Module 7

Planning and configuring

Exchange Online services
Module Overview

• Planning and configuring email flow in Office 365

• Planning and configuring email protection in
Office 365
• Planning and configuring client access policies
• Migrating to Exchange Online
Lesson 1: Planning and configuring email flow in
Office 365

• Overview of email flow in Office 365

• Configuring accepted and remote domains
• Planning and configuring connectors
• Planning and configuring transport rules
• Planning and configuring journal rules
• Planning message flow for Office 365
• Configuring external mail flow for partners
• Tracking message flow by using message trace
Overview of email flow in Office 365

• A list of DNS records is provided when you add a

domain to Office 365
• An MX record identifies the host receiving mail
for your domain, such as:
• domain.mail.protection.onmicrosoft.com
• An SPF record identifies Office 365 as allowed to
send mail for your domain, such as:
• v=spf1 includes:spf.protection.outlook.com -all
Configuring accepted and remote domains

• Accepted domains define SMTP domains for

which the Exchange organization accepts
messages:
• Authoritative
• Internal relay

• Remote domains define message settings for

external organizations:
• Out of office messages
• Automatic replies and forwarding
• Message format
Planning and configuring connectors

• Inbound connector options:

• SenderDomains
• SenderIPAddress
• AssociatedAcceptedDomains
• RequireTLS

• Outbound connector options:

• IsTransportRuleScoped
• RecipientDomains
• UseMXRecord
• SmartHosts
• TlsSettings
Planning and configuring transport rules

Transport rule
Description
component
Specify which message attributes are used to
Conditions
identify the message to act upon
Specify what action to be performed on the
Actions
selected messages
Specifies message attributes that define messages
Exceptions
that are not acted upon

• When you define multiple conditions, a message

must meet all of them
• When you define multiple exceptions, a message
needs to meet only one
Planning and configuring journal rules

• Journaling retains messages for compliance:

• Journal reports are sent to a journaling mailbox
• Journal rules define which messages are journaled

• Journal rules contain:

• Scope
• Journal recipients
• Journaling mailbox

• When using journaling mailboxes:

• Create specific dedicated journaling mailboxes
• Ensure that you enough storage because journaling
mailboxes require large amounts of storage
• Limit and monitor access
Planning message flow for Office 365

When planning mail flow, you should consider:

• On-premises applications
• Partner organizations
• Integration with on-premises Exchange Server
Configuring external mail flow for partners

• Inbound partner connector

• Partner messages are identified by IP address or
domain
• TLS is required by default
• Specific certificate subject is optional

• Outbound partner connector

• Partner messages are identified by a domain or
transport rule
• Messages are routed by an MX record or a smart host
• TLS with a trusted certificate is required by default
• Can be downgraded to any certificate
• Can be enhanced by requiring a specific subject
• Validation is the final step
Tracking message flow by using message trace

• Use message trace to identify delivery problems

• You can search for messages based on:
• Date range
• Delivery status
• Message ID
• Sender
• Recipient

• In Windows PowerShell, use:

• Get-MessageTrace
• Get-MessageTraceDetail
Lab A: Configuring message transport in
Exchange Online

• Exercise 1: Configuring message-transport settings

Logon Information
Virtual machines: 20347A-LON-DC1
20347A-LON-DS1
20347A-LON-CL1
20347A-LON-CL2
User names: Adatum\Administrator
Adatum\Holly
LON-CL2\Francisco
Password: Pa55w.rd

Estimated Time: 35 minutes

Lab Scenario

The pilot project is going well at A. Datum

Corporation. However, before you finish the pilot
project and perform a full deployment, you need
to confirm that you can configure Exchange
Online settings to match the on-premises settings
for options such as message transport.
Lab Review

• Why did you configure the journal rule to send

messages to journal@humongousinsurance.com
instead of an Office 365 mailbox?
• What formatting options are there for disclaimers
in a transport rule?
Lesson 2: Planning and configuring email
protection in Office 365

• Overview of EOP
• Configuring the malware filter
• Configuring the connection filter
• Configuring the spam filter
• Managing message quarantines
• Exchange Online Protection reports
• Integrating EOP with on-premises Exchange
servers
• Configuring email protection
• Configuring Advanced Threat Protection
Overview of EOP

