Tag Archives: Exchange Online

Office 365 Message Encryption OME

Office 365 Message Encryption (OME) is a Microsoft solution to send mail safely, fully encryption with multiple layers of protection. Instead of sending an email to a recipient via SMTP, the message is encrypted and stored on a Microsoft viewing portal. An informational message is sent to the recipient with a one-time password which the recipient can use to logon to the viewing portal and read the (decrypted) message as shown in the following picture:

Office 365 Message Encryption Overview

To configure OME you have to enable Azure Rights Management first. To do this, open the Office 365 Admin portal and select Settings | Services & Add-ins. In the details pane select Microsoft Azure Information Protection. Click Manage Microsoft Azure Information Protection Settings as shown in the following screenshot:

Enable Azure information Protection

Click Activate and after a few moments you will see a confirmation.

Azure Rights Management is activated

If you open Exchange Online Powershell and execute Get-IRMConfiguration you will see that AzureRMS is enabled as shown in the screenshot below. Please note that the LicensingLocation is empty, this is important in subsequent steps.


According to Microsoft documentation you should now be able to test the IRM configuration using the Test-IRMConfiguration command, but this will fail with a “Failed to acquire RMS templates” error as shown in the following screenshot:

Test-IRMConfiguration Fails

The reason for this (took me some time to figure out) is that the LicensingLocation property is empty. To populate this property, we can retrieve the correct value from the Azure AD Right Management service using PowerShell. This can be installed using the Install-Module AIPService command.

After installing, open the Exchange Online PowerShell module and execute the following commands:

PS C:\> $RMSConfig = Get-AadrmConfiguration

PS C:\> $RMSConfig

PS C:\> $LicenseUri = $RMSConfig.LicensingIntranetDistributionPointUrl

PS C:\> $LicenseUri

PS C:\> Set-IRMConfiguration -LicensingLocation $LicenseUri

PS C:\> Set-IRMConfiguration -InternalLicensingEnabled $true

Note. The only reason for executing the $RMSConfig and $LicenseUri commands is to check is there are any values in these variables. The output is shown in the following screenshot:


When you execute the Test-IRMConfiguration command again you will see it succeeds:


So how do you know this works?

The easiest way is to use OWA. To create an additional “encrypt” button in OWA, execute the following command in the Exchange Online PowerShell window:

PS C:\> Set-IRMConfiguration -SimplifiedClientAccessEnabled $true

Now when creating a new message in OWA this button is clearly visible. Send a new message (to your own test account for example in Gmail) and click the Encrypt button. A message will appear that this message is encrypted, nice to know, the recipients cannot remove the encryption, only the sender of the message can change this. You can use the change permissions button to change it from encrypt only to do not forward or confidential.

Encrypt button in OWA

After a few second the email will appear in Gmail, but not directly. You have to open the decrypted message on the viewing portal. A one-time password can be used (which is sent to the same email address, i.e. the Gmail address we used here) or you can use the Gmail account to logon. The latter is also true if the recipient is a hotmail mailbox or even nicer, an Office 365 mailbox.

OME in Gmail

When you click Read the message it will be opened on the viewing portal.

view ome

A message is displayed again that this is an encrypted message. When you reply to the message, an encrypted message is returned to the original sender. If you have selected do not forward in the permissions drop down box earlier, the recipient does not have this option and can only reply to the message.

It also works fine in Outlook (I have tested this with Outlook 2016 Click-2-Run, still have to test other versions). If you create a new message and select Options, you can select Connect to Rights Management Server and get templates under Permissions as shown in the following screenshot:

Outlook Connect to Rights Management Server

This will retrieve the RMS templates from Exchange Online that were created earlier in this blog post. In a few seconds you will see the following options:

  • Encrypt Only
  • Do not forwards
  • Confidential
  • Confidential View Only

Outlook Set permissions on this item

When you select Encrypt Only  as shown in the following screenshot an encrypted message will be sent to the intended recipient:

Outlook Encrypt Only

From this point the behavior will be the same as with Outlook Web App as discussed earlier in this blog post.


Outlook Message Encryption as outlined in this blog post is a way to send encrypted messages to recipients. It’s not encryption in transit like TLS or S/MIME, but the encrypted message is stored on a Microsoft server. The recipient will receive an email that an encrypted message is waiting, and the recipient can logon to a special website using a one-time password (or using a Microsoft or Gmail account).

Since the RMS (Rights Management Service) templates are used it is also possible to use additional features like do not forward (the forward button is greyed out) or tag a message as confidential. This can be used in combination with transport rules to add additional features or mail flow when it comes to confidential information, functionality that’s not available when using good old email.

Connecting to remote server outlook.office365.com failed

In a previous blog I explained how to enable MFA for Admin accounts. This is a great security solution, but unfortunately it breaks Remote PowerShell for Exchange Online.
When you try to connect to Exchange Online using the following commands:

$Cred= Get-Credential
$Session= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/PowerShell-LiveID -Credential $Cred -Authentication Basic -AllowRedirection

It fails with the following error message:

New-PSSession : [outlook.office365.com] Connecting to remote server outlook.office365.com failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:11
+ $Session= New-PSSession -ConfigurationName Microsoft.Exchange -Connec …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (System.Manageme….RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed

As shown in the following screenshot:


To overcome this issue, Microsoft has a special Exchange Online PowerShell module that supports Multi Factor Authentication. You can download this from the Exchange Admin Center in Exchange Online by selecting hybrid in the navigation pane as shown in the following screenshot:


Click Configure followed by Open to download and start the setup application. Click Install to continue. The Exchange Online PowerShell module will be automatically installed in seconds and when finished it will automatically open a PowerShell window as shown in the following screenshot:


You can now use the Get-EXOPSSession -UserPrincipalName admin@tenant.onmicrosoft.com command to logon to Remote PowerShell. A separate windows will be opened requesting your tenant credentials, followed by the MFA option you’ve configured.

