Preserve Declined Meetings in Calendars to Retain Meeting Notices

Announced in message center notification MC684218 (26 October 2023, Microsoft 365 roadmap item 154056), the ability to enable the preservation of details for declined meetings is now available in the OWA and Outlook Monarch (the “New Outlook”) clients (Figure 1).

The setting is also controllable through the Set-MailboxCalendarConfiguration cmdlet. This command enables saving of declined events for a mailbox:

Set-MailboxCalendarConfiguration -Identity Kim.Akers -PreserveDeclinedMeetings:$true

There’s no organization-wide control to preserve declined meetings. Because it’s an individual choice to keep declined meetings in a calendar, the setting must be enabled for individual mailboxes. However, to enable the setting for all user mailboxes, it’s easy to do this with PowerShell:

[array]$Mbx = Get-ExoMailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited
ForEach ($M in $Mbx) {
   Set-MailboxCalendarConfiguration -Identity $M.UserPrincipalName -PreserveDeclinedMeetings:$true
}

Enabling any calendar setting for a mailbox isn’t fast but it should be a one-time operation. On the other hand, the setting must be enabled for new mailboxes as they are created.

Why It’s a Good Idea to Preserve Declined Meetings

Ever since the first version of Outlook appeared in 1997, when people decline an incoming meeting, Outlook removes all details of the meeting to keep the calendar clear and not block time that might be needed for another event. This scheme works well but it means that once someone declines an inbound meeting, they have no further knowledge about the meeting even if they have no intention of attending the event. They can forward the meeting invitation to someone else (if meeting settings permit forwarding), review any attachments included with the invitation or access content created during a meeting such as the meeting chat or meeting recap (if it’s a Teams meeting). Alternatively, they can decide to attend the meeting if their schedule clears up.

Preserving declined meetings means that Outlook enters details of an event in an invitee’s calendar but does not block the event time in the user’s free/busy data. This means that the Outlook scheduling assistant regards the slot as available and can be used for other meetings.

As a Microsoft MVP, I receive many meetings organized by Microsoft engineering group to discuss new product details. Some of these events are interesting, but only if I can find time to attend. Having the calendar retain the event details allows me to go back to attend an event when I can.

No Declined Meetings for Outlook Desktop

Outlook desktop doesn’t obey the settings used by OWA and Monarch. Its settings are often implemented in values held in the system registry. Even if its implementation has caused some difficulties, roaming signatures are a good example of how Microsoft is moving Outlook desktop from its PC-centric heritage to cloud settings.

With this in mind, it shouldn’t be a surprise to learn that meetings declined using Outlook desktop are not preserved. Meetings declined using the Outlook for Mac and Outlook mobile clients are preserved, even if their UI doesn’t include the ability to control the setting.

Declined meetings kept in the calendar are the same as any other calendar events (Figure 2). The sole difference is that the event doesn’t occupy a slot in the user’s free/busy data. Because the meetings are calendar events, they show up as normal in all clients and any other application that uses calendar data.

If the user changes their response and accepts the meeting, Outlook updates the calendar event and reserves the time in the user’s free/busy data.

A Change in Habit

Microsoft doesn’t make changes like this without some form of feedback that points out why a new approach is necessary. I don’t know if the input came from customers or from inside Microsoft, but I suspect that the driving factor is the increasing amount of information shared with meeting invitations and added to events during Teams calls. Being able to go direct to the event makes it a lot easier for meeting participants to access the information, even if they choose to decline the invitation to attend.

Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.

But What the Hell are OWA Search Refiners?

I’ve been waiting for the “Refiners on Outlook Web” described in message center notification MC664093 (1 August 2023) to show up in my tenant. Now that they have, I can report that the update (Microsoft 365 roadmap item 141109) isn’t very exciting at all. Rollout is under way and you probably have refiners in OWA now, even if you didn’t realize it.

The history of search in Outlook clients has had its ups and downs. That’s a polite way of saying that Outlook hasn’t always delivered the most reliable search results, especially when using the Outlook desktop client. OWA tended to be the best client because it performs searches online, so anything that improves OWA search seems like a good thing. According to MC664093, the refiners “appear after a user completes a search. These will allow users to filter down their search results further to find their emails easily.”

And that’s about it in terms of the description of what the change is all about (obviously, the folks responsible for writing MC664093 don’t have access to Microsoft 365 Copilot to smarten their text and improve its clarity and content). The accompanying figure doesn’t reveal much either.

Using OWA Search Refiners

Let me fill in the gaps and explain what search refiners are all about. Imagine that you do a search. Figure 1 shows a search against my mailbox for the term “TEC 2023.” A bunch of messages are found in different folders.

Refiners are no more than the ability to select a folder from the mailbox to target the search on just that folder. Figure 2 shows the drop-down list of folders to select from. Inbox is selected, so the results displayed by OWA are the items found in the Inbox. If you select a folder that doesn’t include any items matching the search term, OWA tells you that you’re silly to have selected that folder and displays the full set of items found in the mailbox.

Seeing that we’re discussing “refiners,” it would be much better if OWA “refined” the folder list and only showed the users folders that actually contained some search results. But what do I know about UI design…

OWA Search Box Improvements

In an apparently associated notification (MC663633, also published on August 1, Microsoft 365 roadmap item 151024), we learn that:

“The interface of Search Box in Outlook is being upgraded, making it more prominent and discoverable, with higher color contrast on the input area, border, and font, along with fine tunes on all themes, as well as light and dark modes.”

Microsoft provides two images to show the difference. I extracted the relevant parts to create Figure 3. The difference between the two search boxes is stunning (Figure 3).

Apparently, the magnitude of the change contemplated in MC663633 is so large that we won’t see it until early September. Quite why Microsoft couldn’t have combined MC663633 and MC664093 into a single update is beyond me.

For the record, the latest version of the Outlook Monarch (“New Outlook”) client includes search refiners. The search box in Monarch looks as if it’s received the snazzy font-and-border makeover too. However, as I’m not a graphic artist, I find it difficult to tell the difference without really concentrating on what I’m looking at.

No Action is Needed

As Microsoft notes in MC663633, “No action is needed in preparation for the update.” That’s fortunate, because I don’t quite know what action is appropriate to greet these changes. They might just be updates that pass me by without causing any disruption.

Learn about using OWA, Monarch and the rest of Office 365 by subscribing to the Office 365 for IT Pros eBook. Use our experience to understand what’s important and how best to protect your tenant.

Self-Service Group Management for End Users But OWA Option is Broken

By now, your tenant should have received the code for the “My Groups experience” described in message center notification MC522581 (updated on 18 April, 2023). Even though Microsoft predicted that they would complete worldwide deployment by late May, I haven’t invested any time in reviewing what value the new experience delivers. Now that we’ve published Office 365 for IT Pros (2024 edition), I plunged into My Groups to see what it can deliver.

The New My Groups Experience

The new My Groups page (Figure 1) replaces an older page that really didn’t get much attention. Microsoft says that the upgraded and refreshed experience “enables end users to easily manage groups, such as finding groups to join, managing groups they own, and managing existing group memberships.” Of course, self-service management depends on a tenant allowing this activity.

Microsoft’s documentation for My Groups explains the available functionality. Generally, everything works well for Microsoft 365 and security groups as you can update membership and group properties, and even delete the groups. My Groups can’t handle dynamic Microsoft 365 Groups through. This isn’t surprising as the membership of these groups is dictated by queries executed against Azure AD that “normal” users probably couldn’t construct.

The biggest issue with My Groups is its lack of support for distribution lists (groups), or as they’re referred to by My Groups, “Exchange mastered” objects. Distribution lists are valid Azure AD group objects (dynamic distribution lists only exist in Exchange Online) and the methods to update distribution list properties and membership are well known. It’s therefore a mystery why Microsoft should launch a page purporting to enable end-user management of groups when the page is incapable of dealing with a major group type.

The only conclusion I can reach is that the team that developed the My Groups page has an agenda to advance Microsoft 365 groups as the answer for all forms of collaboration. Of course, this is a ridiculous stance, but metrics drive behavior and it’s not unknown for people to do odd things when they’re set a task to advance one option over another. In any case, the lack of support for distribution lists makes the My Groups page a flawed and incomplete implementation that should have been much better.

OWA Distribution Group Management

At the same time, Microsoft has make changes (temporarily) to the ability for users to manage distribution lists through OWA. From a technical perspective, this is understandable because distribution list management depended on components from the old Exchange management center (ECP) that OWA reused. With the demise of the old EAC, those components are less accessible. Now, when you choose the Distribution groups option in OWA settings, you see an unwanted advertisement to use Microsoft 365 groups and a link to a “portal” to manage distribution lists (Figure 2).

The portal (https://outlook.office.com/ecp/MyGroups/PersonalGroups.aspx?showhelp=false) is no more than the old ECP component. Unlike the previous implementation, it takes between ten and fifteen seconds for the ECP code to load. Eventually, the “portal” appears (Figure 3).

On the upside, changes applied through user role assignment policies to restrict users from creating new distribution lists work. On the downside, the code used to update distribution list membership is terrible and doesn’t work. At least, I got tired of waiting to add a new member after sixty seconds of watching the circle of death rotating (Figure 4).

Little Evidence of Joined Up Thinking

It’s obvious that no joined up thinking exists within Microsoft when it comes to delivering functionality to allow end user to edit groups that they own. The old OWA distribution list code worked well but only handle distribution lists, and now it’s broken. The new My Groups page works for Microsoft 365 groups but ignores distribution lists. Is it any wonder why people become exasperated with how Microsoft delivers software, especially when it’s to do with features that have worked for years that fail when engineers step in to enhance their capabilities.

Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

Oversharing Popups  for Outlook Help Users Avoid DLP Problems

Originally due for deployment in March 2023, Microsoft is rolling out the ability for Outlook clients to detect and highlight messages using “oversharing popups” if the messages have specific sensitivity labels. The change is covered by message center MC523046 (last updated 9 June 2023) and Microsoft 365 roadmap item 100157. It’s also associated with Microsoft 365 roadmap item 100255, which covers the general effort to provide customers with replacement technology for the features available in the Azure Information Protection unified labeling client (due to retire in April 2024).

Azure Information Protection (AIP) labels were the predecessor of Microsoft 365 sensitivity labels. Users had to install a separate add-in to use labels (now the unified labeling client). As part of the process to retire the unified labeling client, Microsoft has incorporated information protection technology in the Microsoft 365 apps. The UI exposed by the AIP is gradually being replaced in native Microsoft 365 features. The arrival of the sensitivity bar in Microsoft 365 apps is an example of the process in action.

Implementing Oversharing Popups in Microsoft 365 DLP Policies

In this case, instead of relying on the unified labeling client to detect potential “oversharing” problems when users compose email, it’s now possible to include checks in Data Loss Prevention (DLP) policies. The effect is to cause Outlook to use a policy tip to highlight that a message contains sensitive content that shouldn’t be shared outside the organization as users work with message content. DLP detects the oversharing condition in either the message or an attachment and the user is forced to take action before they can send the message.

DLP policies have always been able to detect and block oversharing of email. What’s different here is that DLP checks happen during message composition instead of the user sending the message and receiving a non-delivery notification because a DLP policy detects a violation and blocks the message. Of course, oversharing of email protected by a sensitivity label might not matter all that much if the rights granted in the sensitivity label don’t allow the external recipient to read the content. The value of the policy tip is that by proactively highlighting the issue, the user can take action to avoid problems detected by DLP. For instance, they could choose a different label for the message (and justify the downgrade).

Microsoft documents an example DLP policy to explain how the oversharing policy tip work. They document the steps for creating a policy with both the Microsoft Purview compliance portal and PowerShell. Despite my affiliation for PowerShell, I wouldn’t do anything with DLP rules through PowerShell because of the relative complexity of rule construction.

Testing DLP Oversharing Popups

After creating a DLP policy with a rule to check for the presence of sensitivity labels on email addressed to non-internal domains (Figure 1), wait about an hour to allow the policy information to replicate.

You’ll know that the rule works if you see a policy tip when composing a message to an external recipient and the message or any attachment has one of the sensitivity labels specified in the rule. Figure 2 shows a message assigned the Public sensitivity label, which isn’t covered by the rule. However, the attachment has the Confidential sensitivity label (you can’t see this, so you’ll have to trust me), so DLP detects a violation and displays the policy tip to say that the recipient isn’t authorized to receive this information.

Attempts to send the message fail and Outlook displays a pop-up to tell the user why (Figure 3). OWA displays a similar prompt. In both cases, the user must take action before they can send the message.

It’s possible that a user will send a message with one of the sensitivity labels defined in the policy from Outlook mobile. It’s also possible that a user will send a message before the DLP code in Outlook or OWA detects a problem. In these instances, the Exchange transport service imposes the general block on sharing messages with the specified sensitivity labels and rejects the message.

The Power of Policy Tips

Allowing users to correct potential errors when they compose email is a good idea. Apart from anything else, it helps reinforce the idea that email can contain confidential and sensitive information that shouldn’t go outside the organization. I’s much more powerful when users see policy tips that help amend behavior than simply having their email rejected for some inexplainable (to them) reason.

Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

Run the Edge, Chrome or Firefox Browsers on Windows or Get OWA Lite

On June 2, 2023, Microsoft published an “initial communication” to inform Microsoft 365 tenants that they plan to redirect OWA connections created with unsupported browsers to use OWA Lite instead of the expected OWA Premium client. Microsoft says that they’re making the change to align OWA with the requirements for minimum browser support for other browser-based Microsoft 365 apps introduced earlier this year (MC518729, updated February 27, 2023). The changes announced in MC518729 affect apps like the Teams browser client and are due to take effect in July 2023.

OWA Lite

OWA Lite is a version of the browser client created for the on-premises versions of Exchange Server that still looks like the kind of email client you’d see around the year 2000. The client hasn’t changed much since its creation and is much simpler than OWA Premium. Although you can manage a mailbox with OWA Lite, don’t expect support for functionality like access to shared mailboxes.

In its place, OWA Lite can be useful. For instance, over a low-bandwidth connection, OWA Lite (Figure 1) consumes less network resources than the premium version does. I’ve even used the OWA Lite client on a Linux-based TV to create and send a few messages.

Another reason to use OWA Lite is when people have accessibility needs. The premium version of OWA is in an ever-changing state as Microsoft adds new features and tweaks the UI to prepare for the introduction of the new Outlook for Windows client (code name Monarch), which is based on OWA Premium. I’ve called Monarch a slightly prettier version of OWA, but because its UI is evolving, using the client can be hard for those who depend on client UIs being predictable.

Accessing OWA Lite

There used to be an option in OWA settings to select OWA Lite for a mailbox that seems to have disappeared. To test OWA Lite, connect to Exchange Online with the URL https://outlook.office.com/owa/?layout=light. To revert and return to the Premium client, use https://outlook.office.com/owa/?layout=premium.

Supported Browsers

Supported browsers for OWA Premium with Exchange Online include Microsoft Edge, Chrome, or Mozilla Firefox on Windows 11 and 10. For macOS, Safari is on the list. Curiously, there’s no mention of the Brave browser, which is based on Chromium like Edge and Chrome. It might be that some of the bits that Brave removes from the Chromium engine create some difficulties for OWA. I have never had any issues using Brave with OWA premium, but that doesn’t mean that I’ve never encountered some lurking problems with the browser. Opera is another common browser missing from the supported list.

Restriction Starts in September 2023

Microsoft says that they plan to roll out the change to targeted release tenants in September 2023 and complete the worldwide deployment in November 2023. After the code update to impose the restriction arrives in a tenant, users who attempt to use an unsupported browser will get OWA Lite.

Forcing people to use OWA Lite and being unable to switch to OWA Premium with a user’s preferred browser is likely to be the source of disruption, annoyance, and help desk calls if users do not receive warning to switch to a supported browser. Microsoft minimizes the difficulty of the situation by bluntly saying that tenants should check browsers in use and arrange for upgrades to make sure that users “can utilize the full set of features from Outlook on the web.” Just another thing to add to the to-do lists of tenant administrators.

So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

When Users Define Their Work Locations, It Helps Others to Schedule Meetings

On May 10 2023, Microsoft published a post titled “Coordination is the key to spontaneity with these features in Outlook on the web and Teams.” That’s quite a mouthful, but essentially it’s about some features Microsoft is introducing in OWA and Teams to help people know where their colleagues are working. The update for OWA to allow users to define their location during work hours started to appear in tenants on May 9. You’ll know if your tenant has the update if you see a Work hours and locations setting in the Calendar section of OWA settings (Figure 1).

I have not yet seen the updates to the OWA calendar to display locations in the scheduling assistant or to adjust the set location when reviewing a calendar event. No doubt the bytes are on their way.

Teams Update to Change or Clear Work Locations

On May 26, Microsoft followed up with message center notification MC561188 to say that the changes in Teams to allow users to set the work location for a day (Microsoft 365 roadmap item 125375) has started to roll out to targeted release tenants and Teams preview. Standard release tenants can expect to see the functionality starting in early June with full worldwide deployment complete by early August.

Once again, not all the code has shown up yet. The bits to allow users to change their work location for the current day (Figure 2) are present but work locations don’t yet appear on user profile cards alongside the other information to help schedule meetings like someone’s office and local time.

Updating your work location in Teams has no effect on the settings defined in OWA. There is no link between acting to update the work location for the current day and the set of work locations defined for a (default) week.

It’s not unusual for Microsoft 365 code updates to arrive in pieces. Being able to set a work location doesn’t depend on the user profile card and vice versa, so Microsoft can deploy the code at different times. Unless you’re expecting something to be present, you won’t notice that anything’s awry.

Restricted Work Locations

Nice as the idea of helping colleagues know where someone is when arranging meetings, the implementation is limited by the choice between two locations. You can’t add a third location, and you can’t rename the locations (for example, from “Remote” to “Home Office”). It would be nice if OWA settings supported more flexibility in managing work locations. In addition, there’s no word if Outlook desktop or Outlook mobile will support work locations.

There’s also no way for an administrator to block the work locations feature or to set it for users. Public availability of a way to set a new feature in a user’s calendar through a cmdlet like Set-MailboxCalendarConfiguration normally appears a few months after it is introduced.

Which brings me to the point that the most important way to inform co-workers about your working arrangements is to make intelligent use of the Teams status message. Update your status message daily to let people know important details about how to contact you and where you’re located and you’ll find that the work location feature is a lot less important (and useful) than it first seems. You could even exploit the pronoun support in Teams to insert a 30-character message to make people aware of your current status and use the more expansive text available in the status message for precise details of how and when you can be contacted.

Synchronization is Important

It’s good that OWA and Teams are synchronizing the introduction of new features. The unfortunate thing is that the current implementation of the work locations feature is really not all that useful. Perhaps this will change in time. Let’s hope that this happens.

So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

Project Moca to Outlook Board to Fast Deprecation

MC554157 (May 12) announces the retirement of the board view in the Outlook calendar. Well, the OWA calendar because the board view never existed in the Outlook desktop calendar, unless you count the Monarch client as an Outlook desktop client.

The origins of the board view come from Project Moca. In 2020, Moca seemed like a nice way for people to organize different pieces of information drawn from different sources on a board, kind of like pinning bits of paper to a pinboard. After going through a preview phase while Microsoft figured out where Moca might fit inside Microsoft 365, eventually Moca turned up as a new board view for the OWA calendar in mid-2021.

Low Usage for Boards

Getting on for two years later, Microsoft’s famous telemetry must show that the usage of boards remains staggeringly low. At least, that’s what I anticipate the data indicates because I have never been asked a single question about this aspect of OWA, and that’s despite writing several articles on the topic. I have several boards (Figure 1), but I haven’t used them in months. The fact is that the board view seems to have been in a sad state of disrepair for quite a while. No new features appeared and no-one in Microsoft seemed interested in curing the obvious quirks that sometimes emerged when moving items around a board. Software that stays static is always in trouble unless it’s a COBOL program running tax software from the 1970s.

Many Ways to Take Notes

Another truth is that there are just too many ways to take notes available in Microsoft 365. Some like the simplicity and mobile access of To Do; others like OneNote. And now Microsoft is preaching the wonders of the Loop app. Over the long term, I could see a consolidation in the OneNote/Loop space with the newer application winning because of its better synchronization capabilities and its roots in SharePoint Online. But we shall see.

The End of Boards

In any case, the guillotine descends on boards on June 26, 2023, or roughly six weeks from the announcement and just before the end of Microsoft’s FY23 fiscal year. By Microsoft standards, retiring an Outlook feature in six weeks is very fast and is further testimony to its low usage. Boards are no public folders, something that Microsoft has been trying to dump since 1987 or thereabouts.

Microsoft’s advice to users is confusing. On the one hand, they say that there’s nothing that users need to do. Boards will simply disappear on the designated date. The items linked to boards remain in place and can be accessed from their original location. For instance, when you create a note on a board, Outlook stores the underlying item in the Notes folder of your mailbox. Outlook Notes is another application that hasn’t received much tender loving care from Microsoft in the recent past, but at least the data is there and can be copied and pasted into a more up-to-date and functional digital notebook.

On the other, Microsoft recommends going to the Privacy and Data section of Outlook (OWA) options to export board data (Figure 3). I shouldn’t bother. In a decision surely taken by a developer without supervision, OWA outputs the board information in JSON format to a file called boards.json. I wonder what target the developer had in mind when they contemplated how to export the board data?

Make sure that you’re not surprised about changes that appear inside Office 365 applications by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers stay informed.