• EOP provides anti-spam and antivirus protection,

and it:
• Provides an SLA
• Scans inbound and outbound messages

• Exchange Online Advanced Threat Protection

provides additional protection against zero-day
threats
Configuring the malware filter

• Anti-malware policies control what happens

when malware is detected
• Delete the entire message
• Delete all attachments and use default alert text
• Delete all attachments and use custom alert text

• You can enable a common attachment types

filter
• You can configure additional notifications,
including:
• Sender notifications
• Administrator notifications
Configuring the connection filter

• A single connection filter applies to all incoming

messages, including
• IP Allow list
• IP Block list
• Enable safe list

• CIDR ranges must be /24 or smaller

Configuring the spam filter

• Actions can vary for spam and high-confidence spam

• Move message to Junk Email folder
• Add X-header
• Prepend subject line with text
• Redirect message to email address
• Delete message
• Quarantine message
• You can control spam detection based on:
• Bulk email
• Block and allow lists
• International languages or regions
• Advanced options
• Outbound messages are always scanned
Managing message quarantines

• Administrators or end users can manage

quarantined messages
• You can configure message expiration in the spam
filtering policy
• You should analyze messages and then you can:
• Release messages to specific recipients
• Release selected messages to all recipients
• Release selected messages and report them as false
positive
• Release selected message and allow sender
• If there are many messages in quarantine, you can
search for specific messages
• Consider using end-user spam notification with
quarantine
Exchange Online Protection reports

• You can access protection reports from the

Office 365 admin center
• Protection reports that EOP can generate include:
• Top senders and recipients
• Top malware for mail
• Malware detections
• Spam detections
• Send and received mail
• Spoof mail report

• You can configure EOP to generate reports on a

specific schedule and deliver them by email
Integrating EOP with on-premises Exchange servers

• To enable inbound mail flow, you need to:

1. Add the email domain to Office 365
2. Create a connector from Office 365 to the
on-premises email server
3. Change the MX for the domain to point to Office 365

• Create transport rules on-premises to process

the X-Forefront-Antispam-Report header
• Secure communication by using TLS
• Consider:
• Using Directory Based Edge Blocking
• Routing outbound messages through EOP
Configuring email protection

Consider the following for email protection:

• Identify appropriate malware notifications
• Enable safe list in connection filtering
• Delete or quarantine high-confidence spam
• Enable international spam options
• Use test mode when you implement spam advanced
options
• Identify groups of users with different protection needs
• Create a transport rule to block specific file extensions
• Run scheduled reports to monitor protection activity
Configuring Advanced Threat Protection

• Policies define which recipients they apply to

• Safe attachments policies define processing for
unknown malware:
• Off, monitor, block, replace
• Enable redirect
• Apply if malware scanning fails

• Safe links policies define processing for unsafe

URLs:
• Use Safe Attachments to scan downloadable content
• Do not track user clicks
• Do not allow users to click through to original URL
• Do not rewrite the following URLs
Lesson 3: Planning and configuring client access
policies

• Configuring policies for Outlook on the web

• Configuring access for mobile devices
• Configuring mailbox policies for mobile devices
Configuring policies for Outlook on the web

• Outlook Web App mailbox policies:

• Control settings for Outlook on the web
• Are configured per user

• Policy settings that you can configure include:

• Features
• File access
• Offline access

• Public computer detection is available when you

use AD FS for authentication
Configuring access for mobile devices

• Mobile device states include:

• Allowed
• Blocked
• Quarantined

• All device types are allowed by default

• You can:
• Set the default device state for the organization
• Create mobile device access rules
Configuring mailbox policies for mobile devices

• Use mobile device mailbox policies to enforce

security settings on mobile devices
• The Default policy does not enforce any security
settings
• Settings for the mobile device mailbox policy
include:
• Device password requirements
• Encryption requirements
• Local wipe options
• Device inactivity settings
• Password lifecycle settings
Lesson 4: Migrating to Exchange Online

• Options for migrating to Exchange Online

• Implementing a cutover Exchange migration
• Implementing a staged Exchange migration
• Implementing an IMAP migration
• Implementing a PST migration
• Implementing a public-folder migration
• Full hybrid configuration
• Minimal and express hybrid configuration
Options for migrating to Exchange Online

