MSB365

Mass Email with Exchange Online: Pros, Cons, Limits & Better Alternatives

drago — Tue, 17 Mar 2026 09:36:22 +0000

Email Strategy

Exchange Online excels at business email but was never built to be a bulk marketing engine.
This article provides a complete technical overview of limits, risks, best‑practice architecture and alternatives for high‑volume or marketing email delivery.

Per‑mailbox limit (24h)

~10,000

Send rate

~30/min

Tenant external cap

License‑based TERRL

When Exchange Online can work

Exchange Online works fine when message volume stays low and recipients are primarily internal.

Small internal communications.
Department updates, announcements, emergencies.
Internal distribution lists count as 1 recipient.
No additional systems or APIs required.

Technical and deliverability limitations

Exchange Online includes strict policies to protect the service from abuse, spam and compromised accounts.

Not designed for marketing or bulk sending.
High risk of throttling (per‑minute and per‑day limits).
Risk of IP warm‑up issues and reputation drops.
No proper bounce handling or suppression lists.
Limited analytics (opens, complaints, deliverability).
CAN‑SPAM / GDPR compliance must be handled manually.

Key technical limits

Mailbox-level limits

~10,000 recipients per 24h per mailbox.
~30 messages per minute.
Dynamic throttling when patterns look like bulk sending.
Automated lockout if Exchange detects spam‑like patterns.

Tenant-wide TERRL (Tenant External Recipient Rate Limit)

TERRL depends on your M365 license count. Higher license volume → more outbound capacity.

Licenses	Recipients / 24h
1	10,000
25	≈14,000+
100	≈28,000+
1,000	≈72,000+

TERRL is not officially published in detail. Microsoft adjusts thresholds dynamically to protect global capacity.
As a rule: **Exchange Online is not a bulk sender and scales poorly for newsletters**.

Deliverability challenges

Shared Microsoft IP pools → reputation varies.
No ability to warm up IPs for new volumes.
No feedback loops with major ISPs (Outlook.com, Gmail, Yahoo).
Risk of domain reputation damage if recipients mark mails as spam.
Lack of automated bounce categorization (hard/soft/subscription).

Domain strategy: Use a dedicated subdomain

Separating marketing email protects your primary business domain.

Use e.g. news.yourdomain.tld, mail.yourdomain.tld or updates.yourdomain.tld.
Independent SPF, DKIM, DMARC policies.
Protects your main domain from reputation damage.
Allows independent DNS routing (e.g., towards ACS or Mailchimp).

Recommended DNS setup

SPF: include only required platforms.
DKIM: sign from dedicated selector.
DMARC: use p=none for warm‑up → later quarantine → reject.
Optional: BIMI increases trust at Gmail/Yahoo.

Better platforms for newsletters

For real newsletters or any type of marketing automation:

Professional templates & responsive layouts.
List management (subscriptions, bounce lists, suppression lists).
A/B testing, analytics, link tracking.
Compliance (opt‑in, double opt‑in, unsubscribe pages).
High deliverability via dedicated warm IP pools.

Examples

Mailchimp
Brevo (Sendinblue)
HubSpot
Klaviyo
CleverReach

Azure Communication Services (ACS)

For automated or transactional email

ACS is excellent for application‑driven email delivery:

API-first, scalable email service.
Supports templating & dynamic content.
Custom domain support with DKIM/DMARC.
High throughput and queue-based delivery.
Ideal for apps: invoices, password resets, confirmations.

When ACS is better than Exchange Online

You send >5,000 external transactional emails/day.
You need automated retries, bounce classification, webhooks.
You require custom integration via Node.js, .NET, Python.
You want to avoid throttling and protect your business domain.

Best practices and recommendations

If you must use Exchange Online

Send slowly (intervals between batches).
Use dynamic distribution lists to reduce message count.
Do not send marketing mail from shared mailboxes.
Limit daily volume to 2,000–3,000 recipients to avoid throttling.
Implement SPF, DKIM, DMARC correctly.
Monitor message trace for throttling patterns.

If you want zero risk

Use a marketing platform for newsletters.
Use ACS for system-generated mail.
Separate domains and DNS policies per use case.

Conclusion

Exchange Online is a world-class business email platform but fundamentally not designed for
marketing, bulk or high-volume transactional email.
For newsletters use a dedicated marketing platform;
for scalable transactional email use ACS.
This protects your domain reputation, increases deliverability and ensures full compliance.

Cleaning Meetings in M365

drago — Mon, 09 Mar 2026 10:25:09 +0000

This documentation describes how to properly cancel and remove meetings and recurring meetings organized by a departed employee from the calendars of all attendees and resource calendars (e.g., conference rooms) in Microsoft 365.

Important Prerequisite: The departed employee’s mailbox must not be permanently deleted yet. Execute these steps as part of the offboarding process, before the account is completely removed from Microsoft 365.

Method 1: The Best Practice Approach (PowerShell)

This is the official and most efficient method. It automatically sends cancellations to all attendees and frees up previously booked rooms.

Step 1: Check Prerequisites & Install Module

Launch PowerShell as an Administrator. If you haven’t already, you need to install the Exchange Online module:

Install-Module -Name ExchangeOnlineManagement -Force

Step 2: Connect to Exchange Online

Connect-ExchangeOnline -UserPrincipalName [email protected]

Step 3: Delete Meetings (Remove-CalendarEvents)

Use the Remove-CalendarEvents cmdlet to cancel the meetings. Here are two typical use cases:

Use Case A: Standard Cleanup (1 Year)

Employee John Doe is leaving the company. All of his future meetings for the upcoming year should be canceled.

Remove-CalendarEvents -Identity "[email protected]" -CancelOrganizedMeetings -QueryWindowInDays 365

Use Case B: Preview Affected Meetings (WhatIf)

If you are unsure and want to see which meetings would be deleted without actually executing the command, use the -WhatIf switch:

Remove-CalendarEvents -Identity "[email protected]" -CancelOrganizedMeetings -QueryWindowInDays 120 -WhatIf

Step 4: Disconnect Session

For security reasons, always disconnect your session after successfully completing your tasks:

Disconnect-ExchangeOnline -Confirm:$false

Method 2: The Manual Workaround (Web Interface / GUI)

Use this method only if you lack PowerShell permissions or if you need to manually manage a specific, single recurring meeting.

