Category Archives: Office365

Sync-ModernMailPublicFolders.ps1  fails with access denied

Moving mailboxes from Exchange 2016 to Exchange Online is not that difficult, that is when you have all the prerequisites in place of course. Public Folders is a bit different, but luckily Public Folders in Exchange 2016 are ‘Modern Public Folders’ and as such similar to Public Folders in Exchange Online.

You must move Public Folders from Exchange 2016 to Exchange Online when all mailboxes are in Exchange Online, and before doing that you must use Public Folders cross-premises. When mailboxes are in Exchange Online, they must use Public Folders in Exchange 2016.

The first step is to synchronize the Public Folder mailboxes from Exchange 2016 to Exchange Online using Azure AD Connect. Then the mail-enabled folders must be synchronized to Azure AD using the Sync-ModernMailPublicFolders.ps1 script that you can download from the Microsoft download site.

When starting the script, it wants to setup a Remote PowerShell connection to Exchange Online, and the following screenshot says it all: this is a basic authentication login prompt:

When entering the global admin credentials, it fails with an ‘access denied’ error:

And in plain text:

[3/24/2022 11:40:25 AM] Creating an Exchange Online remote session...
InitializeExchangeOnlineRemoteSession : Unable to create a remote shell session to Exchange Online. The error is as follows: "Connecting to remote server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.".
At C:\Scripts\Sync-ModernMailPublicFolders.ps1:687 char:5
+     InitializeExchangeOnlineRemoteSession;
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,InitializeExchangeOnlineRemoteSession
[PS] C:\Scripts>

This is because the script is using Basic Authentication, and in Office 365 basic authentication is disabled (at least in our tenant). 

A workaround is to enable basic authentication only for PowerShell. To do this, click ‘Help & Support’ in lower right corner and in the ‘how can we help’ enter the following text “Diag: Enable Basic Auth in EXO” as shown in the following screenshot:

In the next pop-up window, the current basic authentication settings are shown and in the drop-down box you can select the protocol you want to enable basic authentication for: 

Select the Exchange Online Remote PowerShell option.

It takes some time before basic authentication is enabled. In my case, I disabled it late in the afternoon and the next morning it was possible to login using basic authentication. Most likely it will take less time, but overnight was not a big deal 🙂

Now when running the Sync-ModernMailPublicFolders.ps1 again it succeeds and finishes successfully.

However, enabling basic authentication is just a work-around and not really a long-term solution. And, Microsoft will turn off Basic Authentication by the end of this calendar year. But in the meantime, we must wait for Microsoft to release a new script that support Modern Authentication.

Send from Alias in Exchange Online

A bit later than planned, but I was attending a training last week, but a long-awaited feature in Exchange is sending mail from another email address that is stamped on a user, a so called alias. In a typical environment, a mailbox has a primary SMTP address and this address is used to send an receive email. This can be something like Besides this primary SMTP address there can be more SMTP addresses that can be used to receive mail, for example or In Exchange on-premises and Exchange Online, these Aliasses are only used to receive email, not to send email. Up until now that is (for Exchange Online, no idea if they want to enable this for Exchange on-premises).

Microsoft has started to roll out the Send From Alias in Exchange Online starting in January 2022 (it was already announced back in April 2021) and it is available in Outlook on the Web and Outlook for iOS and Outlook for Android. Outlook for the PC will follow, according to Microsoft in Q2, 2022.

To enable the Send from Alias in Exchange Online, execute the following command in Exchange Online PowerShell:

[PS] C:\> Set-OrganizationConfig -SendFromAliasEnabled $True

It takes some time before effective, in my case it worked the next day.

All SMTP proxy addresses on a mailbox are available for this. When you logon as a user and go to settings | Mail | Compose and Reply you can check which aliases you want to use. + Addresses are also shown and so are the addresses. Don’t know who thought this was useful, in my opinion you don’t want to use these (internal) addresses at all:

Now when you write a new email in Outlook on the Web and select the From option, you can select the email address that you checked in the previous step.

The proxy addresses that are selected in the first step (the OWA settings) will automatically available in Outlook for Android and Outlook for iOS.

When you send an email using one of these aliases as a from address, it will automatically be visible in the recipient mailbox, in this example in Gmail:

I don’t expect much use of this feature until Outlook for the desktop will offer it, but it’s a nice add-on (finally).

Older Outlook versions will not connect to Office 365

it was already announced on the Microsoft blogpost New minimum Outlook for Windows version requirements for Microsoft 365, Microsoft will stop support for older Outlook clients on November 1, 2021 (which is 24 days from the time of writing!).

In short, all clients older than Outlook 2013 SP1 with the latest fixes are no longer able to connect to Exchange Online. And yes, this includes Outlook 2010 (I know there are still clients out there running Office 2010!).

More detailed version numbers of Outlook that will not connect anymore:

Office versionOutlook version
Office 2010All versions
Office 201315.0.4970.9999 and older
Office 201616.0.4599.9999 and older
Office 365 ProPlus1705 and older

To check the version of Outlook you are using, select File –> Office Account –> About Outlook. It will show something like Microsoft® Outlook® for Microsoft 365 MSO (16.0.14326.20384) 64-bit.

Please be aware that this is completely independent from the Basic Authentication strategy that Microsoft is following. Older versions will just stop connecting to Exchange Online.

For more information, check MC288472 in the Microsoft 365 Message Center.

Microsoft disables basic authentication in Office 365

I already wrote about Office 365 and Basic Authentication in two earlier blogposts:

The last update from Microsoft regarding basic authentication is published in June 2021:

Microsoft has announced that it starts to disable basic authentication for customers that do not use basic authentication (for new Office 365 basic authentication is disabled by default).

I have disabled basic authentication is my tenant long ago and last week I got an email from Microsoft (MC274505, which can also be found in the admin portal) announcing basic authentication will be disabled in my tenant:

We’re making some changes to improve the security of your tenant. We announced in 2019 we would be retiring Basic Authentication for legacy protocols and in early 2021 we announced we would begin to retire Basic Authentication for protocols not being used in tenants.

30 days from today we’re going to turn off Basic Authentication for POP3, IMAP4, Remote PowerShell, Exchange Web Services, Offline Address Book, MAPI, RPC and Exchange ActiveSync protocol in your tenant, and will also disable SMTP AUTH completely.

Note: Based on our telemetry, no users in your tenant are currently using Basic Authentication with those protocols and so we expect there to be no impact to you.

If disabling basic authentication causes issues for your tenant, you can always re-enable basic authentication as outlined in the Microsoft link in the beginning of this blogpost. But please remember that basic authentication will be disabled permanently some day!

How to change MFA method for your Office 365 account

This might look like an easy blogpost (actually, it is) but every time I’m struggling with this, so I decided to write it down.

My default MFA authentication method was a text message (SMS) on my phone. This works fine, but it is not always easy to work with, especially not when using the native mail app on a mobile device. So, to change it, logon to OWA or the Microsoft Portal, click the initials in the upper right corner and click View account:

You can also navigate to to get here directly. In the overview page click on Security Info to see the MFA methods available. To add a new method, click +Add Method.

In the pop-up window, select another method, for example the authenticator app and click Add. The first step is of course to download the authenticator app on your device, if it’s already installed click Next.

In the Setup your account pop-up box click next and a QR code will appear on your screen:

In the authenticatorapp, click the + icon in the upper right corner, select your account type and select Scan QR code. Approve the sign-in on your device, the security info will show Notification approved and you’re good to go.

The last step you have to do is to change the default sign-in method on the security info page by clicking Change next to Default sign-in method.