Intelligent Technology Depends on Machine Learning Access to User Data

Some years ago, I wrote about how Outlook uses machine learning to predict words to insert in messages. This was an early example of machine learning in Outlook. Text prediction is common practice today and we almost expect applications to include machine learning to help us compose notes, documents, and responses. Given the introduction of ChatGPT and Bing’s AI Bot, some worry about the prospect of increasing amounts of machine-generated text and its effect on human creativeness. It’s definitely a story to follow.

Over the last few years, Microsoft has steadily increased the use of “intelligent technology” in Outlook. Currently, the range of features covers features like birthday detection to text predictions to suggested replies, controlled through OWA settings (Figure 1). Regretfully, the Set-MailboxMessageConfiguration cmdlet doesn’t currently support updating these settings for a mailbox.

The combination of Microsoft Research and product engineering groups has driven the introduction of intelligent technology in OWA. For example, Outlook’s suggested replies feature is underpinned by the Azure Machine Learning Service.

Outlook Desktop Lags in Intelligence

Outlook desktop clients receive the intelligent technology features after OWA. This lag has always existed, but at least we can respond to email with an emoji. Oddly, there’s been a few recent reports of Outlook for Windows failing to display the “show text predictions while typing” setting in its options (here’s an example). I don’t see the setting on one PC and do on another, both of which run the same build of Outlook click to run. I even updated the system registry at HKCU\SOFTWARE\Microsoft\Office\16.0\Common\MailSettings to set the InlineTextPrediction DWORD value to 1 to enable text predictions with no effect.

Microsoft Processing of User Data

One thing that people get worried about is the notion that Microsoft “reads” their email to create suggested replies and to build models for text predictions. It’s true that Microsoft processes email to create the suggestions and predictions used by Outlook, but the important thing is that the data used by the learning models constructed to help machine learning understand how individual users work with text remain in user mailboxes. Microsoft doesn’t gather information from the 380-odd million active Office 365 users to improve its detection algorithms. The general foundation for the models come from public data (and I imagine, messages circulating within Microsoft), but the tweaks to make those models personal remain private to the user.

In its user documentation for suggested replies, Microsoft says that “Suggested replies are generated by a computer algorithm and use natural language processing and machine learning technologies to provide response options.” It also says that “Outlook uses a machine learning model to continually improve the accuracy of the suggestions. This model runs on the same servers as your mailbox within your organization. No message content is transmitted or stored outside of your organization.”

These statements don’t mean that the machine learning code runs on 300K Exchange Online mailbox servers. Instead, Microsoft uses a concept called Privacy Preserving Machine Learning (PPML) to transfer data to specialized AI computers in the Microsoft cloud. After processing, Microsoft erases the source information from the AI computers and background agents update mailboxes with user-specific results. It is this information that Outlook consumes locally when dealing with messages.

Email is worldwide, but the structures and syntax used by different languages means that Microsoft’s machine learning processes is limited to certain languages. For instance, at the time of writing, suggested replies are available in only 22 languages.

I’ve heard (but can cite no public evidence) that AI processing occurs on a tenant basis to allow some consolidation of generic results at the tenant level. For instance, if many users in a tenant use “OK” as a standard response, it’s likely that machine learning will consider “OK” as a prime candidate to be a suggested response for everyone in that tenant. The consolidated generic data remains in the tenant.

Viva Insights Processes User Email Too

In addition to the way Microsoft processes user email to understand text patterns, Viva Insights looks through email to detect commitments made by users. Its MyAnalytics predecessor started to scan emails for commitments in 2018. When users open the Viva Insights add-in or use the Viva Insights app in Teams, they see recommendations and insights derived from the contents of the calendar and inbox folders from their mailbox.

Among the information Viva Insights highlights are messages that might contain commitments that the user needs to follow up. Viva Insights displays details of the messages it has found and prompts the users to either note the potential task as complete or add it as a personal To Do task (Figure 2).

Viva Insights also finds messages where the user asks recipients to do something and prompts them to either follow up or mark the task as done.

There’s lots of deep research into finding commitments in email and highlighting those commitments to users. But again, the important thing is that the data used by Viva Insights remains in user mailboxes and is under the control of users.

Worrying About the Data Used by Machine Learning in Outlook

Those with responsibility for compliance and privacy in an organization are usually the people most worried about the processing of user data. With the growth of machine learning and AI-powered “experiences” and the resultant need for access to user data to learn from, this is a good concern to have. In the case of Microsoft 365, many “connected experiences” exist where people consume a cloud service without realizing where data comes from or is consumed.

Personally, I’m not concerned about how machine learning processes my email as the outcome is useful (when it works), but I realize that others have different feelings. It’s a topic for every organization to work through and figure out how happy they are to have Microsoft process their data to create new features.

To finish off, Figure 3 shows how Bing chat answered my question about how Outlook uses machine learning…

Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.

Time to Consider How to Handle Outlook Add-Ins for New Clients

A recent Practical365.com article about user submissions of suspicious email caused me to think. Not about the proposal because it’s obvious that allowing people to report suspicious messages that Exchange Online delivers to their inboxes is a good idea.

After all, if someone receives an email that looks like malware, smells like phishing, and has a faint hint of spam, it’s probably not a good thing. And if it gets to a mailbox, it’s a failure of Exchange Online Protection (EOP) or whatever email cleansing service the message passed through en route. Reporting this kind of message to their administrator or Microsoft for further analysis is right and proper. Everyone benefits when Microsoft receives copies of messages that get past the EOP tests.

Customizable Notification Messages

The article explains how Exchange Online now allows organizations to customize the messages displayed when people report bad email. It’s a nice feature that allows organizations to reassure people that something happens when they take the time to report a problem. No one likes their efforts to disappear into a black hole. Figure 1 is an example of a customized message sent to people in my tenant when an administrator reviews a reported message. The format of the message contains corporate branding to reassure the recipient about its source.

The End of COM Add-ins

But the goodness of being able to create customized notification messages for reporting bad email is not what caused me to think. My attention was drawn to the assertion that the Report Message/Report Phish add-ins will stop working at some point in the future. These add-ins allow users to report messages as junk mail or phishing and have been around for a while. Their long-term replacement is a built-in Report message button that can report messages as either phishing or junk. In other words, a consolidation of add-ins.

At this point, you might wonder why I focus on such an arcane subject. Does it matter if Microsoft decides to replace some Outlook add-ins? Of course, it doesn’t, except when it’s a pointer to a change that might affect customer organizations and ISVs. The older Outlook (for Windows) add-in model is COM-based. Many such examples of these add-ins exist, whether built by ISVs or in-house.

Monarch and OWA Don’t Use COM

But Microsoft is heading to a common Outlook base, aka “One Outlook” or Project Monarch, with the aim of delivering a unified client on as many platforms as possible. The Monarch client is based on OWA and cannot use COM add-ins. Instead, the new Outlook add-in model uses JavaScript or HTML. Monarch is currently in preview with Office Insiders and, like OWA, receives frequent updates. We don’t know when Monarch will transition to become the next version of Outlook for Windows. Given the current state of play, this probably won’t happen in 2023. But 2024?

This brings me to the point of this note: Microsoft is updating its Outlook add-ins to move away from COM. Is the same happening for the add-ins created by ISVs or in-house development? With its knowledge of where the Outlook puck is going, Microsoft has first-mover advantage here, but the fact that it’s making the change should signal a warning to tenant administrators and architects that it’s time to understand what COM-based add-ins are in use and the plans to evolve them to work with the new Outlook, or even with today’s OWA client.

ISVs know what’s happening and will have plans to evolve their products. I wonder if the same attention is paid for in-house code. Given the longevity of the current Outlook for Windows architecture, it’s possible that some add-ins are in situ that no one wearing an administrator hat knows much about. It would be a shame if an obscure but necessary add-in surfaced to disrupt future deployment plans, so do yourself a favor and check now.

Keep up to date with developments like Project Monarch by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers understand the most important changes happening across Office 365.

Driving Usage for the Bookings with Me App

The January 12 announcement that bookable time is coming to Outlook (OWA) is no more than a Microsoft attempt to drive usage of the Bookings with Me app. There’s nothing wrong with that tactic, even if it might make some people think that the announcement brings news of a brand new feature.

Microsoft also refers to bookable time as “Bookings in Outlook” and asserts that the apps helps to reduce “the back and forth in scheduling while helping you [to] maintain control of your calendar.” Bookable time in Outlook is available to users with the following licenses:

• Office 365: A3, A5, E1, E3, E5, F1, F3 
• Microsoft 365: A3, A5, E1, E3, E5, F1, F3, Business Basic, Business Standard, Business Premium 

The Magic of Controlled Scheduling

This magic happens through uses creating a personal bookings page where they publish slots where they are available to meet people who care to make a booking through the page. The control Microsoft mentions comes about by the user establishing a schedule of available time slots when the user will accept 1:1 meetings (Figure 1).

Microsoft’s documentation for Bookings with Me explains the various settings.

It’s important to emphasize that bookings are regular Outlook meetings that show up in a user calendar alongside other events. There’s absolutely nothing different between a meeting scheduled in the normal way and one created using Bookings with Me. The intelligence in the Bookings with Me app is entirely in the user interface to define available slots and the processing that publishes those slots and allows people to make bookings. Users can edit the settings of their booking pages by going to the Booking app.

Not everyone will want to or be interested in Bookings with Me. Within a company, it’s a facility that people like HR consultants might use to allow employees to easily set up meetings to seek advice, Externally, people need an Azure AD account (school or work account) to book an appointment using Bookings with Me. The calendar owner remains in full control at all time and can reschedule or cancel appointments made with them at any time. Those who request meetings can also cancel or reschedule appointments (with the calendar owner’s assent).

Publishing and Using a Booking Page

When the schedule is ready, the user can publish (share) their availability for meetings. If the user hasn’t published a booking schedule before, the app generates a URL that the user can share with people who might want an appointment (Figure 2). For instance, they could include the URL in their email signature or publish it in their Teams status.

Clicking the link displays the user’s personalized booking page and exposes the available time slots based on the schedule established by the user (Figure 3).

Bookings and Bookings with Me

Some are confused between Bookings with Me and Microsoft Bookings. The differences are straightforward:

• Bookings with me is for personal use and deals with 1:1 meetings only. It is an Outlook feature that can schedule Teams online meetings. All events are in the user’s calendar.
• Microsoft Bookings is a separate application with its own (scheduling) mailboxes intended for use by a group or other entity.

Whether the advent of bookable time in OWA will convince more people to create Bookings with Me pages to allow others to schedule meetings with them remains to be seen. If you need a feature like this, it’s nice to have Bookings with Me. If not, it’s very safe to ignore bookable time.

So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

Email Signatures Shared between Outlook and OWA But Not a Panacea for Signature Management

A reader pointed me to Microsoft’s Email Signature Gallery and asked if these signatures could be used with Outlook and OWA. The answer is yes, and there’s documentation to show how, which is always nice.

The gallery of email signatures is in a Word document (Figure 1), which can be downloaded or edited online. Editing is important as you need to update one of the sample signatures to use it.

After making the appropriate changes, you can cut and paste the signature into OWA or Outlook desktop (Figure 2) and the wonders of roaming signatures will make it available in both clients. Basically, all you need to do is replace the photo, update the values for title, phone numbers, organization, and address, and add links for your web site and Twitter handle. The email signatures gallery sounds like a very useful tool, but some downsides exist.

According to message center notification MC450845 (October 27, 2022), rollout of roaming signatures should now be complete. Microsoft also refers to the feature as “cloud signatures.” Both mean the same thing. The signature information is in user mailboxes and clients download signature information from the mailbox to apply signatures to messages.

Set-MailboxMessageConfiguration Remains Broken

The first issue is that Microsoft hasn’t addressed the issue with roaming signatures that broke the Set-MailboxMessageConfiguration cmdlet by removing HTML support for signatures in OWA. Microsoft removed the warning from the documentation that roaming signatures causes the problem, which was nice of them. The problem means that if you’ve taken the time to develop nicely-formatted signatures for OWA, any scripts that apply OWA signatures to mailboxes won’t work.

You can’t make an omelette without breaking eggs and Microsoft would say that you can’t introduce roaming signatures and give users a choice of signatures to use without breaking something. At least, I think they’d say this because they broke something.

It’s reasonable to assume that an update would be necessary for the Set-MailboxMessageConfiguration cmdlet after the introduction of roaming signatures. The update needs to:

• Support the storage of signature information in the user’s mailbox.
• Support reading and setting of multiple signatures per mailbox.
• Support selecting a default signature for new messages and replies from the available set.

It would be nice if Microsoft fixed the cmdlet problem so that those who’ve invested time and energy to develop PowerShell scripts to manage email signatures can continue to benefit from their work.

Roaming Signature Data in User Mailboxes

Up to now, the cmdlet could retrieve signature information from its settings. Now it must read data from the ApplicationDateRoot\49499048-0129-47f5-b95e-f9d315b861a folder in the non-IPM part of the mailbox. The MFCMAPI utility reveals that each signature has its own sub-folder (Figure 3) along with other information stored in ApplicationDateRoot\49499048-0129-47f5-b95e-f9d315b861.

The folder for a signature has a contents table storing some message items. The message items hold the signature data (Figure 4) in HTML format, including graphic elements like icons.

It’s obvious that the implementation of roaming signatures is very different in many ways to the simplicity of the earlier approach taken by OWA, which only supports a single HTML signature.

Roaming Signatures Work for OWA

In any case, signatures updated in Outlook desktop become available to OWA (and vice versa) after a period for the clients to learn about updates and refresh caches. Figure 5 shows the signature from the email signatures gallery that I pasted into Outlook as it appears in an OWA message.

Current State of Play

The current state of play is therefore that clients that support roaming signatures (OWA, the Monarch client, and the latest Outlook click to run builds) share signatures stored in user mailboxes. No matter what client someone updates a signature in or the source of the signature (from the gallery, from another user, or generated by the user), the clients will all pick up and use that signature.

Does this mean that ISV signature management products like Code Two’s Email Signatures for Office 365 are out of business? Not at all. Roaming signatures fix a problem in that a common signature is now available within the Outlook client family. It’s not a universal panacea for email signature management and does nothing about making sure that people use suitable corporate signatures throughout the organization, including with non-Outlook clients. If you’re interested in central management of email signatures across multiple clients, there’s still a ton of value to be gained from investing in the right tools.

So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

Being Able to Work with Folders and Rules Make Outlook Groups More Useful

In August 2022, Microsoft announced that support for group owners and members to create and use folders and inbox rules in Outlook groups was coming. As is often the case, the rollout of the new functionality stalled a little, but is now reaching tenants (MC422161). The feature only works with OWA and Outlook Monarch and there’s no news when, if ever, it will appear in Outlook desktop or Outlook mobile. Nevertheless, giving Outlook groups some new functionality is welcome as not much has happened in this area for a while. The last major update was the addition of Send As and Send on Behalf of support in 2019.

New Support for Folders and Rules

The new capability allows group owners and members (if allowed) to:

• Create new folders in the group mailbox used by an Outlook group. Although you can then list and access the new folders, you can’t access any of the default folders in the mailbox except Inbox and Deleted Items (and calendar, but only through the calendar view). For years, people have asked for access to the Junk Email folder in group mailboxes to allow them to rescue messages that end up there.
• Move and copy items between folders. Oddly, OWA doesn’t support drag and drop of items between group mailbox folders.
• Create rules to process messages delivered to the group mailbox’s inbox.

Group owners can always create and delete folders and rules. Group members need permission before they can use these functions.

What’s odd about this implementation is that OWA has allowed access to group folders for years if you add a group mailbox to its set of resources as a shared folder. For instance, Figure 1 shows the folders in a group mailbox when accessed as a shared folder. You can see default folders like Archive and Junk Email. The “Happiness” folder, created using the new functionality, is also visible.

Figure 2 shows what you see using the new feature. The Happiness folder is present, but there’s no trace of the Drafts, Archive, Sent Items, or Junk Email folders. I realize that Microsoft didn’t set out to make all folders in a group mailbox available, but it would be nice to know why not, especially when it’s possible to leverage code that already exists (albeit for group owners only).

Curiously, you can only drag and drop a message from another folder to the inbox of a group mailbox. The other folders are there but OWA won’t move items to them. Instead, you move the item to the inbox and then move it from there to the desired folder.

Another oddity is that if you add a group as a favorite, OWA only displays the Inbox when you access the mailbox. This is likely by design because an OWA favorite is a folder rather than a complete mailbox, but it’s something that might confuse users.

Organization-Wide Settings

Several organization-level and group-level settings are available to control the new functionality. A tenant administrator can use the Set-OrganizationConfig cmdlet to update these settings:

• IsGroupFoldersAndRulesEnabled: Defines if the new functionality is turned on or off. The default is False, meaning that OWA does not exposes the support for folders and rules in Outlook groups. Run the Set-OrganizationConfig cmdlet to update the setting to True to enable the new features.
• IsGroupMemberAllowedToEditContent: Controls if group owners see a permissions toggle in group settings to control the ability of group members to move, copy, and delete messages and create and manage rules. The default is True, meaning that the toggle is available. If set to False, group owners don’t see the toggle and group members cannot move, copy, and delete items.
• BlockMoveMessagesForGroupFolders: Controls if the move option is available to group members. If True, they can move items to other folders. If False, they cannot. The reason why you might prevent group members moving items is to keep all received messages in the Inbox where they can be accessed by people using Outlook desktop and mobile clients.

Group owners can always delete, move, and copy items.

Group-Level Setting

After making sure that the organization IsGroupMemberAllowedToEditContent setting is True, we can move to group-level control. In my tenant, the permissions toggle (Figure 3) to allow group members to move, delete, and copy items is off for all groups, meaning that a group owner must go and switch the toggle before group members can edit content. It can take up to 20 minutes before the change becomes effective. This is probably due to caching and the need to publish the new settings to OWA.

Rules

Except that fewer actions are available, creating a new rule to process inbound email for the group works exactly like personal inbox rules in OWA. Go to group settings and select the Rules option. OWA displays the screen shown in Figure 4 to allow the input of:

• A rule name.
• Rule conditions.
• Rule actions. In Figure 4, you can see that the Move action is unavailable. This is because the BlockMoveMessagesForGroupFolders organizational setting is True.

One point to remember is that rules only apply to the copy of an inbound message delivered to the group mailbox. Group members that subscribe to the inbox to receive copies of messages sent to the group still receive those copies.

Progress But More to Do

There’s not much more to say about folder and rule support in Outlook groups. It’s progress because it enables more ways to work with email in Outlook groups. However, the nagging feeling is that most Microsoft 365 Groups created today are used with Teams. Quite how many Outlook groups are used to process real work is unknown, but presumably there’s enough for Microsoft to continue adding new features.

Learn more about how the Office 365 applications really work on an ongoing basis by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep subscribers informed about what’s important across the Office 365 ecosystem.

Time Slots from Five to Sixty Minutes

Although Microsoft has developed a good habit of announcing changes through notifications posted to the Microsoft 365 admin center, sometimes new features arrive in apps without much or any warning. Such is the case of the ability to select different time scales and display multiple time zones now available in OWA’s calendar.

I had never noticed these features (who goes looking for new ways to tweak a calendar display) until the What’s new icon in the OWA menu bar attracted my attention with an indication that something new was available. I suspect that many people are like me and don’t pay much attention to these notifications, but in this case (Figure 1), I discovered several recent changes. Users can:

• Choose the time scale (the increment between sections) for viewing the calendar from the default 30-minute slot used until now.
• Add multiple time zones for display in the OWA calendar.
• Select a color scheme for calendar events.

Making Events Easier to Read in the Calendar

The logic behind allowing users to choose a custom time increment for calendar is that they can select the time scale that works best for the kind of events that they schedule. For instance, selecting a smaller time increment allows the calendar to display more information about items that occur over a short period. If you’re in the habit of scheduling short meetings, then this works well. For instance, it’s common practice for corporate spokespeople to assign short periods to journalists after a product announcement. As shown in Figure 2, using a 10-minute increment (top) makes the calendar much easier to look at than the default 30-minute increment (bottom).

Of course, if you’re in the habit of scheduling multi-hour meetings, then switching to a 6—minute time increment will work better for your calendar. You can switch the time increment between different values until you find the choice that works best for you by clicking on the vertical timeline and selecting time scale from the options (Figure 3).

Documentation for the time increment feature is available online.

OWA Time Zones

Another of the items listed in what’s new list is the ability to add time zones to the OWA calendar. This feature has been available in Outlook desktop for many years and adding it to OWA was a popular user request. Adding a new time zone is easy, as shown in Figure 4.

You can set the label for the time zone to whatever value you want. For instance, I set the label for my default time zone to “Home.” You can see the effect of selecting multiple time zones and selecting a custom label for each zone in Figure 3.

Small but Important Changes

Some will consider these changes to the OWA calendar not worthy of note. At least, tweaking displays is not as important as adding “real functionality” like the Booking with me feature. That’s certainly a reasonable stance to take if you’re interested in other aspects of the Microsoft 365 ecosystem, but it ignores the fact that users have asked for these changes. With that in mind, it’s good to see the changes show up in the OWA calendar, even if you never alter a time interval, add a time zone, or even change the color scheme for your calendar. Little things can have big impact.

Make sure that you’re not surprised about changes that appear inside Office 365 applications by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers stay informed.

