
Exchange Online Notes

Last Updated: May 15, 2022

Office 365 Exchange

Use Connect-ExchangeOnline to connect.

If you want to connect to a delegated organization, use:

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline `
-UserPrincipalName "<username>" `
-DelegatedOrganization "<domain.com>" `
-ShowProgress $true

Allow everyone to access room/equipment meeting details

Set-MailboxFolderPermission "<email>:\Calendar" -User Default -AccessRights LimitedDetails

Don't change subject to requesters name on resource calendar

Set-CalendarProcessing -Identity "<email>" -DeleteSubject $False -AddOrganizerToSubject $False

Allow booking conflicts

# Set-MailboxCalendarSettings was replaced by Set-CalendarProcessing in Exchange 2010 and is not available in Exchange Online
Set-CalendarProcessing -Identity "<email>" -AllowConflicts $True

Add alias

To add a mailbox alias, make sure that the proxyAddresses attribute is set in AD. The primary address uses the uppercase SMTP: prefix (only one entry may be uppercase); aliases use lowercase smtp:.

proxyAddresses:
- SMTP:<primary email>
- smtp:<alias>

Allow sending from an alias

Set-OrganizationConfig -SendFromAliasEnabled $True

Hide a mailbox (Active Directory Synced)

To hide a mailbox if you have your directory synced, make sure that these AD attributes are set:

  • msExchHideFromAddressLists : True

  • mailNickname : Alias of the user (e.g. if the UPN of the user is user@<domain>, then the alias is user). This must not be left blank.

If you have the resources, an easier way is to do a hybrid Exchange setup, but this requires another Windows server license.
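The two AD-attribute notes above (alias via proxyAddresses, hidden mailbox via msExchHideFromAddressLists and mailNickname) done in one function, as an added example that is not part of the original notes. It assumes the ActiveDirectory RSAT module and rights to edit the user; the account name and addresses in the usage line are placeholders, and it assumes the local part of the primary address matches the UPN prefix, as in the note above.

```powershell
# Added example (not from the original notes): set the on-premises AD attributes that
# Azure AD Connect syncs to Exchange Online for a mailbox alias and a hidden mailbox.
# Assumes the ActiveDirectory RSAT module and rights to edit the user; the account
# name and addresses in the usage line are placeholders.
Import-Module ActiveDirectory

function Set-SyncedMailboxAttributes {
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string]   $PrimaryAddress,   # written as SMTP: (uppercase)
        [string[]] $Aliases = @(),                            # written as smtp: (lowercase)
        [switch]   $HideFromAddressLists
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties proxyAddresses

    # Only one uppercase SMTP: entry may exist. Drop the old SMTP/smtp entries and keep
    # everything else (X500:, SIP:, ...); -notmatch is case-insensitive, so both cases go.
    $kept  = @($user.proxyAddresses | Where-Object { $_ -notmatch '^smtp:' })
    $fresh = @("SMTP:$PrimaryAddress") + @($Aliases | ForEach-Object { "smtp:$_" })

    $replace = @{
        proxyAddresses = [string[]]($kept + $fresh)
        # mailNickname must not be blank for the hide flag to sync; the local part of the
        # primary address is assumed to match the UPN prefix, as in the note above.
        mailNickname   = ($PrimaryAddress -split '@')[0]
    }
    if ($HideFromAddressLists) { $replace['msExchHideFromAddressLists'] = $true }

    Set-ADUser -Identity $SamAccountName -Replace $replace

    # Read back exactly what will be synced
    Get-ADUser -Identity $SamAccountName -Properties proxyAddresses, mailNickname, msExchHideFromAddressLists |
        Select-Object SamAccountName, mailNickname, msExchHideFromAddressLists,
                      @{ n = 'proxyAddresses'; e = { $_.proxyAddresses -join '; ' } }
}

# Usage (placeholder values):
# Set-SyncedMailboxAttributes -SamAccountName 'jdoe' -PrimaryAddress 'jdoe@contoso.com' `
#     -Aliases 'john.doe@contoso.com' -HideFromAddressLists
```

After the next sync cycle (Start-ADSyncSyncCycle -PolicyType Delta on the AD Connect server), confirm the result in Exchange Online with Get-Mailbox <user> | Select-Object HiddenFromAddressListsEnabled, EmailAddresses; the EXO values are read-only for synced objects, so a wrong result always means the AD attribute, not the mailbox, needs fixing.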

Exchange Online Security

Block auto forward

New-TransportRule "Block auto forwarding" `
-FromScope InOrganization `
-MessageTypeMatches AutoForward `
-RejectMessageReasonText "Auto forwarding is blocked"

Strip IP Address from header

This header may be stripped by default now. A while ago Outlook included the sender's IP address in emails it sent.

# Audit mode only reports matches; switch to -Mode Enforce to actually strip the header
New-TransportRule "Strip IP Address from outbound emails" `
-SentToScope NotInOrganization `
-Priority 0 `
-RemoveHeader "x-originating-ip" `
-Mode Audit

Add External Tag (Native)

Set-ExternalInOutlook -Enabled $true

To add emails to the allow list you can run:

Set-ExternalInOutlook -AllowList admin@fabrikam.com,admin@fourthcoffee.com

Add External Tag (Subject)

New-TransportRule "External Email Warning (Subject)" `
-FromScope NotInOrganization -SentToScope InOrganization `
-PrependSubject "[EXTERNAL] " -Priority 0 `
-ExceptIfSubjectContainsWords "EXTERNAL" `
-ExceptIfSenderDomainIs "email.teams.microsoft.com","microsoft.com","messaging.microsoft.com"

Add External Disclaimer

$Disclaimer='<p><div style="background-color:#FFEB9C; width:100%; border-style: solid; border-color:#9C6500; border-width:1pt; padding:2pt; font-size:10pt; line-height:12pt; font-family:Calibri; color:Black; text-align: left;"><span style="color:#9C6500; font-weight:bold;">CAUTION:</span> This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</div><br></p>'
New-TransportRule "External Email Warning" `
-FromScope NotInOrganization `
-SentToScope InOrganization `
-Priority 0 `
-ApplyHtmlDisclaimerText $Disclaimer `
-ExceptIfSenderDomainIs "email.teams.microsoft.com","microsoft.com","messaging.microsoft.com" `
-ApplyHtmlDisclaimerLocation Prepend `
-ApplyHtmlDisclaimerFallbackAction Wrap

The rule prepends the following banner to every external message:

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

DKIM Setup

This method lets you generate 2048-bit keys. At the time of writing, the admin interface could only generate 1024-bit keys, and you had to use PowerShell to generate the 2048-bit keys.

# 1. Create the signing config disabled first: enabling fails until the selector CNAMEs exist in DNS
New-DkimSigningConfig -DomainName techstormpc.com -KeySize 2048 -Enabled $False
# 2. Read the CNAME targets to publish
Get-DkimSigningConfig -Identity techstormpc.com | Format-List Selector1CNAME, Selector2CNAME
# 3. After the DNS records below are in place and have propagated, turn signing on
Set-DkimSigningConfig -Identity techstormpc.com -Enabled $true

The second command will output something like this, which you will need to create DNS Records from.

Selector1CNAME : selector1-techstormpc-com._domainkey.techstormpc.onmicrosoft.com
Selector2CNAME : selector2-techstormpc-com._domainkey.techstormpc.onmicrosoft.com

Create the following CNAME Records with 3600 as the TTL:

selector1._domainkey -> selector1-techstormpc-com._domainkey.techstormpc.onmicrosoft.com
selector2._domainkey -> selector2-techstormpc-com._domainkey.techstormpc.onmicrosoft.com

Test it using https://email-test.had.dnsops.gov/.
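A pre-flight check for the Set-DkimSigningConfig step, added here as an example that is not part of the original notes: it compares the CNAMEs Exchange Online reports with what public DNS actually returns, and only enables signing when both selectors match. It assumes an Exchange Online session and the Windows DnsClient module (Resolve-DnsName); the domain and resolver are placeholders you can change.

```powershell
# Added example (not from the original notes): check that both selector CNAMEs resolve to
# the targets Exchange Online reported before enabling signing. Assumes an Exchange Online
# session and the Windows DnsClient module (Resolve-DnsName).
function Test-DkimSelectorCnames {
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [string] $Resolver = '8.8.8.8'   # ask a public resolver so split-horizon internal DNS cannot give a false positive
    )

    $cfg = Get-DkimSigningConfig -Identity $DomainName
    $expected = [ordered]@{
        "selector1._domainkey.$DomainName" = $cfg.Selector1CNAME
        "selector2._domainkey.$DomainName" = $cfg.Selector2CNAME
    }

    foreach ($record in $expected.Keys) {
        $target = $expected[$record]
        try {
            # Resolve-DnsName reports CNAME targets in the NameHost property
            $answer = Resolve-DnsName -Name $record -Type CNAME -Server $Resolver -ErrorAction Stop |
                      Where-Object { $_.Type -eq 'CNAME' }
            $actual = @($answer.NameHost)
        } catch {
            $actual = @()    # NXDOMAIN / timeout: record is not there yet
        }
        [pscustomobject]@{
            Record   = $record
            Expected = $target
            Actual   = ($actual -join ', ')
            Ok       = ($actual -contains $target)   # string comparison is case-insensitive
        }
    }
}

# Enable signing only once both rows report Ok = True
$results = Test-DkimSelectorCnames -DomainName 'techstormpc.com'
$results | Format-Table -AutoSize
if ($results.Ok -notcontains $false) {
    Set-DkimSigningConfig -Identity 'techstormpc.com' -Enabled $true
}
```

If a row shows the record resolving to the right target on your internal resolver but not on the public one, the change simply has not propagated yet; rerun after the TTL rather than forcing -Enabled $true, because Exchange Online checks the public record itself.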

Apply message encryption (OME)

This applies Office 365 Message Encryption to a message if the subject contains the word "secure".

New-TransportRule "Apply email encryption" `
-SubjectContainsWords secure `
-ApplyOME $True

Secure email gateway setup

If you have a secure email gateway in front of your EXO environment, such as Proofpoint, Mimecast, or Cisco IronPort, see below for additional setup.

Lock inbound emails to specific gateway

Use this method to block inbound connections to Exchange Online that are not from the specified server(s).

If you don't perform this step, people can still send emails directly to Microsoft and bypass your email gateway.

The following example is for Proofpoint Essentials. Replace the SenderIPAddresses value with whatever is applicable to your environment.

New-InboundConnector `
-Name "Proofpoint Essentials Inbound Connector" `
-SenderDomains * `
-ConnectorType "Partner" `
-RequireTls $true `
-Enabled $true `
-SenderIPAddresses 148.163.159.0/24,148.163.158.0/24,148.163.157.0/24,148.163.156.0/24,148.163.155.0/24,148.163.154.0/24,148.163.153.0/24,148.163.152.0/24,148.163.151.0/24,148.163.150.0/24,148.163.149.0/24,148.163.148.0/24,148.163.147.0/24,148.163.146.0/24,148.163.145.0/24,148.163.144.0/24,148.163.143.0/24,148.163.142.0/24,148.163.141.0/24,148.163.140.0/24,148.163.139.0/24,148.163.138.0/24,148.163.137.0/24,148.163.136.0/24,148.163.135.0/24,148.163.134.0/24,148.163.133.0/24,148.163.132.0/24,148.163.131.0/24,148.163.130.0/24,148.163.129.0/24,148.163.128.0/24,67.231.149.0/24,67.231.148.0/24,67.231.147.0/24,67.231.146.0/24,67.231.145.0/24,67.231.144.0/24,67.231.156.0/24,67.231.155.0/24,67.231.154.0/24,67.231.153.0/24,67.231.152.0/24 `
-RestrictDomainsToIPAddresses $true

You can test to see if this works through telnet by connecting to your Microsoft tenant-specific MX server. That address is in the format domain-tld.mail.protection.outlook.com, such as techstormpc-com.mail.protection.outlook.com.

If you have it forced over TLS, you can also test it over TLS by replacing the telnet command with openssl s_client -debug -starttls smtp -crlf -connect <MX_ADDRESS>:25

telnet <MX_ADDRESS> smtp

Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
220 BN8NAM04FT011.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Wed, 16 Mar 2022 01:09:21 +0000
ehlo
250-BN8NAM04FT011.mail.protection.outlook.com Hello [x.x.x.x]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8
mail from: <sender@example.com>
250 2.1.0 Sender OK
rcpt to: <recipient@example.com>

550 5.7.51 TenantInboundAttribution; There is a partner connector configured that matched the message's recipient domain. The connector had either the RestrictDomainsToIPAddresses or RestrictDomainsToCertificate set [BN8NAM04FT011.eop-NAM04.prod.protection.outlook.com]
QUIT

Exchange Online Protection fix

Proofpoint recommends you set a transport rule to bypass spam filtering by setting SCL to -1 on all mail coming from Proofpoint.

This isn't the best option because it disables some security features that you get from Exchange Online Protection.

The better option is to enable Enhanced Filtering for Connectors on the inbound connector (the EFSkipIPs setting below). EOP then skips the gateway's IP addresses in the Received chain and evaluates SPF and spam on the true originating IP instead of treating the gateway as the sender.

Set-InboundConnector `
-Identity "Proofpoint Essentials Inbound Connector" `
-EFSkipIPs 148.163.159.0/24,148.163.158.0/24,148.163.157.0/24,148.163.156.0/24,148.163.155.0/24,148.163.154.0/24,148.163.153.0/24,148.163.152.0/24,148.163.151.0/24,148.163.150.0/24,148.163.149.0/24,148.163.148.0/24,148.163.147.0/24,148.163.146.0/24,148.163.145.0/24,148.163.144.0/24,148.163.143.0/24,148.163.142.0/24,148.163.141.0/24,148.163.140.0/24,148.163.139.0/24,148.163.138.0/24,148.163.137.0/24,148.163.136.0/24,148.163.135.0/24,148.163.134.0/24,148.163.133.0/24,148.163.132.0/24,148.163.131.0/24,148.163.130.0/24,148.163.129.0/24,148.163.128.0/24,67.231.149.0/24,67.231.148.0/24,67.231.147.0/24,67.231.146.0/24,67.231.145.0/24,67.231.144.0/24,67.231.156.0/24,67.231.155.0/24,67.231.154.0/24,67.231.153.0/24,67.231.152.0/24
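A consistency check covering both the locked inbound connector above and the EFSkipIPs setting just shown, added here as an example that is not part of the original notes. It assumes an Exchange Online session; the connector name defaults to the one used in the New-InboundConnector and Set-InboundConnector commands.

```powershell
# Added example (not from the original notes): confirm that the gateway connector really
# closes the direct-delivery bypass and that its Enhanced Filtering skip list matches its
# sender list. Assumes an Exchange Online session.
function Test-GatewayConnector {
    param([string] $Name = 'Proofpoint Essentials Inbound Connector')

    $c        = Get-InboundConnector -Identity $Name
    $findings = [System.Collections.Generic.List[string]]::new()

    if (-not $c.Enabled)                { $findings.Add('connector is disabled') }
    if ($c.ConnectorType -ne 'Partner') { $findings.Add("ConnectorType is $($c.ConnectorType), expected Partner") }
    if (-not $c.RequireTls)             { $findings.Add('RequireTls is false') }
    if (-not $c.RestrictDomainsToIPAddresses -and -not $c.RestrictDomainsToCertificate) {
        $findings.Add('no RestrictDomainsTo* restriction: mail can still be delivered directly to the tenant')
    }

    # Enhanced Filtering must skip exactly the gateway ranges; otherwise the "true" sender
    # IP that EOP evaluates is wrong for some messages. Compare as CIDR strings.
    $sender = @($c.SenderIPAddresses | ForEach-Object { "$_" })
    $skip   = @($c.EFSkipIPs         | ForEach-Object { "$_" })
    if ($skip.Count -eq 0) {
        $findings.Add('EFSkipIPs is empty: Enhanced Filtering is not configured')
    } elseif ($sender.Count -gt 0) {
        foreach ($d in Compare-Object -ReferenceObject $sender -DifferenceObject $skip) {
            $side = if ($d.SideIndicator -eq '<=') { 'in SenderIPAddresses only' } else { 'in EFSkipIPs only' }
            $findings.Add("$($d.InputObject) $side")
        }
    }

    # Any other enabled partner connector with no restriction re-opens the bypass
    Get-InboundConnector | Where-Object {
        $_.Name -ne $c.Name -and $_.Enabled -and $_.ConnectorType -eq 'Partner' -and
        -not $_.RestrictDomainsToIPAddresses -and -not $_.RestrictDomainsToCertificate
    } | ForEach-Object { $findings.Add("other unrestricted partner connector enabled: $($_.Name)") }

    [pscustomobject]@{
        Connector = $c.Name
        Ok        = ($findings.Count -eq 0)
        Findings  = ($findings -join '; ')
    }
}

Test-GatewayConnector | Format-List
```

Run it after every gateway IP-range change: the vendor ranges go into two places (SenderIPAddresses and EFSkipIPs), and the telnet test above only proves the first list, not that the second still matches it.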

Messages that come through the connector with Enhanced Filtering applied have the X-MS-Exchange-SkipListedInternetSender and X-MS-Exchange-ExternalOriginalInternetSender headers added to them.

You should also see a proper value on the Authentication-Results and Received-SPF header rather than fail.
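To verify the two headers and the authentication results described above on a received message, here is a small header parser, added as an example that is not part of the original notes. The header block is constructed for illustration (the values of the two X-MS-Exchange-* headers are made up and only their presence is checked); paste the Internet headers of a real message in its place (Outlook: File > Properties > Internet headers).

```powershell
# Added example (not from the original notes): parse the raw headers of a message that
# arrived through the gateway and report whether Enhanced Filtering was applied.
# $sampleHeaders is constructed; the X-MS-Exchange-* values are illustrative only.
$sampleHeaders = @'
Received: from mx.example-gateway.test (148.163.150.10) by
 BN8NAM04FT011.mail.protection.outlook.com with Microsoft SMTP Server
Authentication-Results: spf=pass (sender IP is 203.0.113.25)
 smtp.mailfrom=example.com; dkim=pass (signature was verified)
 header.d=example.com;dmarc=pass action=none header.from=example.com;
Received-SPF: Pass (protection.outlook.com: domain of example.com designates
 203.0.113.25 as permitted sender)
X-MS-Exchange-SkipListedInternetSender: ip=[148.163.150.10];domain=mx.example-gateway.test
X-MS-Exchange-ExternalOriginalInternetSender: ip=[203.0.113.25];domain=mail.example.com
From: sender@example.com
Subject: test
'@

function ConvertFrom-MessageHeaders {
    param([Parameter(Mandatory)] [string] $Raw)
    # Unfold continuation lines: a line starting with whitespace belongs to the previous header
    $unfolded = $Raw -replace "`r?`n[ \t]+", ' '
    $headers = @{}
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^([^:\s]+):\s*(.*)$') {
            $name  = $Matches[1].ToLowerInvariant()
            $value = $Matches[2]
            # Some headers repeat (Received, Authentication-Results); keep every value
            if ($headers.ContainsKey($name)) { $headers[$name] = @($headers[$name]) + $value }
            else                             { $headers[$name] = @($value) }
        }
    }
    return $headers
}

function Test-EnhancedFilteringApplied {
    param([Parameter(Mandatory)] [string] $Raw)
    $h    = ConvertFrom-MessageHeaders -Raw $Raw
    $auth = ($h['authentication-results'] -join ' ')
    [pscustomobject]@{
        SkipListed     = $h.ContainsKey('x-ms-exchange-skiplistedinternetsender')
        OriginalSender = ($h['x-ms-exchange-externaloriginalinternetsender'] -join ' ')
        SpfPass        = ($auth -match 'spf=pass')
        DkimPass       = ($auth -match 'dkim=pass')
        DmarcPass      = ($auth -match 'dmarc=pass')
        # First word of Received-SPF: Pass, Fail, SoftFail, None, ...
        ReceivedSpf    = (($h['received-spf'] -join ' ') -split '\s+')[0]
    }
}

Test-EnhancedFilteringApplied -Raw $sampleHeaders | Format-List
```

On a message that arrived with Enhanced Filtering working, SkipListed is True and ReceivedSpf is Pass (for a legitimate sender); SkipListed False together with ReceivedSpf Fail on mail that Proofpoint delivered is the symptom that EFSkipIPs does not cover the gateway's IP range the message came from.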

Proofpoint Security Awareness Setup

Additional setup is needed because I opted not to create the transport rule that sets the spam confidence level of all incoming mail to -1 (bypass).

Messages carrying these headers can be assumed safe only because they got past Proofpoint, so do not enable these rules unless the locked inbound connector is in place; without it, anyone can add the header themselves.

# Created disabled; turn on with Enable-TransportRule once the connector restriction is verified
New-TransportRule -Name "Proofpoint Security Awareness" `
-Enabled $false `
-Mode Enforce `
-FromScope NotInOrganization `
-HeaderContainsMessageHeader "X-ThreatSim-Header" `
-HeaderContainsWords "http://threatsim.com/speartraining" `
-SetSCL -1

New-TransportRule -Name "Proofpoint Security Awareness - skip attachment scan" `
-Enabled $false `
-Mode Enforce -FromScope NotInOrganization `
-HeaderContainsMessageHeader "X-ThreatSim-Header" `
-HeaderContainsWords "http://threatsim.com/speartraining" `
-SetHeaderName X-MS-Exchange-Organization-SkipSafeAttachmentProcessing `
-SetHeaderValue 1

New-TransportRule -Name "Proofpoint Security Awareness - skip link scan" `
-Enabled $false `
-Mode Enforce `
-FromScope NotInOrganization `
-HeaderContainsMessageHeader "X-ThreatSim-Header" `
-HeaderContainsWords "http://threatsim.com/speartraining" `
-SetHeaderName X-MS-Exchange-Organization-SkipSafeLinksProcessing `
-SetHeaderValue 1