Step 1: Convert to a Shared Mailbox

Open the Microsoft 365 admin center.
Go to Users > Active users.
Click on the departed employee’s name.
Select the Mail tab and click on Convert to shared mailbox.

Step 2: Grant Full Access Permissions

Scroll down in the user’s Mail settings to Mailbox permissions.
Click on Manage mailbox permissions.
Add your own Admin account under Read and manage (Full Access).

Note: It can take up to 60 minutes for the permissions to fully synchronize across the cloud.

Step 3: Open Mailbox and Cancel the Series

Open Outlook on the web (OWA) with your Admin account.
Click on your profile picture in the top right corner and select Open another mailbox…
Enter the email address of the departed employee and open it.
Switch to the Calendar view.
Locate the recurring meeting in question.
Right-click it and select Cancel -> Cancel series.
Send the cancellation. The meeting will now be removed from all attendees’ calendars.

How to Configure a PIN-Protected PSTN Call Flow in Microsoft Teams (Calling Plans)

drago — Fri, 27 Feb 2026 07:01:57 +0000

Securing a specific phone number so that only authorized callers can reach the destination is a common request in modern telecommunications. But how do you achieve this in Microsoft Teams Phone when you are using Microsoft Calling Plans and don’t have a Session Border Controller (SBC) to handle complex pre-routing logic?

In this guide, we will walk you through a highly effective configuration workaround that uses native Teams features to create a PIN-protected entry point.

[Insert your flowchart diagram here showing PSTN call routing with PIN authentication]

The Use Case: Why Are We Doing This?

Imagine you have a dedicated VIP support hotline, an emergency IT-escalation number, or an exclusive dial-in for remote field workers. You publish a standard PSTN number, but you only want the call to ring the target team if the caller knows a specific secret code (PIN).

The Desired Flow:

Caller dials the PSTN number.
Caller hears an announcement: “Please enter your access code.”
If correct: The call is routed to the target user or Call Queue.
If incorrect / no input: The caller is told the code is invalid, and the call drops.

The Challenge: Microsoft Teams Calling Plans Limitations

If you use Direct Routing, an SBC (like AudioCodes or Ribbon) would intercept the call, ask for the PIN, verify it, and then forward the call to Teams. However, with Microsoft Calling Plans, the call goes straight into the Microsoft cloud. Microsoft Teams does not have a native “Require PIN” toggle for Auto Attendants.

The Solution: The “Dial by Extension” Hack. We will configure an Auto Attendant to ask for the PIN, but technically, Teams will be using its Dial by extension feature. The “PIN” will actually be the target user’s configured extension.

Pros and Cons of This Configuration

Advantages (Why we do it this way)	Disadvantages (What you need to know)
No Extra Costs: Uses existing Teams Phone licenses and Auto Attendants. Fully Cloud-Native: No SBC, on-prem hardware, or Azure Communication Services development required. Simple to Maintain: PINs can be updated by changing a user’s extension in Entra ID.	Not Enterprise-Grade Security: This is a routing trick, not cryptographic multi-factor authentication. Static System Prompts: If the user enters a wrong PIN, Teams plays a default system message (e.g., “We didn’t find a match”) before dropping the call. You cannot fully customize the “Wrong PIN” audio prompt. Directory Search Limits: The PIN (extension) must be uniquely assigned to a user in your directory.

Advantages (Why we do it this way)

Disadvantages (What you need to know)

No Extra Costs: Uses existing Teams Phone licenses and Auto Attendants.
Fully Cloud-Native: No SBC, on-prem hardware, or Azure Communication Services development required.
Simple to Maintain: PINs can be updated by changing a user’s extension in Entra ID.

Not Enterprise-Grade Security: This is a routing trick, not cryptographic multi-factor authentication.
Static System Prompts: If the user enters a wrong PIN, Teams plays a default system message (e.g., “We didn’t find a match”) before dropping the call. You cannot fully customize the “Wrong PIN” audio prompt.
Directory Search Limits: The PIN (extension) must be uniquely assigned to a user in your directory.

Step-by-Step Configuration Guide

Follow these steps to set up the PIN-protected routing in your Microsoft 365 environment.

1 Prepare the Target User (Assigning the “PIN”)

First, we need to assign the secret PIN as an extension to the user who should receive the calls.

Go to the Microsoft 365 Admin Center > Users > Active users.
Select the target user (this user must have a Teams Phone license).
Go to Manage contact information.
In the Office phone field, enter a dummy number with the desired PIN as the extension. Format it strictly like this: +10000000000;ext=8524 (Assuming 8524 is your desired PIN).
Save the changes. Note: It can take up to 24 hours for the Teams directory sync to recognize the new extension, though it often takes only a few hours.

Pro Tip: If you want the call to go to a Call Queue instead of a single person, assign this extension to a “dummy” licensed user account, and set that user’s Teams client to immediately forward all calls to the desired Call Queue.

2 Create the “PIN Gateway” Auto Attendant

Now, we create the Auto Attendant that will act as the gatekeeper.

Open the Teams Admin Center.
Navigate to Voice > Auto attendants and click Add.
Name it something like AA – PIN Gateway.
Set the Operator to “Disconnect” (since we don’t want callers bypassing the PIN).
Set the Time Zone and Language. (The language determines the voice of the default system error messages).

3 Configure Call Flow & Menu Options

This is where the magic happens. We will use the Menu Options to force the caller to interact, allowing the Directory Search to capture their DTMF (keypad) input.

Under Call flow, choose Play menu options.
For the audio, choose Play an audio file. Upload a professionally recorded MP3 or WAV file that says: “Welcome. Please enter your 4-digit access code to proceed. If you do not have a code, please hang up.”
Crucial Step: Do NOT assign any keys (0-9) to routing options. Leave the dial pad assignments empty.
Under Directory search, select Dial by extension.

