Reasons not to move from on-premises Exchange to Office 365

As many readers will be aware, Microsoft’s Ignite conference starts in Atlanta on September 26, 2016. I am speaking at a number of sessions. Possibly my favorite is the opportunity to debate Greg Taylor from the Microsoft Exchange development group on the topic “The Top Ten reasons not to move your Exchange on-premises mailboxes to Exchange Online“. The debate will be chaired by Steve Conn, who might have quite a task on his hands as those who have seen Greg in action in the past understand how excited he can become. I’ll be the calm, logical one with the scintillating comments. Or not. We’ll just have to see.

In any case, we need to understand the reasons why people might choose to leave their mailboxes on-premises so that we can debate the rationale and reasoning. I’ve put together a list of the most common reasons I know of and would appreciate your help in recording others, if they exist. Please reply to this topic with your reason and we’ll add it to the mix.

I doubt that we will get to debate more than 10 topics during the 75-minute session… But you never know!

Thanks for your help

Follow Tony on Twitter @12Knocksinna.

Backup and recovery

  1. Microsoft uses Native Data Protection and doesn’t take backups of Exchange Online data. I like to have the security of backups, just in case an administrator or a user does something stupid – or we are hit by a ransomware attack and have to restore some mailboxes.

Stability and robustness

  1. Our Exchange 2013 infrastructure delivers better availability to our business than we believe is possible from Office 365, especially with all the horror stories we hear about multi-hour outages for essential components like AAD and EOP. The SLA results as reported by Microsoft are accurate for the entire service but don’t reflect the experience of individual tenants.
  2. Our server infrastructure is modern, we’re up to date with Windows Server, and we think we have a highly cost-effective platform for the next five years.
  3. Exchange 2013 and Exchange 2016 are feature-rich email servers already and Microsoft is doing a good job in transferring some excellent technology from the cloud, like Managed Availability, simplified DAGs, and automatic DAG activation. We don’t need anything else.
  4. Our Exchange admins are the best in the business and have our Windows servers humming beautifully. Why would we plunge into the unknown world of Office 365 and all its component parts?
  5. When a problem happens inside Office 365, it seems like no one knows what is really happening and you have to fall back on Twitter and Facebook to gain some insight into how widespread the problem is and when it might be resolved. That’s an unacceptable state of affairs for our business. In other words, monitoring and reporting for Office 365 to understand the current state of affairs on a minute-by-minute basis is poor when compared to what we can do inside an on-premises environment.
  6. We’ve heard that the Office 365 support is pretty poor at times and you have to wait before you can get to speak to someone who isn’t reading off a script and might actually be able to help. That’s a big concern when you consider moving from a tightly managed and well-supported on-premises environment.


  1. We want to use our own keys with Exchange and AAD RMS and Exchange Online doesn’t support BYOK. In other words, I don’t trust Microsoft to protect the privacy and security of my organization’s email and documents, if we let them own the encryption keys.
  2. The fact that the Office Graph records every interaction between Office 365 users is downright scary in a “big brother” kind of way. There’s no way that my users want or need to know the kind of information that Delve Analytics reports.


  1. My Microsoft sales person is selling Office 365 because they are compensated on that basis. They’re not interested in listening to our desire to remain on-premises and that makes us believe that the move to the cloud is great for Microsoft and probably less good for us.
  2. We don’t trust the costs cited by Microsoft for Office 365. You start off with a low monthly cost but then need to spend more to get the functionality that you really need, like AAD Premium or a high-end plan. We also think that you have to spend a lot of time managing licenses to make sure that you’re not overpaying for unused licenses.
  3. There’s no guarantee that Microsoft won’t increase the costs of all the bits we need to buy to create our Office 365 environment at a higher rate than inflation to achieve their goal of a $20 billion annual revenue run rate for commercial cloud products by mid-2018.
  4. Exchange is the fulcrum of an ecosystem we have constructed to serve business needs. To move to Office 365, we’d need to do a heap of redevelopment to make sure that Exchange Online delivers everything that we need. That work costs money.


  1. Giving users a standard 50 GB mailbox quota only encourages them to keep stuff that they should delete immediately. If we want to give 50 GB quotas, we can, especially now that storage costs are so low and Exchange 2016 does such a good job of supporting JBOD.
  2. We have users in some pretty remote places where Internet access is not great. The cloud’s not for us.
  3. Office 365 requires customers to keep software components at a far more recent level than we are accustomed to on-premises. It seems that we would be constantly updating Exchange 2016 to maintain support for a hybrid connection or Outlook to make sure that clients can connect to Exchange Online. That seems like a whole heap of effort for not a lot of return.
  4. The rate of change inside Office 365 is too rapid and challenging for our business users to cope with. No one wants to see a new client interface every three months. We like the stability and robustness we can assure through our own deployment.


  1. Public folders are all the collaboration tools that any reasonable person could want. It will take us forever to move the data out of public folders and to realign business processes around new types of collaboration tools. That’s a real hidden cost of migration both in terms of getting the work done and the business disruption. We just can’t take that cost on now.
  2. There seems to be a lot of SharePoint wrapped up in Office 365. Who wants to go near that stuff?

Out of the box thinking

  1. I do want to move to the cloud and am thinking about migrating from Exchange to
  2. We believe that Microsoft will fulfil their commitment to support Exchange 2016 until 2025. Why would we ever move until they stop supporting on-premises software?
  3. If we migrated to the cloud, Ross Smith IV and Greg Taylor would hate us very much and that would be no fun.
Posted in Cloud, Email, Exchange, Exchange Online, Office 365 | Tagged , , , , , , | 19 Comments

IT/DEV Connections 2016 – Enterprise Collaboration Track

As has been the case for a number of years now, I helped to select the sessions for the IT/DEV Connections conference, which takes place at the ARIA Hotel in Las Vegas on October 10-13. Given the content that will be covered, it might seem strange to run a conference so close to the Microsoft Ignite event. However, it’s easier to understand when you consider that:

  • Microsoft moved the date and location for Ignite from May in Chicago to September in Atlanta and forced Connections to adjust its mid-September date. The logistics and costs involved make it not an easy task to move large conferences and moving both resulted in the current dates.
  • Naturally, Ignite will be dominated by Microsoft news and updates about products and other marketing announcements. A great deal of product information will be presented also, but “in the best possible taste”. Don’t expect much critical analysis of the flaws of Microsoft products during Ignite sessions! On the other hand, IT/DEV Connections prides itself on the independent and knowledgeable perspective of its speakers. We certainly like Microsoft technology, but we want to expect the ifs, buts, and maybes of the technology as well so that people are fully-equipped to deploy. That’s why IT/DEV Connections is sometimes called the “Anti Kool-Aid” conference. I have never even seen Kool-Aid (to my knowledge) so this analogy fails on me, but there you are…
  • The flood of announcements and news from Ignite need some time to digest and make sense of in terms of what they mean for using different technologies. We hope to be able to help in that respect at IT/DEV Connections.
  • Ignite is on the East Coast; IT/DEV Connections is on the West. The ARIA is actually a very good conference hotel that is relatively well insulated from the madness of Las Vegas, if you want that to be the case. On the other hand, it’s also in the middle of the strip…

In any case, below you can find the full set of Enterprise Collaboration sessions planned for IT/DEV Connections. Some well known faces are on the schedule, including Mr. ExchangeServerPro (Paul Cunningham), Chris McNulty, J. Peter Bruzzese, Jeff Guillet (Expta), Benjamin Naulin, Michael Van Horenbeeck (Van Hybrid), Paul Robichaux, and Scot Hillier. The sessions cover everything from managing Exchange and SharePoint on-premises servers to Skype for Business. This year we made a deliberate decision to create a big set of sessions that address the question of how to effectively manage many aspects of Office 365.

