Outlook Mobile – Office 365 for IT Pros
https://office365itpros.com
Mastering Office 365 and Microsoft 365

Outlook Mobile Continues to Set the Standard for Microsoft 365 Email Mobility
https://office365itpros.com/2024/07/12/outlook-mobile-standard/?utm_source=rss&utm_medium=rss&utm_campaign=outlook-mobile-standard
Fri, 12 Jul 2024 06:00:00 +0000

Choice Remains Between Outlook Mobile and Exchange ActiveSync Clients

One of the most common questions I am asked concerns mobile email clients. Should Microsoft 365 tenants deploy and use Outlook Mobile or select a client based on the Exchange ActiveSync (EAS) API created by companies like Apple and Samsung instead? I’ve written about this topic before but it’s worth summarizing the current state of the art, so here goes.

OWA for Devices

Ten years ago, Microsoft jettisoned its focus on OWA as the premium client for mobile email connectivity. Trumpeted with some vigor at the 2014 Microsoft Exchange Conference in Austin, OWA for Devices, as the client was known, leveraged the engineering investment to create a high-quality browser-based client. Essentially, OWA for Devices was a wrapper around the full client to allow it to run using the native browser found in all mobile devices.

The OWA for Devices plan allowed Microsoft to bring a wide range of features to mobile devices that couldn’t be built on top of the EAS protocol. It’s worth remembering that Microsoft created EAS to compete with IMAP4 and POP3, so the feature set enabled through the EAS API is limited to basic email and calendaring.

The Acompli Effect

Technical difficulties, poor performance, and the feeling that Microsoft was trying to squeeze a heavyweight client designed for PC browsers into a mobile pot were the fault lines in the OWA for Devices strategy. If you can’t build technology, plan B is often to buy technology, and that led to the Acompli acquisition in late 2014.

Acompli’s signature feature was the focused inbox, or the ability to filter the most important messages into a separate Inbox (actually just a filtered view of Inbox contents). No mobile API supported the processing required to understand what messages were most important to a mailbox’s owner and filter those messages as new mail arrived in the mailbox. Acompli built the necessary infrastructure to copy mailbox contents from Exchange to build an online cache located in Amazon Web Services (AWS) to enable advanced email processing. The Acompli client connected to the processed cache and presented the filtered Inbox view to the user.

Acompli became Outlook Mobile for iOS and Android. The focused inbox became a feature loved or hated by hundreds of millions of users, and Microsoft replaced AWS with equivalent storage and processing based on Azure. Outlook Mobile still fetches cached mailbox content from Azure (now with a customizable synchronization period).

The new Outlook for Windows client exploits the same mechanism to deliver advanced functionality to users who connect to email servers via POP3 and IMAP4. These now-antique connection protocols don’t support many features used by modern email clients, so if the interim processing wasn’t done, the new Outlook for Windows would be restricted to a basic feature set. This simple but salient fact is ignored by those who protest when they discover that Microsoft synchronizes mailbox content to Azure for processing.

Outlook Mobile Continues to Lead

Coming back to the original question, I continue to recommend that organizations focus their mobile email client strategy on Outlook Mobile whenever possible. It’s a solid client for both iOS and Android that easily outpaces EAS-based clients in areas like email features and information protection. The client feature set continues to evolve, with the latest initiative being a new contact editor (MC746321, last updated 5 July 2024, Microsoft 365 roadmap item 384869). Apart from more reliable synchronization of contacts with Exchange Online, the new contact editor (Figure 1) supports enforcement of Intune policies such as preventing copy and pasting data in the editor. Outlook Mobile is better integrated into Intune device management too. In summary, from a corporate IT perspective, Outlook Mobile ticks many boxes. Its advantage over EAS clients in this area is unlikely to diminish.

Figure 1: Outlook mobile contact editor

But life isn’t always simple and corporate IT doesn’t always get to implement their choice. The era of BYOD means that an incredible number of devices connect to Microsoft 365, and it can be hard to move people from a native email client. Old habits die hard. However, I see an increased uptake in Outlook Mobile usage, possibly because features like sensitivity labels have rolled out in more tenants. My view is anecdotal and based on a limited set of data, but it seems like that’s the way things are going ten years after Microsoft chose Acompli as their new mobile email client.


Microsoft Expands Multi-Factor Authentication Methods to Companion Apps
https://office365itpros.com/2023/03/22/authenticator-lite-outlook/?utm_source=rss&utm_medium=rss&utm_campaign=authenticator-lite-outlook
Wed, 22 Mar 2023 01:00:00 +0000

Introducing Authenticator Lite

Without too much fuss, Microsoft introduced the preview of a new “surface” (way) for users to complete multi-factor authentication (MFA) challenges. The new method is a companion app for the Microsoft Authenticator app. It is covered by Microsoft 365 roadmap item 122289 and is slated for roll-out in May 2023.

Azure AD already covers a variety of methods to satisfy MFA challenges. The methods are categorized from weak to strong in terms of their ability to resist attacks and conditional access policies can insist that a connection uses a certain strength of MFA response before it is accepted. “Authenticator lite” is rated as strong as the Authenticator app because it’s basically code taken from Authenticator and built into other Microsoft apps. In addition, Authenticator lite only supports push notifications with number matching and one-time codes, which are less likely to provoke MFA fatigue than the traditional “click here to approve” response.

Outlook Mobile Leads the Way

Outlook mobile (iOS 4.2309.0, Android 4.2308.0, or higher versions) is the first Microsoft 365 app to pick up the Authenticator Lite code. Some might ask why Microsoft chose Outlook as the test case. I think it’s because Outlook is likely the most heavily used mobile client. The last time Microsoft gave a number for Outlook mobile (April 2019), they reported that Outlook for iOS and Android had more than 100 million users. At that time, Office 365 reached 180 million monthly active users. Now Office 365 is up around 400 million monthly active users. Assuming Outlook mobile has kept pace, it has around 220 million monthly active users.

Building MFA responses into the most popular mobile client is a great way of making MFA easier for organizations to deploy. Microsoft wants customers to deploy MFA. They also want customers to use strong MFA responses and move away from methods like SMS text-based responses. The recent introduction of the Azure AD system-preferred authentication policy to force Azure AD to select the strongest available authentication method for a user when it issues a challenge is a pointer to the future. Who needs to resort to an SMS response when you can respond to a number challenge within Outlook? It makes absolute sense.

Update the Azure AD Authentication Methods Policy

If you’re interested in trying Authenticator Lite with Outlook mobile, the steps to make everything happen are covered in a Microsoft article. In summary:

First, use a Graph API PATCH request against the Azure AD Authentication Methods Policy to change the companionAppAllowedState setting from disabled (the default) to enabled. The easiest way to do this is with the Graph Explorer (make sure to sign in with an administrator account because you’ll need to consent to the Policy.ReadWrite.AuthenticationMethod permission to update the policy). The relevant lines for the policy in my tenant look like those shown in Figure 1. The state is enabled and the policy is targeted at a group of users with an identifier of “all_users.” This is a special identifier that instructs Azure AD to apply the policy setting to all tenant users. If you want to limit the policy to a specific set of users, create a security group with those users as members and update the authentication methods policy with the group identifier.

Figure 1: Checking the settings of the Azure AD Authentication Methods policy

The updated policy might take a little time to become effective, after which people can respond to MFA challenges from Outlook. Only accounts enabled to use the Authenticator app (with the mode set to Push or Any) to respond to MFA challenges can use Authenticator Lite within Outlook, and responses are limited to number matching or one-time codes. It’s important to realize that if the Microsoft Authenticator app is present on a device, Outlook won’t attempt to use Authenticator Lite and instead refers all authentication challenges to the full Authenticator app.

It’s also important to realize that the code incorporated into Outlook supports fewer options than the full Authenticator app. For instance, it doesn’t support Self-Service Password Reset (SSPR). The Authenticator app is a more appropriate option for users who need functionality like handling MFA responses for other cloud services like Twitter and GitHub.
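
The policy update described above, written for the Microsoft Graph PowerShell SDK rather than Graph Explorer. This is an added example, not code from the article: the beta endpoint and the JSON layout of the setting are assumptions to check against Microsoft's current documentation, the function names are hypothetical, and the sample settings at the end are constructed.

```powershell
# Added example: not from the article. The live call needs the
# Microsoft.Graph.Authentication module; the helper and the demo at the
# bottom run offline.
# Assumption: the setting is exposed on the beta endpoint below.
$Uri = 'https://graph.microsoft.com/beta/authenticationMethodsPolicy/' +
       'authenticationMethodConfigurations/MicrosoftAuthenticator'

function Set-CompanionAppState {
    # Returns a copy of featureSettings with only companionAppAllowedState
    # changed, so every other feature setting is sent back unmodified.
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary]$FeatureSettings,
        [ValidateSet('enabled', 'disabled')] [string]$State = 'enabled',
        # 'all_users' or the object ID of a security group (see the article)
        [string]$GroupId = 'all_users'
    )
    $updated = @{}
    foreach ($key in $FeatureSettings.Keys) { $updated[$key] = $FeatureSettings[$key] }

    $new = @{
        state         = $State
        includeTarget = @{ targetType = 'group'; id = $GroupId }
    }
    # Keep an existing exclusion group instead of silently dropping it.
    $old = $FeatureSettings['companionAppAllowedState']
    if ($old -and $old['excludeTarget']) { $new['excludeTarget'] = $old['excludeTarget'] }

    $updated['companionAppAllowedState'] = $new
    return $updated
}

function Enable-AuthenticatorLite {
    # Reads the current configuration, changes one setting, and writes it back.
    # Run with -WhatIf to connect and read without sending the PATCH.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$GroupId = 'all_users')

    # The permission named in the article; needs an administrator sign-in.
    Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod'

    $config = Invoke-MgGraphRequest -Method GET -Uri $Uri
    $body = @{
        '@odata.type'   = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration'
        featureSettings = Set-CompanionAppState -FeatureSettings $config.featureSettings -GroupId $GroupId
    } | ConvertTo-Json -Depth 10

    if ($PSCmdlet.ShouldProcess($Uri, "Set companionAppAllowedState to enabled for $GroupId")) {
        Invoke-MgGraphRequest -Method PATCH -Uri $Uri -Body $body -ContentType 'application/json'
        # Read the setting back so the change is confirmed, not assumed.
        (Invoke-MgGraphRequest -Method GET -Uri $Uri).featureSettings.companionAppAllowedState
    }
}

# Offline demonstration with constructed settings shaped like a GET response.
$sampleSettings = @{
    displayAppInformationRequiredState = @{ state = 'default' }
    companionAppAllowedState           = @{
        state         = 'disabled'
        includeTarget = @{ targetType = 'group'; id = 'all_users' }
        excludeTarget = @{ targetType = 'group'; id = '00000000-0000-0000-0000-000000000000' }
    }
}
Set-CompanionAppState -FeatureSettings $sampleSettings | ConvertTo-Json -Depth 5
```

To scope the setting to a pilot group, call Enable-AuthenticatorLite with -GroupId set to the object ID of the security group.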

MFA Responses for the Masses

I like any action that reduces the friction of MFA deployment and operation for both organizations and users. Authenticator Lite falls into this category. Although I won’t use the new capability because I need the power of the full Authenticator app, I think that Authenticator Lite will meet the needs of most Microsoft 365 users when it comes to responding to MFA challenges.


Microsoft Reveals Audit Gap for Delegate Send Actions
https://office365itpros.com/2022/05/20/exchange-sendas-problems/?utm_source=rss&utm_medium=rss&utm_campaign=exchange-sendas-problems
Fri, 20 May 2022 14:23:16 +0000

Second Major Issue with Exchange Online Audit Data

On May 19, Microsoft published Microsoft 365 message center notification MC382148 to disclose an eight-week hiatus in generating audit events for delegated email send activity. According to Microsoft, between January 28, 2022, and March 26, 2022, “some audit log entries were not generated for the Send As and Send on Behalf of delegate scenarios.” These events are captured when people use the Exchange SendAs and SendOnBehalfOf permissions to send email for other mailboxes.

Microsoft says that the root cause is a change in logging telemetry within auditing services. A fix is now in place to “help us minimize the possibility of an event like this happening again and will expedite future investigations.” However, because Exchange Online never generated the events, the Office 365 audit log never ingested the data, and the information is not in the log. Microsoft says that the missing data is irrecoverable.

This isn’t the first time that Microsoft has had a longstanding problem with ingestion into the Office 365 audit log (or unified audit log) for Exchange Online events. In September 2018, the developers knew of a problem with truncated data for group creation events. Microsoft didn’t fix that problem until May 2019.

Checking SendAs Events

To check the current situation, I searched for SendAs audit events in my tenant and found some generated during the problem period. I also ran a script that I’ve used in the past to report on these events and found some “interesting” information in the audit events. Here’s an example of a message sent by me on May 16 using Outlook mobile:

CreationTime          : 2022-05-16T11:03:47
Id                    : b5c89d0a-bb88-4620-6df9-08da372bc089
Operation             : SendAs
OrganizationId        : b662313f-14fc-43a2-9a7a-d2e27f4f3478
RecordType            : 2
ResultStatus          : Succeeded
UserKey               : 1003BFFD805C87B0
UserType              : 0
Version               : 1
Workload              : Exchange
ClientIP              : 2a01:b340:63:7141:a5cd:a160:e805:aae7
UserId                : Tony.Redmond@office365itpros.com
AppId                 : 27922004-5251-4030-b22d-91ecd9a37ea4
ClientIPAddress       : 2a01:b340:63:7141:a5cd:a160:e805:aae7
ClientInfoString      : Client=OutlookService;Outlook-iOS/2.0;
ClientRequestId       : 5009
ExternalAccess        : False
InternalLogonType     : 0
LogonType             : 2
LogonUserSid          : S-1-5-21-458367025-2064581115-2950179075-392557
MailboxGuid           : 0370f354-2752-4437-878d-cf0e5310a8d4
MailboxOwnerSid       : S-1-5-21-458367025-2064581115-2950179075-392557
MailboxOwnerUPN       : Tony.Redmond@office365itpros.com
OrganizationName      : Office365itpros.onmicrosoft.com
OriginatingServer     : DB7PR04MB4410 (15.20.4200.000)
SessionId             : 3431534d-331e-4924-b324-cbfa9cc55e24
Item                  : @{Id=LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQA3tTkMTDKYRI6zB9VW59QNAAVriOkWAAAJ; InternetMessageId=<DB7PR04MB4410C9FC675493950D68FE668BCF9@DB7PR04MB4410.eurprd04.prod.outlook.com>; ParentFolder=;Sensitivity=2fe7f66d-096a-469e-835f-595532b63560; SizeInBytes=4428; Subject=Phone number}
SendAsUserMailboxGuid : 0370f354-2752-4437-878d-cf0e5310a8d4
SendAsUserSmtp        : Tony.Redmond@office365itpros.com

Three Properties with the Same Value

The problem with this audit record is that the User, MailboxOwnerUPN, and SendAsUserSmtp properties all have the same value. When a delegate impersonates another user to send a message, Exchange Online logs the delegate’s name in the User and MailboxOwnerUPN properties and captures the SMTP address of the impersonated user in the SendAsUserSmtp property. Having the same value in the three properties doesn’t make sense.

A closer examination of the SendAs events in the audit log revealed multiple cases where the three properties had the same value. Most of the events originated using the Outlook mobile client and, in all cases, the mailbox owner sent the message. There’s no reason why Exchange Online should consider this message to be a SendAs event because the mailbox owner sent the message. A common feature of all the messages logged erroneously as SendAs events is that they were addressed to external recipients.

Tests revealed that audit events for delegate messages sent using the Send As permission from the OWA and Outlook desktop clients capture the correct information. However, despite being present in the Exchange Online mailbox audit log, messages sent using delegate access from Outlook Mobile didn’t show up in the Office 365 audit log.

Interestingly, SendAs events also appeared for messages sent by mailbox owners from the preview version of the One Outlook client for Windows (Monarch). This client uses the same Microsoft sync technology connection as Outlook mobile does, so perhaps that’s where the issue lies. Figure 1 shows Exchange SendAs events from the audit log. The instances where owners sent messages rather than delegates are highlighted. All instances used the Outlook Mobile or Monarch clients.

Figure 1: Analyzing Exchange SendAs events from the Office 365 audit log

In summary, two problems were found:

  • Messages sent using delegate access from Outlook Mobile are not captured in the Office 365 audit log.
  • Exchange Online captures messages sent by mailbox owners to external recipients using Outlook Mobile and Outlook Monarch in the Office 365 audit log as Send As events.

It’s an odd situation that appears to go back to at least February 2022. I guess no one noticed because we all accepted the validity of SendAs events in the audit log.
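
The check described above (SendAs records in which the acting user, the mailbox owner, and the send-as address are all the same) can be automated when triaging audit data. This is an added example, not the script the article mentions: the function name is hypothetical, the sample records are constructed with placeholder addresses, and the property names are those in the audit record shown earlier.

```powershell
# Added example: separates SendAs audit records that reflect a real delegate
# send from those where the mailbox owner's own message was logged as SendAs.
function Get-SendAsClassification {
    [CmdletBinding()]
    param(
        # AuditData JSON strings (the AuditData property of audit search results)
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$AuditData
    )
    process {
        $r = $AuditData | ConvertFrom-Json
        if ($r.Operation -ne 'SendAs') { return }

        # A delegate send has a SendAsUserSmtp that differs from the acting user.
        # When all three values match, the owner sent the message themselves.
        # (-eq on strings is case-insensitive, which suits SMTP addresses.)
        $ownerSend = ($r.UserId -eq $r.MailboxOwnerUPN) -and
                     ($r.UserId -eq $r.SendAsUserSmtp)

        [pscustomobject]@{
            CreationTime   = $r.CreationTime
            UserId         = $r.UserId
            SendAsUserSmtp = $r.SendAsUserSmtp
            Client         = $r.ClientInfoString
            Subject        = $r.Item.Subject
            Finding        = if ($ownerSend) { 'OwnerLoggedAsSendAs' } else { 'DelegateSendAs' }
        }
    }
}

# Constructed sample records (placeholder addresses and client strings).
$sample = @(
    # Owner sends from Outlook mobile: all three identity fields match.
    '{"CreationTime":"2022-05-16T11:03:47","Operation":"SendAs","UserId":"owner@example.com","MailboxOwnerUPN":"owner@example.com","SendAsUserSmtp":"owner@example.com","ClientInfoString":"Client=OutlookService;Outlook-iOS/2.0;","Item":{"Subject":"Phone number"}}',
    # Delegate sends as another user: SendAsUserSmtp is the impersonated user.
    '{"CreationTime":"2022-05-16T12:10:02","Operation":"SendAs","UserId":"delegate@example.com","MailboxOwnerUPN":"delegate@example.com","SendAsUserSmtp":"manager@example.com","ClientInfoString":"Client=OWA;","Item":{"Subject":"Budget approval"}}',
    # A second owner send, to show the grouping by client.
    '{"CreationTime":"2022-05-17T09:41:30","Operation":"SendAs","UserId":"owner@example.com","MailboxOwnerUPN":"owner@example.com","SendAsUserSmtp":"owner@example.com","ClientInfoString":"Client=OutlookService;Outlook-iOS/2.0;","Item":{"Subject":"Meeting notes"}}',
    # Not a SendAs record: ignored by the function.
    '{"CreationTime":"2022-05-17T10:00:00","Operation":"MailItemsAccessed","UserId":"owner@example.com"}'
)

$results = $sample | Get-SendAsClassification
$results | Format-Table CreationTime, UserId, SendAsUserSmtp, Finding -AutoSize

# Which clients produce the suspect records?
$results | Where-Object Finding -eq 'OwnerLoggedAsSendAs' |
    Group-Object Client | Select-Object Count, Name

# Against a tenant (Exchange Online PowerShell session assumed):
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
#     -Operations SendAs -ResultSize 5000 |
#     Select-Object -ExpandProperty AuditData | Get-SendAsClassification
```

This only addresses the second problem in the summary; delegate sends that never reached the Office 365 audit log cannot be found by searching that log.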

Problems Persist With Exchange SendAs Audit Data

Organizations depend on audit data to know what happens inside their tenants. Delegate email actions are often examined to answer questions like “who sent that message,” and can make important contributions to compliance investigations.

Microsoft needed several attempts to fix the truncated audit record problem in 2018-2019. Now we have another instance where a longstanding problem with audit events generated by Exchange Online results in data loss and some odd results in audit data generated by Outlook mobile and Monarch clients. Testing software in the age of the cloud certainly appears to be a lost skill.


Change to Outlook Groups Displays High Unread Counts
https://office365itpros.com/2020/09/24/change-outlook-groups-displays-high-unread-counts/?utm_source=rss&utm_medium=rss&utm_campaign=change-outlook-groups-displays-high-unread-counts
Thu, 24 Sep 2020 01:00:00 +0000

Wow! Where Did All Those Unread Items Come From?

Last Tuesday, I checked for updates for the Microsoft 365 apps for enterprise (Office click to run) and duly downloaded the available update to upgrade to version 2009 (build 13231.20200). Nothing strange happened and the upgrade proceeded without any issues. I was a happy camper.

That is, until I noticed that the unread count for my Outlook Groups suddenly displayed much higher numbers (Figure 1). Usually these groups have a very low number of unread items, especially those marked as favorites because I check them at least once daily.

Figure 1: Outlook for Windows displays some high unread counts for Groups

The History of Groups

The reason why this happens is clouded in history. When Microsoft introduced Office 365 Groups (now Microsoft 365 Groups) in November 2014, they were characterized as a new way for email-centric collaboration. Teams didn’t exist at that point and although Microsoft’s marketing muscle was pushing Yammer (bought in June 2012) as the future for collaboration and a replacement for email (that strategy really worked out), the bulk of interpersonal electronic collaboration occurred over email.

In the on-premises world, many Exchange organizations combined distribution lists with public folders to give people an archive for discussions. Groups introduced a group mailbox to host discussions and a shared calendar and came with a SharePoint Online team site for document storage, including a shared group OneNote notebook. Given that the bulk of work that had been migrated to Office 365 at that point was email, Groups looked pretty good. In April 2017, Groups (now called Groups in Outlook) had 10 million active users, or roughly 10% of the Office 365 user count at the time. The latest figure for Office 365 is 258 million paid seats (April 2020). It’s unlikely that Outlook Groups have kept pace and now have 25 million active users, but it’s possible.

The collaboration landscape within Office 365 changed upon the general availability of Teams in March 2017. Since then, Teams has taken the lead and Groups have concentrated on a new mission of delivering a membership and access service to applications like Teams. Usage of Outlook Groups as a fulcrum for email-based collaboration is much less important to Microsoft now, but Groups are still actively used in this way in many Office 365 tenants.

Choosing a Simpler Unread Count Model for Groups

When Groups were added to Outlook in 2015, the developers decided not to use the standard item read/unread model as used in other mailbox folders like the Inbox. This model depends on the unread status of items and operates on a per-user basis. In other words, in a shared resource like a group inbox or public folder, each user has a separate unread count generated by the number of items they have not read in the folder.

Instead, the group developers chose a “more simple triage model for the groups conversations list, where all the conversations would be marked as seen as you moved away from the group.” Apparently, the decision was based on user feedback that many groups contain conversations unimportant to some members, so you couldn’t expect them to read everything. As implemented in Outlook, the group seen/unseen model allowed users to scan a group for new items and then set the unread count to zero once the user moves from the group. The new item count for a group then becomes the number of items delivered to the group since the last access by the user.

By comparison, new messages delivered to an inbox are personal and the mailbox owner is expected to deal with them. The new item count for the inbox is therefore very important for the mailbox owner and is adjusted up and down as the unread status for messages change (you can mark a read item as unread).

OWA and Outlook Mobile Use Normal Unread Counts

At the time, the developers accepted that the difference in how folders reported unread counts caused user confusion and said that they were working on implementing an item read/unread model for Groups. That model was implemented by OWA in early 2019 and is in use today (Figure 2).

Figure 2: OWA has used the read/unread model since 2019

For whatever reason (prioritization, lack of resources, more pressing features, etc.), Outlook desktop is a long way behind OWA in moving to the item read/unread model. The latest builds of Outlook have switched to the item read/unread model, which is the reason why the unread counts for my groups suddenly exploded from their normal low levels. Outlook Mobile has also used item unread counts since early 2019.

Resetting the Unread Count for an Outlook Group

Another piece of good news is that the Outlook developers have included a Mark All as Read option to reset the unread count for a group. Select the group you want to reset, right-click, and select the option. Processing to reset the unread status for items occurs in a background thread, so it doesn’t stop you working while the unread count is reset. Depending on the number of unread items in the group, the option can take a little while to complete.

Figure 3: Outlook’s Mark All as Read option

Unhappily, Outlook’s Mark All as Read option might not be able to update the status for all unread items. At least, it didn’t for me. My solution was to open the group with OWA and use its version of Mark All as Read, which worked flawlessly.

The good news is that as you open unread items in a group using one client, the read status for the item and unread count for the group are updated and shown correctly across all Outlook clients.

Hindsight Always Best

The benefit of hindsight tells us that the decision of the Groups developers to go with the simpler read/unread model for their Outlook implementation was flawed. The change made in the other clients in 2019 is now showing up in Outlook desktop. A little preparation and user communication should be enough to get everyone over the shock of seeing elevated unread counts for their groups.


This one-time change will probably warrant a line or two in the Office 365 for IT Pros eBook. It’s an example of a small change that’s important for some users for a period. Once the change is done, it’s done. But change persists inside Office 365, which is why we keep updating the book.

Microsoft’s Worldwide Push to Convince Office 365 users to Install Outlook Mobile
https://office365itpros.com/2020/07/31/microsoft-pushes-outlook-mobile-office-365-end-users/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-pushes-outlook-mobile-office-365-end-users
Fri, 31 Jul 2020 07:16:29 +0000

Outlook Mobile Is So Much Nicer Than Those Other Clients…

Office 365 Notification MC207028 posted in March announced that users in some markets would see a notice in OWA to tell them that their license covers Outlook Mobile and they can get Outlook on their phone. Microsoft released MC219490 on July 29 to say that the change now applies worldwide, except to government cloud users. I hadn’t seen this before because Microsoft had excluded European Union customers up to now.

MC207028 says: “Many customers are not aware they can get additional functionality and commercial use rights to Outlook mobile as part of their Office 365 and Microsoft 365 services at no extra cost.” This is probably true, but the real meaning of the message is “Hey stupid! Why would you ever use anything but Outlook Mobile to connect to Exchange Online” (said in a much nicer way).

The plan is to start showing notices in OWA and progress to Outlook desktop in the future. If users dismiss the notice it won’t reappear. If they decide to action it, they’ll get a link or scannable code to download Outlook Mobile.

Undoubted #1 Mobile Client for Exchange Online

There’s no doubt that Outlook Mobile is the premier mobile email client for Exchange Online. Apart from supporting the widest degree of email functionality available to any mobile client, Outlook mobile includes deep integration with other components of the Microsoft 365 ecosystem, including Microsoft Search, Microsoft 365 Groups, and OneDrive for Business.

Over the last year, Microsoft has added features like support for sensitivity labels, shared mailboxes, and delegate access to increase the functionality gap with other email clients, like the native mail apps bundled with iOS and Android. These clients use Exchange ActiveSync (EAS) to communicate with Exchange Online, and although EAS was a solid connectivity protocol ten years ago, it has aged badly recently. The simple fact is that EAS will never support the necessary API calls to allow third-party mobile mail clients to attain feature parity with Outlook Mobile. Soon you’ll be able to make Outlook Mobile the default email client for iOS 14, but that doesn’t mean that everyone needs to use Outlook Mobile.

Personal Choice

Personal choice is important. In April 2019, Microsoft said that over 100 million people used Outlook Mobile. At that time, Office 365 had 185 million active users. That figure is closer to 270 million today (my estimate) and the growth in the Outlook Mobile base probably tracks Office 365 closely. Even so, some people choose to use EAS- or IMAP4-based clients. This might be because they prefer how those clients work or they like a specific feature, such as the ability to connect to accounts in multiple Office 365 tenants, which is something Outlook Mobile currently can’t do.

It’s reasonable for Microsoft to make tenants aware that Outlook Mobile is included in their licenses, but you’ve got to question why they feel the need to highlight this to end users. From a customer perspective, this is a bad idea. It will cause end users to ask why they see the message and what they should do; it might generate extra demand for support services, and it’s yet another example of Microsoft seeking to communicate directly with end users.

Disabling Outlook Mobile Notices with MobileAppEducationEnabled

Fortunately, Microsoft has provided a way for tenants to suppress the notices with a simple update to the Exchange Online organization configuration to set the MobileAppEducationEnabled switch to $False.

Set-OrganizationConfig -MobileAppEducationEnabled $False

The name of the switch is indicative of a feeling that Microsoft needs to educate the Office 365 user base about the goodness of Outlook Mobile. It would be better if Microsoft concentrated on developing functionality that solved real problems for customers instead of pushing their software through all possible means.


Outlook Mobile Delegate Access for Exchange Online Mailboxes
https://office365itpros.com/2020/02/24/outlook-mobile-delegate-access/?utm_source=rss&utm_medium=rss&utm_campaign=outlook-mobile-delegate-access
Mon, 24 Feb 2020 00:02:47 +0000

Using Delegate Permissions to Manage Mailboxes

Office 365 Notification MC203923 published on Valentine’s Day gives the welcome news that Outlook mobile clients are gearing up to be able to use the Exchange Online delegate permissions to manage another user’s mailbox. This work builds on the shared mailbox support delivered for Outlook mobile last August. The net is that Outlook Mobile Delegate Access for Exchange Online mailboxes is now available.

The associated Microsoft 365 roadmap items (53666 for iOS and 53667 for Android) are somewhat obscure in what they say: “Delegates can access and manage messages within an owner’s inbox folder.” This is what shared mailbox support is all about. Fortunately, the notification is more helpful when it tells us that: “Delegates who have been granted full access permissions to send email and respond to calendar invitations on the behalf of another person will soon be able to do so from Outlook for iOS and Android.” Delegate access is described in this Microsoft support article.

Deployment Done by mid-April

Microsoft says that they are deploying the feature now. The minimum supported versions are Outlook mobile 4.25.0 for iOS (available in Testflight) and Outlook mobile 4.1.31 for Android. As always with Outlook mobile features, it takes a little time to get the new software everywhere. Microsoft says that worldwide deployment should be done by mid-April.

Full Access Permissions Needed

Delegate access only works when the user and the delegate both have Exchange Online mailboxes. The delegate must be assigned full access permission for the target mailbox before Outlook mobile can add it as a delegate mailbox. Permission is granted by editing the mailbox with the Microsoft 365 Admin Center. Open the mailbox properties and select the manage mailbox permissions tab. Then add the user to whom you want to grant access. Figure 1 shows the assignment of Full Access permission, referred to by the Admin Center as “Read and manage permission.”

Figure 1: Delegating full access permission for a mailbox

Alternatively, run the Add-MailboxPermission PowerShell cmdlet. This example gives James Ryan full access to the mailbox owned by Kim Akers. The automapping parameter is set to false to stop Outlook desktop including the mailbox in the set of resources automatically opened by the client.

# Add full access permission to mailbox but don't automap
Add-MailboxPermission -Identity Kim.Akers -AccessRights FullAccess -User James.Ryan@Office365itpros.com -AutoMapping $False

Full Access grants a delegate the ability to open the mailbox and interact with its content. It grants the delegate access to every folder, meaning that they can manage the calendar. The delegate can also read every message in the mailbox. Outlook mobile doesn’t use the set of granular folder-level permissions supported by Outlook desktop to grant delegate access to specific folders.

Permission to Send Email Needed Too

Full Access doesn’t allow a delegate to impersonate the mailbox owner when sending messages. A second permission is needed, and the delegate needs to be assigned either Send On Behalf or SendAs permission. These permissions can be added through EAC or by running the Add-RecipientPermission (SendAs) or Set-Mailbox (Send On Behalf) cmdlets. For example:

# Grant SendAs: messages appear to come directly from the mailbox owner
Add-RecipientPermission -Identity Kim.Akers -AccessRights SendAs -Trustee James.Ryan
# Grant Send On Behalf: messages show "James Ryan on behalf of Kim Akers"
# Note: this form replaces any existing Send On Behalf list for the mailbox
Set-Mailbox -Identity Kim.Akers -GrantSendOnBehalfTo James.Ryan

It takes a few minutes to ensure that the new permissions are fully respected across Office 365.
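Because Full Access plus a send permission lets a delegate read everything in a mailbox and send as its owner, it is worth checking the effective grants once they have replicated. The following is an added example, not code from the original post: the function name Get-MailboxDelegateReport is hypothetical, and it assumes an existing Connect-ExchangeOnline session and that each delegate name resolves to a single recipient.

```powershell
# Added example (not from the original post). Assumes an existing
# Connect-ExchangeOnline session. Get-MailboxDelegateReport is a hypothetical name.
function Get-MailboxDelegateReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Identity
    )

    # Normalize a trustee name to a primary SMTP address where it resolves to
    # exactly one recipient; otherwise keep the raw value so nothing is hidden.
    function Resolve-Delegate([string]$Name) {
        $r = @(Get-Recipient -Identity $Name -ErrorAction SilentlyContinue)
        if ($r.Count -eq 1) { [string]$r[0].PrimarySmtpAddress } else { $Name }
    }

    $mailbox = Get-Mailbox -Identity $Identity -ErrorAction Stop
    $grants  = [System.Collections.Generic.List[object]]::new()

    # Explicit (non-inherited, non-deny) Full Access assignments
    Get-MailboxPermission -Identity $mailbox.Identity |
        Where-Object {
            ($_.AccessRights -join ',') -like '*FullAccess*' -and
            -not $_.IsInherited -and -not $_.Deny -and
            $_.User -notlike 'NT AUTHORITY\*'
        } |
        ForEach-Object {
            $grants.Add([pscustomobject]@{
                Delegate = Resolve-Delegate ([string]$_.User)
                Right    = 'FullAccess'
            })
        }

    # Explicit SendAs assignments
    Get-RecipientPermission -Identity $mailbox.Identity |
        Where-Object {
            ($_.AccessRights -join ',') -like '*SendAs*' -and
            -not $_.IsInherited -and
            $_.AccessControlType -eq 'Allow' -and
            $_.Trustee -notlike 'NT AUTHORITY\*'
        } |
        ForEach-Object {
            $grants.Add([pscustomobject]@{
                Delegate = Resolve-Delegate ([string]$_.Trustee)
                Right    = 'SendAs'
            })
        }

    # Send On Behalf is stored on the mailbox object itself
    foreach ($name in @($mailbox.GrantSendOnBehalfTo)) {
        if ($name) {
            $grants.Add([pscustomobject]@{
                Delegate = Resolve-Delegate ([string]$name)
                Right    = 'SendOnBehalf'
            })
        }
    }

    # One row per delegate, flagging the read-everything + send-as-owner combination
    $grants | Group-Object -Property Delegate | ForEach-Object {
        $rights = @($_.Group.Right | Sort-Object -Unique)
        $canSend = ($rights -contains 'SendAs') -or ($rights -contains 'SendOnBehalf')
        [pscustomobject]@{
            Mailbox             = [string]$mailbox.PrimarySmtpAddress
            Delegate            = $_.Name
            Rights              = $rights -join ', '
            FullAccess          = $rights -contains 'FullAccess'
            CanSendForOwner     = $canSend
            ReadAndSendCombined = ($rights -contains 'FullAccess') -and $canSend
        }
    }
}

# Usage, with the mailbox from the example above:
# Get-MailboxDelegateReport -Identity Kim.Akers | Format-Table -AutoSize
```

Rows where ReadAndSendCombined is True are the delegates who can both read every message and send for the owner, so they are the ones to review against who actually needs that access.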

Adding the Mailbox to Outlook Mobile

Open Outlook mobile and go to the Settings section. Select Add Email Account and then Add Shared Mailbox. Input the SMTP address of the mailbox you want to add. If your account has delegate permissions for the mailbox, Outlook mobile lists it in the set of mailbox resources accessible in the client (Figure 2).

Figure 2: A delegated mailbox listed in Outlook mobile

You can also add a delegate mailbox from the list of mailboxes displayed by Outlook mobile (left-hand navigation) by selecting the mailbox add icon at the bottom of the list.

Processing Email

After adding the delegate mailbox, you should be able to see all the folders in the mailbox including the calendar. You can interact with any of the messages in the delegated mailbox as if you are the owner, meaning that you can delete messages, move them between folders, and so on.

To send a message, click the New message icon and compose the message as normal. The name of the mailbox being used is displayed under the New Message label (Figure 3). Note that in this case my signature is included in messages created for the delegated mailbox.

Figure 3: Composing a message for a delegated mailbox

If you’re using delegate mailboxes, you’ll want to create a separate signature for each mailbox. Do this in Settings by selecting Signature and then enabling per-account signature. You can then enter a signature for each account.

Another way to send from a delegated mailbox is to compose a message and then select the mailbox to use from the drop-down list of accounts under the New Message label (Figure 4).

Figure 4: Selecting a delegate mailbox to use for a new message

Delegate Access is Another Reason to Use Outlook Mobile

Adding functionality like delegate access to mailboxes underscores the advantage of using Outlook mobile with Exchange Online compared to clients based on the ActiveSync protocol. ActiveSync is a very successful protocol that helped Microsoft evangelize mobile connections to Exchange across a wide range of email clients, but it’s an aging protocol now and just doesn’t have the same functionality as the newer Microsoft sync technology. If you’re not using Outlook mobile now, maybe now’s the time to consider switching?


The Office 365 for IT Pros eBook covers clients in some detail, including how delegate access works. It’s another reason why you should be a subscriber.

New OWA Becomes Default for Mobile Browsers
Published Tue, 28 Jan 2020 00:03:17 +0000 at https://office365itpros.com/2020/01/28/new-owa-default-mobile-browsers/

OWA or Mobile Outlook

I don’t know many Office 365 users who like accessing their email with OWA on a mobile device when Outlook mobile is available, but obviously some do. Perhaps they don’t like installing apps on their phone or use a non-standard mobile device that Outlook mobile doesn’t support, or they hark back to the days when OWA for Devices was the cornerstone of Microsoft’s mobile email strategy. In any case, folks in this category should note the news in Office 365 Notification MC202145 that the new OWA is becoming the only option for mobile browsers. This switchover happened for other browsers last July.

You can use the new OWA today with mobile browsers. What’s changing is that Microsoft is removing the toggle that allows users to switch between the new and the older version (Figure 1). When this happens, users will only be able to access the new OWA. The changeover starts in February 2020 and should be complete by the beginning of March.

Figure 1: The toggle switch in OWA for mobile browsers

The change is a roadmap item (59334) and will relieve Microsoft from the need to maintain a separate code base for OWA for mobile browsers.

Missing Features in New OWA

The list of features that are not supported, and won’t ever be supported, for the new OWA on mobile browsers is a lot more interesting than the loss of a toggle switch. OWA is the fastest evolving of all the Exchange Online clients so there’s pressure to add new features and drop old features for the client in general. Mobile browsers introduce another decision point, which is the set of features available in the mainline versions of OWA to exclude because they are inappropriate in a mobile environment, won’t work, or can’t fit into the browser UI.

For example, in the list of unsupported features, there’s going to be no option to set message sensitivity and importance or assign retention policies. I assume that the way OWA handles sensitivity labels, especially when labels invoke encryption for messages, is one of the factors driving why sensitivity labels won’t be supported. Outlook mobile supports assigning sensitivity labels to new messages, but the processing is done on the server rather than in the client, which is what OWA does. Perhaps there’s no way to call the code to process encryption in a mobile browser context. Although I am surprised that OWA on mobile browsers won’t support retention labels, this is probably because most users don’t assign retention labels and leave retention to organizational policies that execute in the background.

Other notable exclusions are that you can’t access Outlook add-ons in mobile browsers, or view shared folders or mailboxes, or shared calendars.

Use Outlook Mobile

The list of missing features underlines the argument to use Outlook Mobile (if possible). The iOS and Android variants both work well, are highly functional, and much faster than using OWA in a mobile browser. And with a 100+ million user base (as of May 2019), Outlook Mobile is the most popular choice for mobile email access for Office 365 users. Even if I can’t use some of Outlook Mobile’s party tricks (like Play My Emails), it’s still the best choice for most users.


Need to know more about Exchange Online email clients? Look no further than the Office 365 for IT Pros eBook, which covers all the major clients in depth.

How Microsoft Deploys New Outlook Mobile Features
Published Fri, 30 Aug 2019 01:53:33 +0000 at https://office365itpros.com/2019/08/30/how-microsoft-deploys-new-outlook-mobile-features/

Deploying Technology to 100-plus Million Users

After the note about the launch of shared mailbox and dark mode support for Outlook mobile appeared, several people commented that they had the latest client but couldn’t access the shared mailbox feature. This prompted me to have a conversation with Microsoft to find out how they deploy new features to what is now a very large (100+ million as of May 2019) installed base.

Outlook Mobile has both consumer and commercial (Office 365) users. Some features, like dark mode, are available to both sets while others, like shared mailboxes, are only available to commercial customers. The deployment mechanism needs to take account of these factors.

Random Selection During Roll-Out

When Microsoft releases a new Outlook mobile feature, they select a random percentage of the worldwide installed base as the initial roll-out target. For features like dark mode intended for use by any Outlook mobile user, the random selection is formed of individual commercial and consumer users. Commercial-targeted features like shared mailboxes begin deployment to a random selection of Office 365 tenants. If the selection is user-based, selected users can access the new feature immediately while others in the same tenant must wait until the roll-out reaches them. If the selection is tenant-based, everyone in the selected tenants can access the new feature once the tenant is enabled.

Eventually the roll-out reaches 100% and everyone who has the latest version of the Outlook mobile app (iOS or Android) can access the new feature. The exact timing from start to finish of a roll-out varies across features and depends on factors such as bug reports or problems detected in the telemetry Microsoft gathers from Outlook clients.

No Control for Office 365 Tenants

Office 365 tenant administrators can’t influence the selection of their tenant or users within their tenant to receive new Outlook mobile features early. There’s no equivalent of the Targeted Release capability that exists for Office 365 features. There’s also no way for a tenant administrator to know who in the tenant might have been randomly selected to receive early access to a new feature. One way of looking at this is to say that random selection is fair to everyone; another is to say that Microsoft should give tenants some control over how new client technology is deployed to their users. On balance, it seems to me that Microsoft should provide some way to control deployment of commercial features, perhaps as a setting available through the Office 365 Admin Center.

There’s also no way to disable one or more Outlook Mobile features on a selective user-by-user basis. This might be useful for commercial features where some tenants don’t want people to use certain capabilities (like shared mailboxes) on mobile devices.

Testflight Makes a Difference

Those who sign up for the Outlook Insiders program and use the Testflight version of Outlook for iOS are not restricted by the random selection process and can use new features as Microsoft deploys them to Testflight. This can lead to an interesting situation where a tenant account can access a new feature through Testflight while another account in the same tenant can’t when using the production version of Outlook for iOS.


Need to know more about Outlook Mobile and other Office 365 clients? The Office 365 for IT Pros eBook covers this topic in some detail!

How to Add Shared Mailboxes to Outlook Mobile
Published Mon, 10 Jun 2019 07:19:29 +0000 at https://office365itpros.com/2019/06/10/outlook-mobile-shared-mailboxes/

Outlook Mobile Shared Mailboxes in iOS and Android – Sharing is Caring!

August 29 note: The current versions of Outlook mobile include support for shared mailboxes. See this post for details or read on to learn how to add shared mailboxes to Outlook mobile.

Last week, we learned that Microsoft will soon roll out support for shared mailboxes in Outlook Mobile. Well, some people already have access to the feature through Apple’s Testflight for iOS program. Testflight allows developers to offer test versions of applications like Outlook mobile to people who don’t mind running beta software. The upside is that you see new features sooner. The downside is that the new features might not work or might change before the final version is released. With those caveats in mind, let’s explore how to add a shared mailbox to Outlook mobile using Testflight version 3.27.0.

Add Shared Mailboxes to Outlook Mobile

Before you can add a shared mailbox to Outlook mobile, you should meet these criteria:

  • The shared mailbox must already exist on Exchange Online. Outlook mobile can only access existing shared mailboxes; it can’t create a new shared mailbox.
  • Your primary mailbox must be in Exchange Online. Users in a hybrid organization whose mailbox is on-premises can’t add shared mailboxes to Outlook mobile.
  • Your account has access to the shared mailbox. This means that an administrator assigns your account full access to the shared mailbox. In addition, if you want to send from Outlook Mobile as the shared mailbox, your account must hold SendAs permission for the mailbox.
  • You must know the primary SMTP address of the shared mailbox. Why? Because you need to input the mailbox’s SMTP address when you add the shared mailbox.

With everything in place, go to the list of resources available to Outlook mobile and click the + icon and then choose Add Shared Mailbox (Figure 1).

Add a Shared Mailbox from Outlook for iOS

Figure 1: Outlook Mobile Shared mailbox support (iOS)

Now input the primary SMTP address of the shared mailbox and click the Add Shared Mailbox button.

Figure 2: Entering the primary SMTP address to add a shared mailbox with Outlook for iOS

That’s all you need to do. Outlook Mobile adds the shared mailbox to its resource list and you can access the contents like any other mailbox.

One big benefit of native support in Outlook mobile for shared mailboxes is that it removes the need for people to use outdated protocols like IMAP4 to access shared mailboxes. From a Microsoft perspective, it gives customers another good reason to move to Outlook mobile and away from apps like the native iOS mail app that use the Exchange ActiveSync protocol to interact with mailboxes (ActiveSync doesn’t support shared mailboxes, which is why people end up using IMAP4).

Outlook Insiders and Testflight

If you want to test shared mailboxes with Outlook Mobile now, you can sign up for the Outlook Insiders program (limited slots are available). You’ll also need to download and install Testflight from the iOS app store. You can then download the test version of Outlook.

One side effect of using the test version is that Office 365 automatically provisions your tenant to use the Microsoft Sync Technology (if it didn’t, you wouldn’t be able to test new features). This process takes about 24 hours. When it’s done, you’ll be able to add shared mailboxes to your heart’s content, but only with iOS clients for now. According to a tweet from Outlook Mobile development last Friday, support for Android is coming “soon.”


Need more information about Office 365 clients, including Outlook Mobile? Read the Clients chapter in the Office 365 for IT Pros eBook!

Shared Mailbox Support Soon for Outlook Mobile
Published Fri, 07 Jun 2019 06:49:14 +0000 at https://office365itpros.com/2019/06/07/shared-mailbox-support-outlook-mobile/
Outlook Mobile clients for iOS and Android get shared mailbox support

Removes Need for IMAP4 Workaround

Office 365 notification MC181641 posted on June 5 includes the good news that Outlook mobile (iOS and Android) will soon support connections to Exchange Online shared mailboxes. This will remove the need for the IMAP4 connection currently used as a workaround to access shared mailboxes. Apart from the general kludginess of the IMAP4 workaround, if you log onto a shared mailbox with IMAP4, that mailbox should technically have an Office 365 license.

The development also addresses a huge feature gap that Microsoft has acknowledged to exist for years. This update relates to Office 365 Roadmap items 32571 (iOS) and 32572 (Android) and not the two listed in the announcement.

The announcement says: “You will be able read, write and send emails from the Exchange Online Shared Mailboxes in Outlook for iOS and Android. If you are part of the Office Insider program for iOS and using the Microsoft sync technology (MC165218), you will be able get an early preview of the capabilities via TestFlight this week. It is anticipated that we will start to roll out Shared Mailboxes in Outlook for iOS and Android (using Microsoft sync technology) for general availability in the next several weeks.”

In other words, expect to see shared mailbox support appear in July 2019. That is, if support for the Microsoft Sync Technology is deployed to your Office 365 tenant. To check, look at the settings for your account (Figure 1), or use the PowerShell script in this article.

Figure 1: Outlook Mobile uses Microsoft Sync Technology

Microsoft Sync Technology is the new connection protocol for Outlook mobile clients that Microsoft has deployed to Outlook.com and the Government Cloud (GCC) and is now rolling out to commercial tenants. Hopefully, the advent of shared mailbox support serves as a spur for Microsoft to complete the deployment of the new sync technology.

Updated Files, Calendar Events in Search, and Calendar Sync

Microsoft includes some other updates in MC181641. These are:

  • Updated Files: The way Outlook mobile presents files will become more coherent with the rest of Office 365 and include a list of recently used files plus cloud sources (like OneDrive for Business or Google Drive). You’ll be able to add a link to share a file that complies with default tenant sharing permissions.
  • Calendar Events in Search: When you search for someone or use a keyword, the results returned will include any matching events found in your calendar. This feature also depends on Microsoft Sync Technology.
  • Calendar Sync: Outlook for Android now supports syncing calendar events from the native calendar app. This is a one-way sync and Microsoft says that the ability to sync from Outlook to local calendar apps is still in development.

Lots Happening in Mobile

Mobile apps tend to evolve quickly. Outlook mobile is no different. These changes, particularly shared mailbox support, will make many people very happy.


Need more information about Outlook clients? Or Office 365 clients in general? We have a complete chapter on the topic in the Office 365 for IT Pros eBook.

Outlook Mobile Gains Ability to Create Teams Meetings
Published Mon, 06 May 2019 01:33:55 +0000 at https://office365itpros.com/2019/05/06/outlook-mobile-gains-ability-to-create-teams-meetings/

Feature Supported in Both Outlook for iOS and Android

Being able to schedule Teams (and Skype for Business) meetings has always been a popular feature in Outlook desktop and OWA. The feature is now supported in the latest builds of Outlook for iOS and Android and turned up in my client this week when I installed build 3.21.0. The feature was originally announced in Message Center update MC173895 on 20 February, and the roll-out was due to start at the beginning of April, so it’s a little delayed.

Figure 1: Creating a Teams meeting with Outlook for iOS

Outlook mobile and Teams are both on a roll recently. According to data released with Microsoft’s Q3 FY19 earnings, Outlook mobile is used by more than 100 million people. A reasonable proportion of that set are likely found in the more than 500,000 organizations using Teams. Bringing the two apps closer together adds a lot of value, especially in a mobile-first world.

Skype for Business Online Co-Existence Setting is Important

MC175147 issued on March 2 describes how the Skype for Business Online co-existence setting for the tenant affects whether Outlook mobile offers the ability to schedule Teams or Skype for Business Online meetings. If the co-existence mode is set to be “Teams Only” or “Skype for Business” with Teams Collaboration and Meetings, you’ll see the option to schedule Teams meetings.

No Tenant Dependency

Unlike Outlook desktop, the Teams client on your mobile doesn’t have to be connected to your home tenant to be able to create a meeting. Outlook mobile can happily create a meeting in your home tenant while the Teams client is connected to a guest account in another Office 365 tenant.

Exploiting the New Outlook Synchronization Technology

Being able to schedule Teams meetings is not dependent on the new Outlook connection/synchronization architecture. My client still connects to Office 365 using the older REST-based synchronization (my Outlook.com account uses the new technology). Given that Outlook.com and Exchange Online share the same infrastructure, it might seem odd that business accounts persist with the older synchronization when a consumer account benefits from the change, especially when some features (like one-click join of Teams meetings from Outlook mobile described in MC175147) depend on clients using the new technology.

Ross Smith IV of Microsoft explained the situation on 12 March in a response posted in the Microsoft Technical Community saying: “For Outlook mobile, major feature deployment operates with a staggered rollout where we begin with consumer accounts (if applicable) and then deploy to commercial accounts like Office 365. Our primary focus for commercial accounts was moving Government Community Cloud. Now that’s complete, we’ll be focusing on the remaining Office 365 tenants.”

You can discover what synchronization is used by Outlook by looking at the properties of an account. If you see “Microsoft Sync Technology” (as circled in Figure 2), you know that Outlook connects using the new architecture.

Figure 2: Outlook for iOS shows that an account uses the new synchronization technology

Like everything else inside Office 365, it’s likely that the deployment of the new Outlook connection architecture varies from datacenter region to region and even from country to country. I’ll look forward to seeing the new synchronization


We cover Outlook mobile among other Office 365 clients in Chapter 10 of the Office 365 for IT Pros eBook.

Outlook Mobile Adds Office Lens
Published Wed, 01 May 2019 08:33:05 +0000 at https://office365itpros.com/2019/05/01/outlook-mobile-adds-office-lens/

Introducing a Camera to Outlook Mobile for iOS

According to Microsoft’s Q3 FY19 results, Outlook Mobile is now used by over 100 million users. The iOS app gets even better with Version 3.21.0 with the integration of Microsoft’s Office Lens technology to give users the chance to take and include photos in messages. This is Office 365 roadmap feature 34352.

It’s not just a case of including camera capture capability. Office Lens, which began life as a Microsoft Research project, is turning up in multiple Microsoft iOS apps: Outlook, OneNote, and soon (or so we hear), Teams. The big selling point for Office Lens is its ability to sharpen and clarify captures of documents and whiteboards. The standalone app can then save the resulting capture in a PDF, PowerPoint, Word, OneNote, or an image file.

Using Office Lens to Capture Photos

The new capability shows up as a new camera icon in Outlook’s create message screen (Figure 1).

Figure 1: The camera icon in the Outlook for iOS create message screen

Clicking the icon brings you to Office Lens to capture the image you want to include in the message. Once you finish capturing and editing the photo and exit Office Lens, the image is copied automatically into the message (Figure 2). It’s all very easy and natural.

Figure 2: An image captured by Office Lens in an Outlook message

This is a super-useful feature that I’m sure will be very popular with Outlook mobile users. I don’t have an Android phone to test and I couldn’t find a similar feature listed on the Office 365 roadmap (Office Lens is available for Android), so maybe there’s some added complexity that needs to be solved before the same feature appears in Outlook for Android.


Clients are covered in Chapter 10 of the Office 365 for IT Pros eBook. We like the Office Lens technology, but we don’t get down to that level of detail in the book, which is why it’s here.

Unified Labeling Version of Information Protection Client Now Generally Available
Published Thu, 18 Apr 2019 07:55:37 +0000 at https://office365itpros.com/2019/04/18/unified-labelling-version-aip-client-generally-available/

Reduced Confusion as Everyone Waits for Native Support in Office Clients

As is the nature of the Microsoft cloud, the preview version of the Azure Information Protection client (unified labeling edition) has been replaced by the generally available version, now available for download and deployment. Microsoft’s April 16 announcement on the topic was upbeat but I still find considerable confusion in the field about labels, Azure Information Protection, Office, encryption, and rights management. Let’s see if we can clarify the situation.

Rights Management

Rights management is the technology that allows content owners (authors) to protect documents and files by stamping them with a template. The template defines the rights given to recipients to interact with the content such as the ability to edit or print. Rights management is automatically enabled for all Office 365 E3 and E5 tenants.

Azure Information Protection

Azure Information Protection (AIP) is a suite of technology built by Microsoft to control and help secure email, documents, and files. Reflecting their original name of “classification labels,” AIP labels are used to classify material inside or outside Office 365 with different degrees of sensitivity to reflect the confidentiality of the content. Labels are associated with rights management templates but also include other features like content marking. Labels used for the most sensitive information are likely to invoke encryption to protect the information against unauthorized access. AIP labels and templates are managed in the Azure Information Protection blade of the Azure portal. An AIP license is needed to assign AIP labels to files.

Office 365 Sensitivity Labels

Sensitivity Labels are like AIP labels except that they are managed through the Security and Compliance Center. Both sets of labels share a common base in rights management and if a tenant started with AIP labels, they can migrate the set of AIP labels to become sensitivity labels and thereafter continue managing the labels through the Security and Compliance Center.

Sensitivity Labels are designed to protect content like email and documents stored inside Microsoft 365. Office 365 E3 and E5 plans include the licenses to use sensitivity labels, including the ability to encrypt email and documents. Figure 1 shows an Outlook message protected by a sensitivity label. You can also see the protection bar, which shows the current label applied to an item, and the sensitivity button, to expose the set of labels available to the user.

Figure 1: Sensitivity Labels used with Outlook Click to Run

Although Exchange Online, SharePoint Online, and OneDrive for Business support sensitivity labels today, it will take some time before sensitivity label support is picked up in other workloads, like Teams.

AIP Client(s)

Two versions of the AIP clients are available. The standard version reads its policy and label information from the Azure portal. The unified labeling version reads equivalent information from the Security and Compliance Center. Both versions integrate with the Office desktop applications. You should use the AIP unified labeling client with Office 365, making sure to use the latest version whenever possible.

If you see a Protect button in the Office desktop apps, you know you’ve installed the older version of the AIP client. The unified labeling client installs a Sensitivity button (as shown in Figure 1).

Although the unified labeling version of the AIP client is not quite as functional as the older client, Microsoft expects it to reach close to feature parity with its older counterpart by the end of 2019. Microsoft’s blog post also makes the important point that “going forward new features will be included in the Azure Information Protection unified labeling client whereas we’re not planning to add new features to the Azure Information Protection client”. In other words, future development efforts are focused on the unified labeling version, so tenants starting deployment projects today are strongly advised to use this version.

Encryption

One of the big features of rights management templates is the ability to protect content through encryption. The keys used for the encryption can be tenant-provided (BYOK or HYOK) or Microsoft-managed (MMK). In either case, the AIP client is responsible for encrypting content after an AIP or sensitivity label is applied to a message, document, or file. This is why you need to deploy AIP clients to workstations.

Native Support

It’s obviously inconvenient to have to deploy yet another client to user workstations. To make things easier, Microsoft is building native support for sensitivity labels (and encryption) into the Office ProPlus (click-to-run) desktop apps and the Office Online apps. Office mobile apps (Word, PowerPoint, Excel) also support the application of sensitivity labels today. Outlook Mobile can read protected content and will be able to apply sensitivity labels to new messages soon.

When the Office apps include native support for sensitivity labels, you won’t need to deploy the AIP client to get this functionality unless you intend to apply labels to content stored outside Office 365, in which case you need an AIP license (available in P1 and P2 plans and as part of the Enterprise Mobility + Security suite or Microsoft 365 Enterprise plans).

Summing Up

Most organizations have a mixture of content that needs to be protected inside and outside Office 365. The unified labeling version of the AIP client delivers this functionality today. In the future, native support in the Office apps will create a more integrated solution for Office content, but you’ll still need to deploy an AIP client to handle content stored in file servers and other non-Office 365 locations.


Still confused about AIP, labels, encryption, and Office 365? We suggest you read Chapter 24 of the Office 365 for IT Pros eBook where this topic is covered in detail.

The Irritation of Exchange Online’s Inconsistent Mail Tips

Published Mon, 01 Apr 2019 22:15:50 +0000 at https://office365itpros.com/2019/04/01/irritation-exchange-online-mailtips/

Little Things (Like MailTips) in Exchange Cause Irritation

Sometimes Office 365 drives me up the wall. It’s usually when little things don’t work like they should rather than problems with big pieces of functionality. The different ways that Exchange Online and clients handle MailTips is a current irritant.

Usually I don’t think too much about MailTips. They’ve been part of the product since Exchange 2010 and usually don’t cause any fuss or bother. Recently, Microsoft introduced a new tip in Outlook Mobile to warn users when they add a recipient to a message who’s outside the tenant. It’s a good idea that isn’t dependent on the transition to the new connection protocol for Outlook mobile, unlike many of the new mobile features Microsoft hopes to deliver in the future.

But curiously, Outlook for iOS shows different warnings depending on how the MailTips settings in Exchange Online’s organization configuration are set. On the left, we see the warning shown when the setting to disable MailTips is set; on the right, the different warning that appears when the setting is enabled.

Outlook for iOS shows different warnings when MailTips are enabled or not

The external recipient warning is the only one of the MailTips supported by Exchange Online displayed by Outlook Mobile.

Organization MailTips Configuration

The controls to turn MailTips on or off are in the organization configuration and can be set by running the Set-OrganizationConfig cmdlet. In this case, the settings of interest are:

  • MailTipsAllTipsEnabled: Enable or disable MailTips. The default is True.
  • MailTipsExternalRecipientsTipsEnabled: Enable or disable the tip that a message is going to an external addressee. The default is True.

Although I can’t think of any good reason to disable the warning for external recipients, it doesn’t seem right for Outlook Mobile to ignore a perfectly good setting. After all, if a setting can be set to False, then the clients that are supposed to respond to the setting should do so. The reason might lie in the fact that Outlook Mobile supports a setting to control the display of the external recipient tip in its application configuration policy. That is, if you use Intune.

Another setting (MailTipsLargeAudienceThreshold) allows an organization to set a threshold for a large recipient list (25 is the default) to warn someone when they’re about to send a message to a large group. The original idea was to warn people when they addressed messages to large distribution lists. And another (MailTipsMailboxSourcedTipsEnabled) controls whether warnings appear when people are out of the office or their mailbox quota is exceeded.
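To confirm that a tenant’s MailTips settings are what you expect, you can compare the output of Get-OrganizationConfig against a baseline. This is an added example, not code from the original post: the function name Test-MailTipsBaseline and the baseline values are assumptions, and the sample object is constructed so that the code runs without a tenant connection.

```powershell
function Test-MailTipsBaseline {
    [CmdletBinding()]
    param(
        # Output of Get-OrganizationConfig, or any object with the same MailTips* properties
        [Parameter(Mandatory)] [psobject] $OrgConfig,
        # Assumed baseline for illustration; change the values to match your own policy
        [hashtable] $Baseline = @{
            MailTipsAllTipsEnabled                = $true
            MailTipsExternalRecipientsTipsEnabled = $true
            MailTipsMailboxSourcedTipsEnabled     = $true
            MailTipsLargeAudienceThreshold        = 25
        }
    )
    foreach ($Name in ($Baseline.Keys | Sort-Object)) {
        # A property missing from the input is reported as non-compliant rather than skipped
        $Property = $OrgConfig.PSObject.Properties[$Name]
        $Actual = if ($Property) { $Property.Value } else { $null }
        [PSCustomObject]@{
            Setting   = $Name
            Expected  = $Baseline[$Name]
            Actual    = $Actual
            Compliant = ($null -ne $Property) -and ($Actual -eq $Baseline[$Name])
        }
    }
}

# Constructed sample standing in for the object returned by Get-OrganizationConfig
$Sample = [PSCustomObject]@{
    MailTipsAllTipsEnabled                = $true
    MailTipsExternalRecipientsTipsEnabled = $false
    MailTipsMailboxSourcedTipsEnabled     = $true
    MailTipsLargeAudienceThreshold        = 50
}
Test-MailTipsBaseline -OrgConfig $Sample | Format-Table -AutoSize

# In a connected Exchange Online session, report only the settings that have drifted:
# Test-MailTipsBaseline -OrgConfig (Get-OrganizationConfig) | Where-Object { -not $_.Compliant }
```

With the constructed sample, the external recipient tip and the large audience threshold are the two rows flagged as non-compliant.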

Outlook’s MailTips Settings

Possibly for historic reasons (because these settings go back to Outlook 2010), Outlook has its own controls for MailTips. Go to Options, Mail, and find the MailTips section. You can choose to never see MailTips or the selection of MailTips you want Outlook to display.

The MailTips options in Outlook for Windows

Neither OWA nor Outlook Mobile offers the same degree of control over the display of MailTips.

Differences in OWA

OWA doesn’t offer the same control over MailTips as Outlook does. Apart from this, the only issue I have with OWA is that the “new” version of OWA doesn’t display a warning if the number of recipients for a message exceeds the “large audience” threshold of 25. Given that we’re in the middle of a transition between client versions, this is probably an oversight that Microsoft will address before they switch everyone to the new version.

MailTips in the old version of OWA (including the large audience warning)
MailTips for the same message in the new version of OWA (no large audience warning)

Commonality Across Outlook Family

I’ve no doubt that some will be unaffected or won’t care about the variation in treatment of MailTips that exists across the Outlook clients. The fact that Outlook has its own set of controls doesn’t bother me, but I am irritated that the clients don’t all handle MailTips in the same way. It seems that Microsoft could do a better job of smoothing the differences across the different clients.

Note that it can take some time before changed settings in a tenant’s Exchange Online organization configuration become effective. OWA usually picks up changes first followed by Outlook and Outlook Mobile.


We try not to show irritation in the Office 365 for IT Pros eBook. That’s why we have this blog – to share some of the feelings that we otherwise hide.

Microsoft Launches Series of Outlook Mobile Seminars

Published Fri, 22 Feb 2019 06:46:20 +0000 at https://office365itpros.com/2019/02/22/microsoft-outlook-mobile-seminars/

Outlook Mobile by Insiders

Microsoft is running a series of five seminars delivered by the Outlook Mobile team starting March 14. The aim of the seminars is to increase customer knowledge about how to exploit the functionality of Outlook Mobile and all manner of interesting tips and tricks are promised.

As always, those running seminars like this have their own purpose. Microsoft wants Exchange customers, especially those with Exchange Online mailboxes in Office 365, to use Outlook Mobile instead of the free email apps from companies like Apple and Samsung. These clients use ActiveSync to connect to Exchange.

Reasons to Use Outlook Mobile

I don’t disagree with this aim. If you use Office 365, you should use Outlook Mobile. The reasons are:

  • Outlook Mobile uses a more modern connectivity architecture than ActiveSync-based clients do.
  • ActiveSync is not under active development. Microsoft will deliver new functionality for mobile clients, including the much-anticipated access to shared mailboxes, in Outlook Mobile rather than in ActiveSync.
  • Office 365 Groups are integrated into Outlook Mobile.
  • Even if Microsoft upgrades ActiveSync, there’s no guarantee that vendors like Apple will update their mail clients to take advantage of new features enabled in the ActiveSync protocol.
  • When dealing with encrypted email, Outlook Mobile is a more secure client than ActiveSync clients are because it is “enlightened.” This means that Outlook Mobile can process and display email protected by rights management inline (for example, email protected by the Encrypt-Only default template available in all Office 365 E3 and E5 tenants). ActiveSync clients are “unenlightened,” so the server must decrypt protected messages before the clients can read them. Downloading decrypted messages to a device removes much of the benefit of encryption.
  • It’s easier to manage Outlook Mobile clients with Intune than non-Microsoft email clients. As Outlook Mobile and Intune progress, the gap is likely to grow.

Now I’ve made the case for Outlook Mobile, you might decide that no further discussion is necessary. But perhaps a better idea is to attend one or more of Microsoft’s seminars to gather extra information before making your mind up. Added knowledge is never bad.


For more information about mobile clients for Exchange Online, read Chapters 10 and 18 of the Office 365 for IT Pros eBook. Intune is also covered in Chapter 18.

Office 365 Bits n’ Pieces January 2019

Published Fri, 18 Jan 2019 10:56:12 +0000 at https://office365itpros.com/2019/01/18/office365-bits-pieces-january-2019/

Taping Office 365 Exposed

This week I have been in Palma de Mallorca to attend an event. Fortunately, fellow MVPs Paul Robichaux and Vasil Michev were also in town and we got to record an episode of the Office 365 Exposed podcast. Paul is editing the content and we should have it online soon. Stay tuned.

Exchange 2010 Was The Best

One of the issues we discussed was the impending unsupported status for Exchange 2010, which I also covered in a Petri.com article. I think that Exchange 2010 was the most important release on a technical level because of its impact on Office 365. Others argued for Exchange 5.5 (too old to be considered), Exchange 2000 (the release that embraced Active Directory), and Exchange 2007 (the first to use PowerShell). All in all, I’m happy to stay with my position that the DAG, RBAC, Native Data Protection, and MRS were huge steps forward and make Exchange 2010 the champion of all releases.

Scanning for Sensitive Documents

We also talked about the growing use of encryption in Office 365. Microsoft IT published an interesting case study about their use of the Azure Information Protection scanner to look for and protect sensitive content stored in on-premises repositories like file shares. It’s worth a read. The scanner can be expensive to deploy, but it’s much more effective than human checking of file shares and SharePoint on-premises libraries.

Also in the world of Azure Information Protection (AIP), the latest client (1.41.51.0) protects PDFs using the industry standard. Microsoft updates the AIP client regularly and you need to keep an eye on what’s changed in each release. The development team runs a Yammer group that is open to all. You might like to join it.

Bad Teams

On the Teams front, some reports have come in to say that the Get-Team cmdlet isn’t working as well as it should. The symptom is that some teams don’t show up in PowerShell or the Graph but do in the Teams client, which is confusing. Microsoft is doing some background processing to update the properties of older teams to make them behave as they should. Apparently, the process will be complete soon!

AvePoint’s #ShiftHappens Event

I received an invitation to speak at the first AvePoint #ShiftHappens conference (Washington DC, June 12-13). At this point, I don’t know exactly what I’ll talk about (except that it will be linked to Office 365), but I’m looking forward to visiting DC again. It’s been a while since I worked there on projects like the deployment of ALL-IN-1 at the U.S. Treasury and Exchange at the U.S. Senate. Happy Days…

Outlook Mobile for the Government

I’m sure that the folks working in DC were interested to read that Outlook mobile meets the needs of people with the highest Federal security and compliance requirements. Unfortunately, these folks seem to be limited to S/MIME instead of the rights-management based encryption available to other Office 365 customers. I guess some more work is needed to qualify this kind of encryption for government use.

Outlook mobile can consume rights-management based protection today (in Microsoft terms, it is an “enlightened” client) and the Office 365 roadmap includes the ability for Outlook mobile to apply sensitivity labels in Q2 CY19. See this Petri.com article for more information on sensitivity labels.

Book Update Coming

Stay tuned for an update for the Office 365 for IT Pros eBook next week. The writing team is working hard to update chapters and if all goes well, we should publish on January 21 and have updates available in EPUB, PDF, and Kindle formats then.

How to Report the Connection Protocol Used by Outlook Mobile Clients

Published Wed, 05 Dec 2018 10:02:54 +0000 at https://office365itpros.com/2018/12/05/reporting-connection-protocol-used-outlook-mobile-clients/

Outlook Mobile Connects with Microsoft Sync Technology or an Older Protocol

In my Petri.com article about the new architecture (aka, “Microsoft Sync Technology”) Microsoft is deploying to connect Outlook for iOS and Android devices to Exchange Online and Outlook.com, I mention a Microsoft FAQ on the topic. That FAQ includes some PowerShell code to help administrators know what protocol devices use to connect. The code is perfectly good, but being PowerShell, there are many ways to approach a problem and some ways to improve a solution. Here’s my attempt to do so.

The single-line command (always good) in the FAQ uses the Get-MobileDevice cmdlet to retrieve a list of devices that have connected to Exchange Online, extracts the devices running the iOS or Android client, and reports the protocol each device uses. All good, but the data would be more valuable if you knew who used the devices as well.

Mailboxes, Not Mobile Devices

My solution takes a user-centric approach to the question. The first step in finding out who uses Outlook for iOS or Android to connect to Exchange Online is to create a set of user mailboxes, as they’re the only Exchange objects that can have mobile devices.

Next, we go through the list of mailboxes and use the Get-MobileDeviceStatistics cmdlet to examine details of mobile devices that have “partnerships” with each mailbox. We’re only interested in devices that report running Outlook for iOS or Android. If we find such a device, we grab the statistics like the O/S version running on the device and the date and time of the last successful synchronization. To know what architecture the device uses, we examine the ClientType property, which is “REST” if the device connects using the old architecture, or “Outlook” for the new.

# Run in a session connected to Exchange Online (Connect-ExchangeOnline)
# Find all user mailboxes; only mailboxes can have mobile device partnerships
[array]$Mbx = (Get-ExoMailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited | Select-Object Alias, DisplayName)
Write-Host "Processing" $Mbx.Count "mailboxes"
$Report = @()
ForEach ($M in $Mbx) {
   Write-Host "Checking devices for" $M.DisplayName
   # @() forces an array so that Count is reliable when zero or one device is returned
   $Devices = @(Get-MobileDeviceStatistics -Mailbox $M.Alias | Where-Object {$_.DeviceModel -eq "Outlook for iOS and Android"})
   If ($Devices.Count -eq 0) {
      Write-Host $M.DisplayName "has no Outlook Mobile devices"
   }
   Else {
      ForEach ($D in $Devices) {
         # ClientType is "REST" for the old architecture and "Outlook" for the new
         $ReportLine = [PSCustomObject]@{
            User     = $M.DisplayName
            Device   = $D.DeviceFriendlyName
            OS       = $D.DeviceOS
            SyncType = $D.ClientType
            LastSync = $D.LastSuccessSync}
         $Report += $ReportLine
      }
   }
}

Examining Connection Details

To see what data our code generates, we examine the $Report variable.

$Report | Format-Table User, Device, SyncType, Lastsync, OS

User            Device          SyncType LastSync             OS
----            ------          -------- --------             --
Deirdre Smith   Outlook for iOS REST                          iOS 12.1
Deirdre Smith   Outlook for iOS REST     24 Aug 2018 17:30:53 iOS 11.4.1
Deirdre Smith   Outlook for iOS REST     4 Dec 2018 21:27:16  iOS 12.0
James Ryan      Outlook for iOS REST     10 Oct 2018 16:22:52 iOS 12.0
Tony Redmond    Outlook for iOS REST     1 Oct 2017 18:13:27  iOS 10.3.3
Tony Redmond    Outlook for iOS REST     4 Dec 2018 22:32:34  iOS 12.0

At the time of writing, clients in my tenant still use the REST protocol that’s soon to be replaced by the Outlook protocol. See the Petri.com article for details.

Of course, if we need to do some deeper analysis, we can output the information to a CSV file with another command. The CSV file can then be loaded into Excel or Power BI to slice and dice the data, generate graphs, and so on.

$Report | Export-CSV -NoTypeInformation c:\temp\OutlookMobileDevices

Easy!
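The report above includes a partnership with no LastSync value and others that last synchronized long ago. The following added example (not part of the original post) classifies each row of $Report as Active, Stale, or NeverSynced and counts rows per protocol; the function name Get-OutlookMobileSyncStatus, the 90-day threshold, and the sample rows are assumptions constructed for illustration.

```powershell
function Get-OutlookMobileSyncStatus {
    [CmdletBinding()]
    param(
        # Rows shaped like $Report: User, Device, OS, SyncType, LastSync
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Report,
        [int] $StaleAfterDays = 90,      # assumed threshold, adjust to your policy
        [datetime] $AsOf = (Get-Date)
    )
    foreach ($Row in $Report) {
        # LastSync is empty for a partnership that never completed a sync
        $LastSync = $Row.LastSync -as [datetime]
        if ($null -eq $LastSync) {
            $Days = $null
            $Status = 'NeverSynced'
        } else {
            $Days = [int][math]::Floor(($AsOf - $LastSync).TotalDays)
            $Status = if ($Days -gt $StaleAfterDays) { 'Stale' } else { 'Active' }
        }
        [PSCustomObject]@{
            User          = $Row.User
            Device        = $Row.Device
            SyncType      = $Row.SyncType
            LastSync      = $LastSync
            DaysSinceSync = $Days
            Status        = $Status
        }
    }
}

# Constructed sample rows in the same shape as $Report (not real tenant data)
$AsOf = [datetime]'2018-12-05T00:00:00'
$Sample = @(
    [PSCustomObject]@{ User = 'User A'; Device = 'Outlook for iOS'; OS = 'iOS 12.1';   SyncType = 'REST';    LastSync = $null }
    [PSCustomObject]@{ User = 'User A'; Device = 'Outlook for iOS'; OS = 'iOS 11.4.1'; SyncType = 'REST';    LastSync = [datetime]'2018-08-24T17:30:53' }
    [PSCustomObject]@{ User = 'User B'; Device = 'Outlook for iOS'; OS = 'iOS 12.0';   SyncType = 'REST';    LastSync = [datetime]'2018-12-04T21:27:16' }
    [PSCustomObject]@{ User = 'User C'; Device = 'Outlook for iOS'; OS = 'iOS 12.0';   SyncType = 'Outlook'; LastSync = [datetime]'2018-12-04T22:32:34' }
)

$Status = Get-OutlookMobileSyncStatus -Report $Sample -AsOf $AsOf
$Status | Format-Table User, SyncType, LastSync, DaysSinceSync, Status -AutoSize

# Count of partnerships per protocol and status, for example "REST, Stale"
$Status | Group-Object SyncType, Status | Select-Object Count, Name | Format-Table -AutoSize

# Against live data: Get-OutlookMobileSyncStatus -Report $Report | Where-Object Status -ne 'Active'
```

Rows marked Stale or NeverSynced are candidates for review before you draw conclusions about which protocol a user’s active devices rely on.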


For more information about Office 365 clients, read Chapter 10 of the Office 365 for IT Pros eBook, while Chapter 18 covers mobile devices.
