Office 365 – Have You Evaluated These Exchange Online Features?

One of the great aspects of Office 365 is that there is no shortage of features and it seems like there are new features added monthly.
That said, not all organizations want all of the features and in many cases, Microsoft has enabled these features by default. You may want to roll out these features in a phased approach or block some of them altogether.
You would (hopefully) never install Exchange on-premises by just clicking “next”, “next”, “next” and leaving it at that. Likewise, you shouldn’t assume that Exchange Online is fully configured just because you changed your MX records and moved your mailboxes.
Below are some of the optional features within Exchange Online that you should evaluate as well as some ways to manage them.

First Release

Keeping up with all the change in Office 365 can be a challenge at times. The “First Release” feature allows you to have a select group of users that receive updates prior to the general user population. Users set as “First Release” will typically receive new features a few weeks if not a few months in advance. Information on how to assign users as “First Release” can be found on the “Office 365 Release Options” page.

Clutter

The “Clutter” feature was added way back in November 2014. It’s basically a feature where messages that aren’t spam, but that you don’t generally read quickly, are filed into a folder called “Clutter” in your mailbox. Users will receive a notification email from Microsoft providing information on the feature along with instructions on how it can be disabled. This feature is enabled by default and some organizations choose to disable it given that the concept is a bit unfamiliar for their users. The feature can be disabled on a per-mailbox basis by running the command below.

Set-Clutter -Identity {alias} -Enable $false

Distribution Groups Creation

The “Default Role Assignment Policy” in Exchange Online allows users to create their own distribution groups in the cloud Global Address List (GAL). In many cases, this is not desirable, especially in an Exchange hybrid environment where the on-premises directory is authoritative. Assuming that you don’t want users to be able to create groups on their own, you’ll want to edit the existing “Default Role Assignment Policy” or create a new “Role Assignment Policy” and assign it to your users. For guidance on changing or creating a new policy, see “How to prevent users from creating and managing distribution groups in Office 365” (KB2580991). If you’re fine with users creating their own Distribution Groups, you may want to consider creating a “Distribution Group Naming Policy“.

Office 365 Groups

The “Office 365 Groups” feature (not to be confused with “Distribution Groups”) is one that can be a great collaboration tool for team or project-based work. However, this feature is another place and way to store data which means it should be evaluated from a records management perspective. The feature is enabled by default so users can freely create their own “Office 365 Groups”; this may not align with how you organization wishes to roll out such a feature. You can disable this feature in the OWA Mailbox Policy by running the command below.

Set-OwaMailboxPolicy -Identity {policy name} -GroupCreationEnabled $False

Unleash the Potential of Power Platform With a Center of Excellence

Business innovation often comes from within. Discover how to empower innovation from non-traditional developers with the Microsoft Power Platform.

Learn More

If you want to leave the feature enabled for a subset of users, you can create an additional OWA Mailbox Policy and assign it to those users.

POP / IMAP

Rarely do you see an organization where users are accessing their mailbox via POP or IMAP yet these protocols are enabled by default on every mailbox. This setting is configured per-mailbox and can be disabled with the command below.

Set-CASMailbox {alias} -PopEnabled $false -ImapEnabled $false

ActiveSync Allow/Block/Quarantine

Back in Exchange 2010, Microsoft added the “Allow/Block/Quarantine” (ABQ) feature for ActiveSync devices and it exists in Exchange Online today. The idea is that you can “whitelist” or “blacklist” specific device types but one of the more interesting options is the ability to “Quarantine” devices. A user can go through the process of setting up their mobile device as usual; when they complete the process, the user receives a single synced message stating the device has been quarantined along with whatever custom message you include. Some organizations choose to take this approach and then use that notification to redirect the user to a company policy for acknowledgement. When the policy has been accepted, an administrator can now approve the device in the portal. You can configure “Quarantine” mode along with a notification group and custom message using the command below.

Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -AdminMailRecipients {group@company.com} -UserMailInsert {Quarantine Message}

Keep in mind if you already have users with ActiveSync devices and you enable “Quarantine”, you will end up quarantining all those existing devices. You’ll want to make sure you explicitly approve existing devices if you want to avoid that scenario.

OWA Offline Mode

As the name might suggest, “OWA Offline Mode” allows for some local caching of data while using OWA. Some organizations may view this as a security concern and choose to block this feature. This is another feature that is disabled in the OWA Mailbox Policy using the command below.

Set-OwaMailboxPolicy -Identity {policy name} -AllowOfflineOn NoComputers

Retention Policies

The “Default MRM Policy” in Exchange Online includes a “Default Policy Tag” (DPT) called “Default 2 years move to archive”. As the name suggests, the tag will move items over 2 years old to the archive mailbox if you have enabled the archive mailbox for a user. If this action is not desirable, you can remove the tag from the “Default MRM Policy”.

Retention Policy Tags

Retention Policies can cause a bit of confusion for some organizations. One of the little known aspects of Retention Policies and Retention Policy Tags is that a user can use any “Personal Tag” you’ve created, not just those linked to their assigned Retention Policy; this is because the “Default Role Assignment Policy” includes the “MyRetentionPolicies” role. You can remove this role from the default policy with the command below:

Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" -Role "MyRetentionPolicies" | Remove-ManagementRoleAssignment

Summary

Like any other platform, features within Exchange Online should be evaluated against your organization’s security and compliance standards. While many features may be enabled by default, they can usually be disabled for the general population until the evaluation can be completed.

Did you find this article helpful?
Leave a comment below or follow me on Twitter (@JoePalarchio) for additional posts and information on Office 365.
Looking to do some more reading on Office 365?
Catch up on my past articles here: Joe Palarchio.