What happens here? The Auto Attendant plays your custom audio. Because “Dial by extension” is enabled, it listens for keypad inputs. If the caller types 8524, the system searches the directory, finds the user from Step 1, and routes the call to them.

4 Configure Default Routing (For incorrect / no PIN)

We must define what happens if the caller just waits and presses nothing.

Still in the Call flow section, look for the setting regarding what happens when callers don’t make a choice (Timeout).
Set the default action to Disconnect.

What about wrong PINs? If a caller enters 1111, Teams will look for extension 1111. When it doesn’t find it, the Microsoft default voice will say “We couldn’t find a match.” After a few failed attempts, the system automatically drops the call. This fulfills the requirement that invalid codes cannot proceed.

5 Assign the PSTN Number via Resource Account

Finally, we need to make this Auto Attendant reachable from the outside world.

Create a new Resource Account in the Teams Admin Center.
Assign a Microsoft Teams Phone Resource Account license to it.
Acquire a PSTN number from your Microsoft Calling Plans inventory and assign it to this Resource Account.
Assign this Resource Account to your newly created Auto Attendant.

Conclusion

While Microsoft Teams doesn’t offer a simple “PIN toggle,” utilizing the Dial by extension feature provides a robust, zero-cost workaround for Microsoft Calling Plan users. It successfully gates a phone line behind a numeric code, ensuring only authorized callers reach your internal teams, all while keeping your infrastructure 100% in the cloud.

Bridging the Gap: Mastering M365 Cross-Tenant Calendar Sharing

drago — Mon, 23 Feb 2026 07:27:10 +0000

In today’s interconnected business world, organizations rarely operate in isolation. Whether it’s a merger, a holding structure with multiple subsidiaries, or a long-term joint venture, the need to see “when” a colleague from another organization is available is critical.

Scheduling meetings via email ping-pong (“Are you free Tuesday at 2?” – “No, how about Wednesday?”) is inefficient. The solution lies within Exchange Online Organization Relationships. This guide walks you through the “Why”, the “How”, and the “What to Expect”.

Real-World Use Cases

Before we dive into the configuration, let’s look at where this setup delivers the most value:

Mergers & Acquisitions

Scenario: Company A buys Company B. Migration takes months, but management needs to schedule meetings today.

Benefit: Instant visibility of Free/Busy times across both tenants without waiting for full IT integration.

Holding Structures

Scenario: A parent company has 5 subsidiaries, each with its own M365 tenant.

Benefit: Seamless scheduling across the entire group while keeping data and administration strictly separated.

Joint Ventures

Scenario: Two independent companies work on a major project for 12 months.

Benefit: Teams can collaborate as if they were in the same office, without needing Guest Accounts for every single user.

Technical Guide: Setting Up Organization Relationships

This configuration establishes a trust relationship specifically for calendar data. It does not give access to emails or files.

Admin Requirement: This configuration must be performed mirrored on both tenants (Tenant A -> Tenant B, and Tenant B -> Tenant A) for the access to work bi-directionally.

Step-by-Step Configuration

Step 1: Access the Exchange Admin Center
Navigate to admin.exchange.microsoft.com with Global Admin or Exchange Admin credentials.

Step 2: Locate Sharing Settings
In the left-hand menu, go to Organization > Sharing.

Step 3: Add Relationship
Find the Organization Sharing section and click on Add organization relationship.

Step 4: Configure Domain & Permissions

Relationship Name: E.g., “To Partner Company”.
Domains to share with: Enter the partner’s domain (e.g., partner-company.com).
Sharing Level: Enable “Calendar free/busy information sharing”.

Decision Point: Choose your level of transparency:

Time only: Users see “Busy” blocks. Good for loose partnerships.
Time, subject, and location: Users see “Meeting with Client X in Room 202”. Recommended for M&A and internal holdings.

Propagation Time: Once both sides have configured this, it can take up to 24 hours for Microsoft’s backend to replicate the settings. Patience is key!

User Experience: How to View the Calendar

Unlike internal colleagues, external calendars don’t just “appear.” Users need to add them once.

In Outlook (New / Web / Classic)

Go to the Calendar View.
Select Add Calendar > From Directory (or use the search bar).
Type the full email address of the external colleague (e.g., john.doe@partner-company.com).
Click Open/Add.

Outlook will now query the external tenant and display the availability side-by-side with your own calendar.

The Capabilities Matrix: Managing Expectations

It is crucial to understand that an Organization Relationship is a “Look but don’t touch” scenario. Here is a breakdown of what is technically possible:

Feature	Status	Details
View Free/Busy Status	Yes	You can see when they are available for a meeting.
View Subject & Location	Yes	Only if enabled by Admins in Step 4.
Edit/Delete Appointments	No	Read-Only access. You cannot modify their calendar.
Create Items in their Calendar	No	You cannot place an appointment directly into their calendar; you must send a meeting invite.
View Private Items	No	Private appointments remain private (shown only as “Private” or “Busy”).
Open Attachments	No	You cannot see meeting agendas, files, or body text inside the appointment.
Mobile App Sync	Partial	External calendars often require adding via Desktop first to appear in the Outlook Mobile App.

Conclusion

Setting up an Organization Relationship is a quick, high-impact win for IT departments managing split environments. It solves the number one scheduling headache without the security complexity of full Guest Access or Trust setups.

Need to go a step further and allow users to act as delegates or sync users as contacts? Contact us to discuss Cross-Tenant Synchronization.

Microsoft Teams Shared Locations

drago — Mon, 26 Jan 2026 07:42:35 +0000

Technical Deep Dive 2026

A comprehensive guide to mobile sharing, AI-driven Wi-Fi detection, and enterprise privacy.

In the modern era of hybrid work, the question “Where are you?” has replaced “How are you?” as the most common workplace icebreaker. As of 2026, Microsoft has significantly expanded how Teams handles physical presence—moving from simple manual pin-drops to AI-driven, network-aware location intelligence.

