Tuesday, September 30, 2014

Exchange Online Shared Mailboxes - Licensing, quota and compliance

Like all things cloud, things change.  This was based on September 2014 data and findings.

Writing today about shared mailboxes as a customer recently had several requirements and in reviewing the service description, I have found some inconsistent information.

And here's the current text of the footnote:
A user must have an Exchange Online license in order to access a shared mailbox. Shared mailboxes don’t require a separate license. However, if you want to enable In-Place Archive for a shared mailbox, you must assign an Exchange Online Plan 1 or Exchange Online Plan 2 license to the mailbox. If you want to enable In-Place Hold for a shared mailbox, you must assign an Exchange Online Plan 2 license to the mailbox. After a license is assigned to a shared mailbox, the mailbox size will increase to that of the licensed plan.

So for the purpose of this blog, I am going to focus on three issues:
  1. How large can a shared mailbox (no license) be?
  2. Can you put shared mailboxes into litigation hold or in-place hold?
  3. If you needed >10GB mailboxes or in place hold, how would you assign a license? 
How large can a shared mailbox (no license) be?
I created a shared mailbox and did a get-mailbox and see the prohibit send and receive is at 50GB

So, either the service description is incorrect, or PowerShell's quota reporting of space is incorrect.

So, I started stuffing the shared mailbox.  I have a pretty nice home PC.  SSD, 32GB RAM, etc.  I'd say around 5GB, using Outlook 2013 with all current patches, a shared mailbox became pretty slow and difficult to work with, even in OWA and Outlook 2013.
Can you put shared mailboxes into litigation hold or in-place hold? 
Based on the service description, you need a license for both litigation hold or in-place hold.  
Here's the GUI versus powershell of my in place hold.  You can see that in shell it shows there are no sourcemailboxes but the GUI shows I have an in place hold.  Confusing and very misleading.
According to the shared mailbox screen, it is under in-place hold

And my test eDiscovery with in place hold seems to be capturing data:

 And the preview shows my data!

What about litigation hold?   Well, that allows me to set it:

But can we trust it?  Is it really holding data?  The answer is yes.  Here's a trimmed screenshot of a prior test (not the same as the in-place hold) that captured data.  Even better, this mailbox was deleted, so this also proves that it is in litigation hold since the mailbox is no longer enabled, we know we are not searching an active mailbox.

If you needed >10GB mailboxes or in place hold, how would you assign a license? 

According to the Service Description, if you need in place hold or larger than 10GB shared mailboxes, you need to assign an Exchange Online Plan 1 or Plan 2 license to the mailbox.

However, since the mailbox is shared, you cannot assign a license to it.

So I opened a quick case asking "how do I apply a license to a shared mailbox?"

Their answer was simple - you need to convert the mailbox to a user mailbox.

Once converted, you can assign a license.   However, one may argue or be concerned on the points this brings up:
  • This is no longer a shared mailbox, but is a user mailbox that is shared, it now has a username and password (and the password assigned is not very complex if a cloud only account (@tenant.onmicrosoft.com) 
  • This is now a cloud only account, if you run DirSync or had a security requirement that all accounts be sourced in AD, this would not be within that policy, or subject to any policies your authentication solution might enforce.  If you had a Hybrid environment, you could convert and move the shared user mailbox to on premise, or just create your shared mailboxes on premise
  • Licensing does not appear to be required to have in-place or litigation hold enabled 
UPDATE 10/1/2014: Thanks to Nino Bilic for pointing out, you ABSOLUTELY can license a shared mailbox.  In O365 Users, search for it, and add a country and license.  He also advises that while quota and hold status may be working without a license, you should license them, in case Microsoft decides to enforce licensing, it could put you in a state of non compliance or over the size limit shared mailboxes!

UPDATE 10/8/2014: Another nod to Nino - In this article, Microsoft addresses Exchange Online licensing required and explicitly mentions Litigation Hold as WELL as in place hold require an Exchange plan 2 license!
Manage inactive mailboxes in Exchange Online

In closing..
  1. Quota, litigation and in-place hold all function as expected on shared mailboxes without a license, however this could change and be enforced at any given time, so obviously recommend using licensing if the functionality is needed.
  2. Litigation and in-place hold are completely enabled for shared mailboxes, regardless of the licensing section of the Service Description
  3. Licensing a shared mailbox can be performed by converting them to a user mailbox or by assigning a license to the shared mailbox MSOLUser as documented above

Wednesday, September 24, 2014

Exchange Online and a Connection Filter limitation

Ran into a situation the other day where I was inputting Whitelisted IP's from a customer's current mail hygiene solution, and EOP would not let me input a /20 network into the dialog.  I double checked the IP/subnet was correct, the periods were really periods, and no whitespace characters in my input.  No go.   Turns out I hit a fun limitation of the connection filter.  Not sure why they would have this limitation, but here is the documented limit and a workaround (if you use Exchange Online - if you are an EOP only customer, I am not currently aware of a workaround)

From here: http://technet.microsoft.com/en-us/library/jj200718%28v=exchg.150%29.aspx
"You can specify a maximum of 1273 entries, where an entry is either a single IP address or a CIDR range of IP addresses from /24 to /32."

So that's the limitation.  Luckily, this customer is using Exchange Online, which allows you to also use Transport Rules that can then cover a larger subnet and bypass spam filtering for connections from that IP:


Tuesday, September 09, 2014

Lync Key Health Indicators (KHI) summarization

"Necessity is the mother of all invention."

Lync Call Quality Methodology is a great way to inspect your environment and find areas in need of improvement and troubleshoot end user reported problems better.  However the first portion of the methodology is collecting KHI's or Key Health Indicator reports from performance monitor.  I've found this article at Flinchbot to be pretty helpful in deploying the KHI's as well as triggering the stop and start of log collection.  But then the very manual process of collecting average and maximum values from multiple servers and days.

So I wrote this little thing in Excel.  If you find errors, let me know, I won't claim to be a programmer, so this is free and completely at your own risk.  I tried to make it simple.

  1. Name your CSV's something like "Server - Date.csv"  Each file will be a new tab.
  2. Edit the xlsm document with the folder where your CSV's are stored (E14)
  3. Click "Summarize KHI CSVs"
  4. Wait a bit.   Some of these files are large and the operation may make Excel hang or seem unresponsive for a bit.  I promise, I couldn't code a virus to save my life.
  5. The output provides each counter with the Average and Max value, one sheet in the workbook per CSV provided.
Sample of interface:

Sample of Output

Download from Technet Here

Demonstration Video
Excuse the interface, I prettied it up before posting it!