BEST OF IGNITE 2018: EXCHANGE AND OFFICE 365
JAAP WESSELIUS
29 JANUARY 2018
DISCLAIMER
• Please…. Don’t shoot the messenger
• Slides and text are copy-pasted from Ignite slide decks, so when there's a "we" it should read "Microsoft"
AGENDA
• Exchange 2019
• Hybrid
• Email security
• Tips ‘n Tricks
IGNITE IN GENERAL
• Ignite is huge….. REAL HUGE
• 30,000 attendees
• 5,000 organizations
• 2 large separate halls, 2 sky bridges
• You can easily walk 10 to 12 kilometers per day
• Distances might be a problem for the average American ;-)
PROBLEMS WITH DISTANCES?
MY TAKE ON IGNITE TOPICS
• Microsoft 365…
• Modern Workspace…
• Security…
• Azure Active Directory…
• Microsoft 365…
• Security…
• Modern Workspace…
• Cloud…
• Machine learning and AI
• Internet of Things
• Oh Yes… Exchange 2019
• Hybrid
• Exchange Online Protection
• And did I mention Microsoft 365, Cloud
and Security? ;-)
THE STATE OF EMAIL TODAY
• The flow of customers moving from On-Premises to Office 365 is continuing strongly
• Office 365 commercial revenue up 38% YOY
• Office 365 commercial seats grew 29% YOY
• More than 135 million users of Office 365 commercial
• Outlook mobile is being used by more than 100m iOS and Android devices
• 94% of Fortune 500 companies have Office 365
EXCHANGE ONLINE SCALE
175K Physical Servers
47 Datacenters
70 Network POPs
5.5 Billion Mailboxes
1.1 EB of Data (Logical)
35 Trillion Items
7.2 Billion Messages Delivered
490 Billion Requests Routed
1.4 Trillion Items Read/Opened
9.6 PB Jet Logs Processed
THE STATE OF EMAIL TODAY
• Some customers can’t adopt the cloud yet, and some customers are still preparing for
the change
• Most of these customers are large and those customers need Exchange On-Premises to
be secure, reliable, easy to manage and always there.
• That’s why Microsoft built Exchange Server 2019
• And Microsoft is distributing this release only through Volume Licensing (including CUs)
RE-ENGINEERING ENGINEERING
• Microsoft changed the way they build on-premises software
• Microsoft used to share one code branch between Exchange Online and Exchange On-Premises
• Microsoft branched the code.
• Now Exchange Online and Exchange On-Premises share the same rich heritage but have
distinct futures
• The end result is less change for On-Premises customers, so less chance of regressions,
and more dependability
BUILDING EXCHANGE 2016 AND EXCHANGE ONLINE
(Diagram: one shared code branch; "New feature / Bug fix" flows into Exchange Online and into Exchange 2016 CU1, CU2; "Bug fix" flows back)
BUILDING EXCHANGE 2019 AND EXCHANGE ONLINE
(Diagram: separate branches; "New feature / Bug fix" flows into Exchange Online, only "Bug fix" flows into Exchange On-Prem)
EXCHANGE 2019
• The latest and greatest on-premises…. For enterprise organizations that need top of the bill
enterprise class messaging
• Need the latest and fanciest features? Go to Exchange Online
• Enterprise Organizations
• Volume License only (including Exchange 2019 CUs)
• No more ‘hybrid license’ for Exchange 2019
EXCHANGE 2019 REQUIREMENTS
• Exchange 2019 runs on Windows 2019 only
• Windows 2019 Server Core strongly recommended
• .NET Server 4.7.2
• Server memory recommendation is 128 GB (64 GB for Edge Transport)
• Max supported RAM is now 256 GB
• Max processor count is 48 (was 24)
• Oh yes…. Virtualization is still supported ☺
• AD FFL/DFL is now Windows 2012 R2
• N-2 coexistence (no Exchange 2010 support)
NEW FEATURES IN EXCHANGE 2019
• New search engine (big funnel), based on Bing technology
• Content index stored in Mailbox
• Passive copies of a database have identical search indexes
• No more database copy health issues (and failing fail-overs)
• MCDB (Metacache Database)
• Combination of JBOD and SSD (tiered storage)
• ‘Hot’ data is cached on SSD disk (failback to JBOD)
• SSD to disk ratio is 1:3
• SSDs store a maximum of 10% of key data in a MetaCache Database (MCDB)
RETRIEVAL OF DATA FROM SSD AND JBOD
(Diagram: user request -> Exchange -> SSD & MCDB -> HD & DB)
RETRIEVAL OF DATA FROM JBOD ONLY
(Diagram: user request -> Exchange -> HD & DB)
EXCHANGE 2019 NEW FEATURES
• Dynamic database cache
• Exchange 2016 – all databases get an equal share of memory
• Exchange 2019 – mounted (active) databases get more memory
• Dynamic database and MCDB results in:
• A 20% increase to the number of users you can put on a server
• The option to use much larger disks
• This cuts client latency for many operations in half…
• Remove-CalendarEvents - IT admins can cancel all meetings organized by a user:
Remove-CalendarEvents -Identity "Kim Akers" -CancelOrganizedMeetings -QueryStartDate 11-1-2018 -QueryWindowInDays 120
UNIFIED MESSAGING SERVER ROLE
• UM is completely removed from Exchange 2019
• Replaced by Cloud Voice Mail and Auto Attendant
• Currently a UM user but don't want the cloud? Stay on Exchange 2016 (supported until 2025)
• Go to 3rd party vendor
BLOCK CALENDAR WHEN OUT OF OFFICE
DEFAULT END DATE (RECURRING APPOINTMENTS)
Do Not Forward
Organizers using OWA to create a meeting can mark it so that attendees won't be able to forward
Transport in Exchange Server 2016 and 2019 will respect the flag and prevent forwarding
Example of a feature that didn’t make it….
DELIGHTING END USERS
EMAIL ADDRESS INTERNATIONALIZATION
• What’s an EAI?
• Latin alphabet (with diacritics): Pelé@example.com
• Greek alphabet: δοκιμή@παράδειγμα.δοκιμή
• Traditional Chinese characters: 我買@屋企.香港
• Japanese characters: 甲斐@黒川.日本
• Cyrillic characters: чебурашка@ящик-с-апельсинами.рф
• Hindi email address: संपर्क@डाटामेल.भारत
• Send and receive to/from external users with EAI addresses
HYBRID EXCHANGE
THE HYBRID CHALLENGE
It’s necessary, but it’s hard.
ORGANIZATION CONFIGURATION TRANSFER
OCT v1 – Released June 2018
• One time copy of Org Config objects to EXO
• Sub set of policies & objects
• Retention Policy
• Retention Policy Tags
• OWA Mailbox Policy
• Mobile Device Mailbox Policy
• Active Sync Mailbox Policy
• New-* actions only
ORGANIZATION CONFIGURATION TRANSFER V2
• One time copy of Org Config objects to EXO
• Set-* actions added
• Sub set of policies & objects
• Retention Policy
• Retention Policy Tags
• OWA Mailbox Policy
• Mobile Device Mailbox Policy
• Active Sync Mailbox Policy
• DLP Policy
• Organization Config
• Active Sync Device Access Rule
• Active Sync Organization Settings
• Malware Filter Policy
• Policy Tip Config
• Address List
HYBRID SETUP AND ONBOARDING
Sign up for Exchange Online
Read the 20 different pages on Docs about hybrid
Create a DataFlow Diagram (DFD)
Review with your networking team
Review with your security team
Update the DFD config when we publish new IPs
Re-review with networking
Deploy some new “Exchange hybrid servers”
Argue with security about installing Exchange in the DMZ
Create some new DNS records
Create some inbound firewall flows
Run the HCW (with OCT!)
Test some flows for onboarding and free/busy
Go back to the networking team to fix some inbound flows missed
Security team puts the project on hold and shuts down connectivity
Etc…
HYBRID AGENT
Tenant-specific endpoint:
https://{guid}.resource.{flow}.his.msappproxy.net
Outbound ACL Only
IP Whitelist
• No customer DNS changes
• No certificate changes
• No firewall/network changes
• Protect On-Prem systems
HYBRID AGENT V1
• V1 supports hybrid free/busy and mailbox moves only
• V1 will support new hybrid setups only
• Install 3 or more agents
• Install the agent on existing Exchange servers
• Oh… and it’s auto-update only
• Maybe better installing on separate servers?
TAKE-AWAYS (ACCORDING TO MICROSOFT)
• EXO Hybrid setup has never been easier
• Your networking and security teams can bother other people now
• My take on this….
• A potential man-in-the-middle issue
• Security officer will not like this idea
• Lots of possibilities… think about searching on-premises mailboxes from Search Online…. Or on-premises management from EXO (dangerous guess ☺)
• But not a word about removing this last Exchange Server
EMAIL SECURITY
EMAIL, WHAT ARE WE TALKING ABOUT?
• Phish: the fraudulent attempt to obtain sensitive information
• Spoofing: creation of email messages with a forged sender address
• Impersonation: common technique in targeted phishing attacks
• Authentication: a way to prove the sender really is the sender
• SPF: Sender Policy Framework
• DKIM: DomainKeys Identified Mail
• DMARC: Domain-based Message Authentication, Reporting & Conformance
WHAT’S THE ISSUE?
• SMTP has always been by default anonymous
• You can easily send an email pretending it came from someone else
• “Proper” uses of this include outsourced marketing and mailing lists
• It's difficult to implement this well, and the perceived complexity means that companies worry their email will get blocked if they implement it badly
DMARC POLICIES OF FORTUNE 500 COMPANIES
(Pie chart; segments read 6%, 3%, 31%, 60% in that order)
• Reject
• Quarantine
• None (take no action on a spoofed message)
• No record published
HOW DO WE AUTHENTICATE EMAILS WE RECEIVE
• SPF: v=spf1 ip4:1.2.5.5 ip4:8.2.7.4 ip4:7.3.2.2 ip4:5.5.1.8 include:_spf.salesforce.com include:spf.protection.outlook.com -all
• DKIM: "v=DKIM1; p=MIGfMA0GDQEBgQCrZ6z … 6UvqP3QIDAQAB"
• DMARC: v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]
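The three record types above, and the four DMARC policy buckets of the Fortune 500 chart, are easiest to understand by running the receiver-side logic. The following Python is an added example, not code from the slides or from Microsoft: it evaluates SPF (ip4/ip6/include/all terms), checks that a DKIM selector publishes a key, classifies a DMARC policy, and combines them into the disposition a DMARC-enforcing receiver would apply. All DNS data is a constructed in-memory table (documentation IP ranges; the include: names mirror the slide's record but their contents are invented), and DKIM signature verification is represented by a flag rather than performed.

```python
"""Added example: SPF / DKIM / DMARC evaluation over a constructed DNS table.
Not the slide deck's or Microsoft's code; all records below are invented."""
import ipaddress

# Constructed TXT data (RFC 5737 documentation addresses). The include: names
# copy the slide's SPF record, but what they resolve to here is made up.
DNS_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 "
                    "include:_spf.salesforce.com include:spf.protection.outlook.com -all"],
    "_spf.salesforce.com": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "spf.protection.outlook.com": ["v=spf1 ip4:198.51.100.64/26 -all"],
    "softfail.example": ["v=spf1 ip4:192.0.2.1 ~all"],
    "broken.example": ["v=spf1 include:missing.example -all"],
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBconstructedNotARealKey"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "_dmarc.softfail.example": ["v=DMARC1; p=none; rua=mailto:dmarc@softfail.example"],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name, table):
    return table.get(name.lower(), [])


def parse_tags(record):
    """Split a 'k=v; k=v' DKIM or DMARC record into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(ip, domain, table, depth=0):
    """SPF result for a client IP sending MAIL FROM @domain: pass, fail, softfail,
    neutral, none or permerror. Handles ip4/ip6/include/all; a, mx, exists and
    redirect are left out because this toy resolver only holds TXT data."""
    if depth > 10:                              # RFC 7208 limit on DNS-querying terms
        return "permerror"
    records = [r for r in lookup_txt(domain, table) if r.startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:                        # several SPF records is a permerror
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER_RESULT[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIER_RESULT[qualifier]
        elif term.startswith("include:"):
            inner = check_spf(ip, term[8:], table, depth + 1)
            if inner == "pass":
                return QUALIFIER_RESULT[qualifier]
            if inner in ("none", "permerror"):  # RFC 7208 5.2: include of a missing record is a permerror
                return "permerror"
    return "neutral"                            # nothing matched and no 'all' term


def dkim_key_published(selector, domain, table):
    """True if selector._domainkey.domain publishes a usable key. The v= tag is
    optional and defaults to DKIM1; an empty p= means the key was revoked."""
    for record in lookup_txt(f"{selector}._domainkey.{domain}", table):
        tags = parse_tags(record)
        if tags.get("v", "DKIM1") == "DKIM1" and tags.get("p"):
            return True
    return False


def dmarc_policy(domain, table):
    """Bucket the published DMARC policy the way the Fortune 500 chart does."""
    records = [r for r in lookup_txt("_dmarc." + domain, table) if r.startswith("v=DMARC1")]
    if not records:
        return "no record published"
    return parse_tags(records[0]).get("p", "invalid")


def aligned(auth_domain, header_from_domain):
    """Relaxed alignment, simplified: same domain or one is a subdomain of the
    other. Real receivers compare organizational domains via the public suffix list."""
    a, h = auth_domain.lower(), header_from_domain.lower()
    return a == h or a.endswith("." + h) or h.endswith("." + a)


def dmarc_disposition(header_from, client_ip, mail_from_domain, table, dkim=None):
    """Receiver decision: 'deliver' when SPF or DKIM passes with a domain aligned
    to the RFC5322.From domain, otherwise the From domain's published policy.
    dkim is an optional (domain, selector, verified) tuple; 'verified' stands in
    for signature verification, which this example does not perform."""
    spf_ok = (check_spf(client_ip, mail_from_domain, table) == "pass"
              and aligned(mail_from_domain, header_from))
    dkim_ok = False
    if dkim:
        d_domain, d_selector, d_verified = dkim
        dkim_ok = (d_verified and dkim_key_published(d_selector, d_domain, table)
                   and aligned(d_domain, header_from))
    if spf_ok or dkim_ok:
        return "deliver"
    policy = dmarc_policy(header_from, table)
    return policy if policy in ("reject", "quarantine") else "deliver"


if __name__ == "__main__":
    # A spoof of example.com from an IP outside its SPF, with no DKIM signature.
    print(dmarc_disposition("example.com", "198.51.100.200", "example.com", DNS_TXT))
```

The last branch of dmarc_disposition is the point of the chart: a domain with p=none, or with no DMARC record at all, gets its spoofed mail delivered even when both SPF and DKIM fail, so publishing the records is only half the job; the policy has to be quarantine or reject before anything is blocked.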
WHAT ARE THE OPTIONS TO PROTECT USERS?
• ATP features
• Office ATP for Safe Links and Safe Attachments
• Insider Phishing
• Attack Simulator
• Multi-Factor Authentication
• Conditional Access
• Stopping Weak Password, Legacy Auth etc.
• Authenticators and Hardware Tokens
SCOTT SCHNOLL – TIPS ‘N TRICKS
DOZENS OF TIPS AND TRICKS, INCLUDING
• Exchange 2019 RAM pagefile
• Mailbox autoreply and timezones
• Windows A/V software on Exchange servers
• Best practices for health mailboxes
• How/when to decommission on-prem servers
• Resources for Managing change in Office 365
• Changes to EOP IP Address Ranges
• Exchange Online Archive auto-expansion
• Handling accounts/data for former employees
• License Administrator built-in role in Preview
• Mailflow insights
MIGRATE DLS FROM ON-PREMISES TO CLOUD
• Migration process involves moving the DL to an OU that does not sync
• AAD Connect will see this as a DL deletion and remove it from Azure AD
• DL settings are exported for later import
• Change propagates to Exchange Online Active Directory, resulting in the DL being deleted
• New replacement DL is created in Office 365
• DL settings imported to recreate DL users, groups and attributes
• Entire process can now be scripted
• We’ve tested a script using a DL with 10,000 members, with a minimum of 10 members in each of
the multi-valued attributes
• Took just over 3 hours to migrate
• DL is maintained on-premises during entire process
https://aka.ms/DLMoveScript
MAIL FLOW INSIGHTS
• Microsoft is building a dashboard of mail flow insights that includes
• Mail flow map
• Outbound and inbound mail flow
• Recent alerts
• Non-delivery report
• Sent and received mail
• VIP (exec) mail status
• Queues
• Auto-forwarded message
• SMTP auth submission
• Fixes for slow mail flow rules, incorrect connector, mail loops and sender domains
SUMMARY
• Ignite 2018 was a huge event with 30,000 attendees from 5,000 organizations
• Dozens and dozens and dozens of different tracks and technologies
• Lots of technical information, mostly level 200 ~ 300
• But also Vision and Strategy information
• Exchange? Just a handful of sessions, despite the new version
• Exchange Online? Settled technology, a bit more sessions
• Azure AD, security, security, security, there’s the main focus?
• Next year again? Hell yeah!
MORE INFORMATION, PRESENTATIONS AND VIDS
• BRK2176 - Welcome to Exchange 2019
https://mediusprodstatic.studios.ms/presentations/Ignite2018/BRK2176.pptx
https://www.youtube.com/watch?v=XTAEmDoU5jU
• BRK3143 - Hybrid Exchange: Making it easier and faster to move to the cloud
https://www.youtube.com/watch?v=QhOh5RCcLu8
https://mediusprodstatic.studios.ms/presentations/Ignite2018/BRK3143.pptx
• THR3024 - How to add MFA to your Exchange Online/on-premises mailboxes in 20 minutes or less
https://mediusproduction.blob.core.windows.net/presentations/Ignite2018/THR3024.pptx
https://www.youtube.com/watch?v=7hoEmEwV8Rk
• BRK3279 - So long and thanks for all the (email) phish
https://mediusproduction.blob.core.windows.net/presentations/Ignite2018/BRK3279.pptx
https://www.youtube.com/watch?v=6XFTDdsILZw
MORE INFORMATION, PRESENTATIONS AND VIDS
• THR2145 - Why do we need to keep an Exchange Server on-premises when we move to the cloud?
https://mediusproduction.blob.core.windows.net/presentations/Ignite2018/THR2145.pptx
https://www.youtube.com/watch?v=XHFleM6OElc
• BRK3147 - Scott Schnoll’s Exchange and Office 365 tips and tricks
https://mediusproduction.blob.core.windows.net/presentations/Ignite2018/BRK3147.pptx
https://www.youtube.com/watch?v=0WNMX8EKYZk
• BRK3130 - Email search in a flash! Accelerating Exchange 2019 with SSDs
https://mediusproduction.blob.core.windows.net/presentations/Ignite2018/BRK3130.pptx
https://www.youtube.com/watch?v=VHrScskhCQk
• BRK2177 - Outlook mobile for the enterprise
https://www.youtube.com/watch?v=jEbjTOfezLU
https://mediusproduction.blob.core.windows.net/presentations/Ignite2018/BRK2177.pptx
MORE INFORMATION, PRESENTATIONS AND VIDS
• BRK3145 - Deploying Outlook mobile securely in the enterprise
https://mediusproduction.blob.core.windows.net/presentations/Ignite2018/BRK3145.pptx
https://www.youtube.com/watch?v=4mHlxdJMh1Q
• BRK3146 - What's amazing and new in calendaring in Outlook!
https://mediusproduction.blob.core.windows.net/presentations/Ignite2018/BRK3146.pptx
https://www.youtube.com/watch?v=-ZrNTylawOA
• BRK3114 - Manage your tenant's security and privacy settings, and protect your organization's data using
Compliance Manager
https://mediusprodstatic.studios.ms/presentations/Ignite2018/BRK3114.pptx
https://www.youtube.com/watch?v=wyO2lNs0ZRA
• BRK2407 - Windows 10 and Office 365 ProPlus lifecycle and servicing update (CONDENSED)
https://mediusprodstatic.studios.ms/presentations/Ignite2018/BRK2407.pptx
https://youtu.be/t9Bs55czc1E
MORE INFORMATION, PRESENTATIONS AND VIDS
• BRK3234 - An IT pros guide to Open ID Connect, OAuth 2.0 with the V1 and V2 Azure Active Directory
endpoints
https://mediusproduction.blob.core.windows.net/presentations/Ignite2018/BRK3234.pptx
https://www.youtube.com/watch?v=sXRp2s0DKXw
• THR3036 - Azure Active Directory hybrid identity and banned password detection
https://mediusprodstatic.studios.ms/presentations/Ignite2018/THR3036.pptx
https://www.youtube.com/watch?v=kuVkfIiapI4
• BRK3226 - Secure access to Office 365/Azure Active Directory with new features in AD FS in Windows
Server 2019 and Azure AD Password Protection
https://mediusproduction.blob.core.windows.net/presentations/Ignite2018/BRK3226.pptx
https://www.youtube.com/watch?v=DC4cyF_JEgw
• BRK3081 - Implementing a modern network architecture to get the most out of Office 365
https://mediusproduction.blob.core.windows.net/presentations/Ignite2018/BRK3081.pptx
https://www.youtube.com/watch?v=FGMzS_MjuPY
MORE INFORMATION, PRESENTATIONS AND VIDS
• BRK3408 - Azure Active Directory best practices from around the world
https://mediusprodstatic.studios.ms/presentations/Ignite2018/BRK3226.pptx
https://youtu.be/wGk0J4z90GI