1. The Three Faces of Location in Teams

To understand the functionality, we must distinguish between three different features that often get confused in the Microsoft 365 ecosystem:

Feature	Primary Use Case	Device	Data Type
Shared Location (Chat)	Real-time GPS sharing with a specific contact.	Mobile (iOS/Android)	Precise GPS Coordinates
Work Location (Status)	Indicating “In the Office” or “Remote”.	Desktop & Mobile	Building name or generic status
Smart Detection (2026)	Auto-updating office location via Wi-Fi.	Desktop & Mobile	Network-based (BSSID)

2. Deep Dive: Shared Location in Mobile Chat

This remains the most “active” form of sharing. It is a mobile-centric feature that allows users to share their physical coordinates via a Teams chat or group channel.

Static vs. Live Location

Static Location: A snapshot of your current position. Once sent, the pin stays where you were at that moment.
Live Location (Real-Time): A continuous stream. As of the latest updates, users can share this for 30 minutes, 1 hour, or 8 hours.

How to trigger it:
Tap the “+” (Plus) icon in a mobile chat > Select Location.

Note: Since 2025, a mandatory App-level Consent Popup appears, ensuring users are aware of the tracking duration.

3. The 2026 Game Changer: Automatic Wi-Fi Detection

Following the roadmap milestones of late 2025, Microsoft has finalized the rollout of Smart Work Location Tracking (Roadmap ID: 409534).

Teams now recognizes your organization’s Wi-Fi access points (BSSIDs). When your laptop connects to a registered corporate network, Teams automatically updates your status to “Working from Building A, Floor 3”.

Privacy Guardrail

This feature only triggers during your defined “Working Hours” in Outlook. It stays dormant during personal time.

Opt-in Culture

It is Off by default. Both Admin policies and User consent must be granted simultaneously to activate tracking.

4. Administrative Configuration & Compliance

For IT Admins, the control center has evolved. Location-Based Services (LBS) are now managed under a unified privacy framework.

The Messaging Policy

In the Teams Admin Center (TAC), the toggle “Send location in messages” controls whether the mobile sharing icon is visible to your users. If disabled, the entire Location sub-menu disappears from the mobile app.

Data Residency

A critical point for compliance officers: Microsoft Teams does not store a historical movement log. The data is transient. Once a live session ends, the real-time coordinates are purged from the active session, though the chat message itself follows your organization’s standard retention policy.

5. Frequently Asked Questions

Can my manager see a map of my movements all day?

Absolutely not. Microsoft Teams does not provide a “surveillance dashboard.” Location data is only used to update your status or shared manually in a chat. There is no admin command to “ping” an employee’s location without their knowledge.

Why can’t I see the “Location” button on my Desktop app?

Precise GPS sharing is a mobile-only feature because desktops generally lack GPS hardware. Desktop users can only set their “Work Location” (status) or use the Smart Wi-Fi detection if enabled.

Official Sources & Technical Documentation

The Deep-Dive Guide: Microsoft Graph API for PowerShell

drago — Mon, 12 Jan 2026 07:20:15 +0000

In the modern Microsoft 365 landscape, the “Portal-Clicker” is being replaced by the “Automation Architect.” Microsoft Graph is the engine behind this transformation. While legacy modules like AzureAD or MSOnline were siloed, Graph provides a single endpoint, a single authentication model, and a single data schema.

The Architect’s Logic: Every PowerShell command in the Microsoft Graph SDK is a wrapper for a REST API URL.
Get-MgUser -UserId "bob@contoso.com" is actually a GET request to https://graph.microsoft.com/v1.0/users/bob@contoso.com.

1. Professional Setup & API Profiles

Before scripting, you must decide which API version to target. The SDK supports v1.0 (Production-ready) and Beta (latest preview features like Sign-in logs or specialized Teams settings).

# Switch to Beta for advanced features
Select-MgProfile -Name "beta"

# Connect with specific permissions (Scopes)
Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All", "Mail.Read", "Sites.Read.All"

2. Unattended Automation (App-Only Auth)

For background tasks (Azure Automation, Task Scheduler), interactive logins are impossible. You must use an App Registration with a certificate for maximum security.

$params = @{
    ClientId              = "YOUR_APP_ID_GUID"
    TenantId              = "YOUR_TENANT_ID"
    CertificateThumbprint = "A1B2C3D4E5F6G7H8I9J0"
}
Connect-MgGraph @params

3. Service Deep-Dives: Read & Write

A. Entra ID: OData Filtering Mastery

A true deep dive requires moving beyond Where-Object. Filter at the source to prevent script lag and memory exhaustion.

# Efficient: Server-side filtering for active Finance users
$Filter = "Department eq 'Finance' and AccountEnabled eq true"
$Users = Get-MgUser -Filter $Filter -All -Property "Id", "DisplayName", "JobTitle"

B. Microsoft Teams: Resource Provisioning

Creating a Team is a multi-step process. In Graph, you often create a Group first and then “Team-enable” it.

$teamBody = @{
    DisplayName = "New Project Team"
    "template@odata.bind" = "https://graph.microsoft.com/v1.0/teamsTemplates('standard')"
}
New-MgTeam -BodyParameter $teamBody

C. SharePoint & OneDrive: The “Drive” Logic

SharePoint Sites contain Drives (Document Libraries), which contain DriveItems (Files/Folders).

# Search for a site and list its library root
$Site = Get-MgSite -Search "Marketing"
Get-MgSiteDriveItem -SiteId $Site.Id -DriveId (Get-MgSiteDrive -SiteId $Site.Id).Id

4. Advanced Query Parameters

To optimize performance, use -ExpandProperty to join related data into a single request, avoiding multiple round-trips.

# Fetch user AND their manager in one call
$User = Get-MgUser -UserId "admin@domain.com" -ExpandProperty "manager"
$ManagerMail = $User.Manager.AdditionalProperties["mail"]

5. JSON Batching: Combining 20 Requests

Batching allows you to group up to 20 individual API calls into a single HTTP POST. This is essential for high-speed synchronization tools.

$batchRequest = @{
    requests = @(
        @{ id = "1"; method = "GET"; url = "/users/user1@domain.com" },
        @{ id = "2"; method = "GET"; url = "/users/user2@domain.com" }
    )
}
$BatchResult = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/`$batch" -Body $batchRequest

6. Delta Queries: Tracking Changes

Instead of scanning 50,000 users every hour, use **Delta Queries** to only pull objects that were created, updated, or deleted since your last sync.