• When planning a migration, you should consider:

• The volume of data to be migrated
• User requirements for historical data

• The common migration scenarios are:

• Cutover Exchange migration
• Staged Exchange migration
• IMAP migration
• PST migration
• Hybrid mode
Implementing a cutover Exchange migration

• A cutover migration:
• Creates users and mailbox in Office 365
• Moves mailbox data to Office 365
• Incrementally synchronizes new data to Office 365
• To prepare for a cutover migration:
• Configure a migration administrator with correct permissions
• Enable Outlook Anywhere
• After synchronization is complete:
• Update DNS records
• Delete the cutover migration batch
• Assign licenses to users
• Update Autodiscover
• Decomission an on-premises Exchange Server
Implementing a staged Exchange migration

• A staged Exchange migration:

• Provides coexistence between Exchange 2007 or
Exchange 2003 and Office 365
• Requires directory synchronization to create users
accounts
• Uses CSV files to define migration batches

• After synchronization is complete:

• Convert on-premises mailboxes to mail-enabled users
• Update DNS records
• Delete the cutover migration batch
• Assign licenses to users
• Update Autodiscover
• Decommission on-premises Exchange Server
Implementing an IMAP migration

• Considerations for an IMAP migration:

• Only mail items can be migrated
• A maximum of 500,000 items can be migrated
• A maximum message size of 35MB can be migrated
• Folders with a forward slash are not migrated
• Mailbox limits:
• The Office 365 Setup wizard maximum is 150 mailboxes
• The Exchange admin center maximum is 50,000 mailboxes
• To optimize IMAP migrations:
• Use test batches to optimize network settings
• Migrate data by using an administrator account
• Prevent users from changing passwords
• Ask users to delete unnecessary messages
Implementing a PST migration

• Prepare for using PST import by:

• Configuring Office 365 to receive email for the domain
• Creating PST files for mailboxes in the previous email
system
• Creating user accounts in Office 365

• Importing PST files with Outlook is slow and

decentralized
• Importing PST files to Office 365 requires:
• Assigning the Mailbox Import Export role
• Creating a PST to user mapping file
• Moving PST files to Microsoft Azure
Implementing a public-folder migration

To migrate public folders from Exchange Server

2007 or Exchange Server 2010 to Office 365, use
the following steps:
1. Download the migration scripts
2. Prepare for the migration
3. Generate a CSV file for folder mapping
4. Create a public folder mailbox in Office 365
5. Start the public folder migration
6. Lock down legacy public folders
7. Finalize the public folder migration
8. Test the public folder migration
9. Complete the public folder migration
Full hybrid configuration

• Benefits of hybrid mode include:

• Shared domain names
• Integrated free/busy searches
• Integrated group memberships
• Integrated public folders
• Integrated global address lists
• The ability to move mailboxes between an on-premises
server and Office 365
• Requires directory synchronization but password
synchronization and AD FS are optional
• Enable with the hybrid configuration wizard
• Keep one Exchange server on premises for
management tools
Minimal and express hybrid configuration

• Minimal hybrid configuration

• For short-term coexistence
• Does not include:
• Federation
• Secure email transfer
• Free/busy lookups between on-premises and cloud
• Redirection of OWA and ActiveSync clients
• Redirects Outlook clients
• Requires ongoing directory synchronization

• Express hybrid configuration

• For very short-term coexistence
• Does a one-time directory synchronization
Lab B: Configuring email protection and client policies

• Exercise 1: Configuring email protection

• Exercise 2: Configuring client access policies
Logon Information
Virtual machines: 20347A-LON-DC1
20347A-LON-DS1
20347A-LON-CL1
20347A-LON-CL2
User names: Adatum\Administrator
Adatum\Holly
LON-CL2\Francisco
Password: Pa55w.rd
Estimated Time: 35 minutes
Lab Scenario

The pilot project is going well at A. Datum. Before

finishing it and moving into a full deployment, you
need to confirm that you can configure the
Exchange Online settings to match the on-
premises settings for options such as anti-spam
and antivirus settings, and client access policies.
Lab Review

• Why did you configure different anti-spam

settings for members of the sales group?
• Why is it important to require a password on
mobile devices?
Module Review and Takeaways

• Review Questions