This is just a quick one. Most Office 365 admins will hopefully have a separate admin account to perform higher level tasks, compared to their normal user account.
Because of this, the admin accounts shouldn’t need any licensing, because they’re not being used like a normal user. One person shouldn’t need to have two sets of licenses – but there are some problems that can come up because of this.
For example, if you want to use your admin account to access someone’s mailbox, that can be difficult when you don’t have a mailbox yourself to log onto, to then open another user’s mailbox. Outlook can be used to work around this, where you set up a profile for the email address of the user you want to access, but enter your admin credentials when prompted:
The above works OK, but is a little time consuming if you’re accessing a mailbox for a quick check.
If you try to go to Outlook Online, you’ll get a message saying your admin account doesn’t have a license or a mailbox. To get around this, you’ll need to use a URL like:
If you’ve noticed this option in Outlook, you might wonder where it comes from:
On a new/reply email window in Outlook, under the ‘Options’ tab is a button called ‘Permission’ (which in the future based on the time of writing, is changing to be called ‘Security’). This by default has three or four options, which seem to be dependent on the version of Outlook being run (MSI vs CTR). Click To Run has another called ‘Encrypt-Only’ which I haven’t tested yet.
These options are actually using Azure Information Protection (AIP) to encrypt your email. That’s a giant topic in itself, but the one liner is that wherever you send an encrypted email to, needs to sign in to view the message. In some scenarios this works seamlessly, such as sending to an external user also using Exchange Online. In other scenarios they’ll need to click a button to log in and view the email via their browser.
The ‘Tenant name – Confidential’ and ‘Tenant name – Confidential View Only’ are default AIP labels. You can view/edit these by going to your Azure portal and looking under Azure Information Protection > Classifications > Labels.
As you’ll see in the screenshot above, the two labels I mentioned are listed, and you can go into those and disable them if you don’t want them to appear for your users (there’s a toggle for ‘Enabled’ set to ‘On’, set that to ‘Off’). You could also completely disable Azure Information Protection, but that might cause you other problems if you want to use AIP in any way.
You might be wondering why you’d want to turn these off, encryption and security is good right? You might not be ready for users to start using this yet for support reasons, you might have a different method of securing emails, or you might be using a 3rd party backup system. That backup system won’t be able to read encrypted emails by default – so unless you can get that working somehow, you will only have copies of emails that contain a link to the actual content that require the right access to get to the contents – not a true backup.
Getting back to the title of this article – Do No Forward. If you’re at this stage, you may have noticed that it’s not actually a label listed. As covered in this documentation, it’s inbuilt rather than being a customisable policy, template or tag.
You can turn off this single function in the Azure portal under Azure Information Protection > Policies > Policy: Global and toggling the ‘Add the Do Not Forward button to the Outlook ribbon’ to Off:
There is a registry trick to disable this from Outlook too, which was given to me by Microsoft Support:
Open registry key editor: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\DRM 14.0 = 2010 15.0 = 2013 16.0 = 2016 2.On the Edit menu, point to New, and then click DWORD (32-bit) Value.
Type DisableDNF, and then press ENTER.
In the Detailspane, right-click DisableDNF, and then click Modify.
In the Value databox, type 1, and then click OK.
Exit Registry Editor.
This will at least grey out the option so it can’t be used. The option will still be usable in Outlook via Web, and if I find a solution to that I’ll update this post. As far as I know at this stage, it can’t be hidden or removed.
Update: It’s possible to hide this in OWA also.
The ‘Encrypt’ or ‘Protect’ button (Right now I see different options in different tenants) can be hidden with this PowerShell command:
For a very long time, users have been able to manage email group members via the Outlook client. Going into the Address Book, finding the group in the Global Address list, going into Properties and choosing ‘Modify Members’:
From there, someone can add or remove members as long as they’d been added to the “Managed By” field against the object in Active Directory, as well as ticking the box “Manager can update membership list” below it.
Easy! Except, that no longer works if the user is in Exchange Online, and the Email Group is from on-premises AD rather than Azure AD/Office 365. It’s not supported. This problem has been around for a while, back in 2015 Perficent wrote about this same topic. The options given for managing these groups are:
Exchange Admin Center
Exchange Management Console
Exchange Management Shell
None of those are what you want your standard users touching in my opinion – although you can give someone access to the Exchange Admin Center and only see the distribution groups they own – but for me, I’m still on Exchange 2010 so this isn’t an option. This leaves you with a few options:
1. Change all your email groups to Cloud based groups. If this makes sense for you, doing this will let the manager of a cloud based group add/remove members via the Outlook Address Book. You can also look at changing distribution groups over to Office 365 Groups (which are also cloud based), which give a whole bunch of different features beyond a what a distribution group can do, while giving the same standard DG experience.