# Initial sync gets the deltaLink
$Delta = Get-MgUserDelta
$SyncToken = $Delta.AdditionalProperties["@odata.deltaLink"]

# Future runs use the $SyncToken to fetch ONLY changes
$Changes = Invoke-MgGraphRequest -Method GET -Uri $SyncToken

7. Expert Error Handling

Graph errors are JSON objects. A professional script parses these to understand if a failure was due to a missing resource (404) or throttling (429).

try {
    Update-MgUser -UserId "ghost-id" -Department "IT"
} catch {
    $Err = $_.Exception.Message | ConvertFrom-Json -ErrorAction SilentlyContinue
    Write-Error "Code: $($Err.error.code) - Message: $($Err.error.message)"
}

Summary Checklist

Scenario	Best Practice
Large Data Sets	Use `-All` and `-Filter`. Avoid `Where-Object`.
Security	Use Certificates for Auth; use Least Privilege Scopes.
Speed	Use `-ExpandProperty` and `$batch`.
Troubleshooting	Append `-Debug` to see raw HTTP traffic.

Next Steps: Start by experimenting in the Graph Explorer to visualize the JSON responses before writing your PowerShell logic.

Strategic Implementation Concept: Microsoft Teams Walkie-Talkie for Airport Operations

drago — Tue, 06 Jan 2026 07:10:55 +0000

Aviation Digital Operation Blueprint

Executive Summary

Modernizing airport communication is a critical safety and efficiency factor. This document outlines the transition from traditional LMR/TETRA radio systems to an integrated Microsoft Teams Walkie-Talkie solution. By merging voice communication, digital identity, and compliance archiving, we achieve seamless coverage (WLAN/5G/LTE) while reducing hardware costs and infrastructure complexity.

1. Operational Use Cases (Deep Dive)

Airport Security

Instant PTT group communication for terminal incidents. Integration of location data for rapid responder positioning. Military-grade encryption for sensitive security channels.

Baggage Handling

Direct coordination between check-in and loading bays. Use of high-performance noise-canceling headsets to ensure clear communication despite heavy machinery noise.

Airside & Ground Ops

Marshaling instructions and FOD (Foreign Object Debris) checks on the apron. Utilization of ruggedized devices (e.g., Samsung XCover) built for extreme weather.

2. PowerShell Configuration (Admin Guide)

Automated deployment via PowerShell ensures that all frontline workers have the Walkie-Talkie app pinned to their mobile navigation bar.

# Connect to Microsoft Teams
Connect-MicrosoftTeams

# Define Policy Parameters
$policyName = “Aviation_Frontline_WT”
$appId = “0048126e-44b2-4404-8740-1f951e707a0c”

# Create Policy and Pin App
New-CsTeamsAppSetupPolicy -Identity $policyName -Description “Airport Ops PTT Policy”
Set-CsTeamsAppSetupPolicy -Identity $policyName -PinnedApps @{Add=$appId}

# Batch Assignment to Entra ID Group
$groupId = “YOUR-GROUP-ID-HERE”
New-CsGroupPolicyAssignment -GroupId $groupId -PolicyType TeamsAppSetupPolicy -PolicyName $policyName -Rank 1

3. Security: Conditional Access & Geofencing

Geographical Access Control

To ensure security, Walkie-Talkie access is restricted to the airport perimeter. Communication is blocked once a user leaves the trusted network zone.

# Define Trusted Airport Location (IP-Range)
New-MgNamedLocation -DisplayName “Airport-Fence-Zone” `
    -IsTrusted $true `
    -OdataType “#microsoft.graph.ipNamedLocation” `
    -IpRanges @{ “cidrAddress” = “192.168.1.0/24” }

4. Compliance & Recording

Audit-Ready Communication

Legal requirements (e.g., ICAO/FAA) often mandate the archiving of operational radio traffic. Teams uses the Compliance Recording Framework for this purpose.

# Create Compliance Recording Policy
New-CsTeamsComplianceRecordingPolicy -Identity “Airport_Safety_Archive” `
-Enabled $true -Description “Audit-Log for Runway Ops”

# Assign to Safety Personnel
Grant-CsTeamsComplianceRecordingPolicy -Identity “ops-team@airport.com” `
-PolicyName “Airport_Safety_Archive”

5. Hardware Integration & Button Mapping

Device Type	Configuration Tool	Intent Action
Zebra TC-Series	StageNow / KeyMappingMgr	`com.microsoft.office.outlook.ptt.PUSH_TO_TALK`
Samsung XCover	Knox / Android Settings	Direct App Link: Teams Walkie-Talkie
Jabra Headsets	BlueParrott App/SDK	Trigger via BLE (Bluetooth Low Energy)

6. Implementation Roadmap

Phase 1: Pilot (Weeks 1-2): Testing in Terminal 1 with Security Key Users. Focus on Wi-Fi roaming stability.

Phase 2: Transition (Weeks 3-6): Expansion to Ground Handling. Parallel operation with legacy radio for risk mitigation.

Phase 3: Full Go-Live: Complete decommissioning of analog frequencies and activation of all recording bots.

7. Training & Radio Etiquette

Discipline: Keep messages short. Wait for the “Beep” before speaking.
Hardware: Use the physical side-button (no need to unlock the screen).
Channels: Ensure you are connected to the correct operational channel (e.g., ‘Ramp-Ops’).

Mastering Exchange Online Security: Automating Send-As & Impersonation Audits

drago — Wed, 24 Dec 2025 09:17:08 +0000

PowerShell • Exchange Online • Security • Auditing

As Exchange Online administrators, visibility is our most valuable asset. One of the most common security “blind spots” in growing organizations involves mailbox delegation. Specifically: Who has the right to send emails as someone else?

While the Microsoft 365 Admin Center allows you to check permissions one mailbox at a time, auditing an entire tenant for Send As permissions and global ApplicationImpersonation roles can be a nightmare. Today, I’m sharing a PowerShell solution that automates this process and generates a beautiful, searchable HTML report.