I’m looking forward to the Wednesday “Bamboozle the Exchange Experts” session, which will feature the Exchange Server CXP (Customer Experience team),including such well-known speakers as Greg Taylor and Ross Smith IV. Please come along with the most obscure and horrible question you can think up between now and then.

We also have a number of new speakers this year. I wish them well. It’s hard to get up in front of an audience and explain your thoughts on technology (and hopefully make sense).

Join us in Vegas!

Tuesday Sessions

Tuesday, October 11, 8:00am-9:00am
Best Practices for Deploying and Managing On-Premises Exchange Server Paul Cunningham
Cloudbreaking – Business Intelligence Engineering for SharePoint 2016 and Office 365 Chris McNulty
Office Graph API & Delve, Unleash the Power Fabian Williams
Avoiding the Icarus effect: Office 365 Risk Mitigation J. Peter Bruzzese
Tuesday, October 11th, 9:15am-10:30am
Exchange Performance Disaster Recovery and Migration Troubleshooting Andrew Higginbotham
Migration (Exchange) to Office 365 Jaap Wesselius
Autodiscover is the Hero of the Exchange Motherland Jeff Guillet
Upgrade to SharePoint 2016 Matthew McDermott
Tuesday, October 11th, 11:00am-12:15pm
Automate Exchange deployment with PowerShell Desired State Configuration (DSC) Ingo Gegenwarth
Configuring a proper SMTP relay for Exchange on-premises and Exchange Online Jeff Guillet
Solving modern day business problems using Power Apps Fabian Williams
Architecting SharePoint 2016 Liam Cleary
Configuring SharePoint Hybrid Search Matthew McDermott
Tuesday, October 11th, 1:15pm-2:30pm
Delve Analytics and the rise of machine learning inside Office 365 Tony Redmond
Building Solutions with the Office Graph Liam Cleary
Message hygiene with Exchange Jaap Wesselius
Deep Dive into Cloud Hybrid Search Jeff Fried
Tuesday, October 11th, 3:00pm-4:15pm
Troubleshooting Exchange Server: Clients, Transport and Security Paul Cunningham
Figuring out this new collaboration with OneDrive, Groups and Team Sites Benjamin Niaulin
The Magnificent Seven: The do’s and don’t about Office 365 Migration J. Peter Bruzesse
Scripting Tasks in SharePoint Online with PowerShell and the REST APIs Alan Byrne

Wednesday Sessions

Wednesday, October 12th, 9:15am-10:30am
Exchange Virtualization Mistakes to Avoid Andrew Higginbotham
A day in the life of an Office 365 consultant Michael Van Horenbeeck
How to Leverage Office 365 Groups in the Enterprise Justin Harris
Data Loss Protection in SharePoint 2016 and SharePoint Online Liam Cleary
Wednesday, October 12th, 11:00am-12:15pm
Monitoring Office 365: What Works and What Doesn’t Paul Robichaux
Demystify OneDrive for Business – The Good and the Bad Benjamin Niaulin
SharePoint In the Clouds – Migrating to Azure and Office 365 Chris McNulty
Office 365 Migration and Administration for Small Businesses Andrew Higginbotham
Wednesday, October 12th, 1:15pm-2:30pm
Bamboozle the Exchange Experts Tony Redmond
Office 365 Governance and Information Architecture Martina Grom
Building Applications for Office 365 and SharePoint with Angular 2, TypeScript, and ASP.NET Core 1.0 Scot Hillier
Office 365 Connectors Toni Pohl
Wednesday, October 12th, 3:00pm-4:15pm
Managing five million Office 365 accounts using PowerShell and some other APIs Alan Byrne
Troubleshooting Exchange client connectivity Ingo Geganwarth
Office in the Outback – Using Office 365 as a Service for Field Mobility Applications Veli-Matti Vanamo
PowerApps, Flow and Logic Apps – what’s in and behind? Toni Pohl

 Thursday Sessions

Thursday, October 13th, 8:30am-9:45am
While You Weren’t Looking: going beyond Office 365 Paul Robichaux
How I design global voice solutions with Skype for Business Stale Hansen
Solving real-world problems with Azure Active Directory Premium Justin Harris
Business Value of Office 365 Adoption Martina Grom
Style Your Web Apps and Office & SharePoint Add-ins with the Office UI Fabric Andrew Connell
Thursday, October 13th, 10:15am-11:30am
Succeeding with Skype for Business Meeting Broadcast Stale Hansen
How Office 365 impacts merger and acquisition activities Joe Palarchio
Securing your Office 365 deployment with acronyms: how to leverage EDP, EMS, RMS and AAD! Michael Van Horenbeeck
Learning Angular2 to Building Office Add-ins Andrew Connell
Development for SharePoint Online using JavaScript Injection and Remote Provisioning Ted Pattison
Thursday, October 13th, 12:30pm-1:45pm
How Office 365 will give your security team heartburn and the relief you can provide them Joe Palarcho
Developers Introduction to the Power BI Platform Ted Pattison
Lessons from the Field: Applying Records Management in the Cloud Veli-Matti Vanamo
Experience from the field – How to use a Team Site effectively for Collaboration Benjamin Niaulin
Thursday, October 13th, 2:15pm-3:30pm
Office 365: Deployment and Management – Ask the MVPs Tony Redmond
Office 365: Programming and APIs – Ask the MVPs Scot Hiller

See here for more information on IT/DEV Connections.


Posted in Cloud, Delve, Delve Analytics, Email, Exchange, Exchange Online, Office 365, Office 365 Groups, SharePoint Online, Technology | Tagged , , , , , , , , , | 1 Comment

HTTP error 400 accessing Office 365


HTTP Error 400. Can’t access the Office 365 Portal

I recently hit a problem when attempting to access the Office 365 Portal with Chrome. Any attempt resulted in a HTTP Error 400 as shown above. The problem was confined to a single PC and a single browser on that PC as both IE and Edge were happy to connect to Office 365.

The wonders of Internet search quickly located some help and suggested that the issue was due to a corrupted cookie associated with the request.


Cookies used by

As obvious from the screen shot, connections to use a lot of cookies. There’s no way to say which of the 22 cookies might be corrupt, so the easiest and quickest fix is to delete the cookies and force the next connection to recreate whatever is needed. Do this by selecting the X opposite the set of cookies and then click Done.

Ten seconds later a connection was made and the problem resolved. Isn’t it great when things fall into place so easily!

