved, they are still played from newest to oldest. Also, if a message is marked as important, it will still be played first.

Play Back Caller Name

Another frustrating issue is that when UM could not resolve the caller from AD/personal contacts, the message summary would say, "message received from unrecognized caller In order to get the caller's number, you had to select options and go to envelope information to hear the number.

59

Now, UM will read the phone number as part of the message summary. Now, you will hear "message received from 4255550123 You can still get the number from envelope information.

If caller ID is resolved, then UM will say, "message received from walter harper" just as before. However, if caller id is not resolved, but display-name is present, UM should play the message summary using this name, based on the CND support described earlier in this module.

Secondary Dial Plan Support - OVA

Beginning with 2007, it was possible to have two or more extensions associated with a UM enabled user. These extensions could be in the same dial plan or in different dial plans. This was very useful with call answering where UM would take voice messages on all extensions.

The first extension assigned to a user when they were UM-enabled or re-enabled is called the primary extension. The UM dial plan that was specified when the user was UM-enabled is the primary dial plan. Each user will have only one UM mailbox policy, which is "linked" to the primary dial plan. All policy decisions for configuration are based off the primary UM mailbox policy for each um-enabled user. Subsequent extensions added to a UM-enabled user are called secondary extensions. A UM dial plan other than the primary dial plan in which one or more secondary extensions reside is called the secondary dial plan. Both the primary and secondary dial plans will have a pilot number associated for the user to log into OVA.

Many customers rely on secondary extensions and works well for call answering scenarios such as:

User splits time between an office in Seattle, and an office in Dallas. The user would have separate extensions for each location, and in two dial plans (primary/secondary). Voice mail and missed call notifications to either extension would go to the user's single mailbox.

User has two phones on their desk, each with its own extension (primary/secondary). Both extensions would be on same primary dial plan, same PBX. Voice mail and missed call notifications to either extension would go to the user's single mailbox.

Again, call answering was the main purpose and supported scenario for multiple extensions/dial plans. However, most customers wanted to be able to log into OVA from any extension. This did not always provide a seamless user experience. Depending on which extension the user called from, some scenarios would not work the same. The user would encounter different and unexpected results. Some of the common issues experienced with secondary dial plans/extensions were inconsistencies with logging into OVA, directory searches not finding users, and with features that require out dialing. This was the result of known issues/limitations with the current design. E12 and E14 limitations consisted of:

No support for multiple locations due to UM mailbox policy's "In Country and Region groups" configuration. This is based on the primary dial plan to transform a number and authorize the caller. It was not always possible to configure dialing rules across dial plans identically.

MWI is sent only to the user's primary extension

60

Play on Phone uses the primary dial plan/policy to allow outbound calling

The email for reset pin only has info related to primary extension/access numbers

Certain scenarios where the prompt to Call the sender (email/voice mail) will not be provided if the senders business/office number is not populated in AD, or the call may fail due to dialing rules or sender's primary extension is from a different dial plan.

Call Answering Rules

One of the main functions of Exchange Unified Messaging is to answer incoming calls, take voice mail messages, and send them to your Inbox. Call Answering Rules let you tell the voice mail system how to handle your incoming calls. You can set the voice mail system to just answer your incoming calls and record a voice message, or you can set up conditions and actions so that incoming calls will be handled in a different way.

If your mailbox is enabled for Exchange Server 2010 Unified Messaging, you can set up to nine call answering rules. These rules are different from the Inbox rules that you set up. By default, no call answering rules have been created for you. All callers will be prompted to leave you a voice message until you set up call answering rules. If you're satisfied with having the voice mail system just answer your incoming calls and record a voice message, you don't have to create any call answering rules. However, if you decide that you want to set up conditions or actions, you can set them up by using the Call Answering Rules section on the Voice Mail tab in Outlook Web App. Use the Call Answering Rules section, shown below, to create, edit, and delete call answering rules.

To create a new call answering rule, click .

Parts of a Call Answering Rule

61

Each call answering rule that you create contains two key parts:

Conditions The criteria that must be met before the rule can be applied to an incoming call.

Actions The options that should be presented to the caller when all the conditions are met. These actions will be read to the caller over the phone, and the caller can then choose what they want to do using the keypad on their phone.

The following figure shows the form for creating a call answering rule. The form is divided into two columns. The right column displays the list of available conditions and actions you can use to build the rule. The left column displays the list of conditions and actions that have been added to the rule.

Conditions

Conditions are rules that you can apply to call answering rules. By using a combination of conditions, you can create multiple call answering rules that will trigger when the conditions are met. To create a default rule that will be applied to every call, you create a rule that doesn't contain any conditions.

There are four conditions that can be used when you set up call answering rules, including:

Caller ID

62

Time-of-the-day

Free/busy status

Automatic email reply is enabled/disabled

Use one of the following options to add a condition for a call answering rule.

Actions

Actions are used to define what you want to happen when a condition is met. The three kinds of actions are:

Find-Me

Call Transfer

Leave a Voice Mail

Use one of the following options to add an action for a call answering rule.

Adding a Find-Me Action

When a caller selects Find-Me, the voice mail system will attempt to locate you at up to two different phone numbers, and then connect the caller to you if you're available at one of the phone numbers. To add Find-Me to your list of actions, click .

In the Find Me dialog box, specify the phone numbers and other settings. The settings that are available are listed below.

63

inform your callers that they should only select this action if they have important things to discuss with you, the voice mail system will say, "For Urgent Matters, press the 1 key."

You have to associate the Find-Me action with the number on the telephone keypad that the caller will have to press to select this action. In the example above, the 1 telephone key is the number callers will press to reach you at one of the phone numbers you specify.

Next, you have to specify the one or two phone numbers that the voice mail system will dial. If you specify two telephone numbers, the second number will be dialed if you're not available at the first. Each phone number that you specify has an associated duration. The duration is the time period during which the voice mail system will try to dial the phone number before it moves on to the next number. Or, if you can't be contacted, the voice mail system will go back to the options menu.

After you've entered this information, click Apply to save the Find-Me settings.

Adding Call Transfer Options

By setting a Call Transfer action, you provide callers with the option to be transferred to another person's phone number. To add Call Transfer to your list of actions, click .

The Transfer the Caller dialog box is shown below.

64

Several options are available when you want to transfer an incoming call to another phone or Contact, as follows:

have an

important matter to discuss and need to speak to someone.

You have to associate the Call Transfer action with the number on the telephone keypad that the caller will have to press to select this action.

When you choose the Call Transfer action, you have to specify a person or phone number for the caller to be transferred to. You can choose a phone number or select a Contact to be called when the caller presses the correct key on the telephone keypad. If you specify a contact within your company directory, the voice mail system will try to transfer the call to the extension number of that contact.

In addition to specifying a person or number for the caller to be transferred to, you also need to specify the number on the telephone keypad that the caller will have to press to select the Call Transfer action.

After you've entered this information, click Apply to save the Call Transfer settings.

Adding and Removing the Leave a Voice Mail Action

By default, the voice mail option is automatically added to each call answering rule. If you don't want to offer this option, you can remove it by clicking . Press the # key to record a voice message. If you've removed the option for receiving a voice message, you can add it back by clicking the option.

Recording a Personalized Voice Mail Greeting

You can record a custom greeting for each call answering rule you create. By default, Unified Messaging will generate a default greeting based on the actions you've configured.

To record a custom greeting, you can click the

in the Call Answering

65

Rule window, and the voice mail system will call you so you can record a greeting. In your recording, you should include any actions you've configured on the rule itself. The voice mail system won't list the actions if you've recorded a custom greeting.

You can also allow callers to interrupt your voice mail greeting while it's being played for callers, or prevent them from doing so, by selecting or clearing the

check box.

Saving Call Answering Rules

Before you save your rule, you have to give it a meaningful name. After you do this, click Save and Close to create the rule. Next, you should test to make sure the call answering rule is working you want it to by trying to call your phone extension and waiting for the call to be answered by Unified Messaging.

Voicemail Preview

Traditional voice m ail is convenient, but a phone or other audio-enabled device is required to play back the m essage. �� r�� r �dd �� r�� r� on the

Exchange Online ��d M�� r� ��r�� r�d�� d�� new feature called Voice Mail Preview . This feature offers speech-to-text transcription for voice m ail m essages. Upon receiving a voice m ail call, a UM enabled user w ill receive a m essage that contains not just an audio attachm ent, but also text that has been derived from the audio attachm ent. This w ill further d��r �� M��r�� d � �� be accessible at a glance, they w ill im m ediately becom e searchable, and new rule-��d �� . These enhancem ents w ill change the w ay that custom ers think of voice m ail, and revolutionize the w ays that they use it.

Although the Voice Mail Preview feature offers transcription of new voice m ail m essages, its functionality is not w ithout lim itations:

Exchange Online UM is not intended as an over-the-phone dictation engine. W ith the lim ited recording tim e, and the m ajor CPU consum ption for the speech recognition process, this is not a scalable dictation engine.

engine.

The subject line of the voice m essage cannot be controlled via voice recognition. The caller cannot custom ize the Voice m ail subject line using the voice recognition engine.

�� r�� d ��r ��r �d�� r��

The engine has no ability for autom atic language detection. That m eans each user can only select a single language for speech recognition for the phone num ber.

User Experience

The expected behavior is that if Voice Mail Preview is enabled, the user will see the transcription of the audio recording in the body of the voice message text. However, depending on the client used to access a voice mail with transcribed content, the end user experience can vary significantly.

66

Telephony/Voice User Interface

The Voice Mail Preview feature is not exposed to UM subscribers who access the system using either the Telephony User Interface (TUI) or Voice User Interface (VUI). When a UM subscriber logs on to the Unified Messaging server via a phone connection, the server will simply play the recording as-is to the user. There is no option to access Voice Mail Preview content from the audio connection.

Outlook Web App (Outlook Web Access)

The Voice Mail Preview feature is available for UM subscribers who access the system using the new Exchange Server 2010 Outlook Web Access user interface, known as Outlook Web App. The transcribed content from the audio recording of a voice mail call can be found under the Voice Mail Preview section of the voice mail message. The transcription will be presented as plain text and no hyperlink or smart tag will be provided in the preview section.

67

For more information about the features and functionality of the Outlook Web App, see Understanding Outlook Web App

Microsoft Office Outlook

Outlook 2007

On Outlook 2007, the display of Voice Mail Preview content in the user interface is similar to that of OWA. However, there is a subtle difference in the way that the Voice Mail Preview content is rendered in Outlook 2007.

Uniform Resource Locators (URLs), such as www.microsoft.com, will be automatically enabled with hyperlinks. Smart tags, such as [email protected], will not be enabled with hyperlinks. This behavior is by design.

Outlook 2010

68

The Office Outlook 2010 client will fully utilize all information found in the Voice Mail Preview content from a voice mail call. All instances of URLs or Smart Tags will be enabled with hyperlinks. If the originator of the voice mail message is enabled for Office Communications Server, Outlook will

caller.

Other than just displaying content of the voice message, the text from the Voice Mail Preview can be used to jump to a specific point during the audio playback of the voice mail message. For example, if the UM server failed to properly transcribe a certain part of the voice mail message, the user can simply click the confusing text to listen to the actual audio from the voice mail attachment.

69

Speech Recognition Failure Scenarios

The speech recognition process can fail under different scenarios.

Speech Recognition not Attempted

When the system is running low on resources and skips Speech Recognition, the voice message will be sent to the user containing the following text:

In addition, it will be followed by a short piece of diagnostic text, such as:

Failure to Recognize Content

There are occasions where even speech recognition is running normally, but voice recognition still fails to process any recognizable content that can be displayed to the end user. For example, the system may not be able to hear or understand the caller due to volume or line quality issues.

will insert the following into the body of the Voice Mail Preview text:

Messages Over 1 Minute 15 Seconds

Voice Mail Preview is not designed to be a dictation engine. High CPU utilization is a common performance problem associated with the Voice Mail Preview feature. As such, the feature was designed with a maximum processing time limit of two minutes for a given voice mail message. For any voice mail that is greater than 1minute 15 seconds in length, it is estimated that the Unified Messaging server will spend more than two minutes transcribing the content of the audio attachment. Rather, the Unified Messaging role will simply skip the Voice Mail Preview process and put an error text on the message instead.

70

Mobile Phones

This area is where you can see the phones you are synchronizing to your mailbox and configure text messaging.

The Mobile Phones tab lets you view all the mobile phones that you are currently using to synchronize with your mailbox. There are several tasks you can perform if you have at least one mobile phone configured to synchronize with your mailbox. This topic provides an overview of each task.

View Mobile Phones

The list of mobile phones contains an entry for each mobile phone that is currently synchronizing with your mailbox, in addition to an entry for each phone that has previously synchronized with your mailbox. Mobile phones remain in this list until you remove them.

View Details

Select a mobile phone from the list, and then click View Details. This will display details about the mobile phone, including the phone name, phone type, and the last time that the phone connected to your mailbox.

Display Recovery Password

If your mobile phone is running Windows Mobile 5.0 with the Messaging Security and Feature Pack (MSFP) or Windows Mobile 6.0 or a later version, your administrator can configure your phone to send a recovery password to the Microsoft Exchange Online server. You can enter the recovery password if you forget the password that you have set to unlock your phone. To display your recovery password, select the mobile phone from the list, and then click Display Recovery Password. A dialog box will appear that includes the recovery password. Enter this password on your phone to unlock it. You will then have to choose a new password for your phone.

Retrieve Log

If your phone can't synchronize or is not synchronizing correctly, your administrator may ask for the phone's log. This log file contains technical details related to synchronization. To retrieve the log for your mobile phone, select the mobile phone from the list, and then click Retrieve Log. You will

71

receive an email message in your Inbox with the log file attached. The log file is a very small text file. You should forward this log to your administrator for help.