            Why is this important?

            “Send As” allows a user (or hacker) to send an email that appears to come directly from the mailbox owner, with no “on behalf of” tag. “ApplicationImpersonation” is even more powerful, allowing applications to act as the user completely.

The Solution: A Custom PowerShell Auditor

I wrote a PowerShell script that bridges the gap between raw data and actionable insights. Instead of staring at a CSV file, this script generates a modern, interactive HTML dashboard.

Key Features

Full Tenant Scan: Iterates through all User and Shared Mailboxes.
Send-As Detection: Identifies explicit AD permissions (Active Directory Rights).
Impersonation Checks: Scans RBAC (Role Based Access Control) for the high-privilege ApplicationImpersonation role.
Visual Reporting: Produces a user-friendly HTML file with directional arrows indicating flow (Who → Can Access → Whom).
Searchable: Includes an embedded JavaScript search engine to filter results instantly.

How It Works

The script operates in three distinct phases:

1. Data Collection (Send As)

First, it connects to Exchange Online. It then loops through every mailbox using Get-Mailbox. For each mailbox, it runs Get-RecipientPermission to find any security identifier (SID) that has “SendAs” rights, filtering out the owner themselves (Self).

2. RBAC Analysis (Impersonation)

Unlike standard folder permissions, ApplicationImpersonation is an administrative role. The script uses Get-ManagementRoleAssignment to find service accounts or users who have been granted this role, and importantly, checks the Scope (whether it applies to the whole organization or just specific users).

3. Report Generation

Finally, it constructs an HTML file. It embeds CSS for styling and a small JavaScript snippet to handle the search bar logic, ensuring the report is a single, portable file you can share with auditors or management.

The Script

Here is the complete PowerShell code. Save this as Audit-ExchangePermissions.ps1 and run it in a PowerShell terminal with Exchange Online Administrator rights.

<#
.SYNOPSIS
    Generates an HTML Report for "Send As" and "ApplicationImpersonation" permissions.
.DESCRIPTION
    Scans all User and Shared mailboxes for 'SendAs' rights.
    Checks RBAC assignments for 'ApplicationImpersonation'.
    Outputs a searchable HTML file.
#>

# --- Configuration ---
$ReportPath = "$env:USERPROFILE\Desktop\Exchange_SendAs_Impersonation_Report.html"
$LogoUrl = "https://img.icons8.com/color/48/000000/microsoft-exchange.png"

# --- Connection Check ---
try {
    Get-Mailbox -ResultSize 1 -ErrorAction Stop -WarningAction SilentlyContinue | Out-Null
    Write-Host "Connection to Exchange Online verified." -ForegroundColor Green
}
catch {
    Write-Host "Connecting to Exchange Online..." -ForegroundColor Yellow
    try {
        Connect-ExchangeOnline -ErrorAction Stop
    }
    catch {
        Write-Error "Could not connect. Please check internet and permissions."
        exit
    }
}

# --- Data Collection ---
$ReportData = @()

# 1. Mailbox SendAs Checks
Write-Host "Scanning Mailboxes for 'Send As' rights..." -ForegroundColor Cyan
$Mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox

$Counter = 0
$Total = $Mailboxes.Count

foreach ($Mailbox in $Mailboxes) {
    $Counter++
    Write-Progress -Activity "Auditing Permissions" -Status "Processing: $($Mailbox.DisplayName)" -PercentComplete (($Counter / $Total) * 100)
    
    # Filter 'SendAs' rights, excluding the user themselves (Self)
    $Permissions = Get-RecipientPermission -Identity $Mailbox.Id -ResultSize Unlimited -Trustee $null | Where-Object { 
        ($_.AccessRights -like "*SendAs*") -and 
        ($_.Trustee -ne "NT AUTHORITY\SELF") -and 
        ($_.Trustee -ne $Mailbox.UserPrincipalName)
    }

    foreach ($Perm in $Permissions) {
        $ReportData += [PSCustomObject]@{
            OwnerName    = $Mailbox.DisplayName
            OwnerUPN     = $Mailbox.UserPrincipalName
            Type         = if ($Mailbox.RecipientTypeDetails -eq "UserMailbox") { "User Mailbox" } else { "Shared Mailbox" }
            Direction    = "Sent By"
            Actor        = $Perm.Trustee
            AccessRights = "Send As"
        }
    }
}

# 2. ApplicationImpersonation Checks (RBAC)
Write-Host "Checking for 'ApplicationImpersonation' roles..." -ForegroundColor Cyan
$ImpersonationRoles = Get-ManagementRoleAssignment -Role "ApplicationImpersonation" -ResultSize Unlimited -ErrorAction SilentlyContinue

foreach ($RoleAssignment in $ImpersonationRoles) {
    $ScopeName = "Entire Organization"
    if ($RoleAssignment.CustomRecipientWriteScope) {
        $ScopeName = "Scope: " + $RoleAssignment.CustomRecipientWriteScope
    } elseif ($RoleAssignment.RecipientReadScope -ne "Organization") {
        $ScopeName = "Scope: " + $RoleAssignment.RecipientReadScope
    }

    $ReportData += [PSCustomObject]@{
        OwnerName    = $ScopeName
        OwnerUPN     = "RBAC Scope"
        Type         = "App Impersonation" 
        Direction    = "Impersonated By"
        Actor        = $RoleAssignment.RoleAssigneeName
        AccessRights = "ApplicationImpersonation"
    }
}

Write-Progress -Activity "Auditing Permissions" -Completed

# --- HTML Generation ---
Write-Host "Generating HTML Report..." -ForegroundColor Cyan

$CSS = @"

"@

$ScriptJS = @"

"@

$HTMLHeader = @"


Exchange Permissions Report$CSS $ScriptJS

    
         Exchange Permissions Audit
        
            Audit Summary:

            Found $($ReportData.Count) permission entries.
        