Follow Tony @12Knocksinna

Posted in Office 365, Uncategorized | Tagged , | Leave a comment

The curse of badly written blogs

As a frequent blogger, I take great interest in other blogs, especially those who offer coverage of topics that interest me, such as Exchange and Office 365, or even military history, if it comes to that. Recently, it seems that many of the blogs that cover Exchange (in particular) are not as strong as they were once.

The situation is worse with blogs that proclaim themselves to be “guru” or “expert”, a self-awarded status that is not merited or earned on the basis of the content offered.

Some of the published content is OK, if only it was not obscured by poor writing and opaque grammar. When I started to write articles and books about technology, my editors hammered home the lesson that I should always make sure that the reader knows what object is the actor in a situation. Scattering “it” into a sentence and expecting the reader to understand what “it” means in the presented context requires the mind of a lawyer.

Another horrible habit that is all too prevalent is the termination of a sentence without explaining a statement. Here’s an example of an opening sentence from a blog post that I selected at random:

Exchange 2016 and 2013 are processor hungry so it is very important to size the processors correctly.”

Two issues exist here. First, we have the leading statement that Exchange 2016 and Exchange 2013 are both processor hungry without any evidence being offered that this assertion is correct. Are these versions more demanding of processor power than Exchange 2010 is? If so, a citing of some reliable evidence provided by a competent party would be appropriate. In other words, it’s not good enough to make a statement and assume that the reader understands what “processor hungry” means without providing some way for the reader to understand why this condition exists. In addition, what processor does this statement refer to? I assume it’s a server CPU, but even that is somewhat nebulous given the current state of CPU technology when cores might be a more important issue to focus upon.

The next problem is the statement “it is very important to size the processors correctly.” First, no explanation is offered as to why such importance is attached to this activity. Will the world stop if we fail to size processors correctly? Or will the Exchange servers slow down a little, or a lot, or fail to operate at all? The writer would have done much better had some additional context been provided. For instance: “to ensure optimal performance, it’s important that any server running Exchange is correctly configured with properly-sized processor capacity.” OK, we use more words, but I suggest that the meaning is obvious.

I also hate failure to copy edit, especially because I often fall into this trap myself in an effort to get something out the door in time. However, it doesn’t take a lot of time to read text over to look for obvious flaws, such as the first letter of “Exchange” not being capitalized to tell us that the word refers to the server product rather than an interchange of some sort. Copy editing also identifies impenetrable sentences that are often a dump from the author’s mind. The text makes perfect sense to the writer but requires several readings before someone else can understand what’s going on. Take this example from the same article:

“This was my lab so we didn’t get any issue as load is minimum but try it in your production and let us know and give 5 starts to Marc if it helps.”

After several readings, I conclude that the meaning is:

The example shown above was run in my lab environment. No issue was encountered because of the minimum load placed on servers in that environment. You can try running the script in your production environment to see what results you obtain. Let us know how you get on and please do recognize the script author if you find that his work helps.”

Of course, the advice to run a script in a production environment is not the course of action that any experienced administrator would take. You should always test a script downloaded from the Internet in a sandbox environment to make sure that it cannot do anything harmful before you let it anywhere near production servers. The sentence cited above is a classic example of a throwaway remark that is badly thought through and badly formatted that could lead to someone doing something that they regret, all because they read some advice contained in a blog.

Please don’t stop writing blogs. It’s great to share your experience and knowledge with others. But please remember that your work will be so much better if you are clear, concise, and accurate. You’ll benefit by writing better and your readers will absolutely benefit from your work. It’s a win-win situation.

Follow Tony on Twitter @12Knocksinna

Posted in Exchange, Writing | 2 Comments

Updated version of the Outlook Groups apps available

Microsoft has released updated versions of the Outlook Groups apps. The apps don’t have anything much to do with Outlook but are named as such as to create an association with the brand. In reality, these apps are all about Office 365 Groups and allowing users mobile access to threaded conversations and documents stored in group document libraries. Access is currently unavailable to group calendars, but event notifications for group meetings do arrive in the app.

I’ve been playing around with the version available for Windows 10 Mobile on my Lumia 950 XL. The new Files interface (below) is attractive and looks very much like the Delve app.


Files in an Office 365 group document library

Here’s what the opening screen looks like after you sign into Office 365, Favorite groups are shown first followed by groups that the user has joined. If you press and hold a group name, the option to Pin the group to the home screen is revealed, which is a nice way to create a short-cut to a particular group.  The Discover option uses data held in the Microsoft Graph to determine what other groups the user is most likely to want to join based on common interests and membership.


Listing of Office 365 Groups

Overall, I like the new interface very much. And because it is new, we’ve had to update the information about the Outlook Groups app in Chapter 9 of “Office 365 for IT Pros”. The updated content is in the June 18 version of the eBook. Our change log details all of the changes made to Office 365 for IT Pros. Copies of the book are available on (PDF and EPUB versions) and Amazon (Kindle).

Follow Tony on Twitter @12Knocksinna

Posted in Cloud, Email, Office 365, Office 365 Groups | Tagged , , , , | Leave a comment

Office 365 for IT Pros (3rd edition) – Change Log for Updates

Office 365 for IT Pros is intended to be a “living” book. In other words, the content we published when the book first appeared on June 1, 2016 is under constant review in light of developments that occur, typos and other issues that we find and fix, and comments that come in from readers. Depending on the demand of other work and the importance of new information, we might build new versions of the book on a daily or weekly basis.


Viewing the date that the book was updated (EPUB version)

The current version of the book is dated 20 February 2017. Updates are provided free of charge to those who bought the third edition. The exact mechanism depends on where you purchased the book.

  • If you buy from (the new name for and registered an account with that site, you can download free updates (PDF and EPUB formats) for the edition that you purchase from the site.
  • If you buy a Kindle version from Amazon, you can download free updates from You do this from the Amazon site by going to Manage Content and Devices, select the book, and click on Update Available. Amazon can sometimes be slow at making updates available through this route (they want to avoid lots of extra downloads, so they force authors to go through hoops before they release an update). If an update doesn’t show up, you might have to ask Amazon support to delete the entry in your list and get a refreshed copy of the book.
  • Free updates are not available to people who receive copies distributed by third parties. We provide updated content to companies who buy from us in order that they distribute the latest available text, but we don’t have a way to reach those who receive books in this manner thereafter.