Remote Device Wipe

If you lose your mobile phone or want to remove all personal data from your phone, you can use a process known as remote device wipe. This process removes all personal data from your phone.

Note

After a remote device wipe has occurred, data recovery will be very difficult. However, no data removal process leaves a phone as free from residual data as it is when it's new. Recovery of data from a phone may still be possible by using sophisticated tools.

To perform a remote device wipe, select the phone from the list. Click Remote Wipe. You will receive a confirmation message that asks you if you are sure that you want to perform this action. If you decide to perform the remote device wipe, the data on your mobile phone and any installed storage cards will be deleted the next time that the mobile phone tries to connect to the Exchange server. As soon as a remote device wipe has been initiated, the status of your phone will be Pending Wipe. When the wipe is complete, the status of the mobile phone will change to Wipe Completed.

Delete

After you perform a remote wipe on your phone, it remains on the list of mobile phones. To remove it from the list, select the phone, and then click Delete. If you perform a remote device wipe on a mobile phone and then have to synchronize the phone with your mailbox later, you must delete the phone from the list before you try to configure it to synchronize again. If you don't do this, the phone will perform a remote device wipe again.

Refresh

Click Refresh to update the list of mobile phones that are synchronizing with your mailbox. The list will update automatically. However, if you have configured a new phone and can't see that phone on the list, click the Refresh button. If the phone still doesn't appear, check the ActiveSync settings on the phone.

Text Messaging

Use this tab to view and change the settings your account needs to send and receive text messages for you.

72

Text Messaging Status

You can turn text messaging on or off for your account. If text messaging has been turned on, you'll see the account you're using to send text messages listed.

Configuring Text Messaging

If text messaging is turned on for your account, the following settings are displayed.

Setting Description

Country/Region This line shows the country or region you selected for your location.

Mobile service provider This is your mobile phone carrier.

Text messaging ID This is the ID assigned by your service provider.

To turn on Text Messaging for your account, click Configure Settings.

To change the Text Messaging settings for your account, click Edit Settings.

To turn off Text Messaging for your account, click Clear Settings.

Block or Allow Block or Allow allows users to add email addresses to lists of Safe Senders or Blocked Senders. All related to what kinds of mail will go to the Junk E-mail folder.

73

Learn About Junk E-Mail Messages

Mail identified as possible junk email is automatically moved to the Junk E-Mail folder, and any potentially dangerous content within the message, for example, links or executable code, is disabled.

Try This: Mark a Message in the Junk Email Folder as Safe

1. If the Reading Pane is on, click the message to highlight it, or double-click the message to open it.

2. Click Not Junk on the toolbar.

3. The message will be moved to the Inbox.

If the sender is available and isn't in the shared address book, the Always trust messages from<the sender> check box will appear in the Mark as Not Junk message box. If you select the check box, the sender's address will be added to your Safe Senders and Recipients list.

Try This: Manage Messages in My Junk Email Folder

Right-click a message and click one of these options:

Add Sender to Blocked Senders List blocks all future messages from that sender.

74

Add Sender to Safe Senders List keeps future messages from that sender from being marked as junk email.

Add Sender's Domain to Safe Senders List keeps future messages from that sender's domain from being marked as junk email.

Mark as Not Junk works just like the Not Junk button on the toolbar. It gives you the option always to trust messages from that sender.

Junk Email Features

You can also use the junk email settings in Options > Block or Allow to manage junk email.

On the Block or Allow tab, you can add entire email addresses, such as [email protected]. Or you can add just the domain portion to trust all email from that domain. For example, to trust all email from someone who has a contoso.com address, add contoso.com to the Safe Senders and Recipients list.

You can also move a message from the Junk E-Mail folder to another folder by dragging it from the Junk Email folder to any other folder. This doesn't add the sender to the Safe Senders and Recipients list.

If you right-click the Junk E-Mail folder and click Empty Junk E-mail, the contents of the Junk E-Mail folder are moved to the Deleted Items folder.

Phishing messages are a specific type of junk email designed to steal your valuable personal data. Phishing messages are identified on the information bar, regardless of which folder they're located in. You should be careful with a message that's identified as a possible phishing message.

Conversation View Conversations are identified in the message list by an icon showing multiple items. The messages within each Conversation are sorted with the newest message on top. When a new message is received, the entire Conversation moves to the top of your message list. When you click a Conversation header in the message list, the Conversation shows in the Reading Pane, with the newest message on top.

75

Any Conversation that includes unread messages has a bold subject and the count of the unread messages appears adjacent to the subject. When you click to expand the Conversation, any unread message has a bold heading. Expanded Conversations provide a visual relationship between messages, including any responses and related messages from other folders.

When a message gets two or more responses, the Conversation can split into multiple related but separate Conversations. The latest message in each split appears when you click the Conversation. Click one of the split Conversations to show the messages from that split in the Reading Pane, with the latest message on top.

View Email Messages by Conversation

Email messages in your Microsoft Outlook 2010 Inbox and other mail folders can be organized by date and arranged by Conversation. When Conversations is turned on, messages that share the same subject appear as Conversations that can be viewed expanded or collapsed. You can quickly review and act on messages or complete Conversations.

The Conversation view provides a threaded view of email messages in a Microsoft Outlook folder. To access the Conversation view in Outlook 2010, click View, and then select the Show as Conversations check box.

The settings that you can configure for Conversation view in Group Policy and the OCT are shown in the following table. In Group Policy, the settings are found under User Configuration\Administrative Templates\Microsoft Outlook 2010\Outlook Options\Preferences\E-mail Options. The OCT settings are in corresponding locations on the Modify user settings page of the OCT.

76

Option Description

Configure Cross Folder Content in Conversation view

Enable and select the email folder content to include in Conversation view.

On and cross-store Email displayed is from all connected Outlook data files whether they are cached on the local computer or online.

Off Email displayed in Conversation view is only from the current folder (such as the Inbox).

On and current Email displayed in Conversation view is only from the current Outlook data file being viewed.

On and local Email displayed is only from the current Outlook data file being viewed and any other local Outlook data file (such as a personal data file (.pst)).

Do not use Conversational arrangement in Views

There is a known issue with the explanatory text for this setting, which will be corrected in a later release of the Administrative Templates.

If you do not configure this setting, the Outlook 2010 views will display Date view as the default. Enable to turn off Conversation view to prevent users from using Conversation View in Outlook 2010. Disable to turn on Conversation View as the default Outlook 2010 view.

Try This: Turn On or Off Conversations

1. On the View tab, in the Conversations group, select or clear the Show as Conversations check box.

2. Click All Folders or This folder.

View Messages within a Conversation

In this example, the upper header indicates a single message. The lower header indicates a Conversation with two splits.

77

To expand or open the Conversation, click on the message header. When you click a message in the expanded Conversation, it becomes the top message in the Reading Pane.

Note

Conversations include messages from multiple folders. For example, by default, messages you send are saved in the Sent Items folder, but appear within the Conversation with messages you received when you expand the Conversation.

The expanded Conversation includes visual threads that connect each message with those that preceded it in the Conversation. This helps you follow Conversations that have split.

Take Action on a Conversation

You can take action on Conversations, or messages within a Conversation, in the same ways as you can with single messages. Click the Conversation header, or click the message that you want from the Conversation, and then do any of the following:

Reply or Reply All Replying to a message in a Conversation sends a response to that message, which is the top message shown in the Reading Pane. If the Conversation has split, click the part of the Conversation that you want to reply to, and the response is sent to the latest message in that split. You can reply to any message in the Conversation.

Forward Clicking Forward creates a new message with the Conversation as the message body, as it appears in the Reading Pane.

Categorize You can categorize a Conversation or individual messages within a Conversation. If you categorize one or more individual messages, the category colors show in the header when the Conversation is compressed or closed. Marking a Conversation header with a category sets an ongoing action that will categorize any new messages of that Conversation.

Ignore You can keep Conversations that are unimportant to you out of your Inbox. On the Home tab, in the Delete group, click Ignore. All previous and future email messages of the selected Conversation are moved directly to the Deleted Items folder.

Clean Up You can reduce the size of a Conversation with Clean Up. On the Home tab, in the Delete group, click Clean Up and then click Clean Up Conversation. Any redundant messages, which means messages that are not unread, flagged, categorized or the newest message in a branch of the Conversation, are moved to the Deleted Items folder.

78

Applying a Tag on a Conversation

Outlook 2010 supports Conversation View, where all messages for a given thread are grouped and displayed under a single header labeled with the subject of the thread, as shown in the following figure. The threads are sorted by date, and then the messages within each thread are sorted based on who replied to whom. Conversations include messages from multiple folders. For example, messages that are sent are saved in the Sent Items folder, but appear within the conversation with replies to the message that were received.

In conversation view, you can select the conversation header and apply a tag to all messages in the thread at the same time. Note that the tag is only applied to messages in the thread that are located in the same folder as the thread.

Because this action affects multiple messages in the thread, a warning is generated to prompt the user to confirm the action before proceeding as shown in the following figure. The user can override this behavior by selecting the check box shown the first time the message is generated.

Shared Nickname Cache Across Outlook and OWA A Microsoft Windows Mobile phone with the Mobile Update for 6.1 and Windows Mobile 6.5 now have a nickname cache with Outlook Web App. When entries are added to any of the caches, they are synchronized with Outlook Web App. Entries are added by sending messages to internal or external recipients. When the names are resolved and the mail sent, the recipients are added to the nickname cache, also known as the AutoComplete cache in Outlook Web App.

79

WM 6.5

E14 CAS(hosting OWA and EAS)

`

Airport Kiosk(Logged into OWA)

Internet

OWA Nickname cache

John Smith

John Smith

MailboxServer

EAS

Emails sent out via OWA getadded to the OWA Nickname

cached (Stored w/in the)

Emails sent out via WM 6.5get added to the OWA

Nickname cached (Stored w/)

Updates to the OWA

down via EASLocal Nickname cache

- OWA Nickname cache- Locally stored contacts-

The Outlook Web App autocomplete cache is the same as it was in Exchange 2007.

Device Sending a New Cache Item to Server

When a user sends a message, the message might contain recipients that have not yet been added to the AutoComplete cache. The message may be a new message, a reply, or a forward. When the message arrives at the server after a sync, the recipient message is processed on the server to check whether it contains recipients that need to be placed in the Outlook Web App AutoComplete cache. The device does not really know it has a new item for the cache because the server, not the device, will parse the recipients on a sent message and determine if it should go in the cache or not. When the device syncs later, it receives a cache update from the server, and the new entry is included in the list of cache entries. XSO code accomplishes all of this so the device does not have to.

Displayed List

When the user opens a new blank message and enters the first character of a recipient, the device shows up to three suggested recipients based on the cache and the option to search the Company Directory.

80

Sometimes Windows Mobile will try to find names even though they are not part of the cache obtained from the server. These entries could come from contacts or possible messages received previously. However, the priority is to first show what is from the cache and any other guesses second.

New Calendar Features

OWA Calendar Sharing and Side-by-side View

Side-by-Side View

A very long awaited feature is the side-by-

81

Calendar Sharing

Outlook Web App now gives you the ability to share your calendar and view shared calendars side by side. This has been a much-desired feature for Outlook Web App for some time.

For previous versions of Exchange, you have to use Microsoft Outlook to share your calendar out for others to view. Now, in Exchange Onlineother users in a similar way. There are some limitations but the feature set certainly meets the need of most areas of need.

In Exchange OnlineThis also has been a much-desired feature.

In this lesson, we will discuss how calendars are shared and how they can be viewed side-by-side in an Outlook Web App session.

Sharing your Calendar with Other Users

There are multiple ways you can share your calendar with another user. You can share your calendar by selecting your calendar in the UI, and give another user permission, or you can share your calendar after you receive a request from another user to share your calendar to them.

82

Giving permissions to others

If you want to initiate the process of giving someone permissions to your calendar you can do so by selecting Share This Calendar from the right-click menu on your calendar.

Or use the Share menu above the calendar to select Share a Calendar.

After selecting the Share This Calendar action from the menu, you are presented with a new mail message with a choice of permission levels. This is different from Outlook where, by default, you are presented with a dialog box to set the permission level of the calendar folder. In Outlook Web

83

App, the new mail message lets you set the permission level but also immediately sent the message as a Sharing Invitation.

By default, everyone has Free/Busy view rights on all calendars. The definitions of the three levels of share permissions are:

1. Free/Busy information This only shows the time slots, no subject or anything else.

2. Free/Busy information including subject and location This only includes those two.

3. All information This includes Subject, location, description, attendees, and so on. This is the equivalent of Reviewer rights in Outlook. This is the highest permission level youcan set from within Outlook Web App. If you wish to set any higher permission level, use the Microsoft Outlook client.

You have to send the message for the permission setting to occur. When the message is sent, the permissions are changed for the recipients on the To line: this message has a new message type of IPM.Sharing.

After clicking the Add This Calendar option, Outlook Web App uses an API call again to add the calendar to their list of available calendars:

84

The recipient can then select the check mark next to the name just added to take advantage of the new side-by-side calendar view.

Up to five calendars can be added to the view and all calendar views are available. Those are Day, Work Week, Week, and Month.

Note: If you need more room in the calendar view, you can turn off the Reading Pane by using the View menu in the toolbar strip.

85

After permissions have been set

After the message is sent and the permissions are set, the Initiator (person who gave another user the permission to see their calendar), can check who has permissions on their calendar by selecting Change Sharing Permissions from the right-click menu of the Calendar folder.

Unfortunately, the permissions granted cannot be changed. They can only be removed. However, even if you remove a Free/Busy time permission, the user can still see just your Free/Busy schedule. Free/Busy time is an organizational default setting. The only way to change the permission to None is by using an Outlook client. The None permission is the only permission that denies any times from being seen and turning off ALL permissions to the calendar.

