Outlook

Outlook Search Results Won’t Delete

I ran into this issue when migrating users to Exchange Online, while running Outlook 2016 MSI 32 bit.

Once a user is on Exchange Online, Outlook starts leveraging the power of FAST search. This search occurs on the Exchange Online end, rather than the device end, and is designed to give quicker results while being more reliable than Windows Desktop Search. There’s a great write-up on this on Microsoft’s TechCommunity that goes into much more detail.

It does depend what sort of search you do as to whether it’ll use FAST or Windows Desktop Search too, but the most basic of searches will use FAST. There’s also timeouts and speed checks that can force it to fail back to Windows Desktop Search.

However, there are some catches with this search from my testing. If you do an email search and decide to delete one of the emails in the results, it appears that nothing has happened. You can delete and delete, right click, press the delete key, click the X to delete and it all appears to do the same – nothing. In the background though, it has actually deleted your email, it just doesn’t display this in any way. It’s like the search results are a static result and won’t update on an action like this.

This behavior can be confusing for a user, especially when they’re used to seeing emails disappear and react when something’s done to them.

There’s another catch that depending on your environment, might be more of a deal breaker. If you use the category field, flag, or extra fields, for example when filing a document into a DMS system, those aren’t displayed or updated in a FAST search. If your users need this to effectively manage their emails, then it’s worth looking at just disabling FAST search via Outlook altogether.

As mentioned in the above post and this Technet article, there’s a single registry setting that can disable FAST search:

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Search

Value name: DisableServerAssistedSearch

Value type: REG_DWORD

Value: 1

A restart of Outlook is needed after this change, and users won’t be alerted of anything different. Search will just start using Windows Desktop Search (which was always running anyway) and not know any better.

Access An Exchange Online Mailbox Without a License

This is just a quick one. Most Office 365 admins will hopefully have a separate admin account to perform higher level tasks, compared to their normal user account.

Because of this, the admin accounts shouldn’t need any licensing, because they’re not being used like a normal user. One person shouldn’t need to have two sets of licenses – but there are some problems that can come up because of this.

For example, if you want to use your admin account to access someone’s mailbox, that can be difficult when you don’t have a mailbox yourself to log onto, to then open another user’s mailbox. Outlook can be used to work around this, where you set up a profile for the email address of the user you want to access, but enter your admin credentials when prompted:

Your Name is just a display name field, email address needs to be the user’s email. Don’t enter a password here and click ‘Next’
This login page will start by showing the user’s email address, use the option ‘Sign in with another account’ and use your admin account.

The above works OK, but is a little time consuming if you’re accessing a mailbox for a quick check.

If you try to go to Outlook Online, you’ll get a message saying your admin account doesn’t have a license or a mailbox. To get around this, you’ll need to use a URL like:

https://outlook.office.com/owa/user@mydomain.com/?offline=disabled

so it jumps straight to that user’s mailbox, assuming you have access rights to it, and have waited a few minutes for the rights to apply.

Using the URL method is really quick way of accessing another user’s mailbox without needing a license yourself.

Hide ‘Do not forward’ in Outlook

If you’ve noticed this option in Outlook, you might wonder where it comes from:

On a new/reply email window in Outlook, under the ‘Options’ tab is a button called ‘Permission’ (which in the future based on the time of writing, is changing to be called ‘Security’). This by default has three or four options, which seem to be dependent on the version of Outlook being run (MSI vs CTR). Click To Run has another called ‘Encrypt-Only’ which I haven’t tested yet.

These options are actually using Azure Information Protection (AIP) to encrypt your email. That’s a giant topic in itself, but the one liner is that wherever you send an encrypted email to, needs to sign in to view the message. In some scenarios this works seamlessly, such as sending to an external user also using Exchange Online. In other scenarios they’ll need to click a button to log in and view the email via their browser.

The ‘Tenant name – Confidential’ and ‘Tenant name – Confidential View Only’ are default AIP labels. You can view/edit these by going to your Azure portal and looking under Azure Information Protection > Classifications > Labels. 

As you’ll see in the screenshot above, the two labels I mentioned are listed, and you can go into those and disable them if you don’t want them to appear for your users (there’s a toggle for ‘Enabled’ set to ‘On’, set that to ‘Off’). You could also completely disable Azure Information Protection, but that might cause you other problems if you want to use AIP in any way.

You might be wondering why you’d want to turn these off, encryption and security is good right? You might not be ready for users to start using this yet for support reasons, you might have a different method of securing emails, or you might be using a 3rd party backup system. That backup system won’t be able to read encrypted emails by default – so unless you can get that working somehow, you will only have copies of emails that contain a link to the actual content that require the right access to get to the contents – not a true backup.

Getting back to the title of this article – Do No Forward. If you’re at this stage, you may have noticed that it’s not actually a label listed. As covered in this documentation, it’s inbuilt rather than being a customisable policy, template or tag.

You can turn off this single function in the Azure portal under Azure Information Protection > Policies > Policy: Global and toggling the ‘Add the Do Not Forward button to the Outlook ribbon’ to Off:

There is a registry trick to disable this from Outlook too, which was given to me by Microsoft Support:

Open registry key editor:
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\DRM
14.0 = 2010
15.0 = 2013
16.0 = 2016
2.On the Edit menu, point to New, and then click DWORD (32-bit) Value.