Here’s the list of the changes made to date. The number of changes across multiple chapters gives you an idea of how hard it can be to keep up with technology updates inside Office 365…

Chronological updates

Date Chapter Change
20 Feb 1 (Introduction) Amended text covering how uses the Office 365 infrastructure.
20 Feb 8 (Other mail enabled objects) Note that Microsoft really wants tenants to create new Office 365 Groups instead of traditional distribution groups and how they have changed the EAC UI to nudge admins along the path.
20 Feb 9 (Groups) Hidden group membership is supported, but only if you create a group with PowerShell (New-UnifiedGroup). But you cannot change the membership visibility afterwards.
20 Feb 12 (Addressing)) Minor corrections and clarifications.
20 Feb 22 (Delve) Delve search updated to incorporate intelligence from Office Graph.
13 Feb 1 (Introduction) New format for Office 365 Roadmap.
13 Feb 3 (Identities) Section added on how to manage user access to Office 365 tenants.
13 Feb 5 (Managing Office 365) Changes to the description about the Service Health Dashboard.
13 Feb 9 (Groups) Set-UnifiedGroup parameter to hide the membership of a group no longer available. In addition, noted that the Outlook for Mac 2016 client is going into preview with Office 365 Groups support.
13 Feb 20 (IRM) Unified Azure Information Protection client is now available.
13 Feb 23 (Doing More) OneDrive for Business Admin console is now generally available and accessible through the Office 365 Admin Center.
6 Feb 1 (Introduction) Guidance from Microsoft that changes shown in the Message Center are authoritative for a tenant; the roadmap is general guidance.
6 Feb 7 (Mailboxes) Exchange Online now includes an archive folder in its default set.
6 Feb 9 (Groups) Added content explaining how to modify sharing behavior for a site to permit sharing of files with people who are not guest users.
6 Feb 22 (Delve) Mention the importance of the Search Foundation to Delve.
6 Feb 23 (Doing more) Mention script that can disable Sync button for document libraries and prevent users synchronizing from those libraries.
30 Jan 1 (Introduction) German Office 365 datacenters began to deliver service on January 24, 2017.
30 Jan 2 (Making the chance) Slight changing in wording from Microsoft about tenant ownership of data,
30 Jan 4 (Migration) Adjusted availability for the Office 365 Import Service.
30 Jan 5 (Managing Office 365) A tenant can ask for a weekly email digest of message center updates to be sent to up to three tenant administrators (or other email addresses)
30 Jan 7 (Managing mailboxes) New deployment schedule for Outlook clients to support the Focused Inbox feature.
30 Jan 8 (Mail-enabled objects) Adjusting the recipient filters for dynamic distribution groups created some time ago – and how to exclude external guest users from these filters. In addition, some extra detail is provided in the section covering how to prevent users being able to create email distribution groups.
30 Jan 9 (Office 365 Groups) Rewrote section on creating a new Office 365 Group from the Office 365 Admin Center to clarify and expand the content. Also, reflect the general availability of the new OneDrive for Business synchronization client from January 24. Added section showing how to remove a user from membership of all groups in a tenant. Finally, the EAC now supports the GUI to allow the Send As and Send On Behalf Of permissions to an Office 365 Group.
30 Jan 15 (Managing Clients) Office 2013 ProPlus support ends on February 28, 2017.
30 Jan 17 (eDiscovery) January 25 announcement that Microsoft will block creation of new workload-specific eDiscovery searches and holds from July 1 2017
30 Jan 18 (Security & Compliance) Content searches take over from workload-specific searches from July 1, 2017.
30 Jan 23 (Doing more) Update text for the general availability of the new OneDrive for Business synchronization client from January 24. Also, add note about cached credentials that might interfere with OneDrive synchronization. Rewrote section on SharePoint sites.
23 Jan 1 (Introduction) Applications previously available for enterprise customers are now available for U.S. government customers.
23 Jan 2 (Making the decision) Note about issue for Chrome browsers when SharePoint sites were deemed insecure.
23 Jan 3 (Identities) Be specific that the Office 365 Admin Center edit account option can change the UPN for an account (recent changes make it work slightly differently)
23 Jan 5 (Managing Office 365) Details provided about how to manage the StaffHub application.
23 Jan 7 (Managing mailboxes) Clarification about what Exchange Online plans have 100 GB mailbox quotas.
23 Jan 9 (Office 365 Groups) Minor clarifications about creating a connector for a group. New OWA behavior for deleting conversations and replies within conversations. OWA can now include the contents of group mailboxes in its searches. Added text about using Groups with Skype for Business.
23 Jan 10 (Group-enabled apps) Disabling Skype for Business notifications within Teams. Also, Teams can now be licensed to individual users.
16 Jan 1 (Introduction) Rewrote part of Mobile Office 365 section. Included StaffHub in the list of mobile apps.
16 Jan 5 (Managing Office 365) Inserted information about the update to AvePoint DocAve backup software to provide support for Outlook groups. Also, fix some irritating “reference source not found” problems.
16 Jan 7 (Mailboxes) Note about the OWA Undo Send feature.
16 Jan 9 (Office 365 Groups) What to do if an external guest user object does not work. Also, changing site information and access for group members.
16 Jan 10 (Group-enabled apps) Changed title of the chapter to accommodate the inclusion of new material about the StaffHub application. Reordered and reorganized content.
16 Jan 13 (Hybrid recipients) Updated guidance on how to handle Office 365 Groups in a hybrid environment.
16 Jan 18 (Security and Compliance Center) New section added describing how to use PowerShell to manage the components of eDiscovery cases. Also, add a reference to a Microsoft white paper that describes how their litigation department uses Office 365 eDiscovery. Finally, fix some bugs in the description of SRPs.
9 Jan 5 (Managing Office 365) Addition of the Secure Score service. Update for custom tiles to use the new-style App Launcher.
9 Jan 9 (Groups) The introduction of Yammer-based Office 365 Groups means that Groups is now more of a service than an application. The text in the chapter is adjusted to make this point and to clarify when referring to Outlook Groups, which use Exchange to hold their discussions.
9 Jan 20 (Rights Management) Small adjustments to text published on 3 Jan.
9 Jan 23 (Doing More) Update of text covering Yammer in line with Chapter 9.
3 Jan 1 (Introduction) Addition of the Authenticator app as one of the mobile apps useful in an Office 365 environment.
3 Jan 10 (Planner and Teams) Inclusion of additional material relating to Microsoft Teams.
3 Jan 20 (Rights Management) General refresh and removal of obsolete material across the chapter.
21 Dec 5 (Managing Office 365) Rewrite to include all of the various ways to manage different Office 365 workloads via PowerShell.
21 Dec 7 (Managing mailboxes) Addition of call-out to discuss the different methods of adding autosignatures.
21 Dec 9 (Office 365 Groups) Microsoft has removed the email settings option from the Groups menu (first release) to redo the language and make it consistent across clients.
17 Dec 1 (Introduction) Removed section on backup for Exchange Online.
17 Dec 5 (Managing Office 365) Added section on Office 365 backups. This replaces commentary on this topic in several chapters. Also added information on how account-only mobile device wipes occur.
17 Dec 7 (Managing mailboxes) Microsoft is increasing the default mailbox quota from 50 GB to 100 GB for the Office 365 E3 and E5 plans. Also comments about the new calendar sharing model that is being rolled out inside Office 365.
17 Dec 9 (Office 365 Groups) Removed section on backup for Office 365 Groups.
17 Dec 22 (Delve) MyAnalytics now records details of interaction with external users. Text rewritten as required.
17 Dec 23 (Doing more) Removed section on backup for SharePoint Online. Launch of the preview version of the OneDrive for Business console. Rewritten comparison of the collaboration platform choice between Groups, Yammer, and Teams.
10 Dec 9 (Office 365 Groups) New example provided of how to use an Office 365 Group with the Incoming Webhook connector.
10 Dec 10 (Planner and Teams) Additional information provided about Microsoft Teams.
10 Oct 18 (Security and Compliance) Changes to the layout of options in the Security and Compliance Centre.
10 Dec 19 (Reporting and Auditing) Section on Activity Alerts rewritten and expanded with PowerShell examples.
10 Dec 23 (Doing more) Obsolete material removed. Some changes made to the description of OneDrive for Business. Description of how Yammer Groups use the Office 365 Groups service added.
3 Dec 2 (Making the change) Addition of link to Microsoft publication telling how they handle security incidents inside Office 365.
3 Dec 13 (Hybrid recipients) Guidance about the clash between mail contacts and guest users for Office 365 Groups.
3 Dec 19 (Reporting and Auditing) Obsolete material removed and Office 365 audit log information refreshed.
3 Dec 21 (DLP) Section on DLP for SharePoint Online replaced by new section covering Unified DLP policies as these are now live across Office 365.
26 Nov 1 (Introduction) Added Teams to the list of mobile apps available for Office 365. Updated Figure 1-2. Changed text for Office 365 Roadmap to reflect that Change Alerts is now in the Microsoft Technical Network (this change happened a long time ago, it just took us time to realize it). New section added to describe Office 365 service families and their relationships to plans.
26 Nov 2 (Making the change) Added link to Microsoft page describing network endpoints for Office 365. Also added SLA result for Q3 2016.
26 Nov 9 (Groups) Rewrote text about editing team site home page for a group. Also inserted new text to cover the three kinds of Groups now available within Office 365.
26 Nov 14 (Mail flow) Safety tips are now deployed across Office 365.
26 Nov 16 (Retention) Clarification about what needs to be done to export and import retention policies and tags from an on-premises Exchange organization.
19 Nov 7 (Mailboxes) Clarification that the Focused Inbox feature will not be available to the MSI version of Outlook 2016.
19 Nov 9 (Groups) Clarification that dynamic Office 365 Groups cannot be used for Teams and Planner
19 Nov 10 (Plans and Teams) Additional information provided about both Microsoft Planner and Microsoft Teams
19 Nov 22 (Delve) Additional information provided about Office Graph and the way that it is used inside Office 365 applications. The Infopedia section has now been removed because Microsoft shows no inclination to deliver this portal and the section on Delve blogs has been rewritten to reflect this situation. Also, the section on Delve profiles was updated.
19 Nov 23 (Doing More) Added instructions for how to embed Office 365 videos into web pages, including the home page of a SharePoint team site.
12 Nov 1 (Introduction) Minor changes in sections covering Exchange Online and First Release.
12 Nov 2 (Making the change) Addition of reference to Office 365 tenant isolation document.
12 Nov 9 (Groups) Information about Microsoft Teams added.
12 Nov 10 (Planner) Chapter expanded to add information about Microsoft Teams.
12 Nov 22 (Delve) Additional information about Office Graph.
12 Nov 23 (Doing more) Information about SharePoint Online admin setting to control the types of sites that users can create. Update of section about collaboration to replace site mailboxes with Microsoft Teams in table comparing Teams, Groups, and Yammer.
5 Nov 9 (Office 365 Groups) Addition of section describing how to archive inactive groups. Also new Admin UI for external guest users in Admin Center.
5 Nov 12 (Addressing) Update to reflect new maximum for proxy addresses on a mail-enabled Exchange Online object.
5-Nov 22 (Delve) MyAnalytics now allows users to select the people in their network that they believe to be most important. Other minor UI changes.
28 Oct Multiple Replacement of “Outlook on the web” with OWA everywhere as this seems to be what Microsoft now prefers!
28 Oct 9 (Groups) Minor corrections/improvements to some PowerShell code.
28 Oct 15 (Clients) Refresh of information about Office client deployment and servicing.
28 Oct 19 (Report and auditing) Replacement of list of audit sources with links to official Microsoft page describing these sources and the schema used for each.
24 Oct 1 (Introduction) Microsoft now reports over 85 million active users for Office 365.
24 Oct 7 (Mailboxes) Coverage of the Focused Inbox feature.
24 Oct 17 (eDiscovery) Expansion of coverage about the Search-Mailbox cmdlet including an example command to delete content from user mailboxes.
24 Oct 18 (Security and Compliance) Expansion of coverage of how to create and execute content searches via the New-ComplianceSearch cmdlet.
24 Oct 23 (Doing more) Removal of text covering how to set up and manage the Clutter feature. The text is now available online.
17 Oct 1 (Introduction) Removal of some obsolete material and extra details about Office 365 datacenter locations.
17 Oct 2 (Making the move) Updated Microsoft guidance about ExpressRoute for Office 365
17 Oct 9 (Office 365 Groups) Rewrite of content to take account of the fact that Office 365 Groups now have a complete SharePoint team site.
17 Oct 19 (Reporting and Auditing) Yammer audit events are now a source for the Office 365 audit log.
17 Oct 22 (Delve) Additional detail about MyAnalytics
10 Oct 7 (Mailboxes) To preserve employee data after they leave, you can use Set-SPOTenant to increase the retention period from the default 30 days.
10 Oct 16 (Retention) Minor correction about the Recoverable Items default folder.
10 Oct 23 (Doing more) Skype for Business will soon allow conference traffic to be determined by region of the meeting organizer rather than the tenant.
5 Oct 1 (Introduction) Addition of section comparing Office 365 with Google G Suite.
5 Oct 5 (Management) New Office 365 Admin Center is now generally available.