Being asked to share your calendar

There is one automated way you might be requested to give someone permissions to your calendar. Anyone who grants permissions to their calendar via message as described in the section above can also select a check box where they can request permission Calendar folder.

When that option is selected and sent, the invitation is sent to the recipient with an XML file attached like in the previous scenario above but there is an extra section in the file. It contains an extra XML tag section called <Request>. The Request section tells the recipient mailbox that the

86

message, the message contains extra information telling the recipient that they have been requested permission to their calendar:

The Add This Calendar option is the same as discussed before, but the Share My Calendar option is new, and allows the recipient to grant access quickly to his or her own calendar. When the user clicks on the Share My Calendar button, a new message is opened with the To line pre-populated, with Free/busy information as the default permissions.

Note also that the Subject line is pre-pended with Allowed, which tells the recipient that his or her request was accepted and allowed.

When the user sends the reply, the original requestor receives the reply confirming their request. The reply also has the Add This Calendar button just like in all previous examples. Clicking the button adds the calendar to the list of available calendars and lets the user display the calendar as needed in the side-by-side calendar view.

87

Opening Another U Calendar

select a user:

The user dialog box has a Name option where you can select a user from that GAL.

Exchange, changes that can be performed within ano will vary.

If the calendar you are opening is from an Exchange Online mailbox, you can manipulate/view that

Web App.

Note: Reminder: The highest permissions level Outlook Web App can set for a calendar is Reviewer. If you wish to grant higher levels of permissions, use Microsoft Outlook to accomplish. There can grant all permissions from None to Owner:

88

Troubleshooting Calendars

Verifying Free/Busy issues from Various Clients

Is Outlook the Only Broken Client?

Another good troubleshooting step is to verify if you have Free/Busy issues from various clients. If you are having an issue from an Outlook 2007 or Outlook 2010 client than try to access Free/Busy data from Outlook Web App. This will help verify if the issue is only affecting a specific type of client. If the issue was only on Outlook and not Outlook Web App, then we can be confident that the Availability service is actually working, and the issue is more than likely an issue with the URL to which the Outlook Clients are connecting.

Autodiscover and Exchange Web Services Issues from Outlook

You can use Outlook 2007 or Outlook 2010 to test the AutoConfiguration information that is provided by the Autodiscover service. To use the Outlook 2007 or Outlook 2010 client to test AutoConfiguration, log on to the mailbox of the user for whom you want to test the AutoConfiguration, and then do the following:

1. While Outlook is running, hold down the CTRL key, right-click the Outlook icon in the notification area, and then select Test E-mail AutoConfiguration.

2. Verify that the correct email address is in the box next to E-mail Address.

3. Clear the check boxes next to Use Guessmart and Secure Guessmart Authentication.

4. On the Test E-mail AutoConfiguration page, verify that the check box next to Use AutoDiscover is selected, and then click the Test button.

You can see the highlighted UR depicted below, this URL is used to retrieve the Free/Busy data.

89

Since Exchange Web Services is used to retrieve the availability information, we can use Internet Explorer to verify that we have access to the Highlighted URL from the preceding. If you are using a generic MAPI connection that you would use the URL information in the "Exchange RPC section" if you are using Outlook Anywhere you would use the URL information in the "Exchange HTTP" section. When you browse to that URL, you should see a screen similar what is shown below.

Web Services webpage

90

IM and Presence in OWA

User Experience

The implementation of Instant Messenger has limitations but functions perfectly as a quick tool to communicate with anyone in your organization who also uses Office Communication Server in your environment. The features available to you are immediately noticeable after logging on. Immediately you can see the Contact List and the Presence indicator.

Access is available from anywhere you have the ability to log on to Outlook Web App for Exchange Server 2010. A local installation of an instant message client is not required because the Client Access Server completes all communication operations for you.

91

The functionality available in various forms and locations are:

Start a chat.

See presence information (whether they are available, away, offline, and so on).

Set your personal presence status (change whether or not you are available, away, offline, and so on).

Maintain the Contact List (add or remove from list).

Chat

Single Chat

This is most likely the feature used the most and the one with which everyone is most familiar. This is what you would use to type instant messages to the person with whom you want to communicate, and is not much different from a typical chat session in our products today.

or as a social networking tool as entertainment to keep in touch with friends or family. Therefore, the usability of this feature is very simple and does not need much introduction. However, we will discuss how the feature is implemented within OWA.

Multi-Participant Chat

One limitation is the chat window only offers a single conversation with one other user as shown above. Note there is not a button to add other users into the conversation. However, you can be

92

brought into a conversation with multiple users if the conversation is initiated from Microsoft Lync ine.

Also, the participants are listed and any text you send or receive, involves all participants.

When a chat session becomes inactive because you or the other person have logged out (intentionally or after a time out) you will see the following warning to alert you to that fact:

Multiple Conversation Chat Sessions

You can have multiple chat conversations at once in the Outlook Web App interface. The maximum number of conversations you can have is 20.

93

You can double-click any of the listed chats to force focus to that chat and then start typing.

If you navigate the Outlook Web App window to another location within the Outlook Web App page such as the Options page, you are warned that the chat sessions will be disconnected if you continue:

However, if you sign out by clicking the Log off button, there is no warning and all chat sessions are automatically disconnected.

Collaboration Session

The collaboration session is the name of the session created when the servers communicate with each other for chat sessions.

Presence

Presence is the status of users in your contact list and in a chat window. The available status depends on what your contacts are currently doing on their system. The presence status changes by inactivity on the computer they are using or if they manually change their personal status. The list of available presence status types is similar to Lync. The one status type not available is the Appear Offline option:

94

The selection drop-down is next to your name in the Outlook Web App interface and allows the user to set a Personal Status (discussed below).

Personal Status

When logged into Outlook Web App you can set your status to a state of your choosing. Other users then see your status you selected. The user cannot tell if the status was set manually or automatically possibly due to inactivity, and so on.

To set the status, use the Status drop-down next to your name. After clicking the drop-down, you display the Status Selection drop-down.

If you set your presence to Do Not Disturb any instant messages sent to you are blocked and will not be delivered.

Contact List

Just like a regular Instant Message client, you have the ability to add contacts to your Contact list.

One easy way to add the user to your IM contact list is to click the Add to IM Contact List when viewing names from the Address List:

95

After clearing this dialog box, you see the newly added contact in your list.

Groups

The contact list has the ability to broken up in to groups in the same manner as in the Communicator client.

Creating the Group

You can create new groups in your list by right-clicking the list and selecting New / New Group. This allows you to enter a name for the group.

The name of the group is entered into the box.

96

After you create the group, you can drag and drop any of your contacts into the group just as you would in the regular Lync client.

After you move the contacts into the new group and later log in to Lync, you immediately see the group you created from within Outlook Web App.

When you use Lync to create and populate groups, access to the created groups and members will be immediately available in the current Outlook Web App session.

Limitations

File Transfers

It is not possible to send or receive files of any kind within a chat session. If you are in a regular Lync client and try to send a file to a user using Outlook Web App in Exchange Online, an error message is displayed. The Outlook Web App user does not see any message or indication of any kind that an attempt to send a file was made.

97

The recipient expecting the file only sees the last text message sent.

Voice or Webcam Communication

There is not a way to have voice or webcam communication sessions using Instant Messenger from within Outlook Web App. You would need a full Lync client on both sides of the communication to complete a voice or webcam session.

Multiple Participants

As stated earlier it is not possible to initiate multiple participants in a single chat window. However, the Outlook Web App Instant Message user can be brought into a multiple participant chat if brought into the conversation using a regular Lync client.

Configure Instant Messaging in Outlook Web App

The instant messaging feature in Outlook Web App is enabled by default. However, you can use Windows PowerShell® to disable instant messaging. For example, you might want to turn off instant messaging if it's distracting to students or conflicts with a desktop instant messaging client.

View the Outlook Web App Policies Available to Your Organization

Run the following command:

Get-OwaMailboxPolicy | Format-Table Identity

In this example, we've used the Format-Table option to display only the identity of each available policy. The command returns a list of the Outlook Web App policies that you can change. In the list of results, notice that each mailbox plan has an associated Outlook Web App policy. This means that users who are assigned different mailbox plans can also have different Outlook Web App

98

settings. For example, you can disable instant messaging for users assigned the GalDisabledMailboxPlan, and enable instant messaging for the default mailbox plan. For more information, see Mailbox Plans.

View or Verify Instant Messaging Settings


Get-OwaMailboxPolicy OwaMailboxPolicy-DefaultMailboxPlan | Format-List *instant*

In this example, we've used the Format-List option to display only the settings for instant messaging. Using the wildcard character * returns all settings that contain the term "instant

Disable Instant Messaging


Set-OwaMailboxPolicy OwaMailboxPolicy-<mailbox plan> -InstantMessagingEnabled $false

For example, to disable instant messaging for all users who are assigned the default mailbox plan, run the following command:

Set-OwaMailboxPolicy OwaMailboxPolicy-DefaultMailboxPlan -InstantMessagingEnabled $false

Enable Instant Messaging

To turn instant messaging back on, run the following command:

Set-OwaMailboxPolicy OwaMailboxPolicy-<mailbox plan> -InstantMessagingEnabled $true

For example, to enable instant messaging for all users who are assigned the default mailbox plan, run the following command:

Set-OwaMailboxPolicy OwaMailboxPolicy-DefaultMailboxPlan -InstantMessagingEnabled $true

Outlook Web App (OWA) for Cross-Premises Environments One of the main goals of a cross-premises environment is to make the mailbox move between Exchange Online and on-premises as seamless as possible for the users and administrators. When dealing with OWA , if a user mailbox was moved from the on-premises to Exchange Online you would want to ensure that there was not a lot of user education involved and that the user could use the same URL for accessing OWA regardless of where there mailbox resides.

Currently when accessing OWA there is a different URL used depending on the premise the mailbox resides on.

For those employees who have on-premises Exchange mailbox, they will use URL such as https://mail.contoso.com/owa to access OWA.

99

For those employees who have Exchange mailbox in Exchange Online, they will use URL such as https://www.Outlook.com/owa/contoso.com to access OWA.

Using different URLs would be a major pain point for our customer and administrators.

For the Administrators, they will have to explain to their users why their old URL suddenly stops working and have to persuade them to use the new URL.

For end user, they will complain why the moving of mailbox is not transparent to them

bookmarks and create new ones.

Based on this background, we now have a way to implement a single URL feature when using a cross-premise setup to give users' a uniform experience regardless of where there mailbox resides.

There are two types of cross-premise users who might need the URL redirection:

on-premises and it is now moved to Exchange Online.

a. Creating a mail user in on-premise.

b. Using dirsync to sync on-premises information to the cloud.

c. Activating the remote mailbox in Exchange Online with a license.

The Solution

The solution to this issue is to perform OWA redirection for the user. This is very similar to doing redirection for the OWA URL; for example, when the users are in a different on-premises site for Exchange 2007 or Exchange 2010. The users will be told to hit a different URL and will then have access to OWA directly without providing their credentials again, as long as identity federation is in place. To facilitate this, you can use the TargetOwaURL parameter in the Set/New-OrganizationRelationship cmdlet to specify the URL to redirect the user when the user mailbox is in Exchange Online.

Scenario: User Logs on to OWA Using the On-premises URL to Access an Office 365 Mailbox

The following is an overview of what happens when a user logs on to OWA using the on-premises URL to access an Office 365 mailbox.

1. User accesses the URL Https://mail.contoso.com/owa and authenticates to the on-premises Exchange 2010 SP1 CAS server.

2. The CAS queries Active Directory to see if the user has a TargetAddress value specified. If there is no TargetAddress specified, Exchange will treat the logon attempt as a local attempt to access OWA and authenticate the user. As shown in the following figure, the TargetAddress can be viewed in ADSI edit on the properties of the user under the domain naming context.

100

3. If the TargetAddress attribute is specified Exchange will attempt to match the domain portion of the TargetAddress to a domain name that is specified in an Organization Relationship.

4. When the Organization Relationship match is found, Exchange will see if the TargetOWAURL value is specified for the Organization Relationship. The process to specify the TargetOWAURL will be covered later in this lesson.

5. The user will then see a clickable link similar to the following figure:

101

This feature works very differently than many Organization Relationship features. Most of the Organization Relationship features such as MailTips and Free/Busy generate a token request on the users' behalf. This will not happen for the OWA redirection. Instead, we simply look to see if there is a domain match for the Target Address value, then we redirect the user to that URL without any request for a delegation token. This does not mean that when the user accesses OWA they will not have to get a token to access the services; rather, the redirection piece introduced in the Organization Relationship does not play a part in the retrieval of the token.

When the user is redirected, the on-premises CAS no longer is involved with the rest of the OWA traffic. The user will access the Office 365 Identity Provider and request access directly (usually this is when ADFS Identity Federation would be used, since the user is accessing the application directly at this point).

Scenario: Unspecified TargetOWAURL

If a user were to type the URL for the OWA that is pointing to the on-premises CAS and the user mailbox was in Office 365, and the TargetOWAURL was not specified in the Organization Relationship, the user experience will be a negative one. The screen shot depicted below shows the error that is generated.

No TargetOWAURL specified

102

How to Set the TargetOWAURL Setting

This TargetOWAUrl setting cannot be modified from the Exchange Management Console and needs to be set or modified from the Exchange Management Shell. The set/new-OrganizationRelationship cmdlets can be used to set the value. The TargetOWAUrl value should be set to https://outlook.com/owa/bpos.Exchcloud.com (assuming that BPOS.Exchcloud.com is the federated domain name for the on-premises environment).

Following is the parameter related to the OWA redirection for the set/new-OrganizationRelationship cmdlet.