2. Make all requests come through to IT so you can make the changes yourself. Not great for anyone involved, as it’s double/triple handling something where the user could quickly do it themselves.
3. Create Dynamic Distribution Groups and let automation do it’s thing – which will work for some, but exceptions to rules and the inability to see who’s in a group can make this frustrating for some.
4. Provide another way for staff to change group members themselves.
I’ve gone with option 4 – as I’m a big fan of Adaxes which I’ve written about a few times on my blog before, and they have a nice way of giving users a web interface that only lets staff manage the groups they’re the owner of.
There’s other ways to do this as well of course and other 3rd party solutions that can expose ways of adding/removing members of a on-premises distribution group – but remember there could be up to a half hour delay in syncing the change from AD to AAD via Azure AD Connect. If possible, look at adding a trigger at the end of a group change to do a delta sync:
Start-ADSyncSyncCycle -PolicyType Delta
That’ll be the quickest way to get the change up quickly, as staff may be used to the change working immediately.
There’s a lot to consider on how you’ll manage this, so make sure it’s sorted before you migrate – or expect a lot more tickets going through your helpdesk.
The article above has a step by step guide for scanning Outlook for problems. It takes a few minutes to run, but will identify a bunch of possible issues you may have. But, from the results I see, I’d say everyone should run this tool regardless!
For example, my scan came up with this as one of the issues found:
The link goes here which then goes into details about the problem. I had noticed in Outlook 2016 by default, that users had sometimes mentioned they could no longer delete items from mailboxes they only had Inbox access to, and I assumed this was a change in behavior from Outlook 2010. This tells you how to toggle that setting if you’d rather the deleted items go to the other person’s mailbox, which removes the need for the delegate to have access to someone else’s deleted items.
If I’d run this at the start of the Office 2016 deployment during testing, it would have given me a better idea of potential issues that might come up. Here’s another one:
That’s not ideal at all! Again the link goes into more detail and this one seems really important –
When you use double quotation marks to search a restrictive phrase in an online archived mailbox, a mailbox in online mode, or a mailbox in hybrid mode in Outlook, you receive unexpected search results.
Since it was patched in 2010 and 2013, but 2016 needs a registry change to fix it (why would they not just change the registry value in 2016 with an update?). This is something that may never get picked up without running this utility.
I’ve now got some work ahead of me to go through the rest of the issues from my scan, do testing and hopefully improve things. I’ve only looked at the Outlook component so far, and there’s other scans I’ll also need to try. Check it out and hopefully it’ll help you too.
After migrating to Outlook 2016 from 2010, I noticed this inconsistency.
If you use secondary mailboxes in Outlook, you’re probably going to want them in Online Mode rather than Cached Mode. With Cached Mode on, you’ll have an OST file created for each extra mailbox you add, and you’ll hit performance issues if you have over 500 folders over all mailboxes added to the account.
One of the ways to avoid these performance issues is turning off ‘Download shared folders’ in the mailbox settings:
This can be done manually, or company wide with the Group Policy setting “Disable shared mail folder caching” found in User Configuration / Administrative Templates / Microsoft Outlook 2016 / Outlook Options / Delegates. Enabling this will disable and grey out the option as per the screenshot above.
However, I was previously doing this through a registry setting ‘CacheOthersMail’ under HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\outlook\cached mode with the value set to 0. This worked on Outlook 2010 fine I believe, but in 2016 it did something slightly strange. Although clicking on a secondary mailbox’s folders showed they were in Online Mode with the status bar status of ‘Online’, the ‘Download shared folders’ tickbox was still enabled. I’ve confirmed this on both CTR and MSI versions of Office 2016.
At first I thought nothing of this, as it seemed to be working as intended. However, after a while I worked out that having it configured this way lead to performance issues, and people who had over 500 folders had cases where the inbox would stop updating. Changing the tickbox setting resolved the issue, despite the secondary mailboxes before and after this showing as ‘Online’. I didn’t dig into this any further so I can’t explain what was actually going on, but at a guess it was still doing some sort of sync or connection on each folder despite it being in Online Mode.
My advice is – make sure the ‘Download shared folders’ tickbox is off rather than just checking that the folders show as being ‘Online’. If you really need a secondary mailbox in cached mode but want to disable it by default, you could add it as a seperate mailbox account which will have it’s own cached mode settings.