Recommendation to use version of the Azure Active Directory module as that’s the one we have tested.

5 Oct 6 (Hybrid Connections) Clarification about the use of Autodiscover with the Hybrid Configuration Wizard.
5 Oct 9 (Groups) Clarification of various points throughput the chapter following new information released at Microsoft Ignite 2016.

Addition of text explaining classifications for groups.

New code example showing how to use classifications to block guest user access to groups.

5 Oct 22 (Delve) General replacement of “Delve Analytics” with “MyAnalytics” throughout all relevant chapters and insertion of new information from Ignite 2016 conference
5 Oct 23 (Doing more) New version of the OneDrive sync client supports SharePoint libraries.

Yammer and Office 365 Groups announce a link-up (but no code yet)

24 Sept 7 (Mailboxes) Using the Set-MailboxCalendarConfiguration cmdlet to stop Exchange creating calendar events from emailed notifications.

Rewritten section on expandable archives.

Fixed error in table 7-1 that listed shared mailboxes as having an unlimited quota.

24 Sept 9 (Office 365 Groups) Outlook Groups app now has an iPad version.
24 Sept 22 (Delve) Analytics link in Delve navigation has been changed to MyAnalytics
19 Sept 5 (Office 365 management) Add reference to TechNet Gallery license reconciliation report.
19 Sept 9 (Office 365 Groups) Make it clear that guest access to Office 365 Groups does not respect the SharePoint Online whitelist for domains to which sharing invitations can be sent.