Parameter Description

TargetOwaURL The TargetOwaURL parameter specifies the Microsoft Office Outlook Web App URL of the external organization defined in the organization relationship. It is used for Outlook Web App redirection in a cross-premise Exchange scenario. Configuring this attribute enables users in the organization to use their current Outlook Web App URL to access Outlook Web App in the external organization.

The following is a sample of the Syntax used to configure the URL value for an Organization Relationship that is already in place, in this example the relationship is called "Cloud

Set-OrganizationRelationship -Identity "Cloud" -TargetOWAURL Https://www.outlook.com/owa/bpos.Exchcloud.com

When this is set and a user that has a TargetAddress that has a domain name that matches the value in the Organization Relationship, the user will be redirected accordingly. You may notice that the domain is appended to the URL; this will be explained in the next section of the training.

Important: Before setting the TargetOWAURL value it is a good idea to test the URL manually to ensure it is valid and working. There is no error prevention in place to prevent a typo when configuring the value.

In order for this OWA redirection to work, we need to have the Federation Trust and the Organization Relationship in place with the proper domain names just as we do for all of the Organization Relationship features.

Realm Discovery

You will notice that when you set the Organization Relationship with the TargetOWAUrl the URL has the domain name specified Https://www.outlook.com/owa/contoso.com. The reason for the Domain name being specified is to allow for realm discovery to happen when the request is redirected. The Domain specified will allow for realm discovery to redirect the client to business instance of the Microsoft Online Identity (MSOL ID) service. Previously (live, wave 12 and Live@edu), all of the online services were directed to the consumer instance. Now we have the new business instance that is used for Office 365. The domain portion appended to the OWA URL

103

allows us to connect the clients to the proper Identity Provider (instance of the Microsoft Federation Gateway) for the Online services.

The URL values that can be used for Exchange Online users to login to OWA are as follows:

Https://www.outlook.com/owa/contoso.com

Customer can set a vanity URL that will redirect to the following usually via a CName record Https://www.outlook.com/owa/contoso.com

With the Vanity URL, you can create an address such as webmail.contoso.com and have that redirect via a CName record to the OWA URL to redirect to the https://outlook.com/owa/contoso.com. The vanity URL cannot be the same as the on-premises URL that is currently being used if you are configured for rich coexistence because there can only be one DNS entry for that URL.

For instance, if you have cross-premise environment and your on-premises URL for Outlook Web App is mail.company.com, you would have to use something different for the vanity domain name such as OWA.Company.com. This is because there is already a host record published for mail.company.com that resolves to the on-premises environment.

Workflow for TargetOWAURL Process

The following is a flow chart that explains the redirection actions for the connections described above. When we go to Outlook.com without the domain name appended, this is known as the Realm Discovery process. You will see that we go to outlook.com, which resolves to an Exchange Online CAS, and we are then redirected to the Login.MicrosoftOnline.com page silently, we are redirected there because that is the Identity Provider for the online Services.

We then are prompted for authentication information, and based on the provided information, the realm discovery occurs. The Realm Discovery actually occurs when you put in your username, and we do a check to see which instance of the Federation Gateway that domain is "homed" on. After the Realm is validated (business, in this case) we submit our credentials to the proper instance of the MSOL ID provider, and get an authentication cookie (this could actually occur via Identity Federation as well). In this case the since there is no Identity Federation in place you will get prompted for the MSOL identity credentials, if you have Identity Federation you would log in via AD FS.

104

Browser CAS (outlook.com) Login.live.comLogin.mso.com

GET www.union.com

302 redirect to login.mso

GET login.mso.com

200 Login Page

POST creds

200 set cookies + script/POST to union.com

POST

302 outlook.com POD URL

200 + realm state

POST getUserRealm

Login Process with Identity Federation

If the user was to browse to outlook.com/owa/contoso.com, or if you were to specify the TargetOWAURL, or if you had a vanity URL that pointed to outlook.com/owa/contoso.com, then you would experience the federation logon experience as long as you had Identity Federation configured. This would allow for the best user experience. The user would still be prompted by the STS login page that would authenticate against the on-premises AD FS server. The following in the flow for how this would work in the background:

Outlook.com/owa/contoso.com

105

Browser CAS (outlook.com) On Prem STSLogin.mso.com

GET www.outlook.com/contoso.com

302 redirect tooutlook.com/owa/contoso.com

GET login.mso.com + domain = contoso.com

200 Login Page

POST *creds

200 token + script/POST to login.mso.com

POST ticket

200 set cookies + script/POST to outlook.com

POST

302 outlook.com POD URL

UserSees...

302 redirect to on prem STS

GET logon page

STS Logon Page

STS Logon Page(cred entry)

GET www.outlook.com/owa/contoso.com

302 redirect to login.mso w/domain = contoso.com

The objective is to set the URL value for the users with the TargetOWAUrl with a value that will allow for a single sign-on experience. With Identity Federation in place the users experience will be seamless. The recommended value should include the domain name and the URL that points to the proper outlook.com with the realm identified in the URL address to ensure the best possible experience.

HTTP Watch Trace View of Login Process (along with the Client Experience)

The following is the output from the Http Watch trace when the user uses the On-premises URL (https://mail.bpos.exchcloud.com/owa)to access their Exchange Online mailbox. You will basically see the same results described in the flowchart above, hopefully the Http Watch view with the expected user experience will help in illustrating what happens in a more clear way.

1. The user enters https://mail.bpos.exchcloud.com/owa into Internet Explorer.

HTTP Watch experience:

106

2. The user enters his or her on-premises credentials, and selects sign-in.

Users Experience:

From HTTP Watch trace we see the authentication request go to the on-premises CAS:

3. The Target Address is specified for this user and there is a corresponding Organization Relationship for that domain. This will cause the clients request to be redirected to the outlook.com URL specified in the organization relationship. Notice that in this case we have the federated domain name appended.

User Experience:

107

HTTP Watch experience: shows that we are redirected to the outlook URL (not silent), then we are redirected silently to the login.microsoftonline.com, then we are redirected to the STS endpoint for authentication since we are using a domain enabled for identity federation.

The redirect to the Login.MicrosoftOnline.com occurs as a result of the Identity Provider setting for the Online services. The client is then redirected to the on-premises STS (AD FS endpoint) because the appended domain is federated with Identity Federation. If Identity Federation were not in place, the Login.MicrosoftOnline.com connection would allow us to provide the credentials for the user and fulfill the authentication request.

4. We are then prompted for authentication from the STS endpoint, unless we already had an authentication token in which case we would not have to authenticate again. Also this is from an external client. If the client was internal, they would not get this prompt.

User Experience from External client:

108

Note: The above Sign In screen is the AD FS Proxy screen FBA login screen. The user may see a different more traditional login screen if you used an AD FS Only server without an AD FS Proxy(that is not an issue)

HTTP Watch experience: trace view of the STS Authentication request:

5. We then retrieve the token from the AD FS server and we submit the token to the Login.MicrosoftOnline.Com server. This is also a silent process and the user does not get a prompt for this.

HTTP Watch Experience:

6. The Login.MicrosoftOnline.com endpoint will validate the token and create a token that the requested service will accept and send that token to the client, the client will be redirected back to the service to submit the token to the service and gain access. This is also a silent process and the user will not be aware of this transaction. The user will see the OWA displayed after this step. If you watch the browser address bar, you can watch the redirects as they occur.

User Experience:

109

HTTP Watch experience:

There is also a lot of great information within the trace that can help with troubleshooting issues with the login process. The great thing about the HTTP Watch trace is that you can see at which point the communication has failed. If there were any issues with the OWA or even the MOP login process since they use similar channels, the HTTP Watch trace is great for finding were the breakdown is. The following is a sample of the entire HTTP Watch trace so you can see the details of each step. You will need to install the HTTP Watch utility to have the ability to open the file.

TAR.hwl

Recording of the OWA Redirect

The following Video is a recording of the OWA redirect configuration and the user experience. Also, we will see the redirect behavior through HTTP watch as it was described above.

Add Recording Link

OWA Redirect

There is one additional feature pointed out in the above flow chart. You may have noticed that in the first step when the user went to the URL, they typed the domain name but without the OWA virtual directory being specified. The URL that was entered was Https://outlook.com/contoso.com. The OWA was not needed and the client still successfully made it to the proper endpoint, the reason this redirect occurred was because there is a redirection set on the Office 365 Client Access

110

Servers within IIS. The CAS's have the redirect settings set to redirect to /OWA. There is nothing that the Tenant or the on-premises Administrator will need to do as this is a default setting for Office 365 environment. This was done to ensure that the users will not have to type OWA in the URL explicitly since many customers do not have this requirement in there on-premises deployments.

This is not a new setting by any stretch but it is important to point out so we can fully understand the reason we are able to connect correctly.

Troubleshooting TargetOWAURL

There is not really all that much to this value so the troubleshooting steps are pretty straightforward. If the user accounts are setup with the correct TargetAddress and the proper domains have been added to the Federation Trust, then as long as the TargetOWAURL value is set there should be no issues. Below is a list of troubleshooting steps:

1. Verify that there are no issues accessing OWA.

2. Issues accessing ECP.

3. Exchange Troubleshooting Assistant (ExTRA).

4. IIS Logs.

5. Verify the TargetAddress and Domain names.

Verify there are no Issues Accessing OWA

The first step should be to take the redirection out of the equation and see if the user can access OWA directly to the Office 365 URL such as https://www.outlook.com/owa/contoso.com. If the

111

user cannot access OWA directly then the redirection is not your issue, if the user can access OWA directly than we know the issue is with may be with the redirection configuration.

It is important to make this the first troubleshooting step, since there is really not all that much to the OWA redirection. This will ensure that you are actually troubleshooting the correct component. If the OWA URL does not work directly, this can indicate an issue with the Identity Federation configuration. It may be best to log into MOP as the user and see if the Identity Federation is working for that portal. This will ensure the issue is not related to Identity Federation.

BPOS URL for an On-premises Mailbox

What if you use the Office 365 URL (https://outlook.com/owa/contoso.com), and then provide the on-premises credentials (assuming there is Identity Federation in place) and your mailbox is on-premises? At this point, the URL will not work and the user will get the following error message. If you plan to have a unified URL that all users' will hit for a cross-premise environment, you should use the on-premises OWA URL. There is no redirection from the Office 365 environment back to the on-premises environment.

The error is not the best, but it is accurate; the mailbox cannot be found since the mailbox does not exist in the Office 365 environment. Even if the user logs into MOP and selects the Outlook link, which is a link to OWA, the user will get the above error message. There are talks of removing the Outlook link from MOP for users that do not have an Office 365 mailbox to prevent this issue.

What About ECP?

The Exchange Control Panel (ECP) does not have a redirection URL and there are no current plans to add this functionality. The assumption is that the users will more than likely access OWA and the click the Options within OWA to access their ECP. This of course will still work because at this point you have already been redirected to the correct premise. Most people that access the ECP directly would be administrators, and they will more than likely know to which URL they need to connect. If

112

the Administrator were to attempt to manage the Office 365 environment via ECP, he or she would more than likely just go to MOP to access the ECP link, which will of course work as expected.

The following is the error that a user would get if his or her mailbox were in the cloud and he or she hit the on-premises URL for ECP directly such as https://mail.contoso.com/ecp:

This is not the best of error messages, but the solution is being presented to educate the user or Administrator on how to access using the proper URL or portal. There are no plans to address this at this time.

Exchange Troubleshooting Assistant (ExTRA)

The Microsoft Exchange Troubleshooting assistant is another tool that can be useful for tracking down issues related to OWA redirection. This will provide insights to the issues that may be component or configuration related. The tracing will show everything from the Active Directory account lookup up to the redirection page that is displayed. After that, the on-premises Exchange server no longer handles the client request.

The following is a screen capture of the EXTRA components to trace:

113

The following is the list of components and tags that need to be traced:

On the Client Access Servers

Trace Types: All

Components to Trace Trace Tags OWA All Trace Tags ADProvider All Trace Tags

The output from the above trace tags would be the following, you can see that the request is redirected to the redirect logon page and them there is not much else since the rest of the traffic is not handled on the exchange server. The below is an indication of a successful TargetOWAURL redirection.

114

IIS Logs

Just like with any web related request we can get a lot of useful information from the IIS logs on the CAS. The IIS logs can be useful in determining authentication issues as well as many other IIS issues. Below is a snippet from the IIS logs for the redirection request. This is taken from the on-premises CAS when the Office 365 user accessed the on-premises OWA URL, you will see that the user was first authenticated and then redirected to the CAS redirect page.

2010-11-22 20:05:45 192.168.1.107 POST /owa/auth.owa - 443 exchcloud\adrian 192.168.1.110 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+MS-RTC+EA+2;+.NET+CLR+1.1.4322;+.NET4.0C;+.NET4.0E;+MS-RTC+LM+8;+InfoPath.3) 302 0 0 515 2010-11-22 20:05:45 192.168.1.107 GET /owa/casredirect.aspx - 443 exchcloud\adrian 192.168.1.110 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+MS-RTC+EA+2;+.NET+CLR+1.1.4322;+.NET4.0C;+.NET4.0E;+MS-RTC+LM+8;+InfoPath.3) 200 0 0 218

After the redirect, there is no useful information in the IIS log files since there is no further communication with the on-premises CAS. This can be useful if you are not able to get past the initial FBA logon page for OWA, or if there is no redirect page being displayed to the user. The troubleshooting would be the same as it would for any IIS log troubleshooting. You would be looking for the 40x and 50x errors in the logs.

Verify the TargetAddress and Domain Names

When we are logging into the cross-premise environment there is a Mail Enabled User (MEU) for the account in the on-premises side. This MEU has a TargetAddress specified which is the address for which mail should be sent to for this user. The address will be the address for the current location of the mailbox, which is in this case the cloud. This information should be kept up to date via the DirSync process so there should be no manual intervention for this. However, if there is an issue with the redirection, there may be a need to verify this value, and then compare the domain name portion of this TargetAddress to the Domain Names that are specified on the Organization Relationship. This is because we use the TargetAddress not only for mail flow but also for OWA redirection.