An Attempt to Make Scheduling Meetings Easier

According to message center notification MC375740 (updated Jun 21, 2022, Microsoft 365 roadmap item 93239), the deployment of Outlook’s Booking with Me feature is rolling out to targeted release tenants. The deployment to standard release tenants will start soon and be complete in mid-August. Any user with an Exchange Online license has access to Bookings with Me unless the organization disables the feature for the entire tenant or individual users.

Despite its association with Outlook, Booking with Me is a separate app that uses Exchange Web Services (EWS) API calls to interact with user calendars. The idea behind the app is to allow internal and external people to request time in the calendars of other users through their Booking with Me page. The app is separate to the Microsoft Bookings app, with the basic differentiation between the target audiences: personal (manage meetings in my mailbox) and group (manage appointments for a group of people, usually for a business purpose).

Using Booking for Me

If your account isn’t blocked, a Create bookings page link appears in your OWA calendar (Figure 1). A similar link is not available in Outlook for Windows or Mac. After creating a bookings page, the link changes to Edit bookings page.

Clicking the link brings up a draft bookings page for you to populate with meeting type. A meeting type defines the characteristics of a meeting you’re willing to accept, including:

• Public or private: Anyone with the link to your bookings page can select from the defined public meeting types to create a meeting in your calendar. Only those with the link to a specific private meeting event can create those events. You might have a private meeting type that can be scheduled immediately at any time by selected co-workers and a public meeting type for everyone else.
• When it can happen: By default, you use the working hours defined for your calendar, but you can amend the available hours. For instance, you might decide to reserve slots between 10 AM and 11 AM each morning for meetings.
• How long a meeting will be: The default is 30 minutes. It can be as short as 10 minutes
• Where the meeting will be: The default is to create online Teams meetings., but you can define a location such as your office or a conference room.
• Create buffer times before and after meetings so that you don’t end up with back-to-back events. The buffer time is defined in minutes.
• How long in advance someone can schedule a meeting. The default is one hour, meaning that someone can look for a time slot in your calendar an hour ahead of the current time. As many people like to review meetings to decide if they will accept them or reschedule as necessary, a longer lead time might be better.

Figure 2 shows how to populate the settings for a new meeting type.

Each meeting type has a separate link used to make bookings. You don’t have to define all the meeting types immediately as you can add more over time. Just one is needed to create your booking page, which can take ten or so minutes for the service to set up.

Sharing Meeting Types

When the bookings page is ready, you can share its link with other people. The Share option generates a link like Book time with Sean Landy, which expands to a link to the BookWithMe service running on Outlook.com:

https://outlook.office.com/bookwithme/user/7b111e2fc69a4d309725c9bb579256ba@office365itpros.com?anonymous&ep=pcard

The important point to understand is that anyone with a meeting link (public or private) can book a meeting with you, even if they don’t have a Microsoft account.

You can share the link to your bookings page by copying it to include in a document, email, or Teams message, or add it to your email autosignature. OWA greyed out the option to add the booking link automatically in the edit email signature dialog. This was probably because I defined two public meeting types and OWA couldn’t choose which of the links to the meeting types to insert. The problem is easily solved by pasting the link to the bookings page into your email signature.

Booking Meetings

To book a meeting, use the link to someone’s bookings page or the link to a private meeting time that’s been shared with you. Booking with Me displays the page. You can then select the meeting type from the set displayed on the page and then choose a meeting time (Figure 3).

When someone schedules a meeting through Booking with me, both the requester and the person who hosts the meeting (the meeting owner) receive email confirmation. The meeting owner receives email to tell them that someone set up a meeting through their bookings page. The requester receives a regular meeting invitation. If the meeting is online, the invitation includes any custom Teams meeting information defined by the organization. To make this happen, the Bookings service impersonates the meeting owner and creates a meeting in their calendar with the person who requests the meeting. The calendar event is like any other event and can be updated or cancelled as necessary. This includes changes made by the requestor, who can use a link in the meeting invitation to access meeting details to reschedule or cancel the event.

Likely to be a Popular Tool

Booking with me is a good example of how many can deploy its software toolkit to combine different elements drawn from across Microsoft 365 to create a new solution that people can use without installing any additional software. Users might need a little help to understand how to create good meeting types, but once people get the hang of it, I think Booking with me will be popular. Let’s face it: few people enjoy organizing meetings, and if Booking with me helps to reduce the pain a little, it will deliver value.

So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across Office 365. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.

A New Mailbox Type to Appreciate

It’s always interesting when you discover something about an application that’s been around for a long time, like when I found some “scheduling” mailboxes in Exchange Online.

Get-EXOMailbox -Filter {RecipientTypeDetails -eq "SchedulingMailbox"} | Format-Table DisplayName

DisplayName
-----------
Professional Financial Advice
Office 365 for IT Pros
Sean Landy Medical Appointments

Scheduling mailboxes host the calendars used by the Microsoft Bookings app. Let’s explore how the app works and uses the scheduling mailboxes.

Note: the Microsoft Bookings app is very different to the Outlook Booking with me feature.

Controlling Access to Microsoft Bookings

Bookings is available in all Office 365 and Microsoft 365 plans unless it’s blocked at the organization level or for specific individuals. At the organization level, granular controls are available in the Microsoft 365 admin center (org settings) over different aspects of Bookings (Figure 1).

These settings can also be retrieved and updated using PowerShell:

Get-OrganizationConfig | Format-List Bookings*

BookingsEnabled                             : True
BookingsEnabledLastUpdateTime               : 21/07/2022 16:39:06
BookingsPaymentsEnabled                     : False
BookingsSocialSharingRestricted             : True
BookingsAddressEntryRestricted              : False
BookingsAuthEnabled                         : False
BookingsCreationOfCustomQuestionsRestricted : False
BookingsExposureOfStaffDetailsRestricted    : False
BookingsNotesEntryRestricted                : False
BookingsPhoneNumberEntryRestricted          : False
BookingsMembershipApprovalRequired          : False
BookingsSmsMicrosoftEnabled                 : True

To disable Bookings for an individual account, you remove the Microsoft Bookings app from the set of apps licensed to the account. This can be done by editing the account in the Microsoft 365 admin center, or with PowerShell. For example, here’s how to remove the Microsoft Bookings service plan (199a5c09-e0ca-4e37-8f7c-b05d533e1ea2) from an account licensed with Office 365 E3 (6fd2c87f-b296-42f0-b197-1e91e994b900):

$LicenseOptions = @{SkuId = "6fd2c87f-b296-42f0-b197-1e91e994b900"; DisabledPlans = @("199a5c09-e0ca-4e37-8f7c-b05d533e1ea2")}
Set-MgUserLicense -UserID Terry.Hegarty@Office365itpros.com -AddLicenses @($LicenseOptions) -RemoveLicenses @()

See this article for more details about how to use the Microsoft Graph PowerShell SDK to manage licenses for Azure AD accounts.

Creating a New Booking Page

New Booking pages (and calendars) are created through the Bookings icon in the OWA resource bar. You can block the ability to create new pages with the BookingsMailboxCreationEnabled setting in the OWA mailbox policy assigned to a mailbox. By default, the setting is True, which allows users to create new Bookings pages. Set it to False to stop this. For example:

Set-OWAMailboxPolicy -Identity "No Signatures" -BookingsMailboxCreationEnabled $False
Set-CASMailbox -Identity James.Ryan -OWAMailboxPolicy "No Signatures

Users can create a new booking page (and calendar) by selecting the Bookings icon in OWA. Oddly, people blocked from creating new pages are allowed to open the app and go through the process of entering details of the new page. It’s only when the time comes to create the page that the block descends, and they’re informed that permissions are needed to create a new booking calendar. When you think about it, the block imposed in the OWA mailbox policy refers to mailbox creation, and that’s what the block prevents. It’s just a pity that the app doesn’t stop people sooner.

When a user creates a new booking page, a background process creates a scheduling mailbox to host the calendar to store booking appointments. User mailboxes are associated with Azure AD accounts, and a first-party Microsoft enterprise app called Microsoft Substrate Management (object identifier e6ff64fa-aad6-4944-8e6c-c746c7b613a6) creates the accounts for the scheduling mailboxes. You can see this in the audit record created for a new account.

RecordType   : AzureActiveDirectory
CreationDate : 21/07/2022 13:01:58
UserIds      : ServicePrincipal_e6ff64fa-aad6-4944-8e6c-c746c7b613a6
Operations   : Add user.
AuditData    : {
                 "CreationTime": "2022-07-21T13:01:58",
                 "Id": "d007ed08-2dd8-436c-a12b-bad7df04e51e",
                 "Operation": "Add user.",
                 "OrganizationId": "a662313f-14fc-43a2-9a7a-d2e27f4f3478",
                 "RecordType": "AzureActiveDirectory",
                 "ResultStatus": "Success",
                 "UserKey": "Not Available",
                 "UserType": "System",
                 "Version": 1,
                 "Workload": "AzureActiveDirectory",
                 "ObjectId": "SeanLandyMedicalAppointments@office365itpros.com",
                 "UserId": "ServicePrincipal_e6ff64fa-aad6-4944-8e6c-c746c7b613a6",
                 "AzureActiveDirectoryEventType": 1,

The person who creates the new booking page becomes its administrator. Once the page is ready, the administrator can define the services to offer, their cost, and the people (staff) who can provide the service. Each user can be assigned a role for the page, such as team member (the default), supervisor, and viewer. Guest accounts are supported, but they can’t open the scheduling mailbox to view the calendar, so all their interactions are via email.

I noted that users granted the administrator role have full permission over the scheduling mailbox. However, if a user’s role is subsequently downgraded (say, to team member), they don’t lose the permission.

Making a Booking

As an example, let’s assume that the Office 365 for IT Pros writing team wanted to offer an IT consulting service. To set this up, I added the writers as staff members, defined a couple of very attractive services, and assigned different people as responsible for delivery of each service. I then enabled the page so that it’s available on the internet, and we’re open for business. Anyone can make a booking with us, even if they don’t have a Microsoft account.

When customers go to the bookings page, they see the information displayed in Figure 2 and can choose the service they want, who they want to deliver the service (or “anyone” to get a random consultant), and a time slot.

After everything is ready, the customer saves the appointment. Bookings creates a new Teams meeting for the selected date and time and sends out meeting requests to the participants. When the appointed time arrives, everyone joins the Teams meeting and the service is delivered. The only thing that’s missing is an integration with an online billing service like Stripe to collect the cash (a payment system originally offered by Microsoft is retired).

Because everything is organized around a calendar, the process of checking the calendar to see who’s occupied or available, assign time off (an appointment in the calendar), and so on is straightforward. If you can use OWA, you can use Bookings. Another good thing is that because all the bookings are stored in scheduling mailboxes, their content is indexed and discoverable.

Bookings for All

The Microsoft Bookings FAQ includes a list of ideas for how Bookings might be used. There’s lots of other good information to assimilate in the FAQ before plunging into an implementation of Bookings. I’d also spend some time playing with a couple of dummy Bookings pages to understand how the app works and how it meets the needs of different scenarios. It’s an app that’s worth checking out.

Stay updated with developments across the Microsoft 365 ecosystem by subscribing to the Office 365 for IT Pros eBook. We do the research to make sure that our readers understand the technology.

Scripts Stop Working without Warning

In 2020, I wrote about how to create and apply corporate email signatures for use by OWA. Recently, things started go wrong and some people reported that the code didn’t work any longer. The issue is linked to the work Microsoft is doing to deliver Outlook roaming signatures, a much-anticipated feature that’s currently delayed until October 2022. The good news is that some progress is visible. The bad is that the development has caused problems for tenants that could have been avoided.

The Broken Set-MailboxMessageConfiguration Cmdlet

I’m all for Outlook roaming signatures. It’s a nice feature that should have existed across the entire Outlook family long before now. One of the consequences of the move is that Microsoft deployed code to allow OWA (and the Monarch client) to support multiple signatures (Figure 1) instead of the previous situation where OWA supported just the one. The code is available in all tenants, except those who have asked for it to be removed (see below).

Outlook desktop has long supported multiple signatures, so getting the functionality in OWA is goodness. However, the change means that the SignatureHTML parameter of the Set-MailboxMessageConfiguration cmdlet now includes a warning that:

This parameter doesn’t work if the Outlook roaming signatures feature is enabled in your organization. Currently, the only way to make this parameter work again is to open a support ticket and ask to have Outlook roaming signatures disabled in your organization.

In other words, the scripts developed to create nicely-formatted HTML signatures for OWA won’t work. Existing signatures remain in place and will work, but the cmdlet might fail if you try to update a signature. Note the word “might.” The strange thing is that sometimes the cmdlet fails and sometimes it works. For instance, I just ran these commands to set and check a HTML signature for a mailbox, and everything worked:

Set-MailboxMessageConfiguration -Identity $M.UserPrincipalName -SignatureHTML $SignatureHTML -AutoAddSignature $True -AutoAddSignatureOnReply $False

Get-MailboxMessageConfiguration -id Terry.Hegarty | Format-List SignatureHTML


SignatureHtml             : <html>
                            <body>
                            <b>Terry Hegarty </b>Valued Employee<br>
                            <b>Office 365 for IT Pros</b> Terenure, Dublin, D18A42Z2 Ireland<br>
                            / Email: <a href="mailto:&quot;Terry.Hegarty@office365itpros.com&quot;">Terry.Hegarty@off
                            ice365itpros.com</a><br>
                            <br>
                            </body>

But I know that many other people have difficulties making the cmdlet work, so the behavior is inconsistent and unpredictable, which is just the kind of unhappy behavior no one likes in code.

The only bright spot on the horizon is that the beta channel builds of Outlook for Windows share the same signature information with OWA and the Monarch client (Figure 2). Outlook for Windows now reads the signature information from a hidden folder in user mailboxes instead of the system registry. The folder for signature information is ApplicationDateRoot\49499048-0129-47f5-b95e-f9d315b861a6, with a separate sub-folder used for each signature. An item inside the folder holds the signature text. It seems like roaming signatures are getting closer, even if their development has caused some upheaval.

Only One Fix (or Patience Required)

As those involved in tenant management know, living with change is a constant inside Microsoft 365. In this case, change is happening (slowly) to enable a good outcome (Outlook roaming signatures), but Microsoft overlooked the need to upgrade the Set-MailboxMessageConfiguration cmdlet (or an equivalent Graph API) to allow organizations to continue managing signatures for mailboxes. That’s more than regrettable, especially when it happened with a total lack of communication to tell customers what’s happening.

If you run into the problem, Microsoft suggests that you open a case with Microsoft Support to ask them to arrange for the roaming/multiple signatures feature to be removed from the tenant. This process is likely to take a few days to complete. The alternative is to ignore the issue and wait until Microsoft delivers Outlook roaming signatures as promised in October. That update might, or might not, happen on schedule. But that’s the way of the cloud…

Keep up with the changing world of the Microsoft 365 ecosystem by subscribing to the Office 365 for IT Pros eBook. Monthly updates mean that our subscribers learn about new developments as they happen.

Same Issue Exists for Teams and OWA

I’m still waiting for the arrival of Loop components in OWA. After writing about the announcement of Loop support for OWA in MC360766, I was asked about the eDiscovery and Compliance issue reported in the message center post and why some organizations might block the use of Loop components until Microsoft delivers a solution.

The same problem exists for Loop components created in Teams chat. Let me explain what the problem is by going through an example.

Creating a Problem in a Loop Component

First, we create a compliance issue in a Loop component posted in a Teams chat. In this case, it’s a conversation about potentially fraudulent activity (Figure 1) in a Loop paragraph. The physical storage for the component is in a fluid file stored in the originator’s OneDrive for Business account. Like other files shared in chats, the file is in the Microsoft Teams Chat Files folder.

It’s worth noting that Teams DLP policies do not currently check the content of Loop components. For instance, if the organization deploys a DLP policy to prevent users from sharing credit card numbers, it blocks this activity in regular chats, but not in Loop components.

Searching for Loops

I then opened the Microsoft Purview Compliance portal and created a new content search to look for any file or email containing the keyword “Arkana” as used in the Loop component. The search found three items, including one called “The Plan” (Figure 2).

As I note in a discussion about using Loop components in Teams chat, the Microsoft 365 substrate generates compliance records for messages posted in Teams chats. Although the substrate captures compliance records for messages containing loop components, they are empty apart from a link to the fluid file in their source OneDrive for Business account. For this reason, the compliance records do not appear in search results.

Accessing Loop Component Content

The content search preview does not support files containing loop components and displays the error:

“This document type is not supported by preview.”

To view the content, you can download a copy of the file from the search preview. This creates a file without an extension that cannot be opened. To solve the problem, I did the following:

• Gave the file the same fluid extension (e.g., The Plan.fluid) as used when Teams stores files containing Loop components in the Microsoft Teams Chat Files folder in OneDrive for Business.
• Moved the file into my OneDrive for Business account. Any folder will do.
• Double-clicked on the file. Office.com opened and displayed the contents (Figure 3).

The good news here is that an investigator can at least download Loop components from a content search preview to examine their contents. The bad news is that this needs to be done on a file-by-file basis.

Exporting Loops in Search Results

After using search preview to make sure that a search locates results that they want, the next step for compliance investigators is to export search results. A preview is just that: a snapshot of what to expect when a search runs. Before an export can happen, Microsoft 365 runs a full search. This might find items overlooked in the preview. In our test, the export included the fluid file containing the interesting content (Figure 4).

The problem now starts to become obvious. You can’t open a fluid file from exported search results. You can if you copy the file to your OneDrive for Business account, but not in its export location. I suspect that this is due to permissions. When you move or copy a fluid file into your OneDrive for Business account, you have full control over it. Left in the search export location, metadata containing permissions in the file likely stops someone from opening it unless they have permission to.

This causes a huge problem for investigators. It might be workable for internal investigators to copy discovered fluid files to their personal OneDrive for Business account to review the files there. It’s not feasible for external investigators and experts to do the same, especially if they don’t have access to OneDrive for Business or want to work offline.

I believe this is the reason why Microsoft is working on “an offline consumable export format.” In other words, as the search export process extracts copies of files containing Loop components from their source locations, it will create something like a PDF version of the files. If this doesn’t happen soon, more organizations will consider blocking Loop components for all Microsoft 365 apps, adding to Microsoft’s difficulties in convincing people that this method of collaboration is a real advance.

Same Issue for Emails

The same issue will occur in emails with embedded Loop components. These files will probably live in the sender’s OneDrive for Business account with permissions granted to all recipients to interact with the components. Microsoft will need to do the same magic to convert Loop content in emails to something consumable outside the tenant.

Of course, quite how this scheme works when external recipients are part of the addressee list remains to be seen. It might be that these recipients see a static version of the Loop content. I’ll let you know when OWA support for Loop components becomes available.

Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

Just in Time for Outlook

Updated: March 22, 2023

Microsoft Loop components have been available in Teams chat since November 2021. I haven’t heard about widespread usage, but that might be because people need time to adjust their collaboration habits. Access to Loop components in other applications is also a gating factor, but availability in OWA and Outlook for Windows (current channel preview) should help to address this concern. According to MC360766 (April 18, Microsoft 365 roadmap item 93234), Microsoft will roll out this feature to tenants configured for targeted release in early May.

Update: It took a little longer than predicted, but Loop components are now available in OWA.

So far, there’s no sign of Loop components in Outlook desktop, but I’m sure the components will arrive in my email any day now to deliver the same kind of functionality as available in Teams chat (Figure 1). In a nutshell, if an email contains a loop component, it exists as a file in the sender’s OneDrive for Business account that is shared with the email’s recipients. We’ll report more when the software is available.

IsLoopEnabled

This brings me to MC371268 (May 2), where Microsoft announces that “in response to customer feedback,” they’re retiring the existing settings to control the availability of Loop components and introducing a new control called IsLoopEnabled.

The control is part of the SharePoint Online tenant configuration and is set using the Set-SPOTenant cmdlet. You’ll need to upgrade the SharePoint Online management module to version 16.0.22413.12000 or later. Microsoft posted this version in the PowerShell Gallery five days ago. You can install or update the module from the PowerShell gallery or download an MSI file from Microsoft.

The replaced control is IsFluidEnabled, which enables the Fluid Framework within a tenant. Microsoft plans to retire the IsFluidEnabled setting on November 25, 2022. Going forward, the relevant settings in the SharePoint Online configuration are:

• IsLoopEnabled: Controls if Teams can use Loop components. The default is True (Enabled).
• IsCollabMeetingNotesFluidEnabled: Controls if fluid components are available in OneNote collaborate meeting notes.

Update: Following the availability of the preview version of the Loop app, the control for the Loop app, Outlook, Whiteboard, and the Office Online apps is via settings in the Cloud policy.

eDiscovery and Compliance Issues

Although eDiscovery searches can find Loop component files stored in OneDrive for Business, Microsoft acknowledges “limited eDiscovery workflow support.” With the additional of Loop support in Outlook, this aspect might become more problematic. For example, today, the preview feature for search results can render the full content of emails. This isn’t possible when an email contains a loop component because the preview window needs a software upgrade to fetch the content from OneDrive and display it inline within a message.

Another issue is with exports of search results. Today, Microsoft Purview can export emails (and the compliance records captured for Teams chats) found by searches as individual message files or in PST files. Microsoft says that the export format is “not consumable by existing tools,” and that they’re working on “an offline consumable export format.” Taken together, these statements make me think that the exported emails contain references (links) to OneDrive files that aren’t accessible to investigators working offline or independent experts who review eDiscovery results without access to the source tenant.

Making the content of search results available offline probably involves replacing the embedded link in messages containing Loop components with a static version of the content extracted from OneDrive.