        
        
"@

$HTMLRows = ""
foreach ($Row in $ReportData) {
    $BadgeClass = switch ($Row.Type) {
        "Shared Mailbox" { "badge-shared" }
        "App Impersonation" { "badge-imper" }
        Default { "badge-user" }
    }
    
    $HTMLRows += @"
                
"@
}

$HTMLFooter = @"
            
            
                
                    Type Target (Owner/Scope) Access Actor (Delegate)
                
            
            
                    $($Row.Type)
                    $($Row.OwnerName)
$($Row.OwnerUPN)
                    ← $($Row.AccessRights) ←
                    $($Row.Actor)
                
        
        Generated on $(Get-Date -Format "yyyy-MM-dd")
    


"@

$FinalHTML = $HTMLHeader + $HTMLRows + $HTMLFooter
$FinalHTML | Out-File -FilePath $ReportPath -Encoding UTF8
Invoke-Item $ReportPath

Type	Target (Owner/Scope)	Access	Actor (Delegate)
$($Row.Type)	$($Row.OwnerName) $($Row.OwnerUPN)	← $($Row.AccessRights) ←	$($Row.Actor)

Conclusion

Regular auditing of Exchange permissions is critical for maintaining a “Zero Trust” environment. By automating the discovery of Send As and Impersonation rights, you ensure that no unauthorized account holds keys to your organization’s communication channels.

Feel free to customize the script to add more checks (like “Full Access” permissions) or change the branding to match your company colors!

Setting Up Calendar Sharing Between Microsoft 365 Tenants

drago — Thu, 04 Dec 2025 13:08:42 +0000

Introduction

In today’s interconnected business world, collaboration across organizations is essential. Microsoft 365 offers robust tools for cross-tenant calendar sharing, allowing users from different tenants to view availability (free/busy) or even full calendar entries. This guide walks you through the setup process, drawing from official Microsoft documentation and practical examples. We’ll cover free/busy sharing via organization relationships and full calendar access, which requires enabling external sharing and per-user configurations.

Possible Scenarios for Cross-Tenant Calendar Sharing

Cross-tenant sharing is useful in various contexts. Here are some common scenarios:

Business Partnerships: Two companies collaborating on a project need to schedule meetings without conflicts. Free/busy sharing ensures visibility into availability, while full sharing allows detailed event insights for closer coordination.
Mergers and Acquisitions: During integration, teams from acquired and parent companies can share calendars to align on timelines, reducing miscommunication.
Supply Chain Management: Vendors and clients can view each other’s schedules for deliveries or reviews, enhancing efficiency.
Hybrid Work Environments: Freelancers or consultants from external tenants can integrate calendars for seamless booking.
Multi-Tenant Organizations (MTO): In advanced setups like MTO, sharing extends to groups, but starts with basic free/busy for all users.
Challenges in Regulated Industries: Sectors like finance or healthcare may limit to free/busy only for compliance, avoiding full entry details.

Note: Full sharing beyond free/busy isn’t automated tenant-wide; it’s user-initiated. For large-scale needs, consider automation scripts or policies.

Prerequisites

Global or Exchange Admin permissions in both tenants.
Access to Microsoft 365 Admin Center and Exchange Admin Center.
Exchange Online PowerShell module for advanced setups.
Domain names of both tenants (e.g., contoso.com and fabrikam.com).
Changes may take up to 24 hours to propagate.

Step-by-Step Setup

Step 1: Enable External Calendar Sharing (Required for Full Access)

This allows users to share calendars externally.

Log into the Microsoft 365 Admin Center (admin.microsoft.com).
Go to Settings > Org settings > Services > Calendar.
Enable Let your users share their calendars with people outside of your organization who have Office 365 or Exchange.
Select access levels (e.g., full details).
Save and repeat in the other tenant.

Step 2: Set Up Organization Relationship (for Free/Busy Sharing)

This enables tenant-wide visibility of availability. Perform in both tenants for bidirectional access.

Using Exchange Admin Center

Log into Exchange Admin Center (admin.exchange.microsoft.com).
Navigate to Organization > Sharing > Organization sharing tab.
Click + Add organization relationship.
Enter a name (e.g., “Contoso-Fabrikam”).
Add the other tenant’s domain.
Enable Calendar free/busy information sharing.
Choose level: Time only or Time, subject, location.
Select scope: Everyone or a security group.
Create and repeat in the other tenant.

Using PowerShell

Connect:

Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

Create:

New-OrganizationRelationship -Name "Contoso-Fabrikam" -DomainNames "fabrikam.com" -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails

Verify:

Get-OrganizationRelationship | Format-List

Step 3: Perform Full Calendar Sharing (Per-User)

Once external sharing is enabled:

In Outlook, right-click your calendar and select Share > Permissions.
Add the external user’s email.
Set permissions (e.g., Can view all details).
Send invitation; recipient accepts in Outlook.
To view: Add the shared calendar via link or invitation.

Verification and Troubleshooting

Test by inviting cross-tenant users to meetings. If issues arise, check domains, wait for propagation, or use PowerShell diagnostics. For advanced scenarios like MTO, refer to Microsoft docs.

Conclusion

Cross-tenant calendar sharing boosts productivity but requires careful setup for security. Start with free/busy for broad access, then enable full sharing as needed. Stay updated with Microsoft changes!

Managing Exchange Mailbox Permissions: Export and Import Scripts

drago — Thu, 23 Oct 2025 06:27:21 +0000

8 min read
Exchange Server

PowerShell
Exchange Server
Automation
Migration

If you’ve ever had to migrate Exchange servers or audit mailbox permissions across your organization, you know the pain of manually tracking who has access to what. Today, I’m sharing two PowerShell scripts that will save you hours of work by automating the export and import of Exchange mailbox permissions.

The Problem

Managing mailbox permissions in on-premises Exchange environments can be challenging, especially when:

Migrating to a new Exchange server
Performing disaster recovery operations
Auditing current permission structures
Documenting compliance requirements
Replicating permission structures across environments

Exchange Server stores three critical types of mailbox permissions that need to be preserved:

Full Access – Complete access to another user’s mailbox
Send As – Ability to send emails as another user
Send On Behalf – Ability to send emails on behalf of another user

The Solution

I’ve developed two PowerShell scripts that work together to solve this problem comprehensively:

Export Script

Reads all mailbox permissions from your Exchange server and exports them to CSV and HTML formats for easy review and backup.