115

To verify the Target address on the users object you can open ADSIEDIT and view the TargetAddress attribute in the properties of the user account. This can be found on the properties of the user in the domain naming context connection to the ADSIEDIT utility.

Logging in as the Wrong User

There are many times when more than one person shares a machine. With Identity Federation in place, this can cause some issues. We have had many issues were a user will try to access OWA from this shared machine while a different user is already logged on. This will cause the user to see the logged in users inbox. This issue occurs because of the way Identity Federation works. It is more like an integrated authentication in the fact that it takes the logged in credentials and silently authenticates the user when it is domain joined.

There are only a few ways to resolve this issue and they are not ideal.

Log on as the correct user: This will be one course of action that can be taken, when the user logs on using his or her authentication to access OWA.

Use Run AS: users can use the run-ad option to run the internet explorer as a different user. In order to run Internet Explorer as a different user from the Start menu, locate the Internet Explorer and CTRL+SHIFT+right-click it. Then, select the option to run as a different user and provide the appropriate credentials.

116

These are not ideal solutions, but they will resolve the issue. At the time of this writing, there is no fix or workaround for this issue since it is AD FS-specific.

Troubleshooting Outlook and OWA

Troubleshooting the Outlook Offline Address Book

This section describes how to troubleshoot the following Offline Address Book issues in Microsoft Outlook by using the Outlook Web Access client:

Users cannot download the Offline Address Book.

Synchronization errors occur in the Offline Address Book.

The Offline Address Book is not updated correctly within a 36-hour period.

You receive non-delivery report (NDR) messages when you use the Offline Address Book to send email messages to users.

Before you can successfully troubleshoot Outlook Address Book issues, you must make sure that the Autodiscover process is functioning correctly.

Recovering Missing Items from Your Mailbox

Symptoms

When you use Microsoft Outlook 2010 or Microsoft Office Outlook 2007 to connect to Microsoft Exchange Online, you notice that some messages are missing from the mailbox.

Cause

Typically, this issue may occur if one or more of the following conditions are true:

The message was deleted.

The message was archived.

The Outlook client is configured to use a custom view that may be filtering the missing message.

The POP3 settings are configured incorrectly.

Resolution

117

Important

This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base: , http://support.microsoft.com/kb/322756 How to back up and restore the registry in Window.

To resolve this issue, you can use one or more of the following methods.

Scenario: Search for the Missing Items

Open Outlook, and then use the Outlook Search feature to check manually the following locations for any indication of the deleted items:

Inbox

Deleted Items

A folder where the message previously existed

A specific folder

Or, perform a Mailbox-level search.

Scenario: The Message Was Deleted

Recover a Message that was Deleted from the Deleted Items Folder

1. In Outlook, click the folder that contained the missing message, such as the Inbox folder, the Deleted Items folder, or a specific folder in which the message previously existed.

2. On the menu bar, click Tools, and then click Recover Deleted Items.

3. In the Recover Deleted Items from dialog box, select the missing message from the list, and then click the Recover Deleted Item icon.

Recover a Message after a Hard-delete or when the Deleted Items Folder is Empty

1. On the client computer that you are using to perform the deleted items recovery operation, click Start, click Run, type regedit, and then click OK.

2. Expand the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\Client\Options

118

Note

If part of this registry subkey does not exist, it must be created manually.

3. Right-click Options, point to New, and then click DWORD Value.

4. Type DumpsterAlwaysOn, and then press ENTER to name the new value.

5. Double-click DumpsterAlwaysOn.

6. Type 1 in the Value data box, click Decimal in the Base area, and then click OK.

7. Close Registry Editor.

8. Restart Office Outlook.

9. Select the folder from which the message was deleted, or select the folder in which the message existed before the message disappeared.

10. Do one of the following:

a. In Outlook 2007: On the menu bar, click Tools, and then click Recover Deleted Items.

b. In Outlook 2010: Click the Folder tab, and then click Recover Deleted Items.

11. In the Recover Deleted Items from dialog box, select the missing message from the list, and then click the Recover Deleted Item icon.

Scenario: The Message Is Archived

1. In Outlook, click Go, click the Folder List, and then click Archive Folders or the name that you used for the archive location.

2. Click the folder that contains the message that you want to move.

3. Select the message that you want to move, and then drag the message into the original folder in the Folder List or into another folder.

Scenario: The Outlook Client Is Configured to Use a Custom View that Uses a Filter

Use Microsoft Office Outlook Web Access to log on to Exchange Online. If you can see the message when you use Outlook Web Access, the Outlook client may be using a custom view and filter. To remove the filter, follow these steps:

If you are running Outlook 2007, follow these steps:

1. Click View, select Current View, and then click Customize Current View.

2. In the Customize Current View dialog box, click Filter.

3. In the Filter dialog box, click Clear All to remove the current filter, and then click OK.

119

If you are running Outlook 2010, click View on the Office Ribbon, and then click Reset View under the Current View group.

Scenario: The POP3 Settings are Configured Incorrectly

1. In Outlook 2007, click Tools, and then click Account Settings. In Outlook 2010, on the File tab, click Account Settings.

2. In the E-mail Accounts dialog box, select your ISP POP3 account, and then click Change. Make sure that the POP3 settings are correct.

3. Click More Settings.

4. Click the Advanced tab, and under Delivery, make sure that the Leave a copy of messages on the server check box is selected.

5. Clear the Remove from Server after # days check box.

Note

Also, verify other clients or mobile devices that are synchronized with the Exchange Online mailbox for POP3 settings.

120

NEW OUTLOOK MOBILE FEATURES

Mobile Free/Busy Lookup Until now, users have not been able to see free busy (availability) on devices without some other third-party solution. They always had to use Outlook or Outlook Web Access to view free busy and book meetings with others.

To make the experience better now, the Outlook Mobile Update for 6.1 now lets you look up and view free busy for any user or distribution list in the organization.

Although the view is very simple, it is effective and gets the job done.

Viewing Free Busy

The Free Busy view is accessible when creating a meeting request and clicking the Required Attendees entry. This takes you to the Required and Optional Attendees dialog box. You can look up your attendee in the Required Attendees section of the dialog box:

his or her name. In this example, we are viewing Mod4 User6

121

After clicking, you have a few things you can do with that name.

You can View Free/Busy, send mail or go into the Company Directory from here.

When you click View free/busy, the server makes the request, provides the result to the device for display.

In this dialog box, you can click the right or left arrows around the Free/Busy time strip to look at availability in the past or in the future.

122

There is no way to select a time slot you wish to use for the meeting request you are currently configuring. You must note the availability time to enter into the meeting request screen.

The only clickable items in the time scale are the arrows on the left and right side to move the date forward or back.

Click OK to accept and return to the list of required and optional attendees.

From there, you can add more attendees or click Done to return to the meeting request and enter the time slot you saw as available.

123

Like in any meeting request, you enter your Subject and Location and any other information and click OK to send the request.

Design

The Free Busy retrieval mechanism is already built into Exchange with the Availability service, so it became easy to implement this solution for Windows Mobile 6.1 + update or higher users. Some changes were made to the server side to accommodate client request calls. More work was done on the client side to have the UI and request mechanism in place.

Availability Merged View

Some may already be familiar with how the availability service represents free busy time slots in a string of numbers. More information can be found on MSDN® at http://msdn.microsoft.com/en-us/library/aa566048(EXCHG.80).aspx.

Troubleshooting

As discussed in the lesson, there are tools and steps to use to troubleshoot free/busy on a Windows Mobile 6.1 + Update or 6.5 device.

1. Use another mechanism first, such as Outlook Web App or Outlook.

2. Logs from phone device.

Use Another Mechanism First

To narrow down an issue it is sometimes a good idea to try to use another method to see if Free/Busy works. Because most applications use the same Availability service, try Outlook Web App

124

layer of Autodiscover for you to worry about. Mobility Free/Busy is the closest to Outlook Web

Logs From Device

The logs from the phone itself can be a great resource with the availability status codes, and so on. The logs can be found in the \Windows\ActiveSync folder on the device.

It is best to complete the operation you are testing and then immediately copy the logs from the device to a desktop machine or another location on the device if you want to read them on the device itself. If you leave them in the original location, they could be overwritten the next time the phone performs a sync or other ActiveSync command.

Reply Forward Status and Conversation View Conversation View is one of the most useful features of the new 6.1 Mobile Update. This feature is

Although not quite as extensive in nature and has a few limitations, it still fills a need to better help users triage their email while away from their main computer and a full Outlook Web App or Outlook client. The view is on by default, after the mailbox has synchronized completely.

Mail Message Actions and Conversation View

Very little has changed in message management and Conversation View in the update. A few button configuration changes are the only changes.

Message Actions

when you click it.

125

The button bank expands to all available actions that can be performed on the message currently being viewed.

They contain the following options:

Reply

Reply All

Forward

126

Keep Unread

Delete Flag

View Original Message

In previous versions of Outlook Mobile (including previous updates), you had to use the menu button and dig deeper into the menus to find those options.

The only two new options are the Keep Unread and View original message options.

The Keep Unread option simply ensures the message is kept as unread so that when you later view the message in Outlook Web App or Microsoft Outlook, the message is still unread and allows you to make sure you see the message again when returning to the office.

The View original message option is used in conversation view, which is discussed below.

Conversation View

You will still see a number of unread messages and the multiple message icons. This helps indicate that the entry is a multiple message conversation.

When you open the conversation, just like before you see the entire thread. However, now that the message managis not needed on the bottom of the display.

127

Instead of the menu, you now have a Collapse all and an Expand all button on the bottom. The default is Expanded mode, as shown above. When you press the Collapse all option, you are able to see only the quick previews of all messages in the conversation.

You can still select any message for which you are interested in seeing more detail. It will open and give you all usual management options to reply, and so on.

128

Mobile Short Message Service (SMS) Sync A new feature of the Windows Mobile Update 6.1 is the ability to synchronize SMS messages between Exchange Online and your phone. This feature allows you to enter, send, and reply to SMS messages while working in Outlook Web App or Outlook 2010.

129

By default, the option of synchronizing SMS messages is turned off. To enable the option launch the ActiveSync application on the Windows Mobile phone and select Text Messaging on the Options page.

At the next sync when the device issues a Settings command, the SMS enable option is sent to the

130

An Email message is sent to the owner of the mailbox almost immediately after the server detects that SMS has been enabled for the mailbox. The property used to detect this on the mailbox is the EasEnabled property, which Account settings. Every user has a group of Text Message related settings. When the message from the phone comes to the server, the Text Message Account setting is modified.

To view the setting, run the following cmdlet:

Get-TextMessagingAccount <user>

The output will look something like below but not the EasEnabled property:

Once confirmed that EasEnabled is True, the mail is sent. The mail is a congratulatory mail to explain the availability of the feature and reads as follows:

The link takes you to some generic information regarding text messages (to be changed). The link is: http://go.microsoft.com/fwlink/?LinkId=151599

After you sign back in to Outlook Web App, or close and reopen Microsoft Outlook 2010, both types of Outlook clients can now send, view, and reply to SMS messages.

Sending SMS Messages from Outlook Web App

To create a new text message from within Outlook Web App, select the New menu, and then choose Text Message.

131

This opens a new message window where you can type in the recipient (or use any number from your contacts list or company GAL), and a message:

While editing the message there is a large character counter (104 in this example) that tells you how many characters you have left in the text message. By standard, a text message is limited to 160 characters. If the message exceeds the standard 160 characters, the message is split into multiple messages. The user is informed of this as they type.

The message type created for this is new and is IPM.Note.Mobile.SMS.

After clicking Send, the message is sent to the Outbox on the server. The server then initiates a Sync command to the phone.

132

The phone receives the message and places it in the SMS messaging system outbox for transmission. The phones SMS system is used to send all SMS messages. This means it is important that the phone is turned on when wanting to use this feature and that your delivery schedule is set to As items arrive. The server initiates the Sync whenever needed.

If your phone is set to retrieve mail at a timed interval, the SMS message will NOT be delivered until the scheduled timed interval has passed and the phone initiates a request for sync.

To ensure the correct setting is set, check the Schedule dialog box in the ActiveSync application to make sure Sync during is set to As items arrive.

133

After the message is placed on the device, the message is then also placed in your Sent Items folder on the mailbox server.

Important: If there are two or more phones that have synchronized with the mailbox, then the latest one that

MailTip

A few conveniences have been added to SMS Sync when sending messages. One is in the form of a MailTip when composing a new Text Message. When using Outlook Web App to send an SMS message and your phone is not synchronizing on a regular basis, you receive a MailTip indicating this:

134

There is a help link (http://help.outlook.com/en-us/beta/910552b1-c99c-4046-8bbc-9d2e8dbcbfda.aspx) which provides general information about SMS Sync in an Exchange 2010 environment. It discusses the following two topics:

Enabling Text Message Synchronization

Sending Text Messages from Your Account

Why the Message Indicates the P Syncing

The help does not explain how to make sure that you do not see the MailTip indicating your phone is not syncing and that your message does not go out immediately when you click Send.

The reason the message displays is because your ActiveSync schedule is not set to As Items Arrive and is only connecting periodically. If you set your schedule to that setting the MailTip is not shown and the message is sent immediately.

Note: Regardless what your schedule is set to, if you click Send and attempt to send the message, you see the following MailTip on the top of your sent message in Sent Items indicating the message has not been sent yet.

After the message is sent out through your phone, the mailtip disappears and the message in Sent Items looks like a normal message.

135

Message Flow Sending through ActiveSync

The following steps summarize the flow of a sent SMS message:

1. An OWA user creates a new SMS message and presses Send.

2. .