This topic deserves a more comprehensive test, which I will get to once Outlook support for Loop components is available. In the meantime, organizations that don’t want to run into potential eDiscovery problems should strongly consider disabling Loop components for both Teams and Outlook by setting the IsLoopEnabled control to False.

Set-SPOTenant -IsLoopEnabled $False

Stay updated with developments across the Microsoft 365 ecosystem by subscribing to the Office 365 for IT Pros eBook. We do the research to make sure that our readers understand the technology.

Recipient Moderation Works for All Mail-Enabled Objects

A discussion about moderated distribution lists was a throwback to the past. You hardly hear much about recipient moderation these days, but it was a big thing when Microsoft added it to Exchange 2010. Moderation works for both on-premises and cloud recipients, and it works in hybrid deployments too (there’s a good write-up about troubleshooting moderation on the EHLO blog).

Moderation works for all kinds of mail-enabled objects: mailboxes, dynamic and normal distribution lists, mail users and contacts, public folders, and Microsoft 365 groups. It’s a good feature to use to protect sensitive recipients from receiving emails from all and sundry.

A typical deployment scenario is to moderate messages sent to senior executives by forcing a review by an executive assistant before Exchange can deliver the messages to the target mailboxes. Moderation supports bypassing, meaning that you can define sets of users or distribution lists whose messages are not subject to checks. When an email comes from bypass senders, Exchange delivers it directly.

Moderation in Action

When moderation happens, an arbitration mailbox sends details of the email to the designated reviewers (moderators), who can approve or reject the message (Figure 1).

The response goes back to the arbitration mailbox, which releases the message for final delivery if the response is positive. If the response is negative, the arbitration mailbox returns the email to the original sender with a note to tell them that a moderator rejected its delivery. If a moderator doesn’t process the message within two days, it’s returned to the original sender to tell them that moderation didn’t happen.

Moderators have full access to messages awaiting approval, even if sensitivity labels encrypt message content and they wouldn’t normally have the right to read it. Because it needs to be able to check messages as they pass through the transport pipeline, the Exchange transport service has super-user access to all encrypted content. The transport service can decrypt the protected message when it sends the copy for approval, which is how the moderator can review the email.

You can even have a situation where a moderator reads a message, approves it for delivery, and the final recipient can’t read the email because the sensitivity label doesn’t grant them the right to access it. This underlines the point that senders should always know what rights a sensitivity label applied to email grants to recipients.

The Problem with Outlook

Coming back to the problem under discussion, the query was about why OWA can expand the membership of a moderated distribution list and Outlook for Windows cannot. On the surface, there’s no good reason why this should be so. Unlike a dynamic distribution list whose membership depends on directory attributes, the membership of a moderated distribution list is static and known. Even the Outlook address book agrees and is perfectly willing to display a list’s members (Figure 2).

When a user asks OWA to expand the membership of a moderated distribution list, it’s happy to do so (Figure 3).

But Outlook refuses point-blank, even if the plus sign appears to show that the client supports the expansion of a distribution list (Figure 4). Normally, if you click the plus sign, Outlook warns that if you expand the list, Outlook replaces the distribution list with the individual addresses of its members. Once this happens, you can’t collapse the individual members back to the list. I don’t know what Outlook means by a moderated public group either (as noted in the comments, this turns out to be a Microsoft 365 group…)

For the record, Outlook mobile avoids the issue by not offering the option to expand the membership for any distribution list.

One Outlook

Inconsistencies like this in client families madden users. In this case, it’s probably a small issue that affects very few users and an obvious and viable workaround exists, all of which means that Microsoft is unlikely to fix whatever is causing Outlook to fail to deal with moderated distribution lists. Maybe the fabled Project Monarch (aka “One Outlook”) app, apparently due to enter public preview soon, will address the inconsistency. But I wouldn’t hold your breath!

Learn about protecting Exchange Online and the rest of Office 365 by subscribing to the Office 365 for IT Pros eBook. Use our experience to understand what’s importance and how best to protect your tenant.

Read Receipts Is a Very Old Email Feature

I haven’t thought about email read receipts for years. It’s a very old email feature that goes back to the days when unreliable SMTP and X.400 connections linked organizations together and you never quite knew if email got through to its destination. The reliability of computer networks today means that read receipts are less important, or maybe it’s just that other communication methods have replaced some email traffic, like Teams. The introduction of read receipts for Teams in early 2020 doesn’t count because the read receipt for chats is more of a “seen” indicator than a message returned to a sender to confirm that an addressee has opened an email (Figure 1).

Helping a Police Chief

Which brings me to a request from an Office 365 for IT Pros reader. Apparently, a police chief is sick and tired that their email sent to some recipients is not being responded to. They want to know when the addressees open the messages he sends. The request was to be able to turn on automatic read receipts for mailboxes and disable the ability of users to change the setting.

Read receipt is a message option, like delivery receipt (confirming the delivery of a message to a mailbox). When set, the read receipt shows up in the message properties as a Disposition-Notification-To header with the return address to receive the read receipt (Figure 2). A blast from the past EHLO blog post from 2011 explains more.

The presence of the Disposition-Notification-To header is what prompts clients to check if they should ignore the request, send the receipt automatically, or ask the user if they’d like to send the receipt. The immediate problem in satisfying the user request is that Exchange Online considers read receipts to be a client-side function. In other words, the action to respond to the sender is invoked when a recipient uses a client to open a message with a read receipt requested. Clients have different settings to control how to respond.

OWA Read Receipt Settings

Take OWA for example. It’s easy to configure the user settings for read receipts through the Message handling section in OWA settings (Figure 3).

There’s also an Exchange Online PowerShell cmdlet to do the job. For instance, let’s assume that we want a set of users to always send read receipts when requested. This code uses the CustomAttribute12 property to hold the value “RR” to indicate that a mailbox should be in the set. We can use a server-side filter to find the mailboxes and call the Set-MailboxMessageConfiguration cmdlet to update the read receipts setting.

# Find mailboxes to update and then update their read receipt setting to always send read receipts
[array]$Mbx = Get-ExoMailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited -Filter {CustomAttribute12 -eq "RR"}
If ($Mbx.Count -eq 0) {Write-Host "No mailboxes found"; break}
ForEach ($M in $Mbx) {
   Write-Host "Setting mailbox read receipt configuration for" $M.DisplayName
   Set-MailboxMessageConfiguration -Identity $M.UserPrincipalName -ReadReceiptResponse AlwaysSend }

Using RBAC to Remove Read Receipt Settings from OWA

Although administrators can update user mailbox settings to control read receipts, it does nothing to stop users changing the read receipt options through OWA settings. To block that happening, we need to remove the read receipt options from the GUI. Exchange Online has a well-developed role-based access control (RBAC) system to control features available to users. RBAC works through the user role assignment policy set on user mailboxes. These policies enable or disable features by controlling the cmdlets available to users. For instance, I’ve written in the past about how to use RBAC to stop people updating their OWA autosignature.

To stop users changing the read receipt setting, we need to:

• Create a new RBAC role based on the regular set of user options.
• Remove the entry in the role for the cmdlet used to update read receipt settings (Set-MailboxMessageConfiguration).
• Remove the entry in the role for the cmdlet used to fetch add display the read receipt settings (Get-MailboxMessageConfiguration).
• Create a new user role assignment policy containing the roles usually granted to users with the exception that we replace the base options with the edited version which blocks the ability to update the read receipt settings.

All of this sounds complicated, but it’s a system that worked well since its introduction in Exchange 2010. Here’s the PowerShell code to do the work listed above:

New-ManagementRole MyBaseOptions-NoRR -Parent MyBaseOptions

Set-ManagementRoleEntry MyBaseOptions-NoRR\Set-MailboxMessageConfiguration -Parameters ReadReceiptResponse -RemoveParameter

Remove-ManagementRoleEntry MyBaseOptions-NoRR\Get-MailboxMessageConfiguration

New-RoleAssignmentPolicy -Name PolicyWithNoRR -Roles MyContactInformation, MyRetentionPolicies, MyMailSubscriptions, MyTextMessaging, MyVoiceMail, MyDistributionGroupMembership, MyDistributionGroups, MyProfileInformation, MyBaseOptions-NoRR -Description "User Role Assignment Policy to block users updating read receipt settings"

The last thing to do is to assign the user role assignment policy to the mailboxes we want to block. This is done with the Set-Mailbox cmdlet:

Set-Mailbox -Identity Chris.Bishop -RoleAssignmentPolicy PolicyWithNoRR

Thirty minutes or so later, the new policy will take effect. You’ll know that it works if you go to OWA settings and don’t see the options to update the read receipt settings (Figure 4).

To bring the solution together, you can add the Set-Mailbox command to the code described above to update the read receipt setting and assign the user role assignment policy for the set of target mailboxes.

ForEach ($M in $Mbx) {
   Write-Host "Setting mailbox read receipt configuration for" $M.DisplayName
   Set-Mailbox -Identity $M.UserPrincipalName -RoleAssignmentPolicy PolicyWithNoRR
   Set-MailboxMessageConfiguration -Identity $M.UserPrincipalName -ReadReceiptResponse AlwaysSend }

Controlling Read Receipts in Outlook

Our problem is solved if OWA is the sole client in use. Unhappily, that’s probably not the case. Clients like Outlook for Windows, Outlook for Mac, and Outlook mobile might be in use, as might third-party clients. Every client has its own method to control the processing of read receipts. For instance, Figure 5 shows the settings in Outlook for Windows (click to run version).

For historic reasons, most Outlook for Windows settings are stored in the system registry. A check of the settings available in the administrative templates for Outlook reveals that the read receipts are controlled by the receipt response  DWORD value at HKCU\Software\Policies\Microsoft\Office\16.0\Outlook\Options\Mail. The values are:

• 0: Always send a response.
• 1: Never send a response.
• 2: Ask the user before sending a response.

You can update the value manually by editing the registry (Figure 6), which is fine for a test case. In production, you’re likely to use a group policy object (GPO) or other technique to deploy the policy setting to client workstations.

Once the policy is in place, Outlook greys out the options to control read receipts.

Client-Side Feature Dependant on Client-Side Controls

In summary, read receipts are a client-side feature invoked by the presence of the Disposition-Notification-To message header. Because it’s a client-side feature, any attempt to force the client to process read receipts in a particular manner depends on the controls available in a client. We can satisfy the police chief’s request for OWA and Outlook for Windows. I see no way to do this for Outlook mobile and didn’t investigate Outlook for Mac or any of the many other email clients which can connect to Exchange Online using Exchange ActiveSync (EAS), IMAP4, or POP3 (hopefully without using basic authentication). Now you know what you should look for, checking how to deal with other clients is an exercise for the reader!

Learn more about how Office 365 really works on an ongoing basis by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep subscribers informed about what’s important across the Office 365 ecosystem.

Previous Moca Boards Still Available

The July 20 announcement (MC271629) to move Project Moca boards to the OWA calendar board view was not a surprise. Given the dates on Microsoft 365 roadmap item 80213, it seems like Microsoft made the decision in May, soon after rolling out the calendar board view to OWA, which at the time we pointed out seemed like a Moca board (or space, for Moca was also referred to as “Outlook spaces”) tailored for the calendar.

Moca’s Lack of Identity

It’s a sensible call, I don’t think Moca got much traction with customers after Microsoft introduced it as a preview feature in October 2020. A separate component within OWA must have its own identity to stand alongside mail, calendar, people, and tasks. Moca delivered boards onto which people could post a collection of different bits of data, but that’s hardly the same as a fully developed OWA component. I used Moca for a couple of months and then gave up, not least because no mobile client exposed Moca boards (I found a workaround using the To Do mobile client, but it was never satisfactory).

In any case, all the Moca boards created using the preview are now safe and sound and available through the calendar (Figure 1). Everything seems intact, even if some objects appeared to have moved on the board (this could be just me).

The Project Moca icon is still present in OWA’s left-hand navigation rail and opens the Moca page, but I bet this will disappear soon.

Outlook Desktop

For now, only OWA supports the board view. The thought going through my mind is whether Microsoft will use the OCX/WebView2 technology to bring the board view to Outlook desktop as part of their One Outlook initiative, just like they recently did for the Room Finder. It would be logical if they did this to bring boards to Outlook, especially now that the WebView2 runtime component is included with Microsoft 365 apps for enterprise updates. Time will tell.

Learn more about how Office 365 really works on an ongoing basis by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep subscribers informed about what’s important across the Office 365 ecosystem.

A Banner Notification Difficult to Ignore?

I’m unsure what to make of the news in MC264090 (updated July 1) telling us that Outlook (and OWA) users on Windows 10 will soon see a clickable recommendation to install the Outlook in Edge extension (currently in preview). The recommendation will appear in “any Windows browser” (if using OWA) or in Outlook desktop (presumably Outlook click to run rather than Outlook perpetual). The recommendation is dismissible but annoying and can appear a maximum of three times “in each app” before it is “suppressed permanently.” Those who use both OWA and Outlook can therefore see the banner six times, which is something to look forward to.

If you succumb and install the extension, an Outlook icon appears in the Edge menu bar (Figure 1). It has access to the site because the user grants consent to access their mailbox.

Bringing the Power of Outlook to an Edge Icon

According to Microsoft 365 roadmap item 82036, “The Microsoft Outlook browser extension brings you the power of mail, calendar, contacts, and tasks using an icon in Microsoft Edge. Quickly access your Outlook work account or your Outlook.com or Hotmail account without switching to another tab or app. The extension will be available in the Chrome Store soon as well.”

Apart from anything else, the roadmap item tells us that the Outlook extension will also be available for Chrome users, presumably again on Windows 10 (and likely Windows 11, since that appears to be Windows 10 with a new skin).

The reason why I am conflicted is that I don’t see the point in the extension. If I want to use OWA (and I do), I open a tab in the browser for OWA and keep that tab open. I can then do whatever I want with email, tasks, contacts, and the calendar. It’s like using the “peeks” available in Outlook desktop to get an insight into data. Being able to overlay the calendar when processing email (Figure 2) is mildly interesting and enough to convince me to keep the extension, but it’s not something I use heavily.

Apart from the calendar, the extension can peek into your mailbox, tasks (including any To Do list), and contacts. Within the mailbox, you can select any folder, but you cannot select another mailbox, including your archive mailbox. The extension allows you to select different calendars to view. However, this part doesn’t work so well in the preview and was inclined to freeze. You can also access a limited selection of OWA settings. For instance, you can set an auto-reply message. And if you want access to the full functionality of a section of OWA, the extension can open into a tab. Just about the only thing which is missing is Project Moca.

Blocking the Clickable Recommendations

Although the Outlook extension doesn’t float my boat, I can see how it will work for others. The real question for tenant administrators is if they want to block the display of the recommendation banner by using the Office Cloud Policy Service (OCPS) to set “Recommend the Microsoft Outlook Extension” policy to ‘Disabled’ (Figure 3). OCPS settings affect both OWA and Outlook for Windows.

According to MC264090, a future update to Group Policy templates will support the block too in Outlook by setting the RecommendOutlookExtension system registry (DWORD) value at HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0\outlook\options to 0 (disabled).

Good for Some

Targeted release is due in July and tenants need to act before July 30, 2021, if they don’t want users to see the clickable banners. Before deciding, try the extension yourself to see if you think people will find value in its use. If not, go ahead and block. If you do, let people see the banners and install the extension if they wish.

Stay updated with developments across the Microsoft 365 ecosystem by subscribing to the Office 365 for IT Pros eBook. We do the research to make sure that our readers understand the technology.

A New Way to View What Needs to be Done

Microsoft 365 message center notification MC248428 published on April 3 announces a new calendar view for OWA. The board view, which is now rolling out to tenants, is “an expanded view where users can manage workloads like calendar, tasks, goals, flagged emails, and files.” According to roadmap item 70746, “people can organize and manage their time, beyond the hour to hour time slots in a redesigned free-flow view of the things that are important.”

The Moca Variation

This all sounds wonderful until you realize that the new view is a variation on Project Moca (aka Outlook spaces), a “new productivity module” launched in preview in October 2020. I have both Project Moca and the new board view available in OWA and it’s hard to tell the two apart. Both feature a rearrangeable board where users can position and resize items of interest, including notes, to-do items, people cards, goals (all-day calendar events), documents, collections (Moca used to call these buckets but now uses the same term), and weather items. The idea is that you can assemble different pieces of information and keep them together in an accessible space. It’s a reasonable idea.

The big difference between a Moca board and the calendar board is that OWA includes the user’s calendar (Figure 1).

Putting Email on the Calendar Board

Another big difference is the lack of a search feature to find information in your mailbox to pin to the board. This is a pity because a lot of information is in email, a fact acknowledged by OWA’s Add to Project Moca option (Figure 2).

I experimented with different ways to add an email to the calendar board including cut and paste of message text into a note and drag and drop. These didn’t work. What did is to create a link item and insert the deeplink shown in the browser bar when a message is selected in OWA. The URI is like:

https://outlook.office.com/mail/inbox/id/AAQkADMxZTJlY2U0LTU0MjYtNDhlMC04Y2UyLWE5NmRmN2MzMTZiMwAQABlNJsx1SbRGu79e8dP2k2I%3D

The same approach works for inserting a deeplink pointing to a Teams message.

The OWA Calendar Board View is a Customized Moca Board

OWA’s new calendar board view is a Moca board customized to highlight the calendar and associated items. Like other Moca boards, the assets (items) for the OWA calendar board are in a folder in the non-IPM part of the user’s mailbox (in my case, the folder is OutlookSpaceAssetsf4ff9062-1465-41f4-80dc-35f63b43b1fa).

Project Moca continues as a separate part of OWA because it allows users to create multiple boards, each dedicated for a different purpose. Whether Moca ever leaves preview to become generally available is a decision Microsoft must make. I haven’t heard of many people using Moca, but this might be simply due to lack of awareness. Perhaps when people use the board view to organize their calendar, they’ll want to create their own boards and can do so through Moca. Time will tell.

For more insightful comment presented in an always up-to-date format, subscribe to the Office 365 for IT Pros eBook. We refresh the book monthly because the Microsoft cloud keeps on evolving.

That is, if Meeting Attendees Cooperate…

Research commissioned by Microsoft says that your brain needs breaks when working over sustained periods and points to back-to-back video meetings as a problem. The article goes on to point to new calendar settings in Outlook (Windows and OWA for now, the other platforms are coming) to help users to shorten Outlook meetings to create breaks when they schedule events. The idea is that these breaks give users the opportunity to decompress a little before plunging into the maelstrom of their next meeting. It’s a nice idea, but one that can only work if everyone attending meetings cooperates to begin and end meetings on time, which is something that human beings fail to do.

Making Outlook Shorten Meetings

Outlook has been able to suggest shortened meeting durations for two years (here’s an article by MVP Brian Reid from 2019), with the idea being that people could gain some time back in their day by scheduling 30-minute meetings for 25 minutes and hour-long gatherings for 50 minutes (or whatever you choose). What’s different now is:

• An organization-wide default setting is available to complement the client-side settings. The change is described in message center notification MC251866 published on 21 April and Microsoft 365 roadmap item 72215.
• People can choose to shorten meetings at the start or end of a period by starting late or ending early.
• The organization defaults or user-selected settings apply to the full range of Outlook clients for Microsoft 365 (after Microsoft upgrades the software). Perpetual clients like Outlook 2019 don’t respect the settings.

For instance, I used version 2104 of Outlook for Windows (the option should be in version 2102 or later of Microsoft 365 apps for enterprise) to choose my preferred options (Figure 1).

On the basis that people always turn up late to my meetings, I choose to create a time barrier to my next meeting by ending early. The corporate culture in your organization might be different, but I hazard a guess that most meetings can focus on finishing by a defined meeting end time where they might struggle to begin on time. Of course, the period allotted to a meeting and the actual time consumed by the meeting can be two very different values. The behavior of people in a meeting might be affected by a shortened time, but when business or personal needs dictate, people will continue until they achieve the purpose of the meeting.

The periods available to shorten meetings of less than one hour are 5, 8, and 10 minutes, while for meetings of one hour or longer they are 5, 10, and 15 minutes. As we’ll see, more granularity is available when setting organization defaults with PowerShell. Figure 2 shows how to configure the event shortening settings in OWA. It’s interesting that Outlook desktop refers to meetings and appointments while OWA refers to generic “events.”

Shortening a Meeting

My calendar settings call for a default meeting duration of 30 minutes. After selecting my event shortening options, new meetings start off with a 25-minute duration set (Figure 3). If the default meeting duration is an hour or longer, Outlook shortens it by 10 minutes.

The new setting does not affect any meeting already in the calendar. And of course, because the owner has full control over an event, I can select other durations for the meeting as I like. The shortening feature is an advisory guide rather than a mandatory restriction.

When scheduling a meeting with OWA, users might see a MailTip saying: “Your organization shortens events by default.” This only applies when the user has not configured event shortening and an organization policy is active (see below). Microsoft says that the same MailTip will be visible in other Outlook clients in the future.

Shortening Teams Meetings

Given the multitude of Teams meetings occurring today, effective event shortening must apply to these events. Neither Teams calendar app nor the Teams channel calendar app respect organization-wide or personal event shortening settings at present. Events created by Outlook synchronize with the Teams calendar app, so Teams meetings created through Outlook will pick up the shortened times. According to Microsoft, an update is coming for the Teams calendar app to respect the shortening settings.

