Limiting Access to Office 365 Services

A client was looking to limit access to mailboxes from outside the corporate network in order to improve data security. Because Outlook can cache mailbox information on a local machine, they would like their users to be able to connect to Outlook only from corporate machines. These are the requirements:

  • Outlook users can connect only from corporate laptops, and only while a VPN tunnel to the corporate network is established
  • OWA can be used from any machine without restrictions
  • ActiveSync can be used from any device but the device must be approved by an administrator

Active Directory Federation Services (AD FS) 2.0 provides a way to configure these types of policies. Office 365 customers using Single Sign-On (SSO) who require these policies can now use client access policy rules to restrict access based on the location of the computer or device that is making the request.

To enable client access policy, you must complete the following steps:

Step 1: Install the Update Rollup 2 for AD FS 2.0 package on your AD FS servers

Download the Update Rollup 2 for Active Directory Federation Services (AD FS) 2.0 package and install it on all federation servers and federation server proxies. The package can be downloaded from http://support.microsoft.com/kb/2681584

Step 2: Add five claim rules to the Active Directory Claims Provider trust

After the Update Rollup 2 package has been installed on all federation servers and federation server proxies, and the AD FS 2.0 Windows Service has been restarted, add a set of acceptance transform rules to the Active Directory claims provider trust that pass the five new request context claim types through to the policy engine. Without these pass-through rules the claims never reach the relying party trust, and the authorization rule created in Step 3 can never match.

On the Active Directory claims provider trust, create one acceptance transform rule per claim type using the following procedure.

  1. Click Start, point to Programs, point to Administrative Tools, and then click AD FS 2.0 Management
  2. In the console tree, under AD FS 2.0\Trust Relationships, click Claims Provider Trusts, right-click Active Directory, and then click Edit Claim Rules
  3. In the Edit Claim Rules dialog box, select the Acceptance Transform Rules tab, and then click Add Rule to start the rule wizard
  4. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an Incoming Claim from the list, and then click Next
  5. On the Configure Rule page, under Claim rule name, type the display name for this rule (the Rule name column in the table below); in Incoming claim type, type the matching claim type URL from the table; then select Pass through all claim values
  6. Click Finish
  7. To verify the rule, select it in the list, click Edit Rule, and then click View Rule Language. For the forwarded-client-IP rule the claim rule language should read:

     c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"] => issue(claim = c);

  8. In the Edit Claim Rules dialog box, click OK to save the rules

Repeat the Add Rule procedure above for each of the claim types below until all five pass-through rules exist:

  Rule name                    Incoming claim type (passed through)
  EQ-Forwarded-client-ip       http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip
  EQ-client-application        http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application
  EQ-client-user-agent         http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent
  EQ-Proxy                     http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy
  EQ-endpoint-absolute-path    http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path

Step 3: Update the Microsoft Office 365 Identity Platform relying party trust

This step configures which clients are blocked, by adding an issuance authorization rule to the Microsoft Office 365 Identity Platform relying party trust. At Equitable, we created a custom block scenario: block all external access to Office 365 except Exchange ActiveSync and browser-based applications such as Outlook Web App or SharePoint Online.

Below is the claim rule we configured for this scenario. It sits alongside the existing permit rule on the relying party trust; a deny claim wins regardless of rule order:

  exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) &&
  NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.Autodiscover"]) &&
  NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"]) &&
  NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"]) &&
  NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "\b123\.123\.123\.1\b|\b134\.134\.134\.2\b"])
  => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

Reading the conditions in order: the request arrived through a federation server proxy, so it is external; it is not an Autodiscover or ActiveSync request; it is not a browser request to the passive endpoint /adfs/ls/ (OWA, SharePoint Online, the portal); and the client IP forwarded by Exchange Online is not one of the corporate egress addresses (123.123.123.1 and 134.134.134.2 are example addresses). Only a request that meets all five conditions, in practice a rich client such as Outlook outside the corporate network, receives the deny claim. The "\b" anchors are used rather than "^" and "$" because the forwarded-client-IP claim can carry a comma-separated list of addresses.

Two things to verify before going live. First, the VPN must route Office 365 traffic through the corporate egress: with a split tunnel, Exchange Online sees the user's home address and Outlook is blocked even on a corporate laptop. Second, check the regex character by character. A typo in an address fails closed and merely blocks corporate users, which is noisy but safe; an unescaped dot or a missing "\b" widens the exemption to addresses you did not intend to allow.

Once configured, the AD FS service was restarted and the policy confirmed through testing to behave as intended. In a Windows Internal Database (WID) farm this change only needs to be made on the primary federation server (the first one installed), since it holds the writable copy of the configuration database; the secondary federation servers pull the updated trusts from it.
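The same five pass-through rules and the deny rule can be applied from PowerShell on the primary federation server, which keeps the rule text in version control rather than in a wizard. This is an added example, not code from the original post or from Microsoft's documentation; it assumes AD FS 2.0 with Update Rollup 2, the default trust names ("Active Directory" and "Microsoft Office 365 Identity Platform") and the two example egress addresses used above.

```powershell
# Added example, not from the original post. Assumes AD FS 2.0 + Update Rollup 2, the default
# trust names, and the two example corporate egress addresses from the rule above.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$ctx = "http://schemas.microsoft.com/2012/01/requestcontext/claims"
$claims = @{
    "EQ-Forwarded-client-ip"    = "$ctx/x-ms-forwarded-client-ip"
    "EQ-client-application"     = "$ctx/x-ms-client-application"
    "EQ-client-user-agent"      = "$ctx/x-ms-client-user-agent"
    "EQ-Proxy"                  = "$ctx/x-ms-proxy"
    "EQ-endpoint-absolute-path" = "$ctx/x-ms-endpoint-absolute-path"
}

# Step 2: one pass-through acceptance transform rule per request-context claim type.
# Set-ADFSClaimsProviderTrust replaces the whole rule set, so the existing rules are kept.
$passThrough = ($claims.GetEnumerator() | ForEach-Object {
    "@RuleName = `"$($_.Key)`"`nc:[Type == `"$($_.Value)`"] => issue(claim = c);"
}) -join "`n"
$existing = (Get-ADFSClaimsProviderTrust -Name "Active Directory").AcceptanceTransformRules
Set-ADFSClaimsProviderTrust -TargetName "Active Directory" `
    -AcceptanceTransformRules ($existing + "`n" + $passThrough)

# Step 3: issuance authorization rules on the Office 365 relying party. The deny rule needs a
# permit rule next to it; with only a deny rule nobody can sign in. A deny claim wins over a
# permit claim whatever the order.
$corpEgress = '\b123\.123\.123\.1\b|\b134\.134\.134\.2\b'   # example addresses, not real ones
$authRules = @"
@RuleName = "Deny external rich clients except ActiveSync and Autodiscover"
exists([Type == "$ctx/x-ms-proxy"]) &&
NOT exists([Type == "$ctx/x-ms-client-application", Value == "Microsoft.Exchange.Autodiscover"]) &&
NOT exists([Type == "$ctx/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"]) &&
NOT exists([Type == "$ctx/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"]) &&
NOT exists([Type == "$ctx/x-ms-forwarded-client-ip", Value =~ "$corpEgress"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

@RuleName = "Permit all users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@
Set-ADFSRelyingPartyTrust -TargetName "Microsoft Office 365 Identity Platform" `
    -IssuanceAuthorizationRules $authRules

# Check: read both rule sets back before testing sign-ins. A missing permit rule or a regex
# with an unescaped dot shows up here rather than as a flood of failed logons.
(Get-ADFSClaimsProviderTrust -Name "Active Directory").AcceptanceTransformRules
(Get-ADFSRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform").IssuanceAuthorizationRules
```

Run it on the primary federation server in a WID farm; the secondaries pick up the trusts from it. Test with one pilot account from each of the three paths (Outlook over VPN, OWA from home, ActiveSync from an approved phone) before widening the rule.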

 

Setting up Hybrid Migration from Exchange 2003 to Office 365

1.1    Overview

Many companies are still running Exchange 2003 as their messaging environment. Some of them are now ready to upgrade their messaging services and use Exchange Online in Office 365. This blog provides some tips and tricks on how to accomplish this task.

We will be setting up a hybrid configuration to allow for proper coexistence during the transition period to Exchange Online. In order to accommodate for coexistence, the following components are required:

  • Exchange hybrid server – A hybrid deployment provides a unified email experience for the Office 365 deployment. It enables users who have on-premises Exchange mailboxes and users who have Exchange Online mailboxes to find one another in the global address list (GAL) and to send, receive and reply to email regardless of which system hosts their mailbox. Exchange 2013 cannot be used as the hybrid server because it cannot coexist in the same organization as Exchange 2003, so Exchange 2010 SP3 must be used as the hybrid server in this scenario.
  • Microsoft Online Services Directory Synchronization server – The Directory Synchronization tool is primarily used to synchronize the Exchange global address list (also known as the shared address book) and to provision users in a cross-premises deployment. Directory synchronization is a requirement for the hybrid deployment scenario, and it is a prerequisite for the shared cross-premises GAL, calendar and free/busy sharing, and single sign-on that together produce a seamless user experience during coexistence.
  • Active Directory Federation Services (AD FS) infrastructure – This includes the AD FS server as well as the optional but recommended AD FS proxy server. The AD FS infrastructure provides a single sign-on (SSO) experience: users enter their Active Directory corporate credentials to access the Office 365 services. Check out this blog for added information on the difference between single sign-on and same sign-on.

Note that AD FS does not have to be used for authentication. You may instead use Directory Synchronization with Password Synchronization to provide a "same sign-on" experience, where a hash of the user's password is synchronized to Office 365 along with the user object. Authentication is then handled in the cloud rather than being redirected back on-premises for verification.


1.2    Install and Configure ADFS

The most important operation you need to perform to provide your users with single sign-on access to the cloud service is to deploy a new AD FS federation server farm. Microsoft recommends deploying at least two federation servers in order to provide fault tolerance, load-balancing, and scalability to your organization’s AD FS production environment.

1.2.1   Installing Microsoft Online Services Sign-In Assistant

The Microsoft Online Services Sign-In Assistant (MOS SIA) provides end user with sign-in capabilities to Microsoft Online Services like Microsoft Office 365. The MOS SIA installs client components that allow desktop applications like Microsoft Outlook and Microsoft Lync to authenticate to Microsoft Online Services. The MOS SIA also provides an improved sign-in experience so users can access Microsoft Online Services without re-entering their usernames or passwords.

The Sign-In Assistant is needed on the federation server because the Microsoft Online Services Module for Windows PowerShell, which is used to establish the federation trust between the AD FS farm and Office 365 (Convert-MsolDomainToFederated), depends on it. Without that trust, tokens issued by AD FS are not accepted by Office 365.

1.2.2   Installing AD FS

  • Install the necessary Windows prerequisites for ADFS
  • Import the SSL certificate onto the server
  • Configure the certificate in IIS
  • Install the ADFS feature
  • Configure a service account for the federation server farm
  • Run the ADFS Federation Service Configuration wizard to create and configure the federation farm

1.3    Install and Configure Hybrid Server

In this blog I will not go into details of installation and/or configuration of the hybrid server – instead I will provide the high-level steps required to be configured.

1.3.1    Prepare for Exchange 2010 SP3 Installation

Before we can begin installing Exchange 2010 servers, the following preparation tasks need to be done.

  1. Run the Exchange 2010 SP3 prerequisites check for the operating system being used
  2. Ensure that the Active Directory forest functional level is Windows Server 2003 or higher
  3. Ensure that the Active Directory domain functional level is Windows Server 2003 native or higher
  4. Validate that the schema master is running Windows Server 2003 SP2 or later
  5. Run EXBPA (Exchange Best Practices Analyzer) and resolve any issues reported by the tool
  6. Use Exchange 2010 SP3 at a minimum for the hybrid server
  7. Obtain an Exchange 2010 Hybrid Edition product key from Office 365 Support
  8. Extend the Active Directory schema with Exchange 2010 SP3 setup. Because Exchange 2003 is present, run Setup /PrepareLegacyExchangePermissions first, then /PrepareSchema and /PrepareAD, from an account that is a member of Schema Admins and Enterprise Admins

1.3.2    Install Exchange 2010 Server SP3

When installing the hybrid server, make sure to select a “typical installation” where the following three roles will be installed:

  • Mailbox role
  • Client access (CAS) role
  • Hub transport role

Each of the roles must be configured individually to allow a proper hybrid setup. During the installation, make sure the following settings are configured as follows:

  • On the Configure Client Access Server external domain page, configure an external fully qualified domain name (FQDN). This is the FQDN that you give to Outlook Web App users to connect to an Exchange 2010 hybrid Client Access server, and also the endpoint that Exchange Online uses for on-premises look-ups, including free/busy calendar availability. Leave the check box unselected unless all the DNS records required for the hybrid configuration are already in place; the external URLs are completed at a later stage (section 1.3.5)
  • On the Mail flow settings page, browse and select the Exchange 2003 server that will be the bridgehead between the two messaging systems. This server routes mail between Exchange 2003, Exchange 2010 and Office 365

1.3.3    Configure DNS records in an Exchange 2010 hybrid deployment

To enable Outlook 2010 and mobile clients to connect to mailboxes in the Exchange Online organization, you need to configure an AutoDiscover record on your public DNS. AutoDiscover automatically configures client settings so that users don’t need to know server names or other technical details to configure their mail profiles. Microsoft also recommends that you configure a Sender Policy Framework (SPF) record to ensure that destination e-mail systems trust messages sent from your domain and the Exchange Online Protection (EOP) service for your Office 365 organization.

  • AutoDiscover record – The AutoDiscover DNS record for your on-premises organization needs to refer requests for autodiscover.domain.com to your on-premises hybrid server. You can use either a CNAME DNS record or an A DNS record. A CNAME DNS record must refer to the FQDN of an on-premises hybrid server that has the Client Access server role installed. An A (Host) DNS record must point to the external IP address of a hybrid server or your firewall, depending on your network configuration.
  • SPF record – A Sender Policy Framework record is a TXT record in your public DNS that lists the hosts allowed to send mail for your domain; receiving systems use it (and Microsoft's related Sender ID check) to reject spoofed and phishing mail that claims to come from you. For a hybrid organization the record must cover both the on-premises sending hosts and the EOP service that relays for Exchange Online mailboxes, for example v=spf1 ip4:<public IP of the hybrid server> include:spf.protection.outlook.com -all, where the IP address is yours to fill in and spf.protection.outlook.com is EOP's published include. A record that lists only one side causes legitimate mail from the other side to fail SPF.

 

1.3.4    Configuring Exchange certificates in an Exchange 2010 hybrid deployment

Digital certificates are an important requirement for secure communications between the on-premises Exchange 2010 hybrid servers, clients and the Exchange Online organization. You need a certificate for the hybrid servers from a third-party trusted certificate authority (CA); Exchange Online does not trust private or self-signed certificates on the hybrid endpoints. A wildcard certificate is convenient because it covers the Exchange names and the AD FS name when single sign-on is used, but it also means one private key protects both the mail and the identity perimeter. A SAN certificate listing only the names actually in use (the mail FQDN, autodiscover and the AD FS service name) limits the damage if that key is ever exposed, and is the option to prefer where the extra cost is not an issue.

Once the certificate has been purchased, import it onto the hybrid server and assign SMTP and IIS services to it.

1.3.5    Configuring Exchange Web Services in an Exchange 2010 hybrid deployment

Configure the external FQDN as the external URL on the Exchange Web Services (EWS), Outlook Address Book (OAB), AutoDiscover and the Exchange ActiveSync (Microsoft-Server-ActiveSync) virtual directories. If multiple hybrid servers will be used, make sure the URL is pointing to the load balanced name of the servers.

1.3.6    Configure Client Access Array

Regardless of how many hybrid servers will be used, always configure a Client Access (CAS) array. Outlook profiles then reference the array name rather than a server FQDN, so servers can be added or replaced later without touching every client.

1.3.7    Enabling Outlook AnyWhere

Outlook Anywhere for Exchange Server 2010 provides Internet-based access to your messaging environment using an Outlook 2003/2007/2010 client. If you have enabled Outlook Anywhere on a server that is running Exchange 2010 that has the Client Access server role installed, users who are on Exchange 2010 servers that have the Mailbox server role installed can use RPC over HTTP to connect to their Exchange mailbox. This is required to be enabled for connectivity to Exchange Online.
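Sections 1.3.4 through 1.3.7 are usually done from the Exchange Management Shell rather than the console, and doing so makes the settings reviewable. The block below is an added example, not from the original post; the server name, FQDNs, site name and certificate path are assumptions to replace with your own, and the Outlook Anywhere authentication method is an assumption noted in the comments.

```powershell
# Added example, not from the original post. Assumed names: hybrid server HYB01, external
# FQDN mail.contoso.com, autodiscover.contoso.com, CAS array outlook.contoso.local in AD site
# "Default-First-Site-Name", certificate file C:\certs\wildcard-contoso.pfx.
$Server       = "HYB01"
$ExternalFqdn = "mail.contoso.com"

# 1.3.4  Import the public CA certificate and bind it to IIS and SMTP.
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX password"
$cert = Import-ExchangeCertificate -Server $Server `
    -FileData ([Byte[]](Get-Content -Path "C:\certs\wildcard-contoso.pfx" -Encoding Byte -ReadCount 0)) `
    -Password $pfxPassword
Enable-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint -Services IIS,SMTP

# 1.3.5  External URLs, HTTPS only. MRSProxyEnabled on EWS is what the remote move migration in
#        section 2.2 talks to; it exposes the mailbox replication proxy at the internet edge, so
#        enable it for the migration window and set it back to $false afterwards.
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -ExternalUrl "https://$ExternalFqdn/EWS/Exchange.asmx" -MRSProxyEnabled $true
Set-OABVirtualDirectory -Identity "$Server\OAB (Default Web Site)" `
    -ExternalUrl "https://$ExternalFqdn/OAB"
Set-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ExternalUrl "https://$ExternalFqdn/Microsoft-Server-ActiveSync"
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml"

# 1.3.6  CAS array for internal Outlook (MAPI) clients; every database points at the array name.
New-ClientAccessArray -Name "outlook.contoso.local" -Fqdn "outlook.contoso.local" -Site "Default-First-Site-Name"
Get-MailboxDatabase -Server $Server | Set-MailboxDatabase -RpcClientAccessServer "outlook.contoso.local"

# 1.3.7  Outlook Anywhere. Basic authentication over TLS is assumed here because that is what
#        Exchange 2010 hybrid deployments typically run; check what your hybrid wizard run sets.
Enable-OutlookAnywhere -Server $Server -ExternalHostname $ExternalFqdn `
    -ClientAuthenticationMethod Basic -SSLOffloading $false

# Checks: every external URL must be https:// and match a name on the certificate.
Get-WebServicesVirtualDirectory -Server $Server | Format-List Name,ExternalUrl,MRSProxyEnabled
Get-OutlookAnywhere -Server $Server | Format-List ServerName,ExternalHostname,ClientAuthenticationMethod
Get-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint | Format-List Subject,CertificateDomains,Services
```

If the checks show an http:// external URL, or a hostname that is not in CertificateDomains, clients will get certificate warnings and Exchange Online's free/busy and migration calls will fail; fix those before running the hybrid wizard.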

1.3.8    Configuring management interfaces in an Exchange 2010 hybrid deployment

In order to manage the Exchange Online organization from a hybrid server in the on-premises organization, the Exchange Online organization must be added to the Exchange Management Console (EMC).

Installing Microsoft Online Service Sign-In Assistant

Before you can connect the cloud-based organization to the Exchange management console, the Microsoft Online Service Sign-in Assistant must be installed on the hybrid server(s). It basically provides you with sign-in capabilities to Microsoft online services like Office 365.

Adding Exchange Online Organization to the Management Console

You can add your Exchange Online organization to the EMC on any hybrid server by using the following steps:

  • Open the EMC on a hybrid server. In the console tree, click the Microsoft Exchange node. This is the top-most node in the tree
  • In the action pane, click Add Exchange Forest
  • In the Add Exchange Forest dialog box, complete the following fields:
    1. Specify a friendly name for this Exchange forest: type the name of the Exchange forest. This name will display in the console tree
    2. Specify the FQDN or URL of the server running the Remote PowerShell instance: select Exchange Online, which contains the URL necessary to access your Exchange Online organization
    3. Logon with default credential: leave this check box unselected. You will be prompted for the credentials of an administrator in your Exchange Online organization after you click OK

1.3.9   Creating a new hybrid deployment

Use the New Hybrid Configuration wizard to create the foundation for the hybrid deployment. The New Hybrid Configuration wizard creates the HybridConfiguration object in your on-premises Active Directory. This Active Directory object stores the hybrid configuration information for the hybrid deployment.

1.3.10  Configure the hybrid deployment

Use the Manage Hybrid Configuration wizard to configure your Microsoft Exchange organization for the hybrid deployment. The Manage Hybrid Configuration wizard gathers existing Exchange and Active Directory topology configuration data, defines several organization parameters and then runs an extensive sequence of hybrid deployment configuration tasks.

2    Migration Process

Following these steps helps ensure that your Exchange migration has as few issues as possible. Moving through Exchange 2010 has proven to reduce the amount of corruption encountered, and even though each mailbox is moved twice, it takes far less time than migrating directly from Exchange 2003. The migration is therefore done in two steps.

2.1    Migrate Mailboxes from Exchange 2003 to Exchange 2010

  1. Obtain a list of Exchange 2003 mailboxes to be migrated to Office 365
  2. Using the Exchange Management Console or Management Shell, migrate these mailboxes to Exchange 2010

2.2    Migrate Mailboxes from Exchange 2010 to Exchange Online

  1. Open a browser and go to https://portal.microsoftonline.com to log into the Office 365 portal
  2. Provide the credentials for a global administrator account and sign into the portal
  3. On the Office 365 Admin Center page, click Admin in the top right corner of the page, select Exchange Admin Center, and then click Migration
  4. Click the New button and select Migrate to Exchange Online
  5. On the Select a migration type page, select Remote move migration (supported by Exchange 2010 and later versions), then click Next
  6. On the Select the users page, click the Add button to manually select the mailboxes being migrated in the batch (or supply a CSV file with an EmailAddress column)
  7. On the Confirm the migration endpoint page, confirm that the URL of the on-premises hybrid server (the MRS proxy on its EWS virtual directory) is selected, then click Next
  8. On the Move configuration page:
    1. Provide a migration batch name if the mailboxes were selected manually. If the mailboxes were provided through a CSV file, the file name is used as the batch name
    2. For Target delivery domain, select the tenant's coexistence routing domain from the drop-down menu (the onmicrosoft.com domain shown there, typically tenant.mail.onmicrosoft.com)
    3. Accept the default option for the archive
    4. Click Next to continue
  9. On the Start the batch page:
    1. Browse and select a recipient that will receive the migration reports
    2. Select Automatically start the batch
    3. Select Automatically complete the migration batch
  10. Click New to begin the migration
  11. Once completed, assign the necessary Office 365 licenses to the migrated mailboxes and confirm functionality. Do this promptly: an Exchange Online mailbox without a license is kept only for a grace period before it is removed
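Both phases can be scripted, which matters when there are more mailboxes than you want to click through and when you need a record of bad-item counts per mailbox. The following is an added example, not from the original post; the database, endpoint, routing domain, CSV path and report address are assumptions, and the Exchange Online PowerShell URI is the one in use when the post was written, so use the endpoint your tenant documents.

```powershell
# Added example, not from the original post. Assumed names: Exchange 2010 database DB01,
# hybrid endpoint mail.contoso.com, routing domain contoso.mail.onmicrosoft.com, CSV file
# C:\migration\batch1.csv with a single "EmailAddress" column, report recipient
# admin@contoso.com. The Exchange Online PowerShell URI is the one in use when the post was
# written; use the endpoint your tenant documents.

# --- Phase 1, on the Exchange 2010 hybrid server: Exchange 2003 -> Exchange 2010 ---
$users = Import-Csv -Path "C:\migration\batch1.csv"
foreach ($u in $users) {
    # BadItemLimit caps how much corruption is silently skipped; anything above 50 needs
    # -AcceptLargeDataLoss and deserves a look, not a wave-through.
    New-MoveRequest -Identity $u.EmailAddress -TargetDatabase "DB01" -BadItemLimit 50
}
Get-MoveRequest | Get-MoveRequestStatistics |
    Format-Table DisplayName,Status,PercentComplete,BadItemsEncountered -AutoSize
# Only completed moves go on to phase 2; clear the requests once they are done.
Get-MoveRequest -MoveStatus Completed | Remove-MoveRequest -Confirm:$false

# --- Phase 2, from any machine with remote PowerShell access to Exchange Online ---
$cloudCred = Get-Credential   # Office 365 global administrator
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "https://ps.outlook.com/powershell/" -Credential $cloudCred `
    -Authentication Basic -AllowRedirection
Import-PSSession $session

# The migration endpoint is the on-premises MRS proxy (EWS) the wizard confirms in step 7.
$endpoint = Get-MigrationEndpoint | Where-Object { $_.RemoteServer -eq "mail.contoso.com" }
if (-not $endpoint) {
    $onPremCred = Get-Credential   # on-premises account with mailbox migration rights
    $endpoint = New-MigrationEndpoint -ExchangeRemoteMove -Name "Hybrid-MRSProxy" `
        -RemoteServer "mail.contoso.com" -Credentials $onPremCred
}

$csvBytes = [System.IO.File]::ReadAllBytes("C:\migration\batch1.csv")
New-MigrationBatch -Name "Batch1" -SourceEndpoint $endpoint.Identity `
    -TargetDeliveryDomain "contoso.mail.onmicrosoft.com" -CSVData $csvBytes `
    -NotificationEmails "admin@contoso.com" -AutoStart -AutoComplete

# Progress and per-mailbox failures; license the mailboxes as they finalize.
Get-MigrationBatch -Identity "Batch1" | Format-List Status,TotalCount,SyncedCount,FinalizedCount,FailedCount
Get-MigrationUser -BatchId "Batch1" | Format-Table Identity,Status,ErrorSummary -AutoSize
Remove-PSSession $session
```

Run phase 2 only after every mailbox in the CSV shows Completed in phase 1; a mailbox still mid-move on Exchange 2010 fails in the batch with an error rather than waiting.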

“The Public Folder Database cannot be deleted” – Exchange 2007/2010

In migrating from Exchange 2007 to Exchange 2010, one of the decommissioning tasks for Exchange 2007 is to delete the public folder database; however, I kept getting an error saying that the database could not be deleted (the original post shows a screenshot of it).

I ran Get-PublicFolderStatistics -Server E2K7ServerName and it did not show anything! Tried numerous attempts and methods to no avail!

Resolution
In order to resolve this issue, I performed the following steps. They discard whatever is still in that database, so only use them once you have confirmed that no folder content or system folder exists solely on this server and you have a backup of the EDB:

  1. Dismount the public folder database on the Exchange 2007 server
  2. Go to the folder path of the EDB file
  3. Move the EDB file out of the way (delete it only if a backup exists)
  4. Go back to the management console and mount the public folder database. You will get a warning that one or more database files are missing; click OK to mount a blank database file
  5. You should now be able to open the Public Folder Management Console and remove the server from the Replication tab of each of the system folders
  6. Now the database can be deleted successfully
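Before resorting to the blank-database trick, it is worth finding out what still keeps the database alive, which is normally a folder (often a hidden system folder) that lists it as a replica. The following is an added example, not from the original post; the server names are assumptions, and the two replica scripts are the ones that ship in the Exchange scripts folder.

```powershell
# Added example, not from the original post. Assumed names: legacy server E2K7SRV and the
# Exchange 2010 server E2K10SRV that should own any remaining replicas. Run from the Exchange
# Management Shell on the Exchange 2007 server.
$oldServer = "E2K7SRV"
$newServer = "E2K10SRV"

function Get-StaleReplicas {
    # Folders under both the IPM subtree (user folders) and NON_IPM_SUBTREE (system folders
    # such as OFFLINE ADDRESS BOOK and SCHEDULE+ FREE BUSY) that still list the old server.
    foreach ($root in @("\", "\NON_IPM_SUBTREE")) {
        Get-PublicFolder -Identity $root -Server $oldServer -Recurse -ResultSize Unlimited |
            Where-Object { @($_.Replicas | ForEach-Object { "$_" }) -like "*$oldServer*" }
    }
}

$before = @(Get-StaleReplicas)
$before | Format-Table Identity,Replicas -AutoSize

# Move every replica off the old database (scripts shipped with Exchange), or just drop it if
# the new server already holds a copy. Replication takes time; re-check before removing anything.
& "$exscripts\MoveAllReplicas.ps1" -Server $oldServer -NewServer $newServer
# & "$exscripts\RemoveReplicaFromPFRecursive.ps1" -Server $newServer -TopPublicFolder "\" -ServerToRemove $oldServer

$after = @(Get-StaleReplicas)
if ($after.Count -eq 0) {
    $pfdb = Get-PublicFolderDatabase -Server $oldServer
    Dismount-Database -Identity $pfdb.Identity -Confirm:$false
    Remove-PublicFolderDatabase -Identity $pfdb.Identity -Confirm:$false
} else {
    Write-Warning ("{0} folder(s) still replicate to {1}; not removing the database" -f $after.Count, $oldServer)
}
```

If the list is empty yet the removal still fails, the blank-database steps above are the fallback; if it is not empty, removing the database would have lost those folders.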

Office 365 OnRamp “the microsoft office 365 onramp activex control does not appear to be installed” Error

I was doing an assessment for a client to determine their readiness for Office 365. One of the tools available from Microsoft to assess the environment is the OnRamp. OnRamp for Office 365 is an automated assistance tool that helps you gather configuration requirements and perform deployment readiness checks against your on-premises environment.

Requirements for running:

  • minimum OS Windows Server 2008 R2 or Windows 7
  • Internet Explorer 9 or above
  • Administrative rights on the machine

The following are not mentioned in the documentation but are definitely required on the machine as well:

  • On Windows Server, turn off Internet Explorer Enhanced Security Configuration; otherwise the tool fails with an error (the original post shows a screenshot of it). Turn it back on once the assessment is done, since IE ESC is the only thing standing between a server and drive-by web content
  • Add onramp.office365.com to Internet Explorer's Trusted Sites

This will minimize the number of errors you will get when running the tool. For more detailed information, please visit http://technet.microsoft.com/en-us/library/jj993929.aspx.
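Both changes can be made and, more importantly, reverted from PowerShell, which avoids leaving IE ESC disabled on a server after the assessment. This is an added example, not from the original post; it assumes a Windows Server 2008 R2 assessment host and uses the registry locations that Internet Explorer itself writes for these two settings.

```powershell
# Added example, not from the original post. Assumes a Windows Server 2008 R2 assessment host
# and the OnRamp host name given above. Both keys are the ones IE itself writes; changes take
# effect in the next Internet Explorer session.
$escAdmins  = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
$onrampZone = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\office365.com\onramp"

function Set-IeEscForAdmins([bool]$Enabled) {
    # IE Enhanced Security Configuration for members of Administrators: 1 = on, 0 = off.
    Set-ItemProperty -Path $escAdmins -Name IsInstalled -Type DWord -Value ([int]$Enabled)
}

function Add-OnRampTrustedSite {
    # Zone 2 = Trusted sites. Register https only, so plain-http onramp.office365.com is not trusted.
    if (-not (Test-Path $onrampZone)) { New-Item -Path $onrampZone -Force | Out-Null }
    Set-ItemProperty -Path $onrampZone -Name https -Type DWord -Value 2
}

function Remove-OnRampTrustedSite {
    if (Test-Path $onrampZone) { Remove-Item -Path $onrampZone -Recurse }
}

# Before the assessment:
Set-IeEscForAdmins $false
Add-OnRampTrustedSite
# After the assessment, put the server back the way it was:
# Set-IeEscForAdmins $true
# Remove-OnRampTrustedSite
```

Better still, run OnRamp from a Windows 7 workstation, which has no IE ESC to disable in the first place.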

 

Exchange 2010 Retention Policy to Clear Deleted Items

Creating Exchange 2010 Retention Policy Tags and Retention Policies

Retention policies can be used by organizations to limit the amount of data stored in their mailboxes and at the same time keep the amount of unnecessary mail items to a minimum.

Scenario – An organization would like to implement a policy that performs the following:

  1. Clear the Deleted Items folder of items that have passed their retention deadline of 30 days
  2. Only the last 365 days' worth of mail items should remain in the mailbox
  3. These policies should not apply to default folders such as Notes and Contacts

Depending on how they’re applied to mailbox items, retention tags are categorized as the following three types.

  • Default Policy Tags (DPTs), which apply to untagged items in the mailbox – untagged items being items that don’t have a retention tag applied directly or by inheritance from parent folder. You can create three types of DPTs: an archive DPT, a delete DPT and a DPT for voicemail messages
  • Retention Policy Tags (RPTs), which are retention tags with a delete action, created for default folders such as Inbox and Deleted Items. Not all default folders are supported: in Exchange 2010 RTM, Calendar, Tasks and Contacts aren't supported; SP1 added RPTs for Calendar and Tasks, while Contacts remains unsupported
  • Personal Tags, which are retention tags that users can apply to items and folders in Outlook 2010 and Outlook Web App. Personal tags can either be delete tags or archive tags. They’re surfaced in Outlook 2010 and OWA as Retention policies and Archive policies

Create Retention Policy Tags

First step is to create the various tags for each of the tasks that need to be done. The first tag we are creating is for the Deleted items.

“Clear Deleted Items” Policy Tag

  1. In the console tree, expand the forest you want, and then navigate to Organization Configuration > Mailbox
  2. In the action pane, click New Retention Policy Tag
  3. On the New Retention Policy Tag page, complete the following fields:
    1. Tag Name: type a name for the retention tag. This is the name of the retention tag object in Active Directory and can contain up to 64 characters
    2. Tag Type: select the type of retention tag that you want to create. To create an RPT for a default folder (for example, Inbox), select the default folder name; for this tag select Deleted Items. To create a DPT, select All other folders in the mailbox. To create a personal tag, select Personal Folder
    3. Age limit for retention (days): click this button to specify that items have a retention period, and type the number of days in the text box (the range is 1 through 24,855 days). For this tag, enter 30
    4. Action to take when the age limit is reached: after selecting an age limit, choose what happens to an item once it is past the limit. The choices are:
       • Delete and Allow Recovery: messages are deleted but can be recovered by the user with the Recover Deleted Items feature in Outlook or Outlook Web App, for as long as the deleted item retention window lasts
       • Permanently Delete: messages are permanently deleted and aren't recoverable by the user
       • Move to Archive: messages are automatically moved to the user's archive mailbox. If the user has no archive mailbox, no action is taken
    5. Disable this tag: click this button to disable processing of this tag. The Managed Folder Assistant won't process messages that have a disabled tag applied
    6. Comments: type a comment that will be displayed to the user in Outlook. For example, to alert users that MRM is enabled on the folder, you could type "Messages are removed from this folder after 120 days." The maximum length of this comment is 255 characters
  4. On the Completion page, click Finish to close the wizard


“Retain 365 Days’ Worth of Mail Data” Policy Tag

This policy tag is a default policy tag that removes any mail item in the mailbox that is over a year old, so that the mailbox contains only items up to 365 days in age.

Follow the same steps identified in the previous section to create a new retention policy tag with the following changes:

  • In the Tag Type option, select All other folders in the mailbox
  • In the Age Limit for Retention option, enter 365 days
  • In the Action to take when the age limit is reached select the desired action


Default Folder Tags

To prevent the DPT from being applied to a default folder, you can create a disabled RPT for that folder (or disable any existing RPT for that folder). The Managed Folder Assistant, a mailbox assistant that processes mailbox items and applies retention policies, does not apply the retention action of a disabled tag. Since the item/folder still has a tag, it is not considered untagged and the DPT isn’t applied to it.

Create a disabled retention policy tag for each of the folders (Calendar, Notes, Tasks and so on) that the policy must not touch; the original post shows a screenshot of the result. Calendar and Tasks require Exchange 2010 SP1 or later, and Contacts is not a supported RPT folder (see the note on tag types above), so it cannot be protected this way.

Create a Retention Policy to be associated with Retention Policy Tag

Using retention policies, you can group one or more retention tags and apply them to mailboxes. A mailbox can't have more than one retention policy. Retention tags can be linked to or removed from a retention policy at any time. Before you begin, check that no retention policy with the same name already exists in your Exchange organization and that the retention tags you want to link have been created.

You can create a retention policy without linking any retention tags to it. Retention tags can be added or removed from a retention policy at any time. However, tags aren’t applied to a mailbox until they’re linked to a retention policy and the Managed Folder Assistant processes the mailbox.

  1. In the console tree, expand the forest you want, and then navigate to Organization Configuration > Mailbox
  2. In the action pane, click New Retention Policy
  3. On the Introduction page, complete the following fields:
    1. Name: type a name for the retention policy
    2. Add: click this button to add retention tags to the policy
  4. On the Select Mailboxes page, click Add to select the mailboxes to which you want to apply the retention policy
  5. On the New Retention Policy page, review your configuration settings. To create the retention policy, click New, then click Finish to close the wizard


Apply the policy to a mailbox

You can use retention policies to group one or more retention tags and apply them to mailboxes to enforce message retention settings. A mailbox can’t have more than one retention policy.

Messages are expired based on the settings defined in the retention tags linked to the policy. These settings include actions such as moving messages to the personal archive or permanently deleting them. Before applying a retention policy to one or more mailboxes, test the policy on a pilot mailbox and inspect each retention tag associated with it; a wrong age limit on a DPT deletes mail from every folder that is not protected by its own tag.

  1. In the console tree, expand the forest you want, and then navigate to Recipient Configuration > Mailbox
  2. In the result pane, select the mailbox to which you want to apply the retention policy. You can select multiple mailboxes by using the Shift or Ctrl keys
  3. In the action pane, click Properties
  4. In <Mailbox User> Properties, on the Mailbox Settings tab, select Messaging Records Management, and then click Properties
  5. In Messaging Records Management, select the Apply Retention Policy check box, and then click Browse to select the retention policy you want to apply to the mailbox.
  6. Click OK, and then in <Mailbox User> Properties, click Apply

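The whole design, the two active tags, the disabled tags for protected folders, the policy and the pilot assignment, can be built from the Exchange Management Shell. This is an added example, not code from the original post; the tag, policy and mailbox names are assumptions. Because which default folders accept an RPT depends on the service pack, the disabled tags are created one at a time and a failure is reported rather than aborting the run.

```powershell
# Added example, not from the original post. Assumed names: tags "DeletedItems-30d" and
# "AllMail-365d", policy "Corp-Mail-365", pilot mailbox pilot.user@contoso.com.

# 1. RPT for Deleted Items: 30 days, then delete but keep recoverable via Recover Deleted Items.
New-RetentionPolicyTag -Name "DeletedItems-30d" -Type DeletedItems `
    -AgeLimitForRetention 30 -RetentionAction DeleteAndAllowRecovery `
    -Comment "Items in Deleted Items are removed after 30 days."

# 2. DPT for everything untagged: remove mail older than a year. DeleteAndAllowRecovery rather
#    than PermanentlyDelete, so a mistake in the policy is recoverable for the deleted-item
#    retention window; pick MoveToArchive instead if archive mailboxes exist.
New-RetentionPolicyTag -Name "AllMail-365d" -Type All `
    -AgeLimitForRetention 365 -RetentionAction DeleteAndAllowRecovery `
    -Comment "Mail older than 365 days is removed from this mailbox."

# 3. Disabled RPTs: a folder that carries any tag is no longer "untagged", so the DPT skips it.
#    Folder support varies by service pack, so each one is attempted separately.
$protected = @("Calendar", "Contacts", "Notes", "Tasks", "Journal")
$created = @()
foreach ($folder in $protected) {
    try {
        New-RetentionPolicyTag -Name "Keep-$folder" -Type $folder -RetentionEnabled $false -ErrorAction Stop | Out-Null
        $created += "Keep-$folder"
    } catch {
        Write-Warning "No retention policy tag for '$folder' on this build: $($_.Exception.Message)"
    }
}

# 4. One policy carrying all tags; a mailbox can have only one policy, so everything goes here.
New-RetentionPolicy -Name "Corp-Mail-365" -RetentionPolicyTagLinks (@("DeletedItems-30d", "AllMail-365d") + $created)

# 5. Pilot on one mailbox, run the Managed Folder Assistant, and look at what it did before
#    assigning the policy to the wider population.
Set-Mailbox -Identity "pilot.user@contoso.com" -RetentionPolicy "Corp-Mail-365"
Start-ManagedFolderAssistant -Identity "pilot.user@contoso.com"
Get-RetentionPolicyTag | Format-Table Name,Type,AgeLimitForRetention,RetentionAction,RetentionEnabled -AutoSize
Get-MailboxFolderStatistics -Identity "pilot.user@contoso.com" |
    Format-Table Name,ItemsInFolder,FolderSize -AutoSize
```

Compare the folder statistics before and after the assistant runs; the protected folders should be unchanged, Deleted Items should have lost everything older than 30 days, and only then should Set-Mailbox be run against the remaining mailboxes.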

Configuring Mailbox Quota Messages to Messaging Administrators

In Exchange, storage quotas allow messaging administrators to control the size of mailboxes and manage the growth of mailbox databases. As storage is cheap these days, many organizations decide not to put any limits on mailbox storage sizes. This can cause the mailbox database sizes to balloon to unmanageable sizes, thus causing long backup and restore times, sometimes failure of backups, long and unfinished online maintenance and takes ridiculous amounts of time to perform any offline maintenance.
It is highly recommended to place mailbox storage quotas on all new deployments of Exchange to avoid these issues. Quota limits can always be changed on individual mailboxes that may require additional storage sizes. The following limits can be placed on mailbox databases:

  • Issue warning at (KB)   Use to specify the maximum storage limit in kilobytes (KB) before a warning is issued to the mailbox user. The value range is from 0 through 2,147,483,647 KB. If the mailbox size reaches or exceeds the value specified, Exchange sends a warning message to the mailbox user
  • Prohibit send at (KB)   Use to specify a prohibit send limit in KB for the mailbox. The value range is from 0 through 2,147,483,647 KB. If the mailbox size reaches or exceeds the specified limit, Exchange prevents the mailbox user from sending new messages and displays a descriptive error message
  • Prohibit send and receive at (KB)   Use to specify a prohibit send and receive limit in KB for the mailbox. The value range is from 0 through 2,147,483,647 KB. If the mailbox size reaches or exceeds the specified limit, Exchange prevents the mailbox user from sending new messages and won’t deliver any new messages to the mailbox. Any messages sent to the mailbox are returned to the sender with a descriptive error message

Users will usually ignore such warning messages and only contact administrators once their mailboxes can no longer send or receive mail. To work around this, monitoring applications can watch mailbox sizes and notify administrators. For organizations that do not have a monitoring application, an Exchange transport rule can do the job.

A quota message is an e-mail message that’s automatically sent by Microsoft Exchange to the owners of a mailbox when a size limit (called a storage quota) for the mailbox is exceeded. Quota messages are sent with high importance and aren’t subject to storage quotas. They’re always delivered, even if the recipient’s mailbox is full. The table below shows the mailbox quota messages sent by exchange

  • Mailbox of unlimited size exceeds its Issue warning quota
    Subject: Your mailbox is becoming too large
    Text: Please reduce your mailbox size. Delete any items you don't need from your mailbox and empty your Deleted Items folder.
  • Mailbox of limited size exceeds its Issue warning quota
    Subject: Your mailbox is almost full
    Text: Please reduce your mailbox size. Delete any items you don't need from your mailbox and empty your Deleted Items folder.
  • Mailbox of limited size exceeds its Prohibit send quota
    Subject: Your mailbox is full
    Text: Your mailbox can no longer send messages. Please reduce your mailbox size. Delete any items you don't need from your mailbox and empty your Deleted Items folder.
  • Mailbox of limited size exceeds its Prohibit send and receive quota
    Subject: Your mailbox is full
    Text: Your mailbox can no longer send or receive messages. Please reduce your mailbox size. Delete any items you don't need from your mailbox and empty your Deleted Items folder.

Important: The message associated with the Issue warning quota won't be sent to the user unless the value of the quota is greater than 50% of the value specified in the Prohibit send quota. For example, if you set the Prohibit send quota to 8 MB, you must set the Issue warning quota to at least 4 MB. If you don't, the Issue warning quota message won't be sent.

For an administrator to receive the quota messages as well, create a transport rule using the following steps. Note that the rule as described matches on subject text alone, so any message whose subject contains the phrase, including ordinary user mail, would be copied to the administrators; add a sender condition on the Conditions page (quota messages are sent by the Microsoft Exchange system mailbox) to limit the rule to genuine quota messages.

  1. Navigate to Organization Configuration > Hub Transport. In the result pane, click the Transport Rules tab. In the action pane, click New Transport Rule
  2. On the Introduction page, provide a meaningful name for the rule and enter a descriptive comment (highly recommended) so other administrators know what it is for. The Enable Rule check box is selected by default; leave it selected
  3. On the Conditions page, in the Step 1. Select condition(s) box, select When the Subject field contains specific words
  4. This condition requires a value: in the Step 2. Edit the rule description by clicking an underlined value box, click the blue underlined word
  5. Enter "your mailbox is" as the phrase to match, click Add, then OK to return to the wizard. Click Next to continue
  6. On the Actions page, in the Step 1. Select actions box, select Blind carbon copy (Bcc) the message to addresses
  7. Click the blue underlined word and enter the address of the administrator (or of a distribution group containing the administrators), click OK, and after all actions are configured click Next
  8. On the Exceptions page, no changes are needed, so click Next to continue
  9. On the Create Rule page, review the Configuration Summary. If you're satisfied with the configuration of the new rule, click New
  10. On the Completion page, review the following, and then click Finish to close the wizard:
    • A status of Completed indicates that the wizard completed the task successfully.
    • A status of Failed indicates that the task wasn't completed. If the task fails, review the summary for an explanation and then click Back to make any configuration changes.
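The same rule from the shell, with the sender condition the wizard steps above leave out, plus a check on the quotas themselves against the 50% rule from the Important note. This is an added example, not from the original post; the distribution group address is an assumption, and the system sender fragment is the alias of the "Microsoft Exchange" mailbox that sends quota messages in Exchange 2010, which you should confirm against the From address of a real quota message before relying on it.

```powershell
# Added example, not from the original post. Assumed address for the administrators'
# distribution group: exchange-admins@contoso.com. The system sender fragment below is the
# alias of the "Microsoft Exchange" mailbox that sends quota messages in Exchange 2010;
# confirm it against the From address of a real quota message before relying on it.
$adminDl      = "exchange-admins@contoso.com"
$systemSender = "MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e"

# The wizard steps above key on the subject only, which would also Bcc ordinary user mail that
# happens to contain "your mailbox is" in its subject. The sender condition keeps the rule to
# genuine quota messages.
New-TransportRule -Name "Bcc mailbox quota messages to messaging admins" `
    -Comments "Copies Exchange quota warnings to $adminDl so admins act before users call." `
    -Enabled $true `
    -SubjectContainsWords "your mailbox is" `
    -FromAddressContainsWords $systemSender `
    -BlindCopyTo $adminDl

# Sanity check on the quotas: the Issue warning message is only sent when the warning quota is
# above 50% of the Prohibit send quota, so flag databases where it is not.
Get-MailboxDatabase | Where-Object {
    -not $_.ProhibitSendQuota.IsUnlimited -and -not $_.IssueWarningQuota.IsUnlimited -and
    $_.IssueWarningQuota.Value.ToBytes() -le ($_.ProhibitSendQuota.Value.ToBytes() / 2)
} | Format-Table Name,IssueWarningQuota,ProhibitSendQuota -AutoSize

Get-TransportRule -Identity "Bcc mailbox quota messages to messaging admins" |
    Format-List Name,Priority,Conditions,Actions
```

Any database listed by the quota check will never send the warning message, so users there go straight from normal operation to "Your mailbox is full"; raise its Issue warning quota first, then confirm a test mailbox pushed over the limit produces a Bcc to the group.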