Type DisableDNF, and then press ENTER.

In the Detailspane, right-click DisableDNF, and then click Modify.

In the Value databox, type 1, and then click OK.

Exit Registry Editor.

This will at least grey out the option so it can’t be used. The option will still be usable in Outlook via Web, and if I find a solution to that I’ll update this post. As far as I know at this stage, it can’t be hidden or removed.

Update: It’s possible to hide this in OWA also.

The ‘Encrypt’ or ‘Protect’ button (Right now I see different options in different tenants) can be hidden with this PowerShell command:

Set-IRMConfiguration -SimplifiedClientAccessEnabled $false

Although this hides the option, there’s also a ‘Set Permissions’ menu options in the ellipsis that can be hidden with this PowerShell command:

Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -IRMEnabled $false 

Those two together should stop any user being able to encrypt an email themselves via OWA.

Finally, you could look at completely disabling rights management in all forms on Azure Active directory, which can be done here:

https://account.activedirectory.windowsazure.com/RmsOnline/Manage.aspx?brandContextID=O365

Users Managing Email Groups and Exchange Online

For a very long time, users have been able to manage email group members via the Outlook client. Going into the Address Book, finding the group in the Global Address list, going into Properties and choosing ‘Modify Members’:

From there, someone can add or remove members as long as they’d been added to the “Managed By” field against the object in Active Directory, as well as ticking the box “Manager can update membership list” below it.

Easy! Except, that no longer works if the user is in Exchange Online, and the Email Group is from on-premises AD rather than Azure AD/Office 365. It’s not supported. This problem has been around for a while, back in 2015 Perficent wrote about this same topic. The options given for managing these groups are:

  • Exchange Admin Center
  • Exchange Management Console
  • Exchange Management Shell

None of those are what you want your standard users touching in my opinion – although you can give someone access to the Exchange Admin Center and only see the distribution groups they own – but for me, I’m still on Exchange 2010 so this isn’t an option.  This leaves you with a few options:

1. Change all your email groups to Cloud based groups. If this makes sense for you, doing this will let the manager of a cloud based group add/remove members via the Outlook Address Book.
You can also look at changing distribution groups over to Office 365 Groups (which are also cloud based), which give a whole bunch of different features beyond a what a distribution group can do, while giving the same standard DG experience.

2. Make all requests come through to IT so you can make the changes yourself. Not great for anyone involved, as it’s double/triple handling something where the user could quickly do it themselves.

3. Create Dynamic Distribution Groups and let automation do it’s thing – which will work for some, but exceptions to rules and the inability to see who’s in a group can make this frustrating for some.

4. Provide another way for staff to change group members themselves.

I’ve gone with option 4 – as I’m a big fan of Adaxes which I’ve written about a few times on my blog before, and they have a nice way of giving users a web interface that only lets staff manage the groups they’re the owner of.

There’s other ways to do this as well of course and other 3rd party solutions that can expose ways of adding/removing members of a on-premises distribution group – but remember there could be up to a half hour delay in syncing the change from AD to AAD via Azure AD Connect. If possible, look at adding a trigger at the end of a group change to do a delta sync:

Start-ADSyncSyncCycle -PolicyType Delta

That’ll be the quickest way to get the change up quickly, as staff may be used to the change working immediately.

There’s a lot to consider on how you’ll manage this, so make sure it’s sorted before you migrate – or expect a lot more tickets going through your helpdesk.

Office Support and Recovery Assistant Tool

I was just made aware of this useful tool by Microsoft Support – the Microsoft Support and Recovery Assistant for Office 365 (also known as ‘SaRA’).

Even better, it’s not just for Office 365, other Office products can be scanned using this tool such as Outlook in Office 2010, 2013 and 2016.

The article above has a step by step guide for scanning Outlook for problems. It takes a few minutes to run, but will identify a bunch of possible issues you may have. But, from the results I see, I’d say everyone should run this tool regardless!

For example, my scan came up with this as one of the issues found:

The link goes here which then goes into details about the problem. I had noticed in Outlook 2016 by default, that users had sometimes mentioned they could no longer delete items from mailboxes they only had Inbox access to, and I assumed this was a change in behavior from Outlook 2010. This tells you how to toggle that setting if you’d rather the deleted items go to the other person’s mailbox, which removes the need for the delegate to have access to someone else’s deleted items.

If I’d run this at the start of the Office 2016 deployment during testing, it would have given me a better idea of potential issues that might come up. Here’s another one:

That’s not ideal at all! Again the link goes into more detail and this one seems really important –

Since it was patched in 2010 and 2013, but 2016 needs a registry change to fix it (why would they not just change the registry value in 2016 with an update?). This is something that may never get picked up without running this utility.
I’ve now got some work ahead of me to go through the rest of the issues from my scan, do testing and hopefully improve things. I’ve only looked at the Outlook component so far, and there’s other scans I’ll also need to try. Check it out and hopefully it’ll help you too.