Configuring Shortening Events Settings with PowerShell

While users can decide on their personal event shortening settings and set these values through Outlook or OWA, organizations might want to apply default settings. This is done by updating the Exchange Online organization configuration with PowerShell. It’s critical to understand that once a user selects their own settings, the organization defaults do not apply to them.

Three organization-wide settings are available to control event shortening:

• ShortenEventScopeDefault: Sets whether event shortening is in effect (0 or none) or applies to ending meetings early (1 or EndEarly) or starting later (2 or StartLate). This parameter must be set to 1 or 2 before you can amend the periods.
• DefaultMinutesToReduceShortEventsBy: The number of minutes to shorten events by if they are scheduled for one hour or less. The default is five.
• DefaultMinutesToReduceLongEventsBy: The number of minutes to shorten events by if they are scheduled for over one hour. The default is 10.

To turn on event shortening for the organization using my preferred end early option, run:

Set-OrganizationConfig -ShortenEventScopeDefault EndEarly

Using Get-OrganizationConfig to examine the settings afterwards shows the current configuration:

Get-OrganizationConfig | fl defaultmin*, short*

DefaultMinutesToReduceShortEventsBy : 5
DefaultMinutesToReduceLongEventsBy  : 10
ShortenEventScopeDefault            : EndEarly

Like any organization-wide setting, some time is necessary to allow clients and servers to pick up new values (it can take up to 24 hours for the setting to reach all the mailbox servers used by a tenant). For now, there’s no way for administrators to use PowerShell to update settings for individual mailboxes as Microsoft hasn’t upgraded the Set-MailboxCalendarConfiguration cmdlet.

Putting the Best Face on Every User

Updated 3 October 2023

Update: Microsoft announced (MC678855) the deprecation of the Exchange Online management cmdlets used to manage user photos (Set-UserPhoto, etc.). These cmdlets will be removed from use on 30 November 2023. You should upgrade scripts to use the cmdlets from the Microsoft Graph PowerShell SDK instead.

In April 2020, Microsoft introduced a policy to stop users being able to update their photo through the Teams client. More accurately, Teams adopted the SetPhotoEnabled setting in the Exchange Online OWA mailbox policy to control if a user can update their photo. Since then, I have noticed a flood of questions (or complaints) from people asking why their attempts to upload a photo is “blocked by policy.” Of course, the answer is that it is, and they should talk to their tenant administrator to have their photo updated, but that’s seldom a welcome response.

Given that user photos show up in places as diverse as the GAL, the Microsoft 365 user profile card, and avatars in applications like SharePoint Online and Teams, it’s a good idea to make sure that appropriate photos are available for users. For example, if a user photo is available, Teams meetings show the photo on a user’s attendee card when their video feed is turned off instead of the more generic “two-initials in a circle” card (Figure 1).

Two Strategies

Organizations usually consider two approaches before deciding on a strategy for user photo management.

• User-driven. While this strategy involves less work for administrators, it exposes the danger that some users might make less than suitable photo choices. It’s a poor choice for schools and other educational establishments.
• Organization-driven. This strategy usually means that some tool updates user photos based on a repository such as HR data. The upside of the strategy is the high standard of user photos. The downside is the need to either write a tool or find one to do the job (like Code Two Software’s Photos for Office 365).

Of course, given that control is exerted by OWA mailbox policies, you can run a hybrid strategy where some users can update their photos, and some cannot through the simple step of deploying multiple OWA mailbox policies, some of which enable photo updates and the others which don’t.

The Role Played by Exchange Online

Exchange Online plays a key role in user photo management for other Microsoft 365 applications. The SetPhotoEnabled setting in the Exchange Online OWA mailbox policy assigned to the mailbox controls the ability for users to update their photo. By default, this setting is $False, meaning that users are unable to upload a photo from apps and their Office profile. Users barred by policy see a message such as “picture options are disabled by policy” if they try to change their photo. To allow users to upload and update their photos, either:

• Update the OWA mailbox policies so that SetPhotoEnabled is $True in all policies, or:
• Create or update an OWA mailbox policy with SetPhotoEnabled set to $True and assign this policy to the mailboxes of accounts you want to allow to upload photos.

For example, to update an OWA mailbox policy, run the Set-OWAMailboxPolicy cmdlet:

Set-OWAMailboxPolicy -Identity OWAFullAccess -SetPhotoEnabled $True

To assign an OWA mailbox policy to a mailbox, use the Set-CASMailbox cmdlet:

Set-CASMailbox -Identity Chris.Bishop -OWAMailboxPolicy OWAFullAccess

Changes to an OWA mailbox policy take up to 30 minutes before they are effective.

OWA mailbox policies in Exchange Online obviously don’t affect users with an on-premises Exchange mailbox. These users are therefore able to update their photos in apps like Teams.

Updating User Photos Programmatically

Several PowerShell cmdlets are available to administrators to update user photos.

• The Exchange Online Set-UserPhoto cmdlet updates the photo data in a mailbox. Set-UserPhoto can also update a photo for a group mailbox (be sure to specify the GroupMailbox switch). You cannot use Set-UserPhoto to update other mail-enabled objects, like distribution lists or mail contacts. Photos loaded into Exchange Online are synchronized to other workloads, including SharePoint Online and Teams.
• The Teams Set-TeamPicture cmdlet updates the image for a team. This is analogous to running Set-UserPhoto to update the photo for a group mailbox. In most cases, it’s best to use Set-UserPhoto to avoid the need to load another module. It’s a good idea to highlight important teams with an appropriate image which conveys the purpose of the team.
• The Azure AD Set-AzureADUserThumbnailPhoto cmdlet writes photo data to an Azure AD user account. Use this cmdlet when you wish to update photo data for an Azure AD account which doesn’t have an Exchange Online mailbox, like guest accounts. As the cmdlet name suggests, the cmdlet processes thumbnail (small) photos. It does not generate the larger size photos which look better in Teams meetings. For this reason, always use Set-UserPhoto to upload photos for tenant accounts.

Update: With the deprecation of the Azure AD PowerShell module, you should upgrade scripts to use the Set-MgUserPhotoContent cmdlet from the Microsoft Graph PowerShell SDK to update photos for guest accounts.

Exchange Online and Azure AD synchronize photo data to make sure that user accounts have the latest picture. After a short delay to allow the apps to refresh their caches, an updated photo will be active across the ecosystem.

Teams owners can change the picture for a team by clicking the existing picture and uploading a new file (Figure 2). Group owners can do the same for Microsoft 365 groups by editing group properties in OWA’s Manage groups section. In both cases, the picture data is in the group mailbox and will synchronize to other apps.

Image files for user photos can be JPEG or PNG format and should be:

• Resolution: 648 x 648 pixels. This is the largest resolution supported. Behind the scenes, Exchange Online generates smaller 64 x 64 and 96 x 96-pixel thumbnails for apps to use when small thumbnails are appropriate. Most digital photos are much larger (in pixels) so some resizing is needed. Square photos are best as they won’t be cropped. Usually, best results are obtained when the user faces directly into the camera.
• Size: Less than 500 KB.

Although it can take 30 seconds or more to update a picture for a mailbox, running Set-UserPhoto is simple:

Set-UserPhoto -Identity Chris.Bishop@office365itpros.com -PictureData ([System.IO.File]::ReadAllBytes("c:\Temp\ChrisBishop.jpg")) -Confirm:$False

If you want to check if a mailbox already has a picture (to avoid overwriting it), use the Get-UserPhoto cmdlet. This cmdlet returns $Null if the mailbox has no photo. Remember to include the GroupMailbox switch if checking a group mailbox (including team-enabled groups).

If (Get-UserPhoto -Identity Chris.Bishop@Office365Itpros.com) {Write-Host "Chris has a photo"}

If you make a mistake and upload the wrong image, you can restart by removing the image with the Remove-UserPhoto cmdlet:

Remove-UserPhoto -Identity Chris.Bishop@office365itpros.com -Confirm:$False

An example of how to scan user mailboxes to update photos if none are found can be downloaded from GitHub.

The Personal Side of Users

User photos are extremely personal, and it should come as no surprise that people should be upset when they cannot change their image. If you decide to clamp down on user-initiated photo updates, perhaps it might be a good idea to create a process to allow users to request photo changes. It might just keep people happier.

Edge WebView2 Enables Reusable OWA Features

Last October, I wrote about Microsoft’s One Outlook vision, essentially a plan to rationalize the many forms of Outlook around a more rational approach to development. The Edge WebView2 control is a big part of the plan because it enables Outlook desktop to consume web-based features developed for OWA. That’s why Microsoft now distributes the WebView2 control with Microsoft 365 apps for enterprise (desktop Office click to run).

Room Finder Now Used in Outlook Desktop

In the article, I mentioned OWA’s revamped room finder (to locate a conference room for an in-person meeting – something we all hope will resume soon) as an example of the functionality which would turn up in Outlook desktop. With version 2103 (the current channel preview), Outlook desktop now uses OWA’s room finder. Figure 1 shows the room finder in OWA while Figure 2 shows it in Outlook desktop.

As you can see, it’s the same component, and sometimes when Outlook first loads the component, you see the OWA sign-in screen.

Looks Like a Win-Win Approach

The advantages of this approach to Microsoft are obvious: they can write a component once, deploy it in OWA to shake down any bugs, and then reuse the component in Outlook desktop. Apart from saving engineering effort to create code for multiple clients, it reduces the cost of ongoing sustaining engineering.

It’s good for customers too. Apart from experiencing the same feature behavior across the Outlook family, new features should appear faster. The Outlook desktop user interface as always been much slower to evolve than its web counterpart, largely because of the legacy of almost twenty-five years of development. With the new model, Outlook desktop can refresh its capabilities more rapidly. Of course, the proof will be seen as Outlook evolves, but at least the process is now moving.

Relax. It’s an Outlook Component

Microsoft published message center notification MC242585 (Microsoft 365 roadmap item 70699) on March 3 to bring the news that devices running the Microsoft 365 apps for enterprise (aka Office click to run) will get the Edge WebView2 runtime along with version 2101 (or later). I’m running version 2102 (Current channel -preview) and never noticed the arrival of WebView2. Those in the current channel not using the preview should see the change in April, unless your Office 365 tenant is hosted in a sovereign cloud or GCC (including High and DoD) where this action won’t happen.

Only Windows PCs are affected and only those which have Microsoft 365 apps for enterprise. Other devices can get the runtime by installing the Edge browser. Edge is a nice browser, even if its sleeping tabs sometimes cause disruption for SharePoint, and I have nearly broken my Chrome habit to use Edge exclusively.

Getting back to the point, installing the WebView2 runtime is like installing the Visual C++ 2008 redistributable, a much beloved inclusion in Windows updates. It’s a non-event.

No Cunning Plan

People became upset when they read the announcement and wondered if this was another cunning plan from Microsoft to force everyone to use Edge. It’s not. Edge isn’t installed and your choice of default browser remains intact. Instead, it’s using the Office distribution channel as a convenient way to make sure that the WebView2 component is available on PCs.

WebView2 is a critical part of OWA Powered Experiences (OPX). In a nutshell, Microsoft wants to be able to write software once and use it in multiple Outlook clients. New features like the Room Finder and Meeting Insights built for OWA use WebView2 as a rending engine, and the presence of the WebView2 runtime allows Outlook desktop to use the features without any changes (Figure 1). If WebView2 isn’t available, the features can’t work. Microsoft benefits by writing a feature once for multiple clients. Users benefit because clients behave the same way and features arrive faster.

Administrative Control for Edge WebView2

There’s no reason that I can think of not to allow Edge WebView2 runtime to be installed, but you can block it through the Customization section of the Apps Admin Center. Go to Device Configuration, then Modern Apps settings, and disable the automatic installation (Figure 2).

For more information, read Microsoft’s instructions.

Sharing is Caring, Unless You Can’t

Software has a nasty habit of making people feel incompetent when they don’t understand why functionality doesn’t work as expected. Maybe it’s age, but I become increasingly frustrated when software doesn’t work as I want it to. Which brings me to the OSE204 error signaled by SharePoint Online when I tried to share a document (Figure 1).

The first question is why SharePoint insists on acting as if it’s mainframe software of the mid-1980s by issuing cryptic error codes. Fortunately, SharePoint includes some intelligible text to explain why it complained about an action, which makes it even stranger why OSE204 appears. It must be a SharePoint thing, just like Exchange people can explain the finer points of why DMARC is important.

Microsoft publishes a page to explain SharePoint and OneDrive sharing errors and helpfully asserts that the reader must be a SharePoint administrator to resolve the underlying problems. Reading through the text, we discover that users can encounter eleven different sharing errors from OSE202 to OSE404, which seems like a lot. Then again, sharing is a complicated business when you consider the permutations of sharing with people inside your tenant, guest users, external users, and so on.

Why OSE204 Happened

The page says: ”Error OSE204 indicates that sharing is turned off for the site that you’re trying to share from” and explains that an administrator can fix the problem by updating the sharing capability of the site. Unfortunately, it doesn’t cover what I did to provoke the problem, which was to change the sensitivity label assigned to the site. Sensitivity labels used for container management can control the sharing capability for a site. When I updated the assigned label, SharePoint applied the label settings and blocked sharing to external users. What happened is very logical and an excellent example of how powerful policy-based management through sensitivity labels is. But figuring out what had happened didn’t make me feel any less incompetent.

A SharePoint administrator isn’t needed to fix the problem. Because the sensitivity label assigned to the site controls the sharing capability, a site owner can restore sharing with external users by selecting a sensitivity label which permits this action.

Removing the Outlook Sharing Option

Message center notification MC237377 (updated February 19) says that the Outlook sharing option (send the sharing link via email) shown in Figure 1 is being withdrawn in March 2021. The logic is that the option adds no value. It works by creating a sharing link that’s inserted into an OWA compose window with a message addressed to the recipient entered in the Send link dialog. Microsoft says that much the same happens if you go through the normal process of creating and sharing a link. However, some differences do exist:

• The sender can change the message title. Instead of receiving a message with a subject like “Tony Redmond has shared SharePoint Sharing Errors with you,” the sender can change the subject to make it more impactful.
• The sender can enter more text to set context for the sharing link. SharePoint limits the text that a sharer can insert to 500 characters. When a link is inserted into an OWA message, the sharer can use the full editor available in OWA to insert whatever text, graphics, objects, and formatting they choose. Or even make sure that their carefully-crafted corporate autosignature is in the message (Figure 2).
• The sender can set message properties. OWA offers many possibilities for a sender to set properties of a message. For instance, they could use the Encrypt-only feature or add a sensitivity label to protect its contents.

The workaround is to copy the sharing link to the clipboard and paste the link into a message. The advantage of this is that no dependency exists on OWA. You can use the email client of your choice to format the message to sharing recipients in whatever way you choose.

Debatable Choice to Remove the Outlook Option

It’s understandable that Microsoft would want to rationalize functionality. In this case it’s debatable if removing a convenient option is justifiable. Perhaps Microsoft’s telemetry informs them that people make little use of the Outlook option. If that’s so, the removal is appropriate, but Microsoft isn’t saying.

I think it’s a pity that Microsoft plans to remove the Outlook option for sending sharing links. Although I normally use the default method to share links with people, the option to compose a message of more than 500 characters with a full editor is useful when sharing specific documents. I guess the folks who made the decision never feel the same need.

Update March 11: In a triumph for good sense, Microsoft said “Based on learning’s from our early rings and your feedback we have made the decision to not proceed as outlined below. The Send link to Outlook sharing option will remain until further notice. Thank you for your feedback.”

The Office 365 for IT Pros eBook includes extensive coverage of using sensitivity labels for container management. We don’t cover error OSE204 or the other ten errors you can see when sharing SharePoint or OneDrive content. Something must be left out to keep the book to a reasonable size.

Delegate Access to Calendars is Popular Exchange Feature

Delegate access to a mailbox is a popular feature supported by Outlook desktop, OWA, and Outlook Mobile. In some cases, you only want to allow access to a specific folder rather than the complete mailbox. Calendar access is often granted to delegates to allow other people to deal with someone’s schedule. It’s easy for users to assign delegate access to their calendar. For instance, in OWA, go to the calendar, click the […] beside the calendar you want to share, select Sharing and permissions, and then add the new delegate. In Figure 1, we’ve elected to give the delegate the ability to view private calendar events too.

Once applied, the delegate will be able to open the delegator’s calendar and Exchange will send calendar invitations and responses to the delegate for their attention.

Behind the Scenes

Delegate access usually works without a hitch, but when things go wrong administrators will probably need to resort to PowerShell to understand what’s happening. The first thing is to establish what kind of access someone has to a problematic calendar. The Get-MailboxFolderPermission cmdlet shows the permissions set on a folder. In this case, we pass the user principal name of the account we want to check and “:\Calendar” to indicate the folder name.

Get-MailboxFolderPermission -Identity Jane.Sixsmith@office365itpros.com:\Calendar

FolderName           User                 AccessRights          SharingPermissionFlags
-------------           ----                 ------------       ----------------------
Calendar             Default              {AvailabilityOnly}
Calendar             Anonymous            {None}
Calendar             Ken Bowers           {Editor}              Delegate, CanViewPrivateItems

Common Delegate Access Issue

According to Microsoft, the most common error met with delegate access happens when a user cannot add a new delegate or remove an existing delegate from their mailbox. The root cause is usually a corrupted hidden item in the mailbox which stores the delegate information. Microsoft publishes a comprehensive support article outlining the steps to take to recreate the hidden item. The steps work, but assume that:

• You have a working knowledge of the MFCMAPI utility or the Exchange Web Services editor. I prefer using MFCMAPI and consider it an extremely useful program for any administrator, but I acknowledge that the interface is “interesting” and non-intuitive. In other words, it’s easy to make mistakes.
• You can run these utilities on a Windows workstation to access the problem mailbox.

Because of the multi-step recipe to fix the problem and the need to use an unfamiliar program, some people never manage to get to the end and resolve the issue. This is a classic example of where software can help.

Automating the Rebuild with a New Cmdlet Parameter

Microsoft has released a new switch parameter for the Remove-MailboxFolderPermission cmdlet called ResetDelegateUserCollection. When you run the cmdlet with the parameter, Exchange Online essentially does all the work outlined in the support article to replace the potentially corrupted mailbox items. For example:

Remove-MailboxFolderPermission -Identity Jane.Sixsmith@office365itpros.com:\Calendar -ResetDelegateUserCollection

Confirm
Are you sure you want to perform this action?
Using ResetDelegateUserCollection changes existing calendar Delegate permissions. You will need to re-assign the
Delegate flag to these recipients using Set-MailboxFolderPermission -SharingPermissionFlags Delegate. It is suggested
that this ResetDelegateUserCollection option is only used when you believe there is corruption that is preventing
managing calendar permissions.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): Y
WARNING: Resetting DelegateUserCollection...
WARNING: DelegateUserCollection is reset.

Note the warning. If we run Get-MailboxFolderPermission again, we’ll see that the sharing permission flags which make someone into a delegate are gone.

Get-MailboxFolderPermission -Identity Jane.Sixsmith@office365itpros.com:\Calendar

FolderName           User                 AccessRights             SharingPermissionFlags
----------           ----                 ------------             ----------------------
Calendar             Default              {AvailabilityOnly}
Calendar             Anonymous            {None}
Calendar             Ken Bowers           {Editor}

To complete the fix, we need to add delegate permissions again. You could ask the user to do this by updating the permissions assigned to their calendar, but it’s easier and more polite for the administrator who’s just reset the delegate information to do the job for the user by running the Set-MailboxFolderPermission cmdlet. If you don’t do reset permissions, delegates will have editor permission for the calendar folder, but they won’t be able to process calendar invitations on behalf of the mailbox owner. Here’s how to reset the permissions for Ken Bowers:

Set-MailboxFolderPermission -Identity Jane.Sixsmith@office365itpros.com:\Calendar -User Ken.Bowers@office365itpros.com -SharingPermissionFlags Delegate, CanViewPrivateItems -AccessRights Editor

After the cmdlet completes, you can run Get-MailboxFolderPermission again to verify that the delegate sharing permission flag is present once again (and optionally the flag allowing the delegate to view private items too).

Of course, it’s fine if you’d prefer to follow the MFCMAPI recipe to fix the delegate issue, but it’s a lot easier and faster to run a couple of lines of PowerShell!

Cmdlet Availability

The upgraded version of Remove-MailboxFolderPermission is rolling out now. If your RBAC configuration is higher than 15.20.3722, the cmdlet should be available in your tenant. To check, run the Get-OrganizationConfig cmdlet to check the value of RBACConfigurationVersion:

Get-OrganizationConfig | Select RBACConfigurationVersion

RBACConfigurationVersion
------------------------
0.1 (15.20.3763.11)

This is just the kind of detailed how-to information we love reading about. It might only end up as a line or two in the Office 365 for IT Pros eBook, but that’s no reason not to share the knowledge with you.

For Both Teams and Skype for Business Online Meetings

In May, Microsoft published Office 365 notification (MC213856) to say that OWA and Outlook Mobile would soon make online meetings the norm. This is now the case.

