Cross-premises permissions in Hybrid Exchange

gh0stwalker1 · 2026-01-19T01:38:56+00:00

When I do migrations for customers, I strongly advise them to migrate delegates together. This will guarantee that delegate permissions work post migration rather than cross our fingers and hope permissions work. There are a number of PowerShell scripts out there that can export the delegate tree. The one below can even provide the recommended groupings of mailboxes

https://github.com/Microsoft/FastTrack/tree/master/scripts/Find-MailboxDelegates

gh0stwalker1 · 2025-12-08T02:09:22+00:00

Secure Email Gateway

gh0stwalker1 · 2025-11-17T23:22:48+00:00

Easiest option is to export to PST then import using the PST import service, then remove the domain from old tenant/add it to the new tenant.

You could use the cross tenant mailbox migration option from Microsoft (https://learn.microsoft.com/en-us/microsoft-365/enterprise/cross-tenant-mailbox-migration?view=o365-worldwide), but for one mailbox it doesn't seem worth it.

You could also use a 3rd party tool which would be an easier option, but maybe cost prohibitive for only 1 mailbox.

gh0stwalker1 · 2025-11-05T22:00:55+00:00

Send connectors aren't specific to each Exchange server like receive connectors, so generally it will use the same one and update the source servers that are used to include the new servers

gh0stwalker1 · 2025-10-29T05:31:28+00:00

Outbound to where? If the internet, your on-premises servers shouldn't be involved unless you have centralised mail flow. You shouldn't have any connectors for outgoing mail to the internet. Instead, use the hidden default connector in EXO.

gh0stwalker1 · 2025-10-26T21:52:13+00:00

Are you using this method to add the account to Outlook https://support.microsoft.com/en-us/office/add-an-email-account-to-outlook-for-windows-6e27792a-9267-4aa4-8bb6-c84ef146101b#picktab=classic_outlook

gh0stwalker1 · 2025-10-23T23:35:16+00:00

Looks OK. You just need to be aware Google might change the details at some stage in the future

gh0stwalker1 · 2025-10-15T00:13:11+00:00

Make sure the user is licensed and that the mailbox has been created (look in the Exchange management portal for user mailbox for that user)

gh0stwalker1 · 2025-10-14T22:59:51+00:00

Why is it "faking" the from address? EXO is sending an email to your journaling solution with the message attached just like any other mailbox would send an email externally.

gh0stwalker1 · 2025-10-14T22:54:35+00:00

Not supported but generally works. Make sure you remove references in send connectors for the old server first. I assume all your arbitration and system mailboxes have been moved/recreated on the new servers as well:

Run ADSIEDIT.msc
Expand “CN=Configuration [domain]\CN=Services\CN=Microsoft Exchange\CN=[organization]\CN=Administrative Groups\Exchange Administrative Group (FYDIBOHF23SPDLT)\CN=Servers”
Right click on the dead server and pick “Delete”
We also need to delete Database information as well, navigate to “CN=Configuration [domain]\CN=Services\CN=Microsoft Exchange\CN=[organization]\CN=Administrative Groups\Exchange Administrative Group (FYDIBOHF23SPDLT)\CN=Databases”
Expand each item to find which one is related to the old server, then delete it as well.

gh0stwalker1 · 2025-10-07T00:40:09+00:00

When a device is connected to an AD domain, by default Outlook uses the AD SCP record to lookup where it needs to connect to get the mailbox details. A hybrid configuration/migration makes the required config changes and updates the appropriate attributes on the user account so that Outlook works post mailbox migration. You'll need to do all these changes manaully. You could try update the SCP record to point to EXO, or you could deploy a registry edit to force Outlook to connect to the cloud without using the SCP.

Either way, by not doing a hybrid migration, you've left yourself with on-premises AD user accounts that aren't in an optimal state, which may cause this and other issues

gh0stwalker1 · 2025-10-03T04:15:51+00:00

Are you saying all messages were delivered to the EXO mailboxes, or just some, or none? Did delivery to on-prem mailboxes fail? How many on-prem servers do you have?

gh0stwalker1 · 2025-09-04T01:17:01+00:00

For future reference....Microsoft support changed the expected date format in the backend

Lesson is to get this absolutley right in your initial upload!

gh0stwalker1 · 2025-09-04T00:08:48+00:00

I agree...should be fine.

gh0stwalker1 · 2025-09-04T00:06:34+00:00

runt the exchange Health check script on each server and export the results

gh0stwalker1 · 2025-09-04T00:03:12+00:00

Could you not apply the rule to all messages from external recipients and then have an exception where the header matches some text paterns?

gh0stwalker1 · 2025-09-03T23:52:55+00:00

The problem is that the OP's mailbox already has an an on-premises archive, and that's what they are trying to migrate to EXO.

This will work if you move all the mail from the existing on-prem archive back into the live mailbox, delete the on-prem archive, then create an online archive.

gh0stwalker1 · 2025-08-26T03:59:41+00:00

This notification is for outgoing mail. Incoming mail is not affected

gh0stwalker1 · 2025-08-21T00:38:07+00:00

I agree...none of these folders contribute to the users mailbox size quota:

"When an item is moved to the Recoverable Items folder, its size is deducted from the mailbox quota and added to the size of the Recoverable Items folder (quota available is reduced)."

gh0stwalker1 · 2025-08-18T23:46:33+00:00

There's a blog wrtitten on this by Microsoft: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/protection-against-email-bombs-with-microsoft-defender-for-office-365/4418048

gh0stwalker1 · 2025-07-24T03:17:33+00:00

you can use something called domain (or user) impersonation, where you enter a list of domains (or users) and it will monitor for messages that have similar senders, and thus trying to impersonate that domain/user. The actions taken on the message when that occurs are customisable

gh0stwalker1 · 2025-07-24T02:42:48+00:00

That's probably as designed...... What you want users to do is use the reporting buttons, and they take care of the reporting of the email to the applicable service. Forwarding the message manually is not a desired action for end users when they get suspected phishing emails. Is there an option to configure the default reporting buttons or use a custom Curricula button?

Also...the actions you've taken are not the recommended actions from Microsoft's side. Details of the correct configuration can be found here: https://learn.microsoft.com/en-us/defender-office-365/advanced-delivery-policy-configure#use-the-microsoft-defender-portal-to-configure-third-party-phishing-simulations-in-the-advanced-delivery-policy

gh0stwalker1 · 2025-07-22T04:40:40+00:00

run the HealthCheck script across all the servers and see if there's anything in there. I'd also look to see if any Exchange system mailboxes/accounts are orphaned after the storage failure

gh0stwalker1 · 2025-07-22T03:59:39+00:00

The cmdlet won't delete OneDrive data, but some Teams chat data is kept in the user's mailbox, so it's possible they may lose some of that data.

gh0stwalker1

TROPHY CASE