If all is entered correctly the Remote PowerShell for Exchange Online is opened with MFA enabled.


Cannot find a recipient that has mailbox GUID when moving from Exchange Online to Exchange 2016

When moving mailboxes from Exchange Online to Exchange 2016 on-premises in a hybrid environment, the move fails with an error “Cannot find a recipient that has mailbox GUID ‘ ‘


The error is listed here for Search Engine purposes:

Error: MigrationPermanentException: Cannot find a recipient that has mailbox GUID ‎’add02766-9698-48e6-9234-91c3077137bc’. –> Cannot find a recipient that has mailbox GUID ‎ add02766-9698-48e6-9234-91c3077137bc ‎’.
Report: bramwess@exchangelabs.nl

When checking the user account with ADSI Edit in the on-premises Active Directory it is obvious that this property is empty:


When checking the Mailbox in Exchange Online (using Remote PowerShell) the Exchange GUID is visible when using the command

Get-Mailbox -Identity name@exchangelabs.nl | Select Name,*GUID*

As shown in the following screenshot:


It took me some time to figure out why this property was empty. Normally when moving mailboxes from Exchange on-premises to Exchange Online the Mailbox GUID is retained. Keeping the Mailbox GUID makes sure you don’t have to download the .OST file again after moving to Exchange Online.

What happened here is that the user was created in Active Directory on-premises, and a Mailbox was directly created in Exchange Online using the Enable-RemoteMailbox command. In this scenario, there never was a Mailbox on-premises and thus never a Mailbox GUID.

The solution is to copy and paste the Mailbox Guid as found in the previous command into the Remote Mailbox object on-premises using the Set-RemoteMailbox command

Set-RemoteMailbox user@exchangelabs.nl -ExchangeGuid “copied value”

As shown in the following screenshot:


When setting the Mailbox Guid the mailbox can be moved from Exchange Online to Exchange on-premises.

Ps. Don’t forget to repeat this for anchive mailbox (if one exists)

MigrationTransientException: Target database GUID cannot be used (Mailbox database size limits in Exchange Online)

If you are designing Exchange 2016 (or have been designing Exchange 2013) environment you are aware of the The Exchange 2016 Preferred Architecture (https://blogs.technet.microsoft.com/exchange/2015/10/12/the-exchange-2016-preferred-architecture/) and articles like Ask the Perf Guy: How big is too BIG? (https://blogs.technet.microsoft.com/exchange/2015/06/19/ask-the-perf-guy-how-big-is-too-big/) which explain pretty much how to design an Exchange solid (and large) Exchange environment.

When it comes to Mailbox databases, the recommended size limit for non-replicated databases is 200GB and for replicated databases 2 TB (when running 3 or 4 copies of a Mailbox database).

One can only guess how Microsoft has designed their Exchange servers in Exchange Online, but we can assume that the Preferred Architecture is written with their Exchange Online experiences in mind.

Sometimes error messages that are generated in Exchange Online can reveal more information. While moving mailboxes from Exchange 2010 to Exchange Online in a hybrid configuration the following error message was returned in a migration batch for a number of Mailbox databases:

Error: MigrationTransientException: Target database ‎’07bdf507-ab94-479b-aeb6-1bfef1458c4c‎’ cannot be used: Current database file size: 1502835900416 Current space available inside database: 100237312 Allowed database growth percentage: 90 Maximum database file size limit: 1622722691784 Is database excluded from provisioning: ‎’False‎’. –> Target database ‎’07bdf507-ab94-479b-aeb6-1bfef1458c4c‎’ cannot be used: Current database file size: 1502835900416 Current space available inside database: 100237312 Allowed database growth percentage: 90 Maximum database file size limit: 1622722691784 Is database excluded from provisioning: ‎’False‎’.

Obviously it’s telling us the migration cannot proceed since the target Mailbox (in Exchange Online!) has reached its size limit. The following sizes are reported:

  • Current database file size: 1502835900416 (1,502,835,900,416 bytes, approx. 1.5TB)
  • Current space available inside database: 100237312 (100.237.312 bytes, approx. 100MB)
  • Maximum database file size limit: 1622722691784 (1.622.722.691.784 bytes, approx. 1.6 TB)

So, the maximum size limit for Exchange 2016 in Exchange is not really used in Exchange Online, but it’s getting close, which is interesting to see.

What I don’t understand is why this issue occurs in the first place. To me it looks like a failing part in the provisioning service but I have to admit I’ve never seen this before in the last couple of years so I expect it’s only one Exchange server that’s failing here.

Exchange Online PowerShell multi factor authentication (MFA)

It’s a good thing to enable multi-factor authentication (MFA) for Office 365 administrators. For web based management portals this is not a problem, just enter your username and password, wait for the text message to arrive, enter it in the additional dialog box and you’re in.

For PowerShell this has been more difficult, but MFA for PowerShell is available as well for some time now. When you login to the Exchange Admin Center and select hybrid in the navigation pane you can configure a hybrid environment (first option) or install and configure the Exchange Online PowerShell MFA module.

Click on the second configure button, and in the pop-up box that appears click Open to start the installation of the PowerShell module:


Continue reading Exchange Online PowerShell multi factor authentication (MFA)