The calendar settings for OWA include whether an online meeting should be created for all meetings (Figure 1). By default, the setting is controlled by the OnlineMeetingsByDefaultEnabled setting in the Exchange Online organization configuration, which can be examined using the Get-OrganizationConfig cmdlet. Here we see that the setting is true, meaning that all meetings created by OWA are online:

Get-OrganizationConfig | Select OnlineMeetingsByDefaultEnabled

OnlineMeetingsByDefaultEnabled
------------------------------
                          True

Mailbox-Level Control

You can also control the setting on a mailbox basis by updating its calendar configuration with the Set-MailboxCalendarConfiguration cmdlet. The mailbox-level setting takes precedence over the organization setting. For example, this command disables online meetings by default for a mailbox:

Set-MailboxCalendarConfiguration -Identity James.Joyce –OnlineMeetingsByDefaultEnabled $False

OWA uses the Teams configuration to figure out if Teams or Skype for Business Online is the current provider of online meetings to the tenant. The provider is noted in the calendar configuration of each mailbox. We can check which provider is used by running code like this to report the provider and if online meetings are enabled. Fetching calendar configuration can take some time to complete for more than a few mailboxes:

$Mbx = Get-ExoMailbox -RecipientTypeDetails UserMailbox -ResultSize 50
$Mbx | Get-MailboxCalendarConfiguration |Select Identity, DefaultOnlineMeetingProvider, OnlineMeetingsByDefaultEnabled

Identity       DefaultOnlineMeetingProvider OnlineMeetingsByDefaultEnabled
--------       ---------------------------- ------------------------------
Andy.Ruth      TeamsForBusiness
Ben Owens      TeamsForBusiness
Ben.James      TeamsForBusiness
Brian Weakliam TeamsForBusiness
Imran Khan     TeamsForBusiness
James.Joyce    TeamsForBusiness             False
Kim Akers      TeamsForBusiness             True

Different Approach Used by Outlook Desktop

Outlook desktop takes a different approach to OWA. Outlook doesn’t use the calendar configuration settings stored in user mailboxes; its settings are in user profiles stored in the system registry. Currently, Outlook doesn’t have a setting to control whether all meetings should be online and instead loads an add-in to allow users to decide if a meeting should include Teams or Skype for Business Online.

When you create an online meeting, Outlook populates several properties for the meeting item stored in the mailbox containing links and other information about the online space for the meeting. The link allows users to join the online meeting at the appointed time. Apart from the link and the list of meeting attendees, Outlook has no connection to the online event, so items such as the meeting chat, participant list, and so on must be accessed through the online provider.

Microsoft 365 Roadmap item 58132 promises that Outlook for iOS will allow third-party online meeting providers like Zoom and WebEx to be the preferred provider. Microsoft was supposed to deliver the capability in August 2020, but there’s no sign of it still.

Who knows when you might need a nugget of information like this? We don’t know, so we find and document interesting bits of insight in the Office 365 for IT Pros eBook. Subscribe today to stay abreast of what happens inside Office 365.

API in Preview Revealed at Ignite 2020 Conference

The advent of support for roaming signatures for Outlook desktop caused some to question if the case to use third-party email signature management products had weakened. As it turned out, Microsoft delayed the deployment and the latest information published in Office 365 notification MC215017 on September 22 says:

• We will begin rolling this out to Microsoft 365 Monthly Channel, Targeted, in late September (previously July). (This is Insiders Slow Channel which will soon be called Microsoft Beta.)
• We expect to roll this out to the Monthly Channel, Production, in late October (previously August).

Update: According to Microsoft 365 roadmap item 60371, the latest date for the general availability of roaming signatures is July 2022.

Not Easy to Manage Outlook Signatures

My experience of using PowerShell to create and update signatures for Outlook desktop convinced me of the complexity of the task. By comparison, the signatures used by OWA are much easier to manipulate. Messages generated by Outlook mobile and other email clients connected to Exchange Online are typically handled by routing the email through an Azure-based cloud service and then back to Exchange Online for onward delivery. In a nutshell, managing corporate email signatures is not easy, especially when multiple client types are involved.

A New Signature API for ISVs

Still, ISVs need to improve their software to convince potential customers that it’s best to use their products instead of relying on what Microsoft delivers. What might surprise some is that Microsoft helps ISVs, as evident in the Build Outlook Add-ins that integrate your solution seamlessly into your users’ Outlook experience session​ (yes, that’s a mouthful) from Ignite 2020.

The session features Szymon Szczesniak, the genial CEO of Code Two software (Figure 1), discussing his company’s experience of using a new Signature API to create web add-ins which work for Outlook desktop (Windows and Mac) and OWA (now), and Outlook mobile (in the future).

As you might expect, Code Two created a web add-in to add a corporate signature to a message before it is sent. This has been possible in the past, but only by creating something like a COM add-in that had to be installed on individual workstations or distributed to sets of workstations using Group Policy Objects. The COM add-in worked by updating Outlook settings with the signature, which Outlook then applied to new messages.

What’s Possible with Signature Web Add-ins

The Signature API and web add-ins are a dramatic step forward. Signatures inserted by add-ins based on the API can be dynamic, meaning that they can be intelligent enough to detect the type of message to insert an appropriate signature. For instance, a new message might get the full treatment with a corporate slogan inserted along with user details while a reply or forward might have a cutdown signature inserted or none. If the company publishes multiple types of signature available (for instance, signatures with different graphic layouts), users can select which they’d like to use.

Finally, because the processing is done on the client before email is sent, protection applied by sensitivity labels or Office 365 message encryption works properly and solve the issues highlighted in this article, at least for Outlook clients. Challenges remain for dealing with mail traffic generated by Outlook mobile (until it supports the web add-ins) and non-Microsoft email clients, which will still need to be processed en route.

Expect December Developments

Although Code Two Software get the kudos for publicizing the new Signature API, they won’t be the only ISV to exploit the API (LetsSignIt announced that they have also been working with Microsoft to develop an add-in). I expect a batch of new products and offerings to appear soon after Microsoft makes the API generally available, expected before the end of this year. Overall, the new API will make email signature management easier to deploy and manage, and that can’t be a bad thing.

Update March 22, 2021: Code Two has released their “modern web add-in” for Outlook and OWA. Like many software developments, it took a little longer to get the add-in from early development to full production.

Update May 25, 2021: Announced at the Build 2021 conference, Code Two Software’s modern signatures add-in for OWA and Outlook for Windows is now generally available. Not to be outdone, Exclaimer has support for an OWA add-in too (but not Outlook desktop yet). Expect all the major email signature vendors to follow suit in the near future.

We don’t cover much about ISV software in the Office 365 for IT Pros eBook. In this case, email signature management has been such a pain for so many organizations for so long that we’re delighted to see progress in the space.

Edge Now the Preferred Microsoft 365 Browser

Even if you spend time reading all that’s posted to the Microsoft Technical Community, you might have missed the August 17 post announcing that Microsoft 365 will soon end support for Internet Explorer 11. In a nutshell, support in Teams finishes on November 30, 2020 while August 17, 2021 is when support ceases in other Microsoft 365 browser apps like OWA, Planner, To Do, and Yammer plus all the administrative portals.

Microsoft’s advice is unambiguous: use Edge (the Chromium-based version). The legacy (original) version of Edge stops getting security updates on March 9, 2021. Curiously, Microsoft refers to legacy Edge as a “desktop app” instead of a browser, but I guess that’s just a matter of semantics.

Teams First to Dump Internet Explorer

While the other Microsoft 365 apps have a year left to support Internet Explorer, Teams stops in just over a quarter. Microsoft doesn’t explain why they want to accelerate deprecation of IE11 support in Teams, but it might be linked to the lack of calling and video support in IE11 for Teams meetings. Given the massive upswing of demand for Teams meetings since the pandemic started, it’s unsurprising that Microsoft would want to make sure that Teams users avoid Internet Explorer.

I doubt the demise of IE11 will cause many problems for Teams users. Mac users are more concerned about Safari support for Teams (audio is supported in meetings, but video is not). Linux users who don’t use the Teams Linux client have Chrome and Firefox browsers to choose from.

Another point to consider is that Teams uses a three-week update cycle to make new functionality available to clients. The longer IE11 remains supported, the further it falls behind in terms of the new meeting functionality recently introduced for Teams.

IE Gets More Time in Other Microsoft 365 Apps

Microsoft 365 has a bunch of browser clients, some of which are refreshed almost as quickly as Teams is (OWA is an example). The longer time allowed before the Microsoft 365 apps stop supporting IE11 might be linked to the relatively straightforward nature of the apps. SharePoint Online and Stream both support IE11 only in document mode, perhaps because of the video playback capabilities available in both clients. Forms, on the other hand, also supports video playback, but proclaims itself to be optimized for IE11.

Move Now

No matter what the reason is, the simple fact is that IE11 has a limited lifetime inside Microsoft 365. It’s time to move any IE11 diehards to one of the supported browsers, unless they enjoy discovering just what Microsoft means by “customers will have a degraded experience or will be unable to connect to Microsoft 365 apps and services on IE11.”

Degraded could be anything from “a feature just doesn’t work” to “a feature works slowly.” Being unable to connect is more fundamental but could come about through something like a change in conditional access policies which IE11 can’t handle. In either case, the experience is unlikely to be anything to write home about. Time to move. And soon.

The September 2020 update for the Office 365 for IT Pros eBook will remove most mentions of IE11 (there are twelve right now). It’s one of the nice things about having a book that’s updated monthly. When Microsoft changes, we do too.

Don’t Mess with Your Corporate Autosignature

On February 20, I wrote about the topic of generating corporate auto-signatures for OWA. It is easy to create good-looking autosignatures and store them in user mailboxes for OWA to apply (Outlook is a different proposition). The logical question that follows is how to stop users changing their corporate-generated autosignature?

Historically, Role-based access control (RBAC) has been the go-to method when control is needed over an OWA feature. Microsoft introduced RBAC to Exchange 2010 as the control mechanism for access to features. RBAC is used today in both Exchange Online and Exchange on-premises and variations are used to control access to options in admin portals like the Microsoft 365 admin center and Microsoft 365 compliance center.

OWA and RBAC

Settings in a user role assignment policy control the elements of the user interface OWA displays to mailboxes covered by the policy. Basically, if the policy allows OWA to display the user interface for users to edit and save their autosignature, they see the option in OWA settings (Figure 1). But if we change the policy to remove the ability to update signatures, they won’t.

User Role Assignment Policies

Office 365 tenants come with an out-of-the-box user role assignment policy (called “Default Role Assignment Policy”) which enables access to all OWA settings. Mailboxes are assigned this policy by default unless an administrator changes the assignment.

You can edit the default role assignment policy to remove access to autosignatures, but it’s usually a better idea to create a new role assignment policy and edit that, just in case you make a mistake and remove access some features that you want to keep.

Tailoring Roles

Before we create a new policy, we must create a new RBAC role to block autosignatures. Exchange breaks down the ability of users to access OWA features into a set of roles, assembled to form a policy. Each role is composed of a set of role entries. Think of a role entry as a definition of a PowerShell cmdlet and its parameters. Once a user is assigned a role, they can run the cmdlets defined in the role entries. For instance, if a role entry includes the Set-Mailbox cmdlet and some (but maybe not all) of its parameters, the user can run Set-Mailbox and use the set of allowed parameters. They run the cmdlet by using an OWA option or in PowerShell.

The connection between RBAC and cmdlets means that we must know what cmdlet is used to update autosignatures if we want to block it. As explained in my previous article, the Set-MailboxMessageConfiguration and several of its parameters are used to manipulate autosignatures. To stop users updating autosignatures, we must remove their access to those parameters.

Creating a Customized Role

The two commands shown below create a new management role based on the out-of-the-box MyBaseOptions role (which control many OWA settings). The new management role inherits all the settings from MyBaseOptions, so we then amend the settings by removing the parameters used by Set-MailboxMessageConfiguration to update autosignatures.

New-ManagementRole MyBaseOptions-NoSignatures -Parent MyBaseOptions

Set-ManagementRoleEntry MyBaseOptions-NoSignatures\Set-MailboxMessageConfiguration -Parameters AutoAddSignature, AutoAddSignatureOnReply,AutoAddSignatureOnMobile, SignatureTextOnMobile, SignatureText, SignatureHtml, UseDefaultSignatureOnMobile -RemoveParameter

When users are assigned a policy containing the customized role, they will be unable to update signatures. However, we need to take one more step to stop OWA displaying the user interface for signatures. We do this by removing the right to run the Get-MailboxMessageConfiguration cmdlet. Without this cmdlet, OWA can’t fetch details of existing autosignature settings from the mailbox. Here’s the code to remove the entry from the role:

Remove-ManagementRoleEntry MyBaseOptions-NoSignatures\Get-MailboxMessageConfiguration

Creating a New User Role Assignment Policy

To make the new role effective, we must include it in a user role assignment policy and assigned to mailboxes. This code creates a new policy composed of our customized role and all the other default roles normally assigned to users through a policy. For instance, the MyProfileInformation role allows users to edit details of their profile while MyDistributionGroups allows users to create and edit distribution lists.

New-RoleAssignmentPolicy -Name PolicyWithNoSignatures -Roles MyContactInformation, MyRetentionPolicies, MyMailSubscriptions, MyTextMessaging, MyVoiceMail, MyDistributionGroupMembership, MyDistributionGroups, MyProfileInformation, MyBaseOptions-NoSignatures -Description "User Role Assignment Policy to block users editing autosignatures"

Assign to Mailboxes

We can now apply our new user role assignment policy to mailboxes for testing. This is done by running the Set-Mailbox cmdlet:

Set-Mailbox -Identity Kim.Akers -RoleAssignmentPolicy PolicyWithNoSignatures

To check the set of mailboxes assigned the new policy, run:

Get-Mailbox |? {$_.RoleAssignmentPolicy -eq "PolicyWithNoSignatures"}

Testing that OWA Respects the Block

The block should become effective 15 minutes or so after the mailbox is updated with the new role assignment policy. Log into the mailbox with OWA and open the options pane. Select the View all Outlook settings link to open the fly-out window with access to all settings and go to the Compose and reply section. You should see that OWA can no longer edit the autosignature settings (Figure 2).

The Downside of Removing the Get-MailboxMessageConfiguration Cmdlet

Eagle-eyed readers will notice that some other settings have disappeared from the Compose and reply section. This is because the Get-MailboxMessageConfiguration cmdlet returns many settings like the message format to use for new messages, the font and font size to use, and the color of text. Settings are also affected in other sections, like Layout (message organization). When you remove the ability of a user to run Get-MailboxMessageConfiguration, they lose access to everything the cmdlet returns, not just autosignatures.

The same problem would not arise if OWA used Set-MailboxMessageConfiguration to control the display of the autosignature setting. Set-MailboxMessageConfiguration is a granular cmdlet with individual parameters to control different settings, so you can trim parameters to control access to specific settings.

OWA Mailbox Policy Solves the Problem

Although RBAC doesn’t work as well as expected, OWA mailbox policies are another way to tackle the problem. OWA mailbox policies control many (but not all) aspects of how the client work. You can work with OWA mailbox policies through the Permissions section of the Exchange admin center (EAC) or PowerShell. Figure 3 shows how to disable autosignatures by unchecking the email signature box in the features section of a policy. You can either update an existing OWA mailbox policy or create a new one (better for testing).

If you want to use PowerShell, you need to set SignaturesEnabled to $False in the policy. Here’s how to create and update an OWA mailbox policy with PowerShell:

New-OWAMailboxPolicy -Name "Block Access to autosignatures"
Set-OWAMailboxPolicy -Identity "Block Access to autosignatures" -SignaturesEnabled $False

Whether you use EAC or PowerShell to block signatures in an OWA mailbox policy, don’t forget to assign the modified policy to the mailboxes you want to control. You can assign the policy by updating mailbox properties with EAC, but it’s likely that you’ll want to update multiple mailboxes and that’s when PowerShell shines. The command to assign an OWA mailbox policy to a mailbox is:

Set-CASMailbox -Identity Kim.Akers -OWAMailboxPolicy "Block Access to autosignatures"

Again, wait for 15 minutes to allow the Exchange Online servers to pick up the new policy and then test that the block is effective.

The OWA mailbox policy is enough to block users from changing autosignatures. You don’t need to update RBAC role assignments unless you also want to stop users running the Set-MailboxMessageConfiguration cmdlet in a PowerShell session. You can make your mind up how likely it is that users will decide to master PowerShell to mess with corporate autosignatures.

RBAC Fails but Another Method Succeeds

RBAC is a powerful mechanism for controlling user access to individual features. In Exchange Online, RBAC depends on the underlying cmdlets and parameters. Usually, RBAC is the best way to stop user access to features, but in this situation, the limitations of the Get-MailboxMessageConfiguration cmdlet created some unfortunate side-effects when implementing a block on autosignatures. Fortunately, OWA mailbox policies came to the rescue and implemented the block we wanted.

This is an example of how the probing minds of the Office 365 for IT Pros writing team tease out issues. Benefit from their work by subscribing to the Office 365 for IT Pros eBook!

Including a Nice Bricks Theme

We all need a little levity in our lives right now…

In June 2019, I reported the introduction of three new themes (Ribbon, Rainbow, and Unicorn) to brighten the lives of Office 365 users. Microsoft has gradually built out the set of available themes to 49 at today’s count. I must admit that this fact utterly escaped my attention until I noticed a Microsoft presenter using a nice Lego(tm) -like theme called “Bricks” (Figure 1). And because the world has been a crazy place recently, I decided that this topic needed some attention.

Choosing Your Theme

Some of the themes are simple colors like Black, Watermelon, and Dark Orange. Others appeal to the more artistic side of users and include:

• Balloons.
• Beach sunset.
• Cats.
• Circuit.
• Comic book.
• Crayon.
• Cubanism.
• Far, far, away.
• Jelly fish.
• Mountain peak.
• Primary.
• Robot.
• Strawberry.
• Super Sparkle Happy.

I’m not sure that I could cope with looking at the Super Sparkle Happy theme on a daily basis, but no doubt some will like it. Figure 2 shows how to select a theme from Office 365 settings. In this instance, it’s Super Sparkle Happy!

Theme Used Across Office 365 Online Apps

You can occupy a couple of minutes browsing the available themes and deciding which one satisfies your aesthetic viewpoint. Once selected, the theme should be picked up by all the Office online apps like OWA, SharePoint, OneDrive, Stream, Yammer, Planner, and the Microsoft 365 admin center. The Teams browser client will ignore your choice on the basis that such an important app can’t be concerned with such trivial detail, but the Teams admin center is happy to comply.

Spreading happiness is part of what we do at the Office 365 for IT Pros eBook. A little laughter goes a long way when the world seems to be crazier by the day.

Delegate Access and Mailbox Permissions Bring Us to Folder Permissions

Two recent posts about Outlook Mobile supporting delegate access to Exchange Online mailboxes and reporting mailbox permissions bring us to the topic of folder permissions. Outlook Mobile uses full access permission to access delegate mailboxes and the report captures this information. But Exchange Online has supported folder-level permissions for many years (here’s a 2006 blog based on Exchange 2003 SP2) and it’s common to find these permissions in use, especially with Outlook desktop.

Outlook Delegate Access

Folder-level permissions have been core to Outlook’s ability to satisfy the traditional manager-assistant work model where the assistant takes care of the manager’s inbox and calendar. This capability is still supported and documented today for Outlook ProPlus and Outlook 2019.

The option to assign delegate access to mailbox folders in Outlook ProPlus is in the backstage area (Figure 1). Alternatively, you can search for “delegates” and Outlook will find it for you.

Setting Outlook Delegate Permissions

Figure 2 shows delegates (left – none are listed because I’m in the process of assigning one) and folder permissions (right). In this case, I’ve selected a user to act as a delegate and chosen the permissions I wanted to assign. When ready, click OK to save the delegated permissions.

When someone assigns folder permissions to a delegate, Exchange Online creates and sends an automatic notification to the delegate to inform them that they can now open the folders (Figure 3).

The support article emphasizes that you should grant Folder visible permission on the root folder of the your mailbox to delegates. This is especially important if the delegate wants to access the delegated folders as shared folders in OWA. In Outlook, delegates should add the mailbox to their profile.

Steps to Script a Folder-Level Access Report

Just like it’s good advice to run a periodic check of mailbox permissions, it’s good to validate that everyone who is assigned permission over folders outside their own mailbox still need that permission. Exchange Online doesn’t come with a report to tell us what folder permissions are in place, so we need to do this with PowerShell.

The Get-MailboxPermission cmdlet fetches permissions for a mailbox. Its counterpart, Get-MailboxFolderPermission, does the same for a folder. Conceptually, the steps to create a report are straightforward:

• Find a set of mailboxes to check.
• Find the folders in each mailbox to check. Exchange Online mailboxes often hold hundreds of folders. We only need to check folders that are commonly delegated, like the Inbox, Sent Items, and Calendar.
• Fetch the permissions for each folder and extract delegated assignments to users who aren’t the mailbox owner.
• Report any delegated access to the selected folders.

You could use the Get-Mailbox, Get-MailboxFolderStatistics, and Get-MailboxFolderPermission cmdlets to create the report. To be a little different, I used the new REST cmdlets because an equivalent is available for each of the three cmdlets listed above (Get-ExoMailbox, Get-ExoMailboxFolderStatistics, and Get-ExoMailboxFolderPermission).

Differences in REST Cmdlets

Using the REST cmdlets means that things run faster, especially when you’re dealing with hundreds or thousands of mailboxes. This is important, especially when the cmdlets are all quite demanding in terms of system resources.

It’s also true that the Exchange Online Management module (which holds these cmdlets) is easier to use with modern authentication, which helps the transition away from basic authentication. Remote PowerShell will no longer support basic auth connections after October 13, 2020.