3. Transport picks up the message from the Outbox.

4. Transport sees that the message is an SMS message (IPM.Note.Mobile.SMS) and posts the message back in the Outbox .

5. Exchange Online CAS gets a change notification for a message in the Outbox.

a. Exchange Online CAS ignores items that are meant for Transport to avoid endless repeats.

6. Exchange Online .

7. The device sends the SMS message.

Receiving SMS Messages

In the Outlook Mobile Update 2.0, the most significant change is the location you may now direct your received SMS messages. In the previous update, if you enabled SMS sync, all of your messages would synchronize and be placed in your Inbox. This was a problem for most users to quickly see the messages and be able to respond to them.

Now in the 2.0 update, you can direct the messages to a folder called Text Messages. To do this, follow the following steps:

1. Go to the Text Message inbox in Outlook Mobile.

2. Select Menu.

3. Select Tools / Options / Manage SMS Sync.

136

4. There you are presented with three options.

5. The new option on this menu selection is the Text Messages option. When you choose this option, a new folder called Text Messages is created for you if it does not exist. From that point on, all new Text Messages are placed into that folder. Like before, you can still choose to keep the messages in your Inbox (Default) or choose to disable the feature by selecting the Disable SMS Sync option.

137

6. Click OK.

Text Messages Folder

When the folder is created, it is created at the same folder level as the Inbox folder. It is not created inside the Inbox folder. This makes it easy to find with a single click.

Deleting SMS Messages

If you use Outlook or Outlook Web App to delete an SMS message that has been synchronized to your device and present on both the device and your mailbox, the SMS message will be deleted the next time a sync operation occurs.

SMS Synchronization Limitations

Number of Messages

Only up to three of SMS messages are synchronized. This value cannot be customized. The reason for this is due to performance. In testing, when too many of SMS messages were being synchronized, this caused performance issues.

Deletes on Server

If you choose to delete SMS messages that have been synchronized to your Inbox on the server, they are only deleted on the server. The delete action does not synchronize back to the device. You must manually delete the SMS message off the device if needed.

Over-the-air Update for Outlook Mobile

Distribution of the Mobile Update

The new update can be loaded and installed by a m obile phone user in the Exchange organization. The distribution point is a Microsoft Corporation public server. The user can follow a URL that the adm inistrator can share by using an ActiveSync policy to allow the update to occur.

W hen the user goes to the URL (https://update.outlook.com /cabs/OutlookLiveSetup.cab), they are able to dow nload and install the OutlookLiveSetup.CAB �� r�� d to distribute the 6.1 W indow s Mobile Update. This �irst w hat kind of phone the user has so it can then determ ine w hich second �� d�� d� �� rr�� d �� d�� d �� r�� d��

138

Customizing the Over The Air (OTA) Administrator Message

Administrator can customize the message a user sees when the update is available for them to install. To accomplish this, use the Set-ActiveSyncOrganizationSettings OtaNotificationMailInsert parameter:

Set-ActiveSyncOrganizationSettings

To verify your setting, use Get-ActiveSyncOrganizationSettings:

Get-ActiveSyncOrganizationSettings | fl *ota*

Results:

Steps to Ensure the Device Gets the Correct Update Bits

1. If the following conditions are true, the boot

Online.

Policy setting AllowMobileOTAUpdate is $True.

Windows Mobile OS version is 6.1

Windows CE 5.2 19202 to 21142

Device talks to the server in Airsync Protocol version 12.1

139

User device sends Settings command. (This is the command used to get information about protocols, and so on.)

Detailed table to determine if the bootstrap mail will be sent to the user depending on their specific version and what the AllowMobileOTAUpdate setting is:

Airsync Protocol Version

Windows CE OS version

AllowMobileOTAUpdate

Send bootstrap mail

12.0 and below Windows CE 5.2.19202 to 5.2.2114

True/False No

12.1 Windows CE 5.2.19202 to 5.2.2114

True Yes

12.1 Windows CE 5.2.19202 to 5.2.2114

False No

12.1 Windows CE <5.2.19202 or >5.2.2114

True No

12.1 Windows CE 5.2.19202 to 5.2.2114

True No

14.0 Windows CE 5.2.19202 to 5.2.2114

True/False No

To check all the above settings Exchange gathers the following information from the Settings command:

a. Device Type

b. EAS Protocol Version

c. Device Model

d. IMEI International Mobile Equipment Identity (device electronic serial number)

e. Friendly Name

f. OS with build number

g. OS Language

h. Phone Number

140

When it is determined that the email is to be sent, the email is received on the device for the user to see. The email contains a hyperlink for the user to go to the web and obtain the Bootstrap CAB. All links are secure using SSL and all CABS are signed.

2. User clicks on the hyperlink and downloads and runs the Bootstrap CAB. The bootstrap CAB then contains the logic to obtain the correct device specific CAB containing the update.

3. The next cab with the device specific update bits is retrieved from the Microsoft Download center and installed. The Outlook Mobile Update cannot be installed on a storage card. It must be installed in main memory.

AllowMobileOTAUpdate

The AllowMobileOTAUpdate setting is part of the standard ActiveSync policy. This is the main setting that determines if the email with the update hyperlink is ever sent to the device. If the device meets all technical criteria to obtain the update, it still will not receive the email to perform the update.

The default setting is enabled ($True). You can check this setting by using the following cmdlets:

To check a specific user:

1. First, check which policy they have assigned.

Get-CasMailbox <user> | fl ActiveSyncMailboxPolicy

The name of the policy is returned:

ActiveSyncPolicy : Default

2. AllowMobileOTAUpdate setting:

Get-ActiveSyncMailboxPolicy Default | fl AllowMobileOTAUpdate

The setting is returned:

AllowMobileOTAUpdate : True

If True, then the mail will be sent if the other versioning information conditions listed are true also.

Email with Hyperlink and Installation of Update

$True and all technical versioning criteria are met reads as follows:

When the email arrives, the user receives an email alert:

141

After clicking the link presented in the mail, you receive the URL confirmation you must approve if you want the update:

At this point, the device receives the first CAB (bootstrap) to install.

142

After the Bootstrap is extracted and installed, the phone now does some checks phone type, language and screen size. After it has those, the phone goes back online and retrieves the Outlook Mobile Update AND the Outlook Mobile Updater (can be seen on the device as a Program icon), the user is prompted to accept the download and proceed.

143

144

After the restart, the device will resync completely and once all messages have synchronized and completed all sync state upgrades, the new features will become available.

Note: Sometimes you are brought to the Inbox before a complete sync has occurred and only have the display is updated like in this screen shot. The full sync has not occurred yet but part of the interface is present. If this happens, just launch ActiveSync and force a sync process, and then follow the remaining steps in the section below.

The first time you sync to the server after the Outlook Mobile Update has been installed, you are forced to complete a resynchronization of all items. This is because you are now switching to the

145

new 14.0 protocol from the 12.1 protocol the Windows Mobile 6.1 device was using before the update.

Click Yes to resync. If you do not respond to the resync question in a timely manner, you will see an ActiveSync error telling you to sync so you can complete the full resynchronization.

After the resync, you are shown the Outlook Mobile update reminder mail again, but this time it can be ignored because the update is already installed now.

146

The bootstrapper CAB that was installed retrieved the Outlook Mobile Updater for the phone (in addition to the Outlook Mobile Update), and can now be used for any future updates. After the resync and before you go into your Inbox, you are presented with a dialog box asking if you would like to be notified of any updates.

Clicking Yes will ensure you get the latest updates on the Outlook Mobile client.

Email Links for Update Cabs

The links are set through the web.config in the \Sync folder on the Client Access server. The links point to the Microsoft public sites from which the devices will obtain the CABs. These are the links that will be inserted into the mail that is sent when notifying the user that an update is available for the Windows Mobile 6.1 phone.

The second link is the link that is a help resource so the user can learn more about the new features.

<! URL which hosts the bootstrap CAB for Windows Mobile 6.1 - -> <add key="BootstrapCABForWM61HostingURL" value="_http://go.microsoft.com/fwlink/?LinkId=150061" /> <! URL which provides information about setting up Windows Mobile phone to receive updates for Outlook Mobile <add key="MobileUpdateInformationURL" value="_http://go.microsoft.com/fwlink/?LinkId=143155" />

Tip: If the update cannot download for some reason, view the link in the mail (or web.config) and test the URL with your browser to make sure the link is currently functioning.

147

There is also a Bootstrap mail delivery delay option. This lets you set a time delay of how long you want the server to wait before sending out the mail message offering the link to update the phone. The default is 3 days or 259200 seconds.

<! Bootstrap mail delivery delay in seconds. Default is 259200 (= 3 days.) Windows Mobile 6.1 devices needs some time before running a bootstrap CAB.

v

148

RMS AND OWA MAILBOX POLICIES Active Directory Rights Management Services (RMS) is a core feature used by many of our customers in their on-premises environments to provide protection for messages and attachments that remains persistent with the object. Some of our customers will have a set of templates and policies in place (on-premises) that need to be available in Office 365 to meet the security requirements for their messaging systems. This deployment method is known as the cross-premises deployment option of RMS.

Importing On-premises Templates to Exchange Online With Exchange, on-premises integration between Exchange and RMS is done through web services calls from Exchange to RMS. There are a number of transactions (certification, publishing, acquiring RMS templates) and then there is a frequently used web service transaction (licensing). The primary problem with this integration is that licensing is the operation done most frequently, it also happens to be the operation that is performed during mail flow on Hub Transport servers. With on-premises solutions, this is not a significant issue because the AD RMS servers are generally collocated with the Exchange servers and the amount of RMS content is low.

In Exchange Online, this picture changes dramatically. When an Exchange server in the datacenter is making these transactions with an on-premises AD RMS server (cross-premise deployment) or a hosted RMS service there are a number of issues that can impact mail flow for one-to-many tenants. In particular, a non-responsive RMS server or latency between datacenters will delay mail flow for a tenant or set of tenants while categorizer threads are being held for licensing calls. This reduces the throughput of Hub Transport and impacts the mail delivery SLA. Once there are multiple non-responsive or high latency RMS servers, the problem is compounded further leading to widespread impacts to mail delivery. The core parts of this problem lead to reduced reliability in mail delivery as well as increased difficultly and cost in supportability.

To get around this issue, we can now export the RMS settings such as the templates and certificate information from the on-premises RMS configuration, then import those settings into the Online Services. This will allow the RMS in the appropriate premise to be used for write protecting the data.

Trusted Publishing Domain Today AD RMS provides a built-in mechanism for exporting Trusted Publishing Domains (TPDs). TPDs contain the root key pair used by AD RMS for generating RACs, CLCs, and EULs. In order for Exchange to perform the same operations, the TPDs (one or many) must be exported from the AD RMS cluster and then imported into Exchange Online. The TPD contains three things: the server licensor certificate (SLC) used for signing and encrypting certificates and licenses, the URLs used for licensing and publishing, and the templates created against that SLC (e.g. no print, cannot forward).

The import process will allow the Exchange Online Services to issue Use Licenses and Publish Licenses for the imported TPD. The Exchange Online services will essentially use the keys from the on-premises AD RMS environment. RMS transactions in the datacenter are executed within the datacenter without any external calls to the on-premises AD RMS server. The Exchange datacenter

149

tenant receives all IRM capabilities, except for Pre-licensing, which is not supported in datacenter. Clients such as Outlook, receive the protected content and continue to call the web services of the on-premises AD RMS server to request the appropriate license to consume the RMS content received.

Distributed Key Management Storage

The TPD is essentially a public and private key pair that represents the root authority of the tenant for RMS purposes. The public key along with domain information is represented as a certificate in XML format (also called Server Licensor Certificate, or SLC) while the private key is a binary blob that needs to be protected.

Embedded RMS uses Active Directory as the storage location for the imported Trusted Publishing Domain, as well as the rights access certificate key pairs and templates used by each tenant. This information is stored for each datacenter tenant in the following locations:

Datacenter AD storage location for imported TPD

Org Container

TPD Object

Tenant Org Unit

IRM Config

TPD Container

Trusted Publishing Domain Stored under the TPD container (TPD object) directly under

Rights access certificate Embedded RMS running in Exchange datacenter only issues a single RAC that represents Exchange server identity (server-box RAC) instead of end users. This RAC is stored on the IRM configuration object (IRM Config) in AD.

RMS Template(s) Stored as part of the TPD object(s) in AD as multi-valued attributes.

150

This information is secured within Active Directory using Distributed Key Management. By default, Exchange DKM uses AES-128 to encrypt the RMS TPD and related keys.

Distributed Key Management works by storing the root encryption key along with crypto policy configurations in Active Directory (AD) and Access Control Lists (ACL) protect it with an Active Directory group. The Exchange datacenter is already pre-Exchange DKM This group is populated with Exchange identities

This essentially allows for any Exchange role server to use DKM to access per-tenant RMS keys and thus can call into Embedded RMS component hosted on that server.

Operations that Need To Be Performed for RMS Cross-Premises The following is a list of the actions that need to be performed to export the RMS settings from the on-premises environment, and then import the settings into the Office 365 environment. The prerequisite here is that you need to have AD RMS configured and running on-premises.

The first operation performed by the administrator will be exporting the TPD to an XML file. The Administrator must navigate to the Trusted Publishing Domain node in the AD RMS console. From here, the administrator will select the TPD that needs to be exported and will click Export Trusted Publishing Domain from the Action bar. If there are multiple TPDs the Administrator can perform the export as described for each of the TPDs.

151

Once Export Trusted Publishing Domain has been selected, the following dialog box will be displayed to the administrator. A file location and name must be specified and a password must be provided.

Exchange Online will only support exporting in the v2 format. If the administrator checks the Save trusted publishing domain file in RMS version 1.0 Exchange Online will reject it during the import process.