Import Script

Imports permissions from the CSV file to another Exchange server with detailed success/failure tracking and validation.

How It Works

Step 1: Exporting Permissions

The export script connects to your Exchange server and systematically reads all mailbox permissions. It filters out inherited and system permissions to focus only on explicitly granted access rights.

# Run on your source Exchange server
.\Export-MailboxPermissions.ps1

# Or specify a custom output location
.\Export-MailboxPermissions.ps1 -OutputPath "C:\ExchangeBackup"

What You Get:

A CSV file with all permissions (perfect for importing)
An HTML report with summary statistics and sortable tables
Color-coded permission types for easy identification
Timestamped files for version control

Step 2: Reviewing the Export

Before importing, open the HTML report to review what permissions exist. The report includes:

Total permission count and breakdown by type
Sortable table showing mailbox, trusted user, and permission type
Visual indicators for different permission types
Easy-to-read format for auditing and compliance

Step 3: Testing the Import

Before making any changes to your target Exchange server, use the -WhatIf parameter to preview what will happen:

# Test the import without making changes
.\Import-MailboxPermissions.ps1 -CsvPath "C:\Export\MailboxPermissions_20250113_120000.csv" -WhatIf

Pro Tip: Always run with -WhatIf first! This shows you exactly what permissions will be applied without actually making any changes. Review the HTML report to ensure everything looks correct before proceeding.

Step 4: Importing Permissions

Once you’ve verified the import plan, run the script without -WhatIf to apply the permissions:

# Import permissions to the target Exchange server
.\Import-MailboxPermissions.ps1 -CsvPath "C:\Export\MailboxPermissions_20250113_120000.csv"

The import script intelligently handles various scenarios:

Validation: Checks if mailboxes and users exist before applying permissions
Duplicate Detection: Skips permissions that already exist
Error Handling: Continues processing even if individual permissions fail
Detailed Logging: Records success, failure, and skip status for every permission

Key Features

Export Script Features

Processes all mailboxes in your organization automatically
Filters out inherited and system permissions for cleaner data
Real-time progress indicator during processing
Dual output: CSV for importing, HTML for human review
Comprehensive error handling and logging
Timestamped files prevent accidental overwrites

Import Script Features

Pre-import validation of mailboxes and users
WhatIf mode for safe testing
Interactive HTML report with filtering capabilities
Color-coded status indicators (success, failed, skipped)
Detailed error messages for troubleshooting
Progress tracking during import operations
Automatic duplicate detection

The HTML Reports

Both scripts generate beautiful, professional HTML reports that make it easy to understand what happened:

Export Report

The export report provides a complete overview of your permission structure with summary statistics and a sortable table of all permissions. Each permission type is color-coded for quick identification.

Import Report

The import report is interactive, allowing you to filter results by status:

Show All: Complete list of all import operations
Success Only: Filter to see what was successfully applied
Failed Only: Quickly identify and troubleshoot failures
Skipped Only: See which permissions already existed

Audit Trail: The HTML reports serve as excellent documentation for compliance audits and change management processes. They provide a clear record of what permissions existed and what changes were made.

Real-World Use Cases

1. Exchange Server Migration

When migrating from Exchange 2016 to Exchange 2019, export permissions from the old server, migrate mailboxes, then import permissions to the new server. The scripts ensure no permissions are lost during migration.

2. Disaster Recovery

Regular exports serve as backups of your permission structure. If you need to rebuild your Exchange environment, you can quickly restore all permissions from your latest export.

3. Compliance Auditing

Generate monthly HTML reports to document who has access to sensitive mailboxes. The reports provide clear evidence for compliance requirements like SOX, HIPAA, or GDPR.

4. Development/Test Environments

Clone your production permission structure to test environments to ensure accurate testing scenarios without manually recreating complex permission relationships.

Best Practices

Always test first: Use -WhatIf before importing to any environment
Schedule regular exports: Automate weekly exports for disaster recovery purposes
Review HTML reports: Don’t just trust the CSV – review the human-readable reports
Verify prerequisites: Ensure all users and mailboxes exist on the target server before importing
Keep audit trails: Archive HTML reports for compliance documentation
Test in non-production first: Always validate the process in a test environment
Run during maintenance windows: Large exports can impact server performance

Troubleshooting Common Issues

Mailbox Not Found Errors

If you see “Mailbox not found” errors during import, ensure the mailbox exists on the target server before importing permissions. The import script validates existence but cannot create mailboxes.

Trusted User Not Found

The user being granted permissions must exist on the destination server. Create user accounts before importing their permission grants.

Access Denied

Ensure you’re running the scripts with Exchange Organization Management or equivalent permissions. The scripts require elevated privileges to read and modify mailbox permissions.

Permission Already Exists

This is normal behavior – the script skips permissions that already exist to prevent errors. Check the “Skipped” section of the HTML report to see these entries.

Security Considerations

When working with mailbox permissions, security is paramount:

Store CSV exports securely – they contain sensitive organizational information
Limit access to the scripts and exports to authorized administrators only
Review permissions before importing to prevent unauthorized access
Use WhatIf mode to verify changes before applying them
Maintain audit logs of all permission changes
Regularly review and clean up unnecessary permissions

https://github.com/MSB365/ExchangeHelpers/tree/main

Conclusion

Managing Exchange mailbox permissions doesn’t have to be a manual, error-prone process. These PowerShell scripts automate the entire workflow, providing reliable exports, safe imports, and comprehensive reporting.

Whether you’re migrating servers, performing disaster recovery, or simply documenting your environment for compliance, these scripts will save you time and reduce the risk of permission-related issues.

The combination of CSV exports for machine processing and HTML reports for human review ensures you have both the data you need for automation and the visibility required for auditing and troubleshooting.

Start Today: Download the scripts, run an export of your current environment, and see how easy it is to document and manage your Exchange mailbox permissions. Your future self (and your auditors) will thank you!