The downside is that sometimes the REST cmdlets return data in different formats to their Remote PowerShell counterparts. For example, after retrieving permissions for a folder with Get-MailboxFolderPermission, you might want to fetch the name of the delegated user. If the variable $Permission holds the retrieved permission, the name of the user is available as $Permission.User.DisplayName, but it’s $Permission.User with Get-ExoMailboxPermission. It’s the detail that counts when you move from one set of cmdlets to another!

CSV Output

You can grab a copy of the script from GitHub. Its output is a CSV file (Figure 4) that might reveal some interesting delegations. For instance, I found an entry for a user (Michael Harty) that no longer exists in my tenant.

Outlook Mobile to Support Folder-Level Permissions

Microsoft says that Outlook Mobile will support folder-level permissions in the future to remove the need to grant complete access to everything in a delegate mailbox. This is a good step forward that will be welcome by those who don’t really want to expose everything they have just to let someone else manage part of their email.

Using PowerShell like this proves that it’s a great skill for any Office 365 administrator to have. You can find out a lot more about using PowerShell to manage Office 365 in the Office 365 for IT Pros eBook. Join our happy band of subscribers today!

Outlook.com, Google, and TeamSnap Calendars

Office 365 Notification MC201582 published on January 17 announced that users could add personal calendars and TeamSnap accounts to OWA. This capability first surfaced in November 2019 when Microsoft tested it with selected accounts. This early testing was to validate the functionality prior to commencing deployment in production.

Deployment began to targeted release Office 365 tenants in January, was halted briefly to make some adjustments, and has now reached my tenant. Microsoft anticipates that deployment to standard release tenants will begin in April and worldwide availability will be achieved in July.

Update 4 May: Microsoft now says that the deployment will begin in mid-May and be finished in July 2020.

Just One Personal Calendar

A personal calendar means a calendar belonging to an Outlook.com or Google account. TeamSnap is a U.S.-based service to organize calendars for recreational clubs, such as soccer or hockey clubs.

To add a personal calendar, open OWA’s calendar module and select Add personal calendars (Figure 1) The use of the plural term here might lead you to believe that you can add multiple personal calendars. However, OWA currently limits users to choosing either an Outlook.com or Google calendar, and you can only add a single calendar of the chosen type.

Shared Calendar Views

You’ll need to authenticate to open and add the selected calendar. I was already signed into my Outlook.com account, so OWA added it automatically instead of asking which account to use.

After OWA opens the calendar, it includes events from the personal calendar in its view. In Figure 2, you can see events from my work and personal calendar shown in the same view. This is like the way that events appear when you choose to display several work calendars, such as those belonging to delegated, shared, or group mailboxes.

You can create new events in the personal calendar from OWA. One slight problem I noted is that OWA displays “Calendar” twice in the new event screen (Figure 3). The work calendar is the top calendar while the personal calendar is below, but it’s not obvious at first glance.

Microsoft says that the calendar selection issue will be alleviated when they ship a new calendar picker (soon, apparently).

You can’t add new TeamSnap events from OWA as access is limited to read-only. Also, calendars added by OWA are unavailable in Outlook desktop or Outlook mobile.

Availability

When you include a personal calendar in OWA, you can synchronize information from that calendar to Exchange Online to allow personal commitments to be included in their free/busy map. This means that when someone else tries to schedule a meeting with you using the Scheduling Assistant, your personal commitments are blocked out as busy.

If you don’t want to synchronize personal events to Exchange Online, toggle this option off in the Accounts section of Calendar options (Figure 4).

PowerShell Controls for Personal Calendars

Microsoft enables support for personal and TeamSnap calendars by default and there’s no obvious reason why you might want to disable these features, but you can with PowerShell. The features are controlled by the PersonalAccountCalendarsEnabled and TeamsnapCalendarsEnabled settings in the OWA mailbox policies assigned to mailboxes. To block access, update these settings to False. Here’s how to do it for all OWA mailbox policies in the organization:

Get-OWAMailboxPolicy | Set-OWAMailboxPolicy -PersonalAccountCalendarsEnabled $False -TeamsnapCalendarsEnabled $False

Like any change to OWA mailbox policies, the update won’t be effective until it is distributed across the tenants and clients refresh their settings. Updating the settings does nothing to remove access to personal or TeamSnap calendars from mailboxes where they are already configured.

Small but Good Change

Enabling access to personal calendars is an example of a feature that doesn’t seem important to tenant administrators while adding value to users. The demarcation between personal and work lives is increasingly blurred. Adding personal calendars to OWA reflects that fact and allows users to organize their time better, which is surely the reason to have calendars in the first place.

Finding it difficult to keep up to date with the details of changes within Office 365? Consider subscribing to the Office 365 for IT Pros eBook and let us investigate the changes for you.

Moving on From Outlook Signatures and the System Registry

With Microsoft’s intention to support cloud signatures for Outlook desktop (for Windows), I’ve been working through the challenges of generating and maintaining corporate email signatures for Office 365 users. Previously, I discussed what needs to be done to update the system registry settings for Outlook signatures and explained why the current situation works well for individual users but is a real pain for central management. Today, I want to turn my attention to OWA signatures.

OWA and Outlook Have Different Signatures

It seems weird that after nine years of Office 365, OWA and Outlook desktop still use different signatures. It’s a pain for many reasons, including duplication of administrator effort to maintain signatures.

This situation might change (at least, I hope so) if Microsoft’s new cloud signatures for Outlook pick up some of the framework that exists to allow administrators update OWA signatures centrally. One thing that won’t go away is the absolute necessity of accurate directory information. If the directory doesn’t hold good data about users, it’s going to be much harder to generate good-looking (and useful) signatures.

The Set-MailboxMessageConfiguration Cmdlet and Signatures

OWA stores its signature information as mailbox settings. Two signatures can be defined: plain text and HTML and mailbox settings determine which is used for new messages and replies/forwards.

The Set-MailboxMessageConfiguration cmdlet is the core component in OWA signature management. Its important parameters are:

• SignatureHTML:. This signature is used for HTML messages.
• SignatureText: This signature is used for plain-text messages.
• AutoAddSignature: Controls if OWA applies signature to new messages.
• AutoAddSignatureOnReply: Controls if OWA applies signatures to replies and forwards.

You can ignore the SignatureTextOnMobile, UseDefaultSignatureOnMobile, and AutoAddSignatureOnMobile parameters. They only apply to the old OWA for Devices client and aren’t used by the Outlook Mobile client.

With these parameters in mind, a simple command to manage signatures for a mailbox is:

Set-MailboxMessageConfiguration -Identity James.Ryan -AutoAddSignature $True `
 -AutoAddSignatureOnReply $False -SignatureText "From the desk of James Ryan" `
 -SignatureHTML "<h2>From the desk of James Ryan</h2>"

Users pick up the amended signature the next time they refresh OWA.

Scripting Mailbox Signature Updates

We can reuse some of the code in the script to update Outlook signature settings in the system registry to serve the same function for an OWA signature. To generate and apply a individualized corporate signature to multiple mailboxes, we need to:

• Call Get-Mailbox to fetch the mailboxes. The call might fetch all mailboxes or use a filter to find mailboxes for a specific department, country, or location.
• Loop through each mailbox to retrieve information about its mailbox owner from the directory.
• Merge user properties with some HTML code (to add some formatting, insert icons, and so on) to build the signature, Once again I am indebted to Code Two’s Free email signature generator for help in figuring out some of the HTML. It’s a lot easier to amend HTML that you know works than to compose it from scratch.
• Optional code might add text to the signature based on mailbox properties, such as language-specific text for a country.
• Call Set-MailboxMessageConfiguration to update the mailbox with a command like this:

Set-MailboxMessageConfiguration -Identity $M.UserPrincipalName `
 -SignatureHTML $SignatureHTML -AutoAddSignature $True `
 -AutoAddSignatureOnReply $False

You can download a working script that illustrates the principals of how to go about centralized management for OWA signatures from the Office365ITPros GitHub repository.

Optional Features

To complete the solution, you could schedule a monthly run of the script to process mailboxes and update signatures. Perhaps every month the script could be updated to allow corporate PR to insert a new cheery catchphrase (or graphic about the latest corporate initiative) into signatures. Or maybe that’s a bad idea.

Another idea is for the script to create a report of missing directory properties and email the report to administrators when the script finishes to help improve the quality of the information in the directory.

Blocking User Edits to Signatures

Users can edit the signature created for their mailbox through OWA options. However, if you make the signature attractive enough, they’ll probably leave it alone. There’s no out-of-the-box method for administrators to block the option to update signatures, but you could try doing this with a user role assignment policy to remove user access to the Set-MailboxMessageConfiguration cmdlet.

What Microsoft Might Do with Cloud Signatures

OWA signatures prove the value of holding user signature information in the cloud. It’s so much simpler when administrators can run a PowerShell script to update signatures across an Office 365 tenant on a periodic basis. This doesn’t mean that the ISV market for autosignature products will go away because those products include a heap of functionality that I haven’t touched upon here. And those products are engineered by people who think about nothing but how to manage email signatures.

However, for those who would like to write and maintain their own signature generation code, it would be nice if Microsoft builds on what exists for OWA to have Outlook use the same signature information held in user mailboxes. And it would be even better if Outlook Mobile joined the party too. That might be too much to ask in the first round.

Worried that you can’t quite get your head around using PowerShell to manage Office 365? Subscribe to the Office 365 for IT Pros eBook and learn from the hundreds of examples in the book.

Engaging with Yammer While Reading Email

February 13 brought news (MC203778, Microsoft 365 roadmap 61055) that OWA could now display interactive Yammer notifications. Making Yammer more accessible through email is part of the “Year of Yammer” functionality highlighted at the Microsoft Ignite 2019 conference last November. It’s intended to make Yammer conversations more accessible and useful to people who prefer to communicate through email.

More Functionality Exposed in New Format Notification

Traditional Yammer notifications contain a View Conversation button with a link to take a reader to the relevant conversation in a Yammer community. The new format (Figure 1) displays a “fully-interactive Yammer thread” offering several improvements, including the ability to:

• See the complete Yammer conversation.
• Like a comment in the conversation.
• Share the conversation to another Yammer community.
• Know how many people have already seen the conversation.
• Add people to a conversation.
• Post a comment to the conversation from OWA, including attaching files and images or @mentioning people in a comment.

Microsoft also says that you can vote on polls from OWA, but I didn’t test that.

Comments posted from OWA show up in Yammer like any other comment, with the only sign being that Yammer indicates the post was from “O365 Exchange Online” (Figure 2).

Switching Views

At the bottom of the message, a Hide Yammer conversation link allows the reader to switch to the traditional view of a notification., which is what Outlook desktop and mobile clients can see.

In MC203778, Microsoft says that the link allows the new notification to be “toggled off at the user level on an email-by-email basis.” Going to the original format notification allows people to click the link to open Yammer, but there’s no way for a user to select a default preference for how they’d like to receive notifications.

Yammer and SharePoint

Also in Yammer news, Microsoft announced on 12 February that all new photos and files posted to Yammer are stored in SharePoint Online. This applies to Yammer communities connected to Office 365 Groups because that’s how the link works to SharePoint Online. When you upload a file to Yammer, it is stored in the Documents\Apps\Yammer folder in the document library of the site belonging to the Office 365 group.

More Interaction Coming

Microsoft is very keen about connecting different parts of Office 365 together at present. Teams is due to get its Share to Teams and Share to Outlook features soon. These were originally announced for deployment in January (MC198124) but have been delayed. When they come, you’ll be able to handle email, Teams, and Yammer communications in OWA.

If we’re truthful, we don’t devote much space to Yammer in the Office 365 for IT Pros eBook. But if this progress is maintained, we might have to reconsider…

Quickly Find Attachments in Primary Mailbox

In the run-up to the Christmas holidays, you might have missed Office 365 notification MC198342 posted on 17 December to announce the advent of the OWA Files view. According to Microsoft 365 Roadmap item 59643 this is “a view of all the files sent and received as attachments in your inbox.” In reality, the Files view enables quick access to every sent or received attachment in every folder in your primary mailbox.

The feature is now rolling out to tenants and should be available throughout Office 365 by the end of March. You’ll know if it’s available when the Files icon shows up in OWA’s module switcher (Figure 1). Clicking the icon takes you to https://outlook.office.com/files/.

Microsoft hasn’t said if they will add this feature to OWA for Exchange on-premises. My feeling is that this is doubtful.

The Files View

The Files View presents attachments found in a mailbox in five columns, each of which is sortable. The default sort is by received date (newer to older), while Figure 2 shows attachments sorted by name (Z to A).

Newly received or sent attachments don’t show up immediately in the view.

If you select an attachment, OWA opens it and the message it belongs to in a viewer. You can hide the message if you want to concentrate on the attachment.

Types of Attachments

By default, all types of attachment are shown. OWA differentiates between Files (Office documents, PDFs, text, email, and other non-graphic types) and Photos (files in graphic formats like JPEG or PNG). When browsing photo attachments, choosing Tiles rather than a list can help locate the right attachment faster (Figure 3).

Filtering Attachments

You can choose to see all attachment types or switch between Files and Photos using the options in the left-hand navigation pane or the Filter drop-down (Figure 4), which allows you to select exactly what you want to see. The date range part of the filter is very useful when you want to find attachments sent in a specific period. You can combine a date range with filters for specific file types.

To refine the view further, you can input search terms into the search box. OWA will apply the search to the items in the view and display what it finds.

No Archived Attachments

OWA’s Files view only shows attachments stored in the primary mailbox. Attachments moved into archive mailboxes (not to be confused with the Archive folder in mailboxes) are not shown in the Files view. You’ll have to open the archive mailbox and use a search to find information stored there. This isn’t surprising because archive mailboxes are intended to hold information that is not needed very often.

The Substrate is the Key

Microsoft dipped their toes into a Files view for OWA with “group files” for Office 365 Groups in 2016. That feature is less functional than the generalized Files view now being introduced. In both cases, the features depend on the capture and storage of information by the Office 365 substrate. Hidden folders in user mailboxes (like GraphFilesAndWorkingSetSearchFolder) hold metadata and copies of attachments. OWA uses this data for fast access to information and to avoid the need to scan a mailbox looking for messages with attachments.

Poking around the folders in the “non interpersonal messaging” (aka Non-IPM subtree) part of an Exchange Online mailbox with a tool like MFCMAPI reveals that cloud mailboxes hold a lot more information than their on-premises counterparts. The overall size of these mailboxes is much larger than you’d expect. Features must be paid for with resources, and cloud storage is cheap (except for SharePoint Online).

OWA Files is an example of a new feature that may or may not make a difference to you. But it’s good to know about stuff like this, which is why we keep an eye on Office 365 developments for you and document the most important in the Office 365 for IT Pros eBook. Subscribe today to stay informed.

OWA or Mobile Outlook

I don’t know many Office 365 users who like accessing their email with OWA on a mobile device when Outlook mobile is available, but obviously some do. Perhaps they don’t like installing apps on their phone or use a non-standard mobile device that Outlook mobile doesn’t support, or they hark back to the days when OWA for Devices was the cornerstone of Microsoft’s mobile email strategy. In any case, folks in this category should note the news in Office 365 Notification MC202145 that the new OWA is becoming the only option for mobile browsers. This switchover happened for other browsers last July.

You can use the new OWA today with mobile browsers. What’s changing is that Microsoft is removing the toggle that allows users to switch between the new old and the older version (Figure 1). When this happens, users will only be able to access the new OWA. The changeover starts in February 2020 and should be complete by the beginning of March.

The change is a roadmap item (59334) and will relieve Microsoft from the need to maintain a separate code base for OWA for mobile browers.

Missing Features in New OWA

The list of not supported and won’t ever be supported features for the new OWA on mobile browsers is a lot more interesting than the loss of a toggle swatch. OWA is the fastest evolving of all the Exchange Online clients so there’s pressure to add new features and drop old features for the client in general. Mobile browsers introduce another decision point, which is the set of features available in the mainline versions of OWA to exclude because they are inappropriate in a mobile environment, won’t work, or can’t fit into the browser UI.

For example, in the list of unsupported features, there’s going to be no option to set message sensitivity and importance or assign retention policies. I assume that the way OWA handles sensitivity labels, especially when labels invoke encryption for messages, is one of the factors driving why sensitivity labels won’t be supported. Outlook mobile supports assigning sensitivity labels to new messages, but the processing is done on the server rather than in the client, which is what OWA does. Perhaps there’s no way to call the code to process encryption in a mobile browser context. Although I am surprised that OWA on mobile browsers won’t support retention labels, this is probably because most users don’t assign retention labels and leave it retention to organizational policies that execute in the background.

Other notable exclusions are that you can’t access Outlook add-ons in mobile browsers, or view shared folders or mailboxes, or shared calendars.

Use Outlook Mobile

The list of missing features underlines the argument to use Outlook Mobile (if possible). The iOS and Android variants both work well, are highly functional, and much faster than using OWA in a mobile browser. And with a 100+ million user base (as of May 2019), Outlook Mobile is the most popular choice for mobile email access for Office 365 users. Even if I can’t use some of Outlook Mobile’s party tricks (like Play My Emails), it’s still the best choice for most users.

Need to know more about Exchange Online email clients? Look no further than the Office 365 for IT Pros eBook, which covers all the major clients in depth.

Improve the Readability of Teams Messages

From time to time, I check the settings in Teams policies to see if anything new has turned up or to pick up on something that I previously missed. Recently, I noticed the Immersive reader setting in the Teams Messaging policy (in PowerShell, it’s the AllowImmersiveReader property set with the Set-CsTeamsMessagingPolicy cmdlet). The description in the documentation says:

Allow immersive reader for viewing messages Turn this setting on to let users view messages in Microsoft Immersive Reader. Immersive Reader is a learning tool that provides a full screen reading experience to increase readability of text.

The Microsoft Immersive Reader is a free tool built into many Office programs to make it easier for people to read text. As you’d expect, the implementation differs across the apps. For instance, in Outlook desktop, the Read Aloud button reads the text of the message in the preview pane or when a message is opened. By comparison, the implementation in Teams and OWA is more “immersive” because the message opens in a full-screen window and the text is enlarged.

Using the Immersive Reader in Teams

You can read messages in personal or group chats or channel conversations with the Immersive Reader. Click the […] menu and select Immersive Reader (Figure 1).

Teams opens the message in full-screen mode. You can scroll through the text or have it read to you, with options to select a Male or Female voice and different speeds (Figure 2). I have not tried the reader in languages other than English, and the English reader doesn’t do so well if it meets non-English text. Perhaps people who use Teams in other languages can check and report back on their experience.

Using the Immersive Reader in OWA

OWA takes much the same kind of approach as used in Teams. Select a message, lick the […] menu, and choose Show in immersive reader (Figure 3). The same kind of controls and display seen in Teams are available when you open email with the immersive reader.

Most tenant administrators probably haven’t given much thought to message readability because there are many other things to worry about when managing Teams or Exchange Online. However, it’s nice to see technology like this available in the Office apps. A small but pleasant way to make Teams and email more accessible to all.

Although we don’t cover the Microsoft Immersive Reader in any depth in the Office 365 for IT Pros eBook, there’s lots more to discuss about Teams, Exchange Online, OWA, and other bits of Office 365. About 1,200 pages and counting…

Editor’s Note 12 December: Microsoft published Office 365 Notification MC197736 to say that OWA can be installed as a progressive web app (PWA) in Chromium-based browsers (Office 365 roadmap item 59250). As it turns out, this is exactly what I describe here. I asked Microsoft about this and was told that the ability to install OWA as a PWA was made available to some users to allow Microsoft to assess the impact. Once they were happy that OWA works well as a PWA, Microsoft moved the feature to be generally available, which is now the state. Documentation is even available!

Creating Apps from Web Sites

Normally people run OWA in a browser tab because this is the way that OWA has always functioned since its introduction in Exchange 5.0 in 1997. With the latest browsers, it’s possible to create desktop shortcuts and pin websites to the Windows taskbar. Apart from giving you fast access to the website, you can run browser-based applications like they are desktop apps (well, nearly).

I’ve been using the Chromium-based version of the Edge browser (aka, “Cheedge”) for a number of months and am impressed; so much so that I have largely moved over from Chrome and now use Chredge almost exclusively. Several months ago, Microsoft introduced the ability to create apps from web sites. It’s easy to do. Open the web site, click the […] menu, select Apps and then Install this site as an app (Figure 1).

In this case, the chosen web site was OneDrive for Business. I had the chance to change the name of the desktop shortcut before confirming that I wanted to create the app. Once done, Chredge closed the tab where OneDrive for Business was running and opened it in another window that looks and feels like a desktop app (for instance, you can ALT-Tab to move to it). Behind the scenes, the apps are running as they would in a browser tab; but the look and feel and ease of access are nicer.

OWA

Some people prefer using OWA to desktop Outlook, especially after the improvements made in its most recent iteration where Microsoft seems to be throwing the full kitchen sink of artificial intelligence at OWA in its intelligent technology initiative. I use both clients, but I much prefer to run OWA when connected over flaky Wi-Fi networks like those you get on most airlines, especially on transatlantic or transpacific flights. OWA is a less demanding application than Outlook desktop is when it comes to network consumption, so it makes a heap of sense to use OWA (Figure 2) as the primary client in these circumstances, especially when it’s available as a desktop shortcut and on the taskbar.

Using OWA in this manner is as secure as using it in browser tab. For example, my account uses multi-factor authentication (as you should all do). When the access tokens expire, you’ll be prompted to reauthenticate. Figure 2 shows how OWA prompts for authentication by looking for a response from the Microsoft Authenticator app (on a smartphone).