Limit of 300 subscribers for a group has been lifted

New example of creating a group from a SharePoint team site

19 Sept 19 (Reporting and Auditing) Extra detail about Exchange admin auditing plus the addition of reasons why you’d use a third-party reporting product rather than the standard Office 365 reports.
14 Sept 2 (Making the decision) Microsoft provided the Q2 2016 SLA data for Office 365.
14 Sept 9 (Office 365 Groups) Ability to control issuing of AAD sharing invitations to external users now in Office 365 Admin Center
12 Sept 9 (Office 365 Groups) Section added to describe the support for external guest user to Office 365 Groups.
12 Sept 10 (Planner) Explain that guest access for Groups does not yet mean that the same access is available for Plans. Also note that changing a plan type from private to public can have unexpected consequences.
12 Sept 12 (Addressing) Note that Exchange Online supports a maximum of 100 proxy addresses for a mailbox (the actual limit is higher).
12 Sept 14 (Mail Flow) Additional notes on S/MIME and Safe Links
12 Sept 16 (Retention) Explain why the recoverable item quota is often exceeded.
7 Sept 5 (Managing Office 365) Note about #EXT# accounts found in Azure Active Directory and whether or not they can be deleted.
7 Sept 7 (Mailboxes) Introduction of Restore user mailboxes walkthrough.
7 Sept 14 (Mail Flow) Additional information about spoof intelligence available through the Security and Compliance Center.
7 Sept 18 (Protection Center) 1.      Note that it’s possible to export all the contents of a mailbox to a PST through a content search (mimic on-premises New-MailboxExportRequest)

2.      Export of multiple searches in an eDiscovery case can now be done at one time.

3.      Introduction of the special “all case content” search for eDiscovery cases.

7 Sept 19 (Reporting and Auditing) New audit event sources (Sway, eDiscovery, Power BI)
1 Sept 2 (Making the decision) More detail about the number of TCP/IP sessions that users can consume when connecting to Office 365 services
1 Sept 4 (Migration) Inclusion of pointer to free eBook about PST migration that’s available from QUADROtech. Addition of section covering the import of legacy email archives to Office 365.
1 Sept 9 (Office 365 Groups) Groups will now have a SharePoint team site and the maximum size of a site collection is now 25 TB.
1 Sept 16 (Retention) Clarification of what happens when a retention tag is updated.
1 Sept 22 (Delve) Mention that anonymized data from five active users is required before Delve Analytics shows company averages to users.
1 Sept 23 (Doing more) Maximum size of SharePoint site collection is now 25 TB. Office 365 Groups now have a default team site.
1 Sep 24 (Sponsor chapter) Replacement of sponsor content provided by Binary Tree with content provided by QUADROtech, our new sponsor.
26 Aug 16 (Clients) New architecture for the Outlook for iOS and Android apps plus removal of section covering BlackBerry services, which are being deprecated inside Office 365.
26 Aug 22 (Delve) New Delve UI for cards and document views replaced old content.
22 Aug 4 (Migration) Clarify that the Office 365 import service applies retention holds to mailboxes that are targets for data imports.
22 Aug 9 (Office 365 Groups) The More menu item in the OWA interface now links to Planner.
22 Aug 10 (Planner) The More menu item in the OWA interface now links to Planner.
17 Aug 19 (Reports and Auditing) Clarify some elements of mailbox auditing.
15 Aug 18 (Security and Compliance) New permissions available for the role groups used for the Security and Compliance Center.
15 Aug 19 (Reports and Auditing) Note about PowerShell access to activity alerts (Get-ActivityAlert etc.)
15 Aug 23 (Doing more) Versioning of OneDrive and SPO libraries can offer a solution against ransomware and other virus attacks.
10 Aug 18 (Security and Compliance) It’s now possible to export content search results from Exchange mailboxes to individual MSG files. Section updated to reflect this and the addition of an option to export just the search reports.
10 Aug 19 (Reporting and Auditing) Section on Activity Alerts added.
5 Aug 7 (Mailboxes) Emphasize that archive mailboxes cannot be used to store information originating from multiple users.
5 Aug 9 (Office 365 Groups) Option to convert a distribution group to an Office 365 Group is now available in the EAC.
5 Aug 17 (eDiscovery) Note that a maximum of ten journal rules can be configured for an Office 365 tenant.
5 Aug 23 (Doing more) You can now add people information to an uploaded video in Office 365 Video.
2 Aug 8 (Managing other mail-enabled objects) Note that applying a distribution group naming policy for Office 365 will cause groups synchronized from on-premises to be stamped with new names (according to the policy).
2 Aug 9 (Office 365 Groups) Emphasize that it is best practice to make a sensitive group private to avoid any chance of documents being unearthed by Delve.
2 Aug 13 (Hybrid recipients) Note about the distribution group naming policy.
2 Aug 15 (Clients) Added information about ActiveSync protocol v16.1. Added new mobile device authentication section to call out the preview availability of certificate-based authentication for Exchange Online. Updated information about the migration from AWS to Azure-hosted services Outlook for iOS and Android. Added section introducing Microsoft Intune, and the decision around choosing standalone Intune or a hybrid MDM model by integrating Intune with SCCM.
28 July 3 (Identities and authentication) Change in the way that UPNs are synchronized for accounts that have Office 365 licenses assigned.
28 July 11 (Public Folders) Clarification about Outlook 2016 for Mac access to public folders.
28 July 22 (Delve) The Delve Analytics add-in app for Outlook is now automatically deployed when user accounts are enabled for Delve Analytics.
28 July 23 (Doing more) Mention that the Focused Inbox will replace the Clutter feature eventually.
26 July 9 (Office 365 Groups) Added section about how to check for obsolete groups.
26 July 19 (Auditing and Reporting) New parameters for the Search-UnifiedAuditLog cmdlet mean that you don’t have to use the ConvertFrom-JSon cmdlet to read the audit data any more. Code examples updated.
22 July 6 (Hybrid connections) Introduction of the minimal configuration for a hybrid connection mandated rewrites of several sections.
22 July 9 (Office 365 Groups) Updated to reflect fact that Office 365 Groups can now be managed through the Exchange Online Admin Center. Also updates in section about migrating distribution groups to Office 365 Groups to provide additional examples.
20 July 1 (Introduction) Added note about Microsoft’s assertion that 40% of enterprise Office 365 tenants use EMS. Also updated section on the commercial success of Office 365 following Microsoft’s FY16 Q4 results.
20 July 7 (Managing mailboxes) Note that the use of the last name, first name convention for display names can end up with seemingly odd initials in Office 365 avatars.
20 July 20 (IRM) Add section covering the preview of Azure Information Protection.
20 July 21 (DLP) Add note that the OneDrive for Business mobile apps can now display DLP policy tips.
20 July 23 (Doing more) 1.      News that the Yammer-based Office 365 Network is being replaced by,com.