152

This process will result in an XML file containing the SLC, the internal/external URLs, and the RMS templates for that SLC. This process will be repeated for each TPD that needs to be exported.

Import the RMS Template

Once the administrator has the TPDs saved in XML format, they will need to run a task Import-RMSTrustedPublishingDomain in PowerShell connected to the Office 365 Exchange environment, specifying the following required parameters:

The XML file data ($file = Get-Content -Path C:\exported.xml -Encoding byte)

The password to be used to decrypt the contents of the TPD (the same password specified during export of the TPD)

The name parameter is used to provide a unique name for the TPD

ExtranetLicensingUrl and IntranetLicensingUrl should specify the URL that is used to access the Exchange server that is AD RMS enabled.

Optionally a switch can be used to indicate if the TPD should be set as the default TPD. (-default). The first imported TPD will by default be marked as default.

In order to see the value that should be set for the ExtranetLicensingUrl and IntranetLicensingUrl you can view the URL set in the Active Directory Rights Management MMC in the following location. Typically, this will be set to https://mail.company.com/_wmcs/licensing.

153

The Following is the full list of the Syntax and the parameters available with the Import-RMSTrustedPublishingDomain cmdlet.

Syntax:

Import-RMSTrustedPublishingDomain [ Organization <OrganizationIDParameter>] [Name <String>] [ FileData <Byte [ ]>] [ Password <SecureString>] [IntranetLicensingURL <URL>] [ ExtranetLicensingURL <URL>] [ Default<Switch>] [RefreshTemplate <Switch>] [ PrivateKeyFileData <Byte [ ]>] [PrivateKeyPassword <SecureString>]

For complete usage details on this cmdlet, review its entry in the "Reference to Available PowerShell Cmdlets" at http://help.outlook.com/en-US/beta/dd575549.aspx.

This process can be repeated for each TPD, the URLs that are part of the SLC plus the optional list of licensing URLs provided will be used when content needs to be decrypted and Exchange Online needs to figure out which TPD to use. In order to ensure that the TPD is used in local licensing operations, the administrator will need to specify one or more RMS licensing URLs in the Exchange server tenant configuration. These licensing URLs should correspond to the set of internal and external licensing URLs defined on the RMS licensing servers from which the TPDs were originally exported. Additionally the URLs assigned to a TPD will be stamped into the Publishing License (PL) when Exchange creates protected content (This ensures old URLs used by decommissioned clusters will still work properly.)

. This means that any new publishing operations will be done using this TPD. The default TPD can be changed using Set-RMSTrustedPublishingDomain -Identity <TPD ID> -Default cmdlet. If the administrator attempts to

ith a warning and InternalLicensingEnabled on the IRMConfiguration object will be set to false. If the administrator attempts to remove the default TPD and there are other TPDs, the remove task will fail and instruct the administrator to set another TPD as default before re-attempting to remove a TPD.

154

The TPDs are stored securely in Active Directory as described above. TPDs are protected such that unauthorized users, services, or processes cannot access the private key of the TPD. The same level of protection also extends to RACs that are stored in AD.

View and Enable the RMS Templates

When the Import is completed, you then need to enable the templates that have been imported. When the Import is complete, you will notice that the "type" is set to Archive which means that we cannot assign that license and it will not show as an option from the transport rules or from OWA. You will however be able to open messages that were previously protected with that template at the time of the import without changing the type from Archive to Distributed.

The first step you should perform is to view the Template that was imported so you can see the status. The following is the output from the Get-RMSTemplate -TrustedPublishingDomain CrossPremisesRMSDomain (Where CrossPremisesRMSDomain is the value specified in the name parameter when using the import-RMSTrustedPublishingDomain in the previous stage)

RunspaceId : c57c84d2-35fe-40a0-a025-b95edd5686ff Name : MyTestRMS Description : This is a test RMS template Type : Archived TemplateGuid : 461be8a6-eb94-4826-bd22-89dbb05756e6 Identity : MyTestRMS IsValid : True RunspaceId : c57c84d2-35fe-40a0-a025-b95edd5686ff Name : Do Not Forward Description : Recipients can read this message, but they can't forward, print, or copy content. The conversation owner has full permission to their message and all replies. Type : Distributed TemplateGuid : cf5cf348-a8d7-40d5-91ef-a600b88a395d Identity : Do Not Forward IsValid : True

From the preceding, you can see that the MyTestRMS (which is a custom template) template is set to Archive as the type. In order to apply this template to new messages within the Online Services this needs to be switched to Distributed. The following is the sample of the command used to make the switch.

Get-RMSTemplate -Identity MyTestRMS -TrustedPublishingDomain CrossPremis esRMSDomain | Set-RMSTemplate -Type Distributed

This will allow the template to be usable for protecting new content via Outlook, OWA, and Transport Rules. The reason the Template is set to Archive is so you can import a template and allow old protected messages to be decrypted. There will be times when the organization may not want to use the old template for protecting new content, allowing the template to be imported without allowing new content to be protected by this template allows Administrators to have greater control of the RMS templates that are used.

155

Enable the Use of RMS for Web-based Clients

Now that you have the RMS configuration imported and configured for use you can optionally move on to allowing RMS to be implemented for OWA and ActiveSync clients. Most of the companies that implement RMS will want to allow this for their web based clients. If you just wanted to use RMS for Outlook then this step is not needed. To see the current configuration of the RMS configuration you would run the following command. I have included the default output from that command as well.

Run Get-IRMConfiguration from PowerShell connected to Exchange Online services:

InternalLicensingEnabled : False ExternalLicensingEnabled : True JournalReportDecryptionEnabled : True ClientAccessServerEnabled : True SearchEnabled : True TransportDecryptionSetting : Optional EDiscoverySuperUserEnabled : True ServiceLocation : https://mail.get-mailbox.com/_wmcs/certificati on PublishingLocation : https://mail.get-mailbox.com/_wmcs/licensing/p ublish.asmx LicensingLocation : {https://mail.get-mailbox.com/_wmcs/licensing}

As you can see from the above output, the InternalLicensingEnabled is set to False. This is the default setting, and should be set to true to allow web-based clients to utilize the RMS services. The following is the syntax to set this value to true. The changes should be immediate and the users should then be able to use the templates from any RMS supported client.

Connect to the Exchange Online Environment using PowerShell run Set-IRMConfiguration -InternalLicensingEnabled $True

The following lists out the syntax and the parameters that are available for the Set-IRMConfiguration Cmdlet.

Syntax:

Set-IRMConfiguration [-Organization <OrganizationIDParameter>] [-Identity <IDParameter>] [-ExternalLicensingEnabled <$true | $false>] [-InternalLicensingEnabled <$true | $false>] [-JournalReportDecryptionEnabled <$true | $false>] [-ClientAccessServerEnabled <$true | $false>] [-SearchEnabled <$true | $false>] [-TransportDecryptionSetting <Disabled | Optional | Mandatory>]

For complete usage details on this cmdlet, review its entry in the "Reference to Available PowerShell Cmdlets" at http://help.outlook.com/en-US/beta/dd575549.aspx.

There are many options with the Set-IRMConfiguration cmdlet, they can be used to control the behavior of the RMS usage within the Online Services, just as they could for the on-premises services. The settings within Office 365 will typically match what you have within the on-premises

156

environment (which can be viewed from the on-premises Exchange server EMS running the same Get-IRMCnfiguration Cmdlet).

The settings do not have to match; there will be some customers that may want to limit the footprint of their RMS configuration. This is why the settings do not have to match; most customers will choose to make the settings match to allow for a more seamless experience for the users.

Extending RMS to Office 365 The following is a step by step for exporting the Trusted Publishing Domain from the on-premises RMS server to the Office 365 environment. This is assuming that RMS is already in place and running correctly on-premise. This will explain the Export and import steps in order.

Step 1: Export TPDs from AD RMS Clusters

The first step is to export the required TPDs to a XML file.

selecting the TPD thathe Action bar. A file location, name, and password need to be provided to export the TPD into the XML file.

This process will result in an XML file containing the SLC, the internal URLs, and the RMS templates for that SLC. The process will be repeated for each TPD that needs to be exported and each RMS cluster that is used for licensing new or old content.

The export process and task syntax is described in more detail in the following articles:

http://technet.microsoft.com/en-us/library/cc731228.aspx

http://technet.microsoft.com/en-us/library/ee617275.aspx

Note

Exchange only supports production hierarchy keys. Test or pre-production hierarchies are not supported.

Step 2: Import TPDs to Exchange Online

Once the TPDs are exported to a XML file, they can be imported into your Exchange Online tenant.

To do this, administrators need to connect to their Exchange Online tenant using remote PowerShell in the Organization Management or Information Rights Management role. The Import-RMSTrustedPublishingDomain task must then be used with the following parameters for each TPD that you need to import:

Import-RMSTrustedPublishingDomain -FileData $([byte[]](Get-Content -Encoding byte -Path "<Path to exported TPD, i.e., c:\tpd.xml>" -ReadCount 0)) -Name "TPD Name" -ExtranetLicensingUrl https://<external rms cluster

157

hostname>/_wmcs/licensing -IntranetLicensingUrl https://<internal rms cluster hostname>/_wmcs/licensing

FileData Contents of the exported TPD file location.

ExtranetLicensingUrl The extranet licensing URL used by your on-premises RMS cluster.

IntranetLicensingUrl The intranet licensing URL used by your on-premises RMS cluster.

Default Switch to indicate if the TPD should be set as the default TPD (optional parameter).

When prompted for a password, enter the password used during export of the TPD from AD RMS.

Import-RMSTrustedPublishingDomain needs to be repeated for each TPD.

Note

When a TPD is imported, the corresponding templates from AD RMS are also imported. The TPD contains the templates that were created with the specific SLC contained within the TPD. Exchange will support up to 20 templates per TPD.

Note

The URLs that are specified when importing will be used by Outlook clients and will also be used when content needs to be decrypted and Exchange needs to figure out which TPD to use. In order to ensure the right TPD is used these URLs must match the configuration in your on-premises AD RMS cluster.

Step 3: Distribute RMS Templates

As in AD RMS, Exchange Online uses the concept of Distributed and Archived templates. Once a TPD has been imported you need to select which RMS templates are Distributed (i.e., visible by end-users in OWA). You can see the list of all templates contained within the default TPD by running:

Get-RMSTemplate -Type:All

You can then change templates from Archived (i.e., not visible) to Distributed (i.e., visible) by running:

Set-RMSTemplate -Identity <template identity> -Type:Distributed

Only Distributed templates in the default TPD are shown in OWA. All templates in the default TPD are allowed in transport rules. Templates in non-default TPDs are only used for decryption. Although templates in non-default TPDs can be marked as type Distributed, that has no effect unless the TPD is made the default.

To view templates in a non-default TPDs, use the TrustedPublishingDomain parameter as follows:

Get-RMSTemplate -TrustedPublishingDomain "one TPD name"

158

Step 4: Enable IRM in Exchange Online

Once a default TPD has imported you need to enable IRM for your tenant:

Set-IRMConfiguration -InternalLicensingEnabled $true

Step 5: Change the Default TPD (Optional)

When the first TPD is imported it will be marked as the default TPD. Any new publishing operation (i.e. IRM content is created) will be done using this default TPD.

The default TPD can be changed using this command:

Set-RMSTrustedPublishingDomain -Identity <TPD ID> -Default

Updating Exchange Online with New Templates If RMS templates are changed on-premises, the Import cmdlet can be used to refresh Exchange Online. Export the TPD again per step 1. Use this variation of the Import cmdlet:

$data = [byte[]](Get-Content -Encoding byte -Path "<Path to exported TPD, i.e., c:\tpd.xml>" -ReadCount 0) Import-RMSTrustedPublishingDomain -FileData $data -Name "TPD Name" -RefreshTemplates

The Name must match the name of the previously imported TPD. When prompted for a password, enter the password used during export of the TPD from AD RMS.

After the import, you will see a list of templates that are new to Exchange Online and a list of templates that are no longer in Exchange Online. If any of the new templates should be visible in OWA, mark them as type Distributed the same way as in step 3. Ensure that deleted templates are not referenced by transport rules because that will cause NDRs.

Disable IRM in Exchange Online To stop using the TPD in Exchange Online temporarily, the IRM feature can be turned off:

Set-IRMConfiguration -InternalLicensingEnabled $false

To remove the TPD (and the embedded SLC), use the Remove-RMSTrustedPublishingDomain cmdlet. The following removes all non-default TPDs:

Get-RMSTrustedPublishingDomain | ?{ $_.Default -eq $false } | Remove-RMSTrustedPublishingDomain

The following removes the default TPD after all non-default TPDs have been removed:

Get-RMSTrustedPublishingDomain | Remove-RMSTrustedPublishingDomain -Force

159

Note

only TPD, then removing the TPD will succeed with a warning and IRM will be disabled. If the administrator attempts to remove the default TPD and there are other TPDs, the remove task will fail and instruct the administrator to set another TPD as default before re-attempting to remove the TPD.

Using Outlook Protection Rules in Exchange Online The Outlook Protection Rules feature may be enabled in Exchange Online after importing a TPD. Outlook Protection Rules instruct the Outlook client to protect composed messages that match your criteria. Read more at http://technet.microsoft.com/en-us/library/dd638178.aspx.

Most IRM features in Exchange Online require that the AD RMS private key (part of SLC) be in the exported TPD. Outlook Protection Rules are the exception. The TPD can be exported without a private key and imported into Exchange Online. You cannot enable IRM with the Set-IRMConfiguration cmdlet if any imported TPD lacks a private key. However, you can use the Outlook Protection Rules cmdlets to enable that feature.

The imported TPD should contain the templates that are also distributed to Outlook clients. From this point on, all of the templates that are available on-premises will be available for Office 365 use as well. The following is the user experience for creating a message with IRM protection. You can see that the RMS templates that have been imported are available for use; you can also see that there is a custom template in place for MyTestRMS that can be selected. If that template still had the archive status, you would not see that template as an option.