In addition to OWA, I have other apps like Stream, the Office 365 Admin Center, Twitter, Planner, To Do, and LinkedIn set up for easy access. After using apps like this for several months, I prefer having separate windows for each instead of hunting them down in multiple tabs within the browser.

I do not have Teams as I constantly switch between tenants and the single-window nature of the Teams app doesn’t facilitate having one window open for one tenant and another for a different tenant, unless you use different browsers or private sessions.

Chrome Steps

Those who prefer Chrome can create the same type of desktop shortcuts and taskbar entries by clicking the […] menu, selecting More Tools, and then Create shortcut. I don’t know why Chredge calls pinned sites apps and Chrome refers to them as shortcuts, but am sure someone knows a good reason.

The Office 365 for IT Pros eBook includes many tips for how to work with the wide range of clients that connect to Microsoft’s cloud office system. All based on real-world experience, just like this.

Bit by Bit, Office 365 Sensitivity Labels Reaching Applications

On September 24, I published an article about the support of Office 365 Sensitivity Labels in the Office ProPlus for Windows desktop apps. At the time, I noted that Microsoft still had work to do to add support for sensitivity labels to the Office online apps, including OWA. Microsoft had published Office 365 notification MC191074 to say that Office 365 tenants now with worldwide roll-out complete by the end of October. Well, OWA “manual” support for Office 365 Sensitivity Labels has turned up in my tenant to satisfy roadmap item 44921.

Manual Labeling

Manual support for Office 365 Sensitivity Labels means that OWA users must decide what messages to label and the labels to assign to messages. Automatic labeling is what happens today with Office 365 retention labels when conditions in a policy control what items labels are applied to by a background process. Similar facilities are likely for sensitivity labels in the future.

Apply Sensitivity Labels in the OWA New Message Window

Because OWA runs in online mode, it always uses the current set of sensitivity labels published for a user. This doesn’t mean that a new or updated label is available to OWA immediately a change is made. The Security and Compliance Center must publish the change to all Office 365 workloads and clients. It can therefore take some time before a change is available to OWA.

The Sensitivity button is available as an option in the OWA new message window. After a label is applied to a message, its name is shown in the banner above the message recipients. In Figure 1 we can see that the selected label invokes encryption because of the padlock icon beside the label name. A label that only applies marking or does nothing but act as a visual indicator uses a plain label icon.

OWA also displays these icons for labelled items in the read message window. Like Outlook, the protection applied to a message also applies to any of its attachments

Labeling Replies

Sensitivity labels can also be applied to replies to messages that aren’t previously labelled. In this case, the Sensitivity option to apply a label is in the […] menu of the reply message window (Figure 2).

When you assign a sensitivity label to a reply, it does not apply to the previous messages in the thread. However, Exchange automatically assigns the same label to future messages in the thread.

Encrypt-Only and Do Not Forward

The default Office 365 Message Encryption Encrypt-Only and Do Not Forward templates can also be used to protect messages with OWA. Click the […] menu and you’ll find Encrypt in the list of menu choices. Using these templates for protection does not assign a sensitivity label to the protected messages.

Still Work to Do

Now that OWA supports Office 365 Sensitivity Labels, it’s reasonable to expect that the other Office online apps will offer support soon. After that, eyes will turn to the SharePoint Online and OneDrive for Business browser interfaces to see how Microsoft will introduce sensitivity label support there.

For more information about Office 365 Sensitivity Labels and the underlying Azure Information Protection technology, read Chapter 24 of the Office 365 for IT Pros eBook.

Filtered Email Views for Your Most Important Contacts

Over the years, Microsoft has made many attempts to help people access Inbox contents more intelligently, mostly by applying views to isolate and highlight important messages. The Clutter feature appeared in 2014 only to be replaced by the Focused Inbox in 2016. Now we have Outlook People Favorites.

Favorites have been around for years. Folder favorites give fast access to the most important parts of a user’s mailbox while favorite categories allow users to find messages tagged in particular categories. Outlook does this by creating a view within the mailbox to find all messages in the selected category. People favorites are like categories in that when you add someone (an email address) as a favorite, Outlook creates a view to find all messages from that person. It’s as simple as that.

Creating and Managing People Favorites

People favorites are designed to give quick and simple access to messages from those who are important to you, like your direct manager or critical customers. To mark someone as a people favorite, use OWA to select a message where they are a recipient or sender and click their email address to expose their people card. In Figure 1, I’ve selected David Los, who works on OWA (seems appropriate). To make David one of my people favorites, I clicked the star beside his name in the people card.

You can manage the set of people favorites through OWA’s People section. People and Groups are managed together (Figure 2). Favorite categories are managed through OWA options. To remove someone from the set of people favorites, deselect the star opposite their name.

Behind the scenes, Exchange Online creates a folder in the non-IPM section of the mailbox to hold pointers to items relating to the favorite. The folder is stored under the FavoritePersonas root. We can see details of the folders by running these PowerShell commands:

$Folders = Get-ExoMailboxFolderStatistics -id mailboxi-id -FolderScope nonipm -IncludeOldestAndNewestItems | Select Name, Itemsinfolder, NewestItemReceivedDate, FolderPath
$Folders | ?{$_.FolderPath -Like "*FavoritePersonas*"}|  sort  {$_.NewestItemReceivedDate -as [datetime]} -desc | Format-Table ItemsInFolder, Name

ItemsInFolder Name                                                   NewestItemReceivedDate
------------- ----                                                   ----------------------
          209 James Redmond_b4b30d32-ba9a-4d9b-ad76-7bdb3b6b6c51     09/12/2019 15:20
          222 Thomas Bowers_6701c170-5c66-4ded-ac00-5e083d2ab648     03/12/2019 14:33
           37 Mary-Jo Smith_589ac9ce-da38-45e2-b2b4-24950fb1c270     05/12/2019 09:55
           59 Brad Jones_9607102f-465a-48d9-846b-a3dd7cb9cdb8        01/11/2019 11:00
           40 David Los_078e789e-fa0a-4e98-bb83-ca81ff9a54ca         07/11/2019 23:15
            0 Steven Phillips_9a81d5c0-055e-400e-a0cb-9b43e21c93e7

The items in the persona folders are not updated in real-time. Instead, a background mailbox assistant processes the mailbox to find matching items and creates items for display when the favorite is accessed. The items in the favorite folder might therefore be a little behind. The folder listed above with zero items is just added and hasn’t yet been processed by the assistant.

Using People Favorites

People favorites show up in the set of resources available to OWA users, just like favorite folders and categories. In Figure 3, you can see that my favorites include some categories, groups, and people. Because Exchange Online generates views for favorites, we see unread counts for groups and people where unread messages exist in the mailbox. Selecting a people favorite displays the messages from that person inside the mailbox.

Mobile People Favorites

OWA boasts the most complete implementation but the favorites also appear in Outlook mobile. Figure 4 shows how people favorites appear in Outlook for iOS. You can also create new people favorites in Outlook mobile, but although the favorite is created I have found that Exchange Online sometimes doesn’t generate the view, so when you select the favorite created in Outlook mobile, you see no messages.

Outlook mobile clients don’t use the hidden mailbox folders to reveal items for about people favorites. Instead, these clients search the mailbox and synchronize items on an on-demand basis, an implementation which is more in line with the synchronization model used to update folders for other Outlook mobile resources.

No People Favorites for Outlook Desktop

Outlook desktop doesn’t support people favorites. This isn’t surprising. The Outlook desktop UI is notoriously difficult to change, which is why features that need UI updates invariably appear in OWA and Outlook mobile first.

Need help to keep track of changes in Office 365? It can be really hard to track small but important changes in client user interfaces, which is why Office 365 for IT Pros can help. We’ve been tracking changes like this for six years and are pretty good at it by now.

AdditionalStorageProvidersAvailable Setting Replaces Two Deprecated Settings

In April, I wrote about the ThirdPartyFileProvidersEnabled setting in OWA mailbox policies. The setting controls if OWA users can access third-party storage providers like Dropbox and Google Drive. At the time, I said that the setting wasn’t well known. Maybe that was for the best because now we learn from Office 365 Notification MC186732 that Microsoft has decided to expand the set of third-party providers to include Facebook and OneDrive personal. As part of the change, they have deprecated the ThirdPartyFileProvidersEnabled and OneDriveAttachmentsEnabled (to control access to OneDrive personal accounts) settings and replaced them with AdditionalStorageProvidersAvailable, a new setting for OWA mailbox policies to control access to all storage providers, both first-party (like OneDrive) and third-party.

Access Enabled by Default

The new setting is now in OWA mailbox policies. This is easily checked with PowerShell:

Get-OwaMailboxPolicy | Format-Table Name, AdditionalStorageProvidersAvailable
               
Name                       AdditionalStorageProvidersAvailable
----                       -----------------------------------
OwaMailboxPolicy-Default                                  True
Restricted Download Access                                True
OWAFullAccess                                             True
NoOfflineAccess                                           True

As you can see, the default setting is True (as Microsoft says, it is “on by default”), which means that any OWA user can access storage providers to browse for files to attach to messages (Figure 1).

Adjusting Access for Some OWA Mailbox Policies

The new setting becomes active for Targeted Release users on August 15 and Standard Release users on August 30. Before then, you might want to turn the AdditionalStorageProvidersAvailable setting to Off in the OWA mailbox policies where ThirdPartyFileProvidersEnabled is currently set to Off so that users see no change in behavior. Again, this is easily done with PowerShell.

Get-OWAMailboxPolicy | ? {$_.ThirdPartyFileProvidersEnabled -eq $False} | Set-OWAMailboxPolicy -AdditionalStorageProvidersAvailable $False

A Matter of Policy

There’s goodness and badness in allowing users to access third-party file providers. It’s good that they attach files stored in the providers to bring them into Exchange Online and so expose the content to Office 365 data governance. It’s bad if it encourages the long-term use of third-party file providers for business information. Each organization will have to make up its mind how to handle the situation and decide if they want to enable access to other file services.

For more information about using OWA mailbox policies, see the Office 365 for IT Pros eBook.

The new OWA has been generally available since February 2019. Office 365 Notification MC184484 brings the news that Microsoft will start the process of making the new OWA (Outlook on the Web as Microsoft Marketing insists on calling the browser client; most normal people call it Outlook Web Access) the default from July 22. Apparently, removing the toggle switch to allow people to move back and forth between the old and new interfaces counts as an added feature, so it’s on the Office 365 Roadmap (Figure 1).

New OWA Still in Development

Since first introducing the new OWA, Microsoft has gradually rolled out new functionality like dark mode, a new Office 365 Groups management interface, and supporting categories as favorites. On July 3, Microsoft posted a list of what they consider to be highlights in the new OWA together with some things that are coming. One new feature that struck me is “expressions” or the ability to past graphics into email to clutter up mailboxes even more. I guess we need some more help to fill Exchange Online’s massive 100 GB mailboxes.

Before being too critical about features like expressions, you must always remember that OWA serves both business (Office 365) and consumer (Outlook.com) users and features that seem odd in a business context often make absolute sense for consumers. “Joyful animations” is an example of a consumer-centric feature that probably wouldn’t influence a CIO (but it might make them happy on their birthday).

Development continues to add new features and because there are still parts of the old OWA that don’t appear in the new, such as being able to see address lists and the ability for users to manage their own distribution lists [update: this feature was due to be available to targeted release tenants on July 3 but some provisioning issues stopped the code being delivered to all. The problem is now fixed.]

Another gap, but one likely to affect fewer users, is that the new OWA doesn’t load the add-in needed to process messages captured for review by Office 365 supervision policies. In this case, the easy (and better) answer is to process these items in the Security and Compliance Center.

Timing

In terms of when all this happens, Microsoft says: “We will start rolling out the new Outlook on the web as the default experience on July 22nd to Targeted Release customers, and following with non Targeted Release customers on August 3rd, the roll out will be completed for all customers by the end of September 2019.”

The one caveat is for Tasks, where people who use the older form of Tasks (aka “the classic Tasks experience“) will continue to see that for now. Those who moved to the new To-Do based Tasks interface will continue to use it (Figure 2). Apart from the UI, the giveaway is the URL https://to-do.office.com/?fromOwa=true. Apparently, a “later communication” will bring news about the toggle that moves users back and forth between the other OWA components and To-Do. Stay tuned for developments on this front.

Too many Office 365 changes giving you a headache? Take the strain away by subscribing to the Office 365 for IT Pros eBook and let us do the heavy lifting.

Manage the Settings of Office 365 Groups through OWA

Given the attention Microsoft dedicates to Teams, it’s sometimes difficult to remember that many people use Outlook Groups via OWA or Outlook as their collaboration platform. An Outlook group is an Office 365 Group that stores conversations in the group mailbox instead of Teams or Yammer. Although more people tend to use Outlook than OWA as their full-time client, the restricted nature of the Outlook user interface makes it difficult to introduce new Outlook Groups features. On the other hand, OWA is in a perpetual state of development and evolution, and every time you look at the browser client, it seems to have changed slightly.

OWA group management has never been particularly strong, but now it’s been revamped in the new version of OWA. The new Groups management UI is revealed through the Manage Groups section in OWA’s email tab or in the Groups section of OWA’s People tab.

Group members and owners can see details of the groups they belong to (including group membership), perform actions like leave the group, and access the different resources associated with a group. Members can also create invitations for others to join a group. Invitations to public

Owner Settings

Owners have additional options as they can edit the group settings and take care of any issues that need action to maintain the group. For example, in Figure 1 we see that the group is under the control of the Office 365 Groups expiration policy (explained in Chapter 10) and that it is due to expire in 18 days. The owner can renew the group or, if the group has served its function and is no longer needed, allow it to expire and go into the removal cycle. During the cycle, owners have 30 days during which they can recover a deleted group. To do this, open the Deleted link under Groups, select the group you want to restore, and click the Restore button.

Notice that OWA puts groups with outstanding actions at the top of the list. We can see that one of the flagged groups has a pending join request while the others are awaiting renewal.

Other Ways of Managing Group Settings in OWA

The group management interface isn’t the only place you can edit group settings. If you open a group in the Mail section of OWA and click the member link, you see the UI shown in Figure 2 and the option to edit group settings is in the […] menu.

You can also click on a group’s card to expose the Edit group option. The same UI and capabilities are displayed in both cases.

Although you can’t do everything to manage group settings through OWA, the new group management UI is a major improvement to the previous interface. You still have to use PowerShell for some management operations for Office 365 Groups, but not as many as you had to before.

Need to know more about Office 365 Groups? We dedicate two chapters of the Office 365 for IT Pros eBook to Office 365 Groups, and even more if you count the chapter on using PowerShell to manage Office 365 Groups and Teams.

Connecting Internet Client Protocols to Exchange Online

Most people I know who use Office 365 for email use a mixture of Outlook clients (desktop, browser, or mobile). These clients use Microsoft and internet protocols to connect to Exchange Online (MAPI over HTTP, Exchange Web Services, Outlook mobile synchronization), and Microsoft takes care to make sure that clients and server connect together smoothly.

Some prefer not to use a Microsoft client and prefer software based on internet standards, or choose to look for a non-Outlook client because their Office 365 license doesn’t include Office, or they prefer the simplicity of a client that purely concentrates on email. Often, this means looking for a client based on IMAP4 or POP3 for mail access and SMTP to send messages. The basic difference is that IMAP4 stores messages on a server while POP3 downloads them to the client and removes them from the server. POP3 is the older protocol and is now pretty antiquated. IMAP4 also dates back to the early days of the Internet but has been upgraded many times since, so it’s the more preferable protocol if you go down this road.

Exchange Online supports both the IMAP4 and POP3 protocols and the connection settings for Office 365 are available online. Some clients are able to configure settings automatically, while others take a little more effort to make sure that the right ports and encryption are used.

A wide range of IMAP4 and POP3 clients are available, including Thunderbird by Mozilla, which has been around for a long time and supports Windows, Mac, and Linux, and the eM client (for Windows and Mac), my current favorite (Figure 1). Although the protocols might limit some of the functionality available to clients (there’s no trace of the Focused Inbox, for instance), a client like eM is still feature-rich and more than meets the needs of someone who just wants to process some email.

Configuring IMAP4 Access

By default, the mailboxes for new Office 365 accounts are not enabled for IMAP4 or POP3 access. Before an account can connect, an administrator must enable access by editing the mailbox properties through the Exchange Administration Center (Figure 2) or by running the Set-CASMailbox cmdlet. The reason why this cmdlet is used instead of Set-Mailbox is that Exchange moved control of protocol-related settings to a separate cmdlet when the Client Access Server role was introduced in Exchange 2007. That server role is integrated in the main server in modern versions, but the separation between protocol and other mailbox settings still exists.

For example, this command enabled the Kim Akers mailbox for IMAP4:

Set-CASMailbox -Identity Kim.Akers -IMAPEnabled $True

When the account is enabled for IMAP4, Exchange sets some default values for the properties that control IMAP4 access, which we can see with the Get-CASMailbox cmdlet:

Get-CASMailbox -Identity Kim.Akers | Format-Table IMAP*

ImapEnabled                             : True
ImapUseProtocolDefaults                 : True
ImapMessagesRetrievalMimeFormat         : BestBodyFormat  
ImapEnableExactRFC822Size               : False
ImapSuppressReadReceipt                 : False
ImapForceICalForCalendarRetrievalOption : False

Handling Calendars

In most cases, these settings don’t need adjustment. However, if you have clients that can handle iCalendar format meeting notifications, you might want to set the ImapForceICalForCalendarRetrievalOption to $True so that clients receive meeting notifications in iCAL format instead of a link that forces them to open OWA to process the request. OWA settings include an option to allow a user to opt for iCalendar (Figure 3 – the options only appear if the mailbox is enabled for POP3 or IMAP4).

Some reports in the past say that when this option is taken OWA sets ImapForceICalForCalendarRetrievalOption correctly, it doesn’t updateImapUseProtocolDefaults to $False, which is needed to make the option work correctly. Checking this over the last day or so shows that everything happens as expected.

PowerShell to Set IMAP4 Options

But if you want to be sure that your IMAP4 or POP3 settings are correct, we can handle the situation through PowerShell. One approach is to look for any mailbox enabled for IMAP4 and set the iCalendar option correctly on the basis that most IMAP4 clients use iCAL today. Here’s a quick and dirty script to do the job.

$Mbx = (Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox)
ForEach ($M in $MBX) {
     If ((Get-CASMailbox -Identity $M.Alias).ImapEnabled -eq $True) {
       Write-Host "Processing" $M.DisplayName
       Set-CASMailbox -Identity $M.Alias -ImapUseProtocolDefaults $False -ImapForceICalForCalendarRetrievalOption $True
       Start-Sleep -m 200 }
}

The code fetches a list of user mailboxes and then steps through each to find IMAP4-enabled mailboxes before setting the right values for the control properties. The same approach can be taken to adjust the properties controlling POP3 access.

It’s a good idea to check how many accounts are enabled for these older protocols and limit access to the accounts that really need to use IMAP4 or POP3 and to make sure that mailbox properties are set as expected when the protocols are enabled. It’s the kind of good housekeeping that an admin should do, if only time was available.

For more information about Exchange Online clients and how to configure settings for POP3 and IMAP4, see Chapter 10 of the Office 365 for IT Pros eBook.

Do You Really Want OWA Users to Access Third Party File Providers?

Those who browse the deep recesses of Microsoft documentation often find unannounced pleasures awaiting their delight. Such is the case of Set-OWAMailboxPolicy, where the ThirdPartyFileProvidersEnabled setting is documented. Despite the best efforts of Vasil Michev (the esteemed technical editor of the Office 365 for IT Pros eBook), the setting seems to be not well known. It deserves more.

By default, the setting is false, which means that OWA users can’t access third-party file providers like Box, Google Drive, or Dropbox to upload attachments. Before users can access a third-party file provider, they must authenticate their account (including an MFA challenge if MFA is enabled for the account) and give access to OWA.

Once the connection is made between the third-party file provider and OWA, the user can browse for attachments. Here’s what it looks like for a Dropbox account.

Goodness and Badness

There’s goodness and badness in allowing users to access third-party file providers. It’s good that they attach files stored in the providers to bring them into Exchange Online and so expose the content to Office 365 data governance. It’s bad if it encourages the long-term use of third-party file providers for business information. Each organization will have to make up its mind how to handle the situation and decide if they want to enable access to other file services.

Discovering Who Can Use Third-Party File Providers

To check what OWA mailbox policies allow access to third-party file providers, use the command:

Get-OwaMailboxPolicy | Format-Table Name, ThirdPartyFileProvidersEnabled

Name                       ThirdPartyFileProvidersEnabled
----                       ------------------------------
OwaMailboxPolicy-Default                             True
Restricted Download Access                          False
OWAFullAccess                                        True
NoOfflineAccess                                      True

We can see that three of the OWA mailbox policies allow third-party file providers. To discover the mailboxes covered by these policies, use the command:

Get-Mailbox -RecipientTypeDetails UserMailbox | Get-CasMailbox |? {$_.OWAMailboxPolicy -ne "Restricted Download Access"} | Format-Table DisplayName

We use Get-Mailbox to feed a filtered list of user mailboxes (excluding room, shared, discovery, and resource mailboxes) to Get-CasMailbox, check what OWA mailbox policy applies to each , and output a list of names. Simple!

For more information about OWA (but not third-party file providers), see Chapter 10 of the Office 365 for IT Pros eBook.