2.      Microsoft Stream will eventually merge with Office 365 Video and provide that service to tenants.

13 July 1 (Introduction) Add more information about Office 365 plans.
13 July 5 (Managing Office 365) Updated section on Message Center including new version of Figure 5-11 to show off new icons. Figure 5-12 updated with a more interesting example.
13 July 18 (Security and Compliance) Updated description of content searches to reflect introduction of “Search everywhere” option. Also additional detail about re-establishing holds after a closed eDiscovery case is reopened.
13 July 22 (Delve) New version of the Delve Analytics Outlook add-in app released. Figures and text updated.
9 July 8 (Mail-enabled objects) Rewrote section of group naming policy to clarify how the properties are used.
9 July 13 (Hybrid Recipients) Remove erroneous $True value passed to AutoComplete parameter in PowerShell example of creating a migration batch
9-July 20 (IRM) Clarify what happens when protected messages cannot be indexed.
4 July 8 (Mail-enabled objects) Rewrote section on Email redirection for better clarity and to reflect recent changes in how the Email Forwarding option is handled by the Office 365 Admin Center.
1 July 9 (Office 365 Groups) Clarify why a limit exists for the number of groups that a single user can create.
30 June 7 (Managing mailboxes) Using MAPI/HTTP endpoint to find the current location of a mailbox
30 June 19 (Reporting and auditing) Expanded discussion about the Office 365 Unified Auditing system.
28 June 20 (IRM) Added section about using IRM usage logs to track how people use IRM within a tenant.
24 June 1 (Introduction) Add new section to summarize the benefits of Azure Active Directory Premium licenses to Office 365 tenants
24 June 3 (Identities) Minor updates based on change made to Chapter 1.
24 June 9 (Office 365 Groups) Rewrote section on the cost of dynamic Office 365 Groups because some of the information is now in Chapter 1.
23 June 9 (Office 365 Groups) Updated Figure 9-10 to show new @All capability in use and rewrote surrounding text to explain its use.
22 June 14 (Mail Flow) Emphasize point that new mail hygiene features will show up in the Security and Compliance Center rather than EAC.
22 June 18 (Security and Compliance) Note that audit and other reports documents made available to tenants through the Service Assurance section of the SCC are covered by Microsoft non-disclosure.
21 June 1 (Introduction) Rewritten note about customizing the App Launcher to take account of coverage of custom tiles and other methods in Chapter 5.
21 June 5 (Managing Office 365) Expanded coverage of custom tiles and the other methods available to introduce Apps to the My Apps options for users and thereafter to be pinned to the App Launcher.
20 June 4 (Migrating to Office 365) Rewritten section about checking calendar delegates.
20 June 5 (Managing Office 365) New Figure 5-4 inserted to reflect new UI for the Office 365 Admin app (on iOS).
20 June 10 (Planner) Add note that you can assign a task to a user by dragging icon onto the task.
20 June 13 (Hybrid recipients) New section “The New-RemoteMailbox cmdlet and the ExchangeGUID”
20 June 14 (Mail flow) Updated anti-spam and anti-malware sections to reflect options now available in the Security & Compliance Center
18 June 5 (Managing Office 365) Describe the meaning of the warning status returned by the Get-MsolAccountSku cmdlet.
18 June 9 (Office 365 Groups) Expanded section on Mobile Office 365 Groups following availability of updated mobile apps
17 June 8 (Mail-enabled recipients) Note about deciding whether to use shared mailboxes and Office 365 Groups.
17 June 20 (IRM) Fixed incorrect information about how to find the link to manage IRM in the new Office 365 Admin Center,
17 June 23 (Doing more) Note that an individual sway can have up to ten co-authors.
16 June 14 (Mail Flow) Note that message hygiene features now show up in the Security Policies section of the Security and Compliance Center. Also fixed a weird Word formatting problem that prevented the chapter heading showing up properly in the PDF.
16 June 18 (Security and Compliance) Describe the message hygiene options that are now available under Security Policies.
16 June 19 (Reporting and Auditing) Include fact that Advanced Office 365 Security makes up to six months of tenant data available.
16 June 23 (Doing more) Emphasizing point about Office 365 Video that a restriction (being fixed) limits channels to 5,000 videos. When fully deployed, the fix allows up to 20,000 videos per channel.
15 June 9 (Office 365 Groups) Outlook 2016 (build 16.0.6741.2048) introduced some new options into the ribbon, including the “Browse Groups” option, which delivers the same functionality as “Discover” Groups in OWA. Other minor updates, including stressing the point that using a group to build out the membership of a new group is a one-time operation.
15 June 12 (Addressing) Office 365 Groups don’t support the WindowsEmailAddress property, but they do support PrimarySmtpAddress.
15 June 18 (Security and Compliance) New Audited Controls option added to the Service Assurance menu of the dashboard. Also, added note that inactive mailboxes are not currently supported by content searches.
15 June 19 (Reporting and Auditing) Added note that the Azure Active Directory Premium license is required for some interesting passport events reports.
14 June 8 (Mail-enabled recipients) Updated and clarified example of using the Get-MailboxPermission cmdlet to retrieve the permissions that exist on a shared mailbox. Added some code examples showing how to retrieve permissions.
14-June 23 (Doing more) Maximum file size for video uploads to Sway specified
13 June 5 (Managing Office 365) Additional clarification and expanded advice about how to manage Office 365 licenses with PowerShell.
13 June 9 (Office 365 Groups) Figure 9-4 refreshed to show new UI for group document libraries including link to conversations in top right-hand corner.
13 June 9 (Office 365 Groups) Addition of text covering the Usage Guidelines and Classification List settings that can be set in the AAD policy governing the creation of new Office 365 Groups.
13 June 15 (Clients) Clarification about Outlook releases following reader feedback.
13 June Introduction Fixed formatting problem that caused the Legal Bits not to be displayed in the EPUB version.
13 June 10 (Planner) Completed updating of all text to reflect change of official name to “Microsoft Planner”. Also updated text of section about using PowerShell to manage Planner licenses.
9 June 5 (Managing Office 365) Rewrote Custom Help section to reflect new UI now available in the Office 365 Admin Center. Figures updated for new UI.
9 June 15 (Clients) New Email Apps section available when editing user properties in the Office 365 Admin Center allows email protocols to be enabled and disabled. New figure inserted.
9 June 22 (Delve) Beta version of Delve UWP app available in Windows app store.  Section renamed from “Mobile Delve” to “Other Delve apps” and new text about UMP app and screen shot inserted.
6 June 9 (Office 365 Groups) Addition of new section to explain how to use the AAD policy to govern how users can create new Office 365 Groups together with the knock-on changes to text about applications that can create Office 365 Groups. Subsequent update of text (June 9) when clarifications became available from Microsoft
8 June 20 (IRM) Expansion of details about what Exchange Online features do not work when BYOK is used with AAD RMS.
8 June 2 (Moving to the Cloud) Update of reference in Table 2-1 about Exchange Online and BYOK to point to Chapter 20
8-June 21 (Data Loss Prevention) Minor typos updated after technical edit pass.
7 June 9 (Office 365 Groups) Addition of section covering the Compliance Features available in Office 365 that work for Office 365 Groups.
6-June 9 (Office 365 Groups) Modification of text covering how to use the “old” OWA Mailbox Policy to govern user creation of new groups.
6 June 10 (Planner) General availability of Microsoft Planner announced and addition of section explaining how to assign licenses for Planner to user accounts and how to use PowerShell to disable Planner if required.