160

One other behavior that should be mentioned is the Outlook client experience when you open a protected message. You will get a warning letting you know that you are being redirected to the RMS endpoint. You can select the "Don't show this message again" option to prevent the popup from recurring.

161

The reason for the popup is because we are being redirected to a different location for the RMS endpoint. We are being redirected to the external URL for the RMS server to obtain the Use License from the RMS server on-premise.

Change/Update the RMS Configuration

Customers will have to update their RMS configurations from time to time. These updates can include removing templates, adding new templates, and modifying existing templates. When changes are made to the on-premises RMS template configuration the information needs to be re-imported into the Office 365 environment. The process for importing the updates is the same as it is for the initial import process with one exception, there is an additional switch that needs to be added to the Import-RMSTrustedPublishingDomain parameter, and RefreshTemplates is used to refresh the templates with the newly exported XML file that contains the updates.

Important: If there were any templates that were deleted on-premises, the templates will also be removed when the import is completed. The assumption is that you want to mirror the implementation that you have on premise so the template will match the on-premises environment with each import process. This includes the RefreshTemplates option.

The template refresh behavior depends on whether the templates from the imported TPD already . The following table outlines the expected behavior when

refreshing IRM templates in the datacenter:

Import TPD effects on IRM Templates.

Imported TPD contains Template(s) Present in

Template Not Present in

New and existing template(s) Existing Template(s) unmodified

State (type) is preserved.

New Template(s) added

State (type) set to

162

Imported TPD contains Template(s) Present in

Template Not Present in

Only new templates Existing Templates removed New Template(s) added

Updates to existing template(s)

Existing Template updated

State (type) is preserved

n/a

Important: Any new imported templates are added to the environment. Before the new template can be used for protecting new content, (This process was described earlier in this lesson).

Following are the high-level steps that need to be performed to perform the update/refresh to the TPD's:

1. Export the RMS settings from the On-premises Environment. (This is the same process as described previously when the initial export was completed.)

2. Connect PowerShell to the Exchange Online Environment and run the following:

$file = Get-Content -Path C:\RMSPublishing.xml -Encoding byte

3. Run the following:

Import-RMSTrustedPublishingDomain -FileData $file -Password (ConvertTo-SecureString P@ssword1 -Force -AsPlainText) -Name CrossPremisesRMSDomain -RefreshTemplates

4. Run the Get-RMSTemplate -TrustedPublishingDomain CrossPremisesRMSDomain to see if there are any new Templates that need the Type set to Distributed from Archive.

5. Run the following for any templates that are set to Archive as the type:

Get-RMSTemplate -Identity NewTemplate -TrustedPublishingDomain CrossPremisesRMSDomain | Set-RMSTemplate -Type Distributed

Potential Error: Enabling RMS without Importing the TPD

The Embedded RMS component is used as a way of hosting RMS services for Exchange Online mailboxes with the on-premises AD RMS deployment. Once the administrator has imported at least one TPD, InternalLicensingEnabled on the IRMConfiguration object will automatically be set to true.

TPD then the task will fail.

The following is the output of what would occur if you were to run the Set-IRMConfiguration -InternalLicensingEnabled $true and there was not imported TPD.

163

Important: At the time of this writing, the InternalLicensingEnabled will not be set to true as explained above. This is supposed to be addressed by RTM. In the Steps for configuration above, you will notice steps for enabling the internal licensing. It will not hurt to enable or to verify whether the licensing is enabled when you import the TPD.

Other Tasks

There may be a time when the Tenant Administrator may need to remove a TPD from the Office 365 environment. The Remove-RMSTrustedPublishingDomain cmdlet can be used to perform that operation. The following should be run from a PowerShell Session connected to the Office 365 Exchange environment.

Remove-RMSTrustedPublisingDomain

The preceding cmdlet can be used if this TPD is not set as the Default and is not the last TPD in the RMS Online configuration. If there was another TPD that was imported (there can be up to 20), you could designate that TPD as the Default. The Default TPD can be set even if you do not intend to remove any TPDs. The following would be used to designate another TPD as the default. (This is assuming that you are already connected using PowerShell to the Exchange Office 365 environment.)

Set-RMSTrustedPublisingDomain Identity OtherTPD -Default

Then, you would be able to remove the TPD that was previously the default TPD with the same command mentioned earlier, because this is no longer marked as the Default.

Remove-RMSTrustedPublisingDomain

What if this is the last TPD? Well, if this were the last TPD, you would want to disable the InternalLicensingEnabled parameter for the IRM configuration first, setting it to False, which is the default value. (This may not be required at RTM, since this setting should be set to False by default when the last TPD is removed. However, at this time, this needs to be done manually.) To set the value to False manually, run the following command before removing the last TPD.

Set-IRMConfiguration -InternalLicensingEnabled $False

Remove the last TPD using the syntax that was used previously, but add the -force switch, which would force the removal of the last TPD. Following is a sample of the syntax that would be used.

Remove-RMSTrustedPublisingDomain -Force

Before we make any changes to the environment, it is a good practice to view the TPDs that are currently in place. There may have been another Tenant Administrator that may have added or removed a TPD without your knowledge. To view the current TPDs you would first connect using PowerShell to the Office 365 Exchange environment, and then run the Get-RMSTrustedPublishingDomain | FL cmdlet. This will provide the output similar to the following.

164

Get-RMSTrustedPublishingDomain | fl RunspaceId : c57c84d2-35fe-40a0-a025-b95edd5686ff IntranetLicensingUrl : https://mail.get-mailbox.com/_wmcs/licensing ExtranetLicensingUrl : https://mail.get-mailbox.com/_wmcs/licensing IntranetCertificationUrl : https://mail.get-mailbox.com/_wmcs/certification ExtranetCertificationUrl : https://mail.get-mailbox.com/_wmcs/certification Default : True CSPType : 1 CSPName : KeyContainerName : KeyId : {bc3e3e2a-6700-45b9-9ef4-08da7379a478} KeyIdType : MS-GUID KeyNumber : 1 AdminDisplayName : ExchangeVersion : 0.1 (8.0.535.0) Name : CrossPremisesRMSDomain DistinguishedName : CN=CrossPremisesRMSDomain,CN=ControlPoint Config,CN= Transport Settings,CN=Configuration,CN=o365.onmicros oft.com,CN=ConfigurationUnits,CN=Microsoft Exchange, CN=Services,CN=Configuration,DC=namprd03,DC=prod,DC= outlook,DC=com Identity : CrossPremisesRMSDomain Guid : add9db13-4fb9-42b0-8064-31d1330c86a0 ObjectCategory : namprd03.prod.outlook.com/Configuration/Schema/ms-Ex ch-Control-Point-Trusted-Publishing-Domain ObjectClass : {top, msExchControlPointConfig, msExchControlPointTrustedPublishingDomain} WhenChanged : 11/18/2010 2:18:17 PM WhenCreated : 11/18/2010 2:18:17 PM WhenChangedUTC : 11/18/2010 7:18:17 PM WhenCreatedUTC : 11/18/2010 7:18:17 PM OrganizationId : namprd03.prod.outlook.com/Microsoft Exchange Hosted Organizations/o365.onmicrosoft.com - namprd03.prod.o utlook.com/Configuration/Services/Microsoft Exchange /ConfigurationUnits/o365.onmicrosoft.com/Configurati on OriginatingServer : SN1PRD0302DC004.namprd03.prod.outlook.com IsValid : True

You can see this gives a lot of great detail, including the details on which is the Default TPD. This also provides a full list of the imported TPDs. The list above only includes one TPD, since that is all that was imported. If there were multiple TPDs, you would see each of the TPDs that were imported.

OWA Mailbox policies allow you to enable selected OWA features for groups of users. OWA features are enabled or disabled via OWA Mailbox policies, which can then be assigned to specific users within the organization. OWA Mailbox policy settings, once assigned override any OWA virtual directory settings.

165

Identifying OWA Mailbox Policies Assigned to a User

Use the Get-CASMailbox cmdlet to identify which OWA Mailbox policies that have been assigned to a user:

Get-CASMailbox Mod1User1 | fl *owa* OWAMailboxPolicy : OWAEnabled : True

OWA Mailbox Policy is NOT automatically assigned to users when they are initially created. All OWA Mailbox Policy assignments are made using the Set-CASMailbox cmdlet. The

Set-CASMailbox Mod1User1

Identifying if IRM Support is Enabled on an OWA Mailbox Policy

Use the Get-OWAMailboxPolicy cmdlet to identify which mailbox policies are configured to support IRM.

Get-OWAMailboxPolicy | Name, IRMenabled Name : Default IRMEnabled : False

Enabling/Disabling IRM Support within an OWA Mailbox Policy

IRM in OWA can be enabled and/or disabled at the mailbox policy level through the -IRMEnabled setting in the OwaMailboxPolicy object. The following example illustrates how to enable IRM

Set-OWAMailboxPolicy Default-IRMEnabled $true

Important: If the IRMEnabled setting in the OWAVirtualDirectory conflicts with the OWAMailbox Policy assigned to the user, the OWAMailboxPolicy takes precedence.

166

REFERENCES Exchange Server 2010 Design and Architecture at Microsoft: How Microsoft IT Deployed

Exchange Server 2010 - Technical White Paper (http://technet.microsoft.com/en-us/library/ff829232.aspx)

167

MODULE REVIEW Knowledge Check Questions

1. Describe the various means by which you can access your Exchange Online mailbox.

2. What versions of Outlook and Entourage are supported for use with Exchange Online in Office 365?

3. Describe the improved cross-premises free/busy functionality available in Office 365.

4. What are some of the tools and techniques used to troubleshoot free/busy issues?

5. In OWA, how do you designate a distribution group for moderation?

6. Currently when accessing OWA in cross-premises environments, there is a different URL used depending on where the mailbox resides. This is very unattractive to customers -- how can this issue be resolved?

168

7. A customer contacts support because some of his mail is missing. What are the most likely causes?

8. Most IRM features in Exchange Online require that the AD RMS private key (part of SLC) be in the exported TPD. Is this true of Outlook Protection Rules?

9. List the five main steps required to extend RMS to Office 365.

169

Knowledge Check Answers 1. Describe the various means by which you can access your Exchange Online mailbox.

Web browser Use Outlook Web App and the light version of Outlook Web App with browsers like Internet Explorer, Firefox, and Safari.

Internet email programs Use any program that supports IMAP4 or POP3, like Mozilla Thunderbird, Outlook Express, or Windows Live Mail.

Outlook/Entourage Connect using Outlook or Entourage through an Exchange account (Outlook 2007, Outlook 2010, Outlook 2011 for Mac, or Entourage).

Mobile phones with an Internet connection You can connect using your Windows Mobile phone, Apple iPhone, or other Internet-capable mobile phone.

Any phone Use Outlook Voice Access with any phone to access your email, calendar, and contacts.

2. What versions of Outlook and Entourage are supported for use with Exchange Online in Office 365?

Outlook 2007, Outlook 2010, and Outlook 2011 for Mac, plus Entourage 2008 WSE. Although Outlook 2003 was supported in wave 12 (BPOS-S), Outlook 2003 is not supported in Office 365. Customer running Outlooks 2003 must upgrade to a newer version of Outlook before connecting to Exchange Online.

3. Describe the improved cross-premises free/busy functionality available in Office 365.

A feature that customers will almost definitely be looking to use for with their federation setup will be to share availably information between their environments irrespective of whether their mailboxes are in the Cloud or on-premises. When federation is set up within Office 365 and in the on-premises environments, you can create an Organization Relationship and specify the level of access that your cross-premises users will have to the Availability information.

4. What are some of the tools and techniques used to troubleshoot free/busy issues?

Verify there is no local issues

Testing the Federation Trust

Verify Free/Busy issues from various clients

170

Test-OutlookWebServices

Event Viewer

Exchange Troubleshooting Assistant (ExTRA)

5. In OWA, how do you designate a distribution group for moderation?

Use the Message Approval portion of the Group screen Access OWA through the ECP, click Options, and select the desired group under Groups I Own in the Group section to configure a group's moderation settings.

6. Currently when accessing OWA in cross-premises environments, there is a different URL used depending on where the mailbox resides. This is very unattractive to customers -- how can this issue be resolved?

Perform OWA redirection for the user. This is very similar to doing redirection for the OWA URL; for example, when the users are in a different on-premises site for Exchange 2007 or Exchange 2010. The users will be told to hit a different URL and will then have access to OWA directly without providing their credentials again, as long as identity federation is in place. To facilitate this, you can use the TargetOwaURL parameter in the Set/New-OrganizationRelationship cmdlet to specify the URL to redirect the user when the user mailbox is in Exchange Online.

7. A customer contacts support because some of his mail is missing. What are the most likely causes?

The message was deleted.

The message was archived.

The Outlook client is configured to use a custom view that may be filtering the missing message.

The POP3 settings are configured incorrectly.

8. Most IRM features in Exchange Online require that the AD RMS private key (part of SLC) be in the exported TPD. Is this true of Outlook Protection Rules?

171

No. Outlook Protection Rules are the exception. The TPD can be exported without a private key and imported into Exchange Online. You cannot enable IRM with the Set-IRMConfiguration cmdlet if any imported TPD lacks a private key. However, you can use the Outlook Protection Rules cmdlets to enable that feature.

9. List the five main steps required to extend RMS to Office 365.

Step 1: Export TPDs from AD RMS Clusters

Step 2: Import TPDs to Exchange Online

Step 3: Distribute RMS Templates

Step 4: Enable IRM in Exchange Online

Step 5: Change the Default TPD (Optional)

Office365 Exchange Online Module5 Client Access

Documents

managed folder

web services

retention

troubleshoot

recent schedule

outlook web

exchange control

exchange online