Posted in Cloud, Delve, Delve Analytics, Exchange Online, Office 365, Office 365 Groups | Tagged , , , , , , , | 21 Comments

Controlling the creation of Office 365 Groups using an Azure Active Directory policy

This text is an extract from Chapter 9 from the eBook “Office 365 for IT Pros”. This is an example of how we incorporate new events quickly into the publishing process and make new content available to readers. In this case, the General Availability of Office 365 Planner (announced by Microsoft on June 6 and covered in Chapter 10) served as a catalyst for the change in how policies control the creation of Office 365 Groups. We were able to test, assess, and document within a day and release new files to customers of For more information about Office 365 for IT Pros, see (for PDF and EPUB versions and some bonus material) or Amazon (for the Kindle version). 

Implementing a policy to control the creation of new Office 365 Groups

In November 2014, OWA was the first client to support Office 365 Groups. It was therefore logical that the developers chose to add a new setting to OWA mailbox policies to limit the creation of new groups. When a user attempts to create a new group, the setting (GroupCreationEnabled) contained in the OWA mailbox policy assigned to the user’s mailbox is checked. If the setting is $True, creation is allowed. Conversely, if the setting is $False, creation is blocked. Remember that a tenant can have several OWA mailbox policies active at any time, so it is quite normal to have an OWA mailbox policy that allows all options, including group creation, and others that are more restricted. OWA mailbox policies are applied to mailboxes by editing their properties through the EAC or by running the Set-CASMailbox cmdlet.

The downside of using an OWA mailbox policy is that it is a method specific to Exchange Online, where it is used to control the options available to users in the OWA client. As time went by and integrations with Office 365 Groups appeared that had no relationship with Exchange, the fact that OWA mailbox policies exist was ignored and any user was able to create new groups through these integrations. This is true for Power BI, Dynamics CRM, and Office 365 Planner, and when new groups are created with PowerShell.

Clearly, a new answer was required. The General Availability of Office 365 Planner on June 6, 2016 provided the opportunity to change the control mechanism to a policy stored in Azure Active Directory. The advantage of this approach is that Azure Active Directory provides a central point that all Office 365 applications can check. After a suitable policy is created, control over the creation of new Office 365 Groups is consistent everywhere. That is, once applications have been upgraded to use the new approach.

Follow these steps to create and implement a suitable Azure Active Directory policy to control group creation.

Create a group containing the set of authorized users: Azure Active Directory needs to be provided with a set of users who are allowed to create new Office 365 Groups. To define the set, you create a new group using the Office 365 Admin Center, PowerShell, or the Azure Active Directory console. The group can be a distribution group or an Office 365 Group.

Add the set of authorized users to the new group: You can add as many or as few users as you want. Because Office 365 Groups only exist in the cloud, the users who create Office 365 Groups should have cloud accounts. You can’t add a group to this group as only individual accounts are accepted.  Users who hold certain administration roles for the tenant do not have to be added to the set of authorized users as the role automatically allows them to create new Office 365 Groups. These roles are:

  • Company Administrator
  • User Account Administrator
  • Mailbox Administrator
  • Partner Tier1 Support
  • Partner Tier2 Support
  • Directory Writers

Prepare to edit the Azure Active Directory policy: The policy that controls group creation is also referred to as a directory settings object. As the default mode of operation allows any user to create a new Office 365 Group, the intention behind the new policy is to disable the ability of users to create groups by limiting creation to a set of users defined in a specific group. Because no UI exists for this purpose, you have to create the policy and populate its settings using PowerShell. Version or later of the Microsoft Azure Active Directory Module for PowerShell (or later) contains the required cmdlets. As per the release history, this is a preview version of the module. To check what version you have, run the following command:

[PS] C:\> (Get-Item C:\Windows\System32\WindowsPowerShell\v1.0\Modules\MSOnline\ Microsoft.Online.Administration.Automation.PSModule.dll).VersionInfo.FileVersion

Next, you need to retrieve the object identifier (ObjectID) for the group that contains the set of authorized users. The PowerShell module for Azure Active Directory uses GUIDs to identify directory objects instead of display names. You can run the Get-MsolGroup cmdlet to access the object identifier for the group, but it’s easier to retrieve the information using the Azure Active Directory console to view the properties of the group (see screenshot). The object identifier is the last field shown for the group properties. Note the Copy icon to the right of the object identifier. Click this to copy the value of the object identifier to your clipboard.


Viewing the Object Id for an Azure AD group

Use PowerShell to update the Azure Active Directory policy: Open a PowerShell session and execute the commands shown below. The commands identify the template that you want to use to create the new directory settings object that will govern group creation for the tenant, and then identify the group containing the set of users who are allowed to create new Office 365 Groups. The object identifier for the template you’re updating is consistent across all tenants. You can see that the object identifier supplied to update the template is the one copied from the group properties as shown in the screen shot.

[PS] C:\> Connect-MsolService
[PS] C:\> $Policy = Get-MsolSettingTemplate –TemplateId 62375ab9-6b52-47ed-826b-58e47e0e304b
[PS] C:\> $Setting = $Policy.CreateSettingsObject()
[PS] C:\> $Setting[“EnableGroupCreation”] = “false”
[PS] C:\> $Setting[“GroupCreationAllowedGroupId”] = "a3c13e4d-7083-4448-9224-287f10f23e10"
[PS] C:\> New-MsolSettings –SettingsObject $Setting

Once the commands complete, a new directory settings object exists that contains the values needed to control group creation. Any application that can access Azure Active Directory is able to check the settings and take the appropriate action to allow or deny a user the option to create a new Office 365 Group. To verify that the change is effective, run the following command:

[PS] C:\> Get-MsolAllSettings | ForEach Values

Name                        Value
----                        -----
GroupCreationAllowedGroupId A3c13e4d-7083-4448-9224-287f10f23e10 AllowToAddGuests True
EnableGroupCreation         False

Alternatively, you can use the Microsoft Graph Explorer to check the settings. Log in using your tenant account and enter into the navigation bar and “beta” into the drop-down option list on the right-hand side. You should then see a set of settings data returned, including the values for the Object Id of the group containing the set of users who are allowed to create new Office 365 Groups and the setting that blocks general creation.


“name” : “GroupCreationAllowedGroupId”

“value”: “a3c13e4d-7083-4448-9224-287f10f23e10”



“name” : “EnabledGroupCreation”

“value”: “false”


Test that the new policy works: A user who is included in the authorized user group should be able to create new Office 365 Groups from the integrated applications (Planner, Dynamics CRM, and Power BI), and the Outlook Groups mobile app. A user who is not included should see an error message if they attempt to create a new group (something like “The group couldn’t be created. Your admin hasn’t given you permission to create a new group”).

It will take a little time for all of the applications and clients to fully support the new method and provide the necessary UI and that time will differ from tenant to tenant depending on the release cadence they follow. In particular, the MSI version of the Outlook 2016 desktop client will take time to be updated and then deployed to client desktops. However, the old OWA mailbox policy method continues to work for OWA and Outlook until superseded by the new method.

Follow Tony @12Knocksinna

Posted in Cloud, Office 365, Office 365 Groups, Uncategorized | Tagged , , , , | 17 Comments