Microsoft Exchange Security Features

Posted By admin On 12/01/22

The Microsoft® Exchange Hosted Services environment is composed of computers, operating systems, applications and services, networks, operations and monitoring equipment, and specialized hardware, along with the administrative and operations staff required to run and maintain the service.

'Modify your profile to ensure that you are using the correct Microsoft Exchange information service.' Ok, so I deleted the account and tried to set it up again; however, under 'Add Account' there is no longer an option to set up an Exchange account. There are only two options: 1) Outlook.com or Exchange ActiveSync compatible service or 2) POP or IMAP.

Unlimited OneDrive storage for E3 or E5 subscriptions of five or more users. Microsoft will provide an initial 5 TB of OneDrive storage per user. Customers who want additional OneDrive storage can request it as needed by contacting Microsoft support. Subscriptions for fewer than five users receive 1 TB OneDrive storage per user.

Exchange Online Protection provides advanced security and reliability to help protect your information. Eliminate threats before they reach the corporate firewall with multi-layered, real-time anti-spam and multi-engine anti-malware protection. Protect your company's IP reputation by using separate outbound delivery pools for high-risk email.

All Microsoft Management Console (MMC) tools, like the Hybrid Configuration Wizard, Event Viewer or the EAC, can be used remotely.

A while ago, there was an announcement that TLS versions prior to TLS 1.2 will not be supported. While Exchange environments could still use the older versions of the protocol, it was not recommended.


Compliance features in Exchange Online Archiving

The following sections describe the compliance features of Microsoft Exchange Online Archiving.

Retention policies

Exchange Online Archiving offers retention policies to help organizations reduce the liabilities associated with email and other communications. With these policies, administrators can apply retention settings to specific folders in users' inboxes. Administrators can also give users a menu of retention policies and let them apply the policies to specific items, conversations, or folders using Outlook 2010 or later or Outlook Web App. In Exchange Online Archiving, administrators manage retention policies from the on-premises infrastructure.

Exchange Online Archiving offers two types of policies: archive and delete. Both types can be applied to the same item or folder. For example, a user can tag an email message so that it is automatically moved to the personal archive in a specified number of days and deleted after another span of days.

With Outlook 2010 and later and Outlook Web App, users can apply retention policies to folders, conversations, or individual messages and can also view the applied retention policies and expected deletion dates on messages. Users of other email clients can have email deleted or archived based on server-side retention policies provisioned by the administrator, but they do not have the same level of visibility and control.

The retention policy capabilities offered in Exchange Online Archiving are the same as those offered in Exchange Server 2010 Service Pack 2 (SP2) and later. Administrators can manage retention policies from on-premises Exchange Server 2010 and later environments. Managed Folders, an older approach to messaging records management that was introduced in Exchange 2007, are not available in and not compatible with Exchange Online Archiving. For more details, see Retention Tags and Retention Policies.

In-Place Hold and Litigation Hold

When a reasonable expectation of litigation exists, organizations are required to preserve electronically stored information (ESI), including email that's relevant to the case. This expectation can occur before the specifics of the case are known, and preservation is often broad. Organizations may preserve all email related to a specific topic, or all email for certain individuals.

Note

In-place hold and litigation hold currently do not apply to emails sent using POP or IMAP clients, or by custom applications that use the SMTP protocol.

In Exchange Online, you can use In-Place Hold or Litigation Hold to accomplish the following goals:

  • Enable users to be placed on hold and preserve mailbox items immutably

  • Preserve mailbox items deleted by users or automatic deletion processes such as MRM

  • Protect mailbox items from tampering, changes by a user, or automatic processes by saving a copy of the original item

  • Preserve items indefinitely or for a specific duration

  • Keep holds transparent from the user by not having to suspend MRM

  • Use In-Place eDiscovery to search mailbox items, including items placed on hold

Additionally, you can use In-Place Hold to:

  • Search and hold items matching specified criteria

  • Place a user on multiple In-Place Holds for different cases or investigations

Note

When you put a mailbox on In-Place Hold or Litigation Hold, the hold is placed on both the primary and the archive mailbox.

For more information, see In-Place Hold and Litigation Hold.

Note

The default quota for the Recoverable Items Folder is 100 GB for Exchange Online Archiving users.

In-Place eDiscovery

Exchange Online Archiving supports In-Place eDiscovery for searching the contents of mailboxes in an organization. Using the Exchange admin center or remote Windows PowerShell from an on-premises Exchange 2013 server, administrators or authorized Discovery managers can search a variety of mailbox items - including email messages, attachments, calendar appointments, tasks, and contacts. In-Place eDiscovery can search simultaneously across primary mailboxes and archives. Rich filtering capabilities include sender, receiver, message types, sent date, received date, carbon copy, and blind carbon copy, along with Keyword Query Language (KQL) syntax. For more details, see In-Place eDiscovery.

The Exchange admin center and remote Windows PowerShell can be used to search up to 5,000 mailboxes at a time in an In-Place eDiscovery search. For details about using remote Windows PowerShell to run In-Place eDiscovery searches, see New-MailboxSearch.

Note

In remote Windows PowerShell, the Search-Mailbox cmdlet can be used to search more than 5,000 mailboxes. For details about searching large numbers of mailboxes using remote Windows PowerShell, see Search-Mailbox.

Results of an In-Place eDiscovery search can be previewed in the Exchange admin center, exported to a .pst file, or copied to a special type of mailbox, called a discovery mailbox. Administrators or compliance officers can connect to the discovery mailbox to review messages. For details, see Create an In-Place eDiscovery Search.

Note

When copying search results for an In-Place eDiscovery search performed across on-premises and cloud-based mailboxes or archives, you must select an on-premises discovery mailbox. Messages from the on-premises primary mailbox and the cloud-based archive are copied to the on-premises discovery mailbox.

Administrators can also search for and delete inappropriate email messages sent to multiple mailboxes across their organizations. For example, if confidential salary information was accidentally sent to all employees, an administrator can delete the email from the users' mailboxes. This type of search is not available in the Exchange admin center. It must be performed using Remote PowerShell. For details on how to delete messages from users' mailboxes, see Search and Delete Messages.
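The hold, In-Place eDiscovery and search-and-delete workflow described in the two sections above, as an added example that is not part of the original article. It runs in a remote Windows PowerShell session to on-premises Exchange 2013 or later and uses the cmdlets the page names (New-MailboxSearch, Search-Mailbox) plus Set-Mailbox; the mailbox addresses, case name and query text are constructed placeholders, and the account needs the Discovery Management role (plus Legal Hold for the hold steps and Mailbox Import Export for -DeleteContent).

```powershell
# Added example, not from the original article. Placeholders: alice@/bob@/hr@contoso.example,
# the case name "Case-2022-001" and the discovery mailbox "Discovery Search Mailbox".

# 1. Litigation Hold: preserve the custodian's primary AND archive mailbox for
#    7 years (2555 days), including items the user or MRM would otherwise delete.
Set-Mailbox -Identity "alice@contoso.example" `
    -LitigationHoldEnabled $true -LitigationHoldDuration 2555 `
    -RetentionComment "Case 2022-001: preserve pending litigation"

# 2. In-Place Hold + eDiscovery on several custodians, limited to items matching
#    a KQL query. Start as an estimate so the result count and size are known
#    before anything is copied.
$custodians = "alice@contoso.example", "bob@contoso.example"
New-MailboxSearch -Name "Case-2022-001" `
    -SourceMailboxes $custodians `
    -SearchQuery 'subject:"Project Falcon" AND received>=2021-01-01' `
    -InPlaceHoldEnabled $true -ItemHoldPeriod 365 `
    -EstimateOnly
Start-MailboxSearch -Identity "Case-2022-001"
Get-MailboxSearch -Identity "Case-2022-001" |
    Select-Object Status, ResultNumberEstimate, ResultSizeEstimate

# 3. When the estimate looks right, switch the search to copy mode and run it
#    again. Reviewers then connect to the discovery mailbox (an on-premises one
#    when sources span on-premises mailboxes and cloud archives).
Set-MailboxSearch -Identity "Case-2022-001" -EstimateOnly $false `
    -TargetMailbox "Discovery Search Mailbox" -LogLevel Full
Start-MailboxSearch -Identity "Case-2022-001"

# 4. Search-and-delete (PowerShell only, no EAC equivalent): remove a message
#    accidentally sent to everyone. Dry-run with -LogOnly first, review the log,
#    then delete while keeping an evidentiary copy in the discovery mailbox.
$q = 'subject:"FY22 Salary Review" AND from:"hr@contoso.example" AND sent>=2022-01-10'
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Search-Mailbox -SearchQuery $q -TargetMailbox "Discovery Search Mailbox" `
        -TargetFolder "SalaryLeak-Log" -LogOnly -LogLevel Full
# After reviewing SalaryLeak-Log in the discovery mailbox:
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Search-Mailbox -SearchQuery $q -TargetMailbox "Discovery Search Mailbox" `
        -TargetFolder "SalaryLeak-Copy" -DeleteContent -Force
```

The -DeleteContent step is not reversible from the users' side, which is why the -LogOnly pass and the copy to the discovery mailbox come first.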

Security features in Exchange Online Archiving

The following sections describe the security features of Microsoft Exchange Online Archiving.

Encryption between on-premises servers and Exchange Online Archiving

TLS is used to encrypt the connection between email servers to help prevent spoofing and provide confidentiality for messages in transit. TLS is also used for securing on-premises mail server traffic to Office 365 data centers for Exchange Online Archiving.

Encrypting between clients and Exchange Online Archiving

Client connections to Exchange Online Archiving use the following encryption methods to enhance security:

  • SSL is used for securing Outlook, Outlook Web App, and Exchange Web Services traffic, using TCP port 443.

  • Client connections to on-premises servers do not change with the introduction of Exchange Online Archiving.

Encryption: S/MIME and PGP

Exchange Online Archiving will store Secure/Multipurpose Internet Mail Extensions (S/MIME) messages. However, Exchange Online Archiving does not host S/MIME functions or host the public keys, nor does it provide key repository, key management, or key directory services because all of these services attach to the on-premises Exchange infrastructure.

Similarly, Exchange Online Archiving will store messages that are encrypted using client-side, third-party encryption solutions such as Pretty Good Privacy (PGP).

Information Rights Management

Exchange Online Archiving does not provide hosted Information Rights Management (IRM) services, but administrators can use on-premises Active Directory Rights Management Services (AD RMS). If an AD RMS server is deployed, Outlook can communicate directly with that server, enabling users to compose and read IRM-protected messages. If interoperability between the AD RMS server and the on-premises Exchange environment is configured, users will be able to compose and read IRM-protected messages.

Support for IRM in Outlook Web App

Users can read and create IRM-protected messages natively in Outlook Web App, just as they can in Outlook. IRM-protected messages in Outlook Web App can be accessed through Internet Explorer, Firefox, Safari, and Chrome (with no plug-in required). The messages include full-text search, conversation view, and the preview pane. Interoperability between the Active Directory Rights Management Services server and the on-premises Exchange environment must be configured to enable this.

IRM Search

IRM-protected messages are indexed and searchable, including headers, subject, body, and attachments. Users can search IRM-protected items in Outlook and Outlook Web App, and administrators can search IRM-protected items by using In-Place eDiscovery or the Search-Mailbox cmdlet.

Auditing

Exchange Online Archiving provides two types of built-in auditing capabilities:

  • Administrator audit logging: allows customers to track changes made by their administrators in the Exchange Online Archiving environment, including changes to RBAC roles or Exchange policies and settings.

  • Mailbox audit logging: allows customers to track access to mailboxes by users other than the mailbox owner.

Several predefined audit reports are available in the Exchange admin center, including Administrator Role Changes, Litigation Hold, and Non-Owner Mailbox Access. Administrators can filter reports by date and role, and they can export all audit events for specified mailboxes in XML format for long-term retention or custom reporting.

Administrator audit logging is on by default, and mailbox audit logging is off by default. Administrators can use remote Windows PowerShell to enable mailbox audit logging for some or all mailboxes in their organization. For more information, see Auditing Reports.
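Turning on mailbox audit logging (off by default, as stated above) and then querying both audit logs, as an added example that is not part of the original article. It assumes a remote Windows PowerShell session to on-premises Exchange 2013 or later; the mailbox address is a constructed placeholder.

```powershell
# Added example, not from the original article. "ceo@contoso.example" is a placeholder.

# Enable mailbox auditing on every user mailbox, keep entries for 180 days, and
# record the admin/delegate actions most useful when investigating non-owner access.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit "180.00:00:00" `
        -AuditAdmin Update,Copy,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,MessageBind,Create `
        -AuditDelegate Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,Create `
        -AuditOwner SoftDelete,HardDelete

# Verify: any user mailbox still reporting AuditEnabled = False is a gap.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object DisplayName, PrimarySmtpAddress

# Mailbox audit log: who other than the owner touched a sensitive mailbox in
# the last 7 days, from where, and which items.
Search-MailboxAuditLog -Identity "ceo@contoso.example" `
    -LogonTypes Admin,Delegate -ShowDetails `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Select-Object LastAccessed, LogonUserDisplayName, Operation,
                  ClientIPAddress, FolderPathName, ItemSubject

# Administrator audit log (on by default): which administrator changed hold or
# audit settings in the last 30 days. Disabling auditing or a hold is itself
# a change worth alerting on.
Search-AdminAuditLog -Cmdlets Set-Mailbox, New-MailboxSearch, Set-MailboxSearch `
    -Parameters LitigationHoldEnabled, InPlaceHoldEnabled, AuditEnabled `
    -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) |
    Select-Object RunDate, Caller, CmdletName, ObjectModified,
                  @{ n = 'Parameters'; e = { $_.CmdletParameters } }
```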

Feature Availability

To view feature availability across Office 365 plans, standalone options, and on-premise solutions, see Exchange Online Archiving Service Description.

Mobile Device Management for Office 365 can help you secure and manage mobile devices like iPhones, iPads, Androids, and Windows Phones used by licensed Office 365 users in your organization. You can create mobile device management policies with settings that can help control access to your organization’s Office 365 email and documents for supported mobile devices and apps. If a device is lost or stolen, you can remotely wipe the device to remove sensitive organizational information.

Need more functionality than is included in MDM for Office 365? See if Microsoft Intune has what you need: Choose between MDM for Office 365 and Microsoft Intune.

Supported devices

You can use MDM for Office 365 to secure and manage the following types of devices.

  • Windows Phone 8.1+

  • iOS 7.1 or later versions

  • Android 4 or later versions

  • Windows 8.1*

  • Windows 8.1 RT*

  • Windows 10**

  • Windows 10 Mobile**

* Access control for Windows 8.1 and Windows 8.1 RT devices is limited to Exchange ActiveSync.

** Requires the device to be joined to Azure Active Directory and be enrolled in the mobile device management service of your organization.

If people in your organization use mobile devices that aren't supported by Mobile Device Management for Office 365, you might want to block Exchange ActiveSync app access to Office 365 email for those devices, to help make your organization's data more secure. For the steps to block Exchange ActiveSync, see Manage device access settings.

Access control for Office 365 email and documents

The supported apps for the different types of mobile devices in the following table will prompt users to enroll in MDM for Office 365 where there is a new mobile device management policy that applies to a user’s device and the user hasn’t previously enrolled the device. If a user’s device doesn’t comply with a policy, depending on how you set the policy up, a user might be blocked from accessing Office 365 resources in these apps, or they might have access but Office 365 will report a policy violation.

Exchange (Exchange ActiveSync includes built-in email and third-party apps, like TouchDown, that use Exchange ActiveSync Version 14.1 or later)

  • Windows Phone 8.1+: Exchange

  • iOS 10.0+: Mail

  • Android 4.4+: Email

Office and OneDrive for Business

  • Windows Phone 8.1+: No supported apps

  • iOS 10.0+: Outlook, OneDrive, Word, Excel, PowerPoint

  • Android 4.4+: On phones and tablets: Outlook, OneDrive, Word, Excel, PowerPoint. On phones only: Office Mobile

Notes:

  • Support for iOS 10.0 and later versions includes iPhone and iPad devices.

  • Management of BlackBerry OS devices isn’t supported by Mobile Device Management for Office 365. Use BlackBerry Business Cloud Services (BBCS) from BlackBerry to manage BlackBerry OS devices. BlackBerry devices running Android OS are supported as standard Android devices.

  • Users won’t be prompted to enroll and won’t be blocked or reported for policy violation if they use the mobile browser to access Office 365 SharePoint sites, documents in Office Online, or email in Outlook Web App.

The following diagram shows what happens when a user with a new device signs in to an app that supports access control with MDM for Office 365. The user is blocked from accessing Office 365 resources in the app until they enroll their device.

Note: Policies and access rules created in MDM for Office 365 will override Exchange ActiveSync mobile device mailbox policies and device access rules created in the Exchange admin center. After a device is enrolled in MDM for Office 365, any Exchange ActiveSync mobile device mailbox policy or device access rule applied to the device will be ignored. To learn more about Exchange ActiveSync, see Exchange ActiveSync in Exchange Online.

Policy settings for mobile devices

If you create a policy to block access with certain settings turned on, users will be blocked from accessing Office 365 resources when using a supported app that is listed in Access control for Office 365 email and documents. The settings that can block users from accessing Office 365 resources are in these sections:

  • Security

  • Encryption

  • Jail broken

  • Managed email profile

For example, the following diagram shows what happens when a user with an enrolled device isn’t compliant with a security setting in a mobile device management policy that applies to their device. The user signs in to an app that supports access control with MDM for Office 365. They are blocked from accessing Office 365 resources in the app until their device complies with the security setting.


The following sections list the policy settings you can use to help secure and manage mobile devices that connect to your organization's Office 365 resources.

Security settings

Platforms: Windows Phone 8.1+, iOS 7.1+, Android 4+, Samsung Knox

  • Require a password

  • Prevent simple password

  • Require an alphanumeric password

  • Minimum password length

  • Number of sign-in failures before device is wiped

  • Minutes of inactivity before device is locked

  • Password expiration (days)

  • Remember password history and prevent reuse

Encryption settings

Platforms: Windows Phone 8.1+, iOS 7.1+, Android 4+, Samsung Knox

  • Require data encryption on devices (Windows Phone 8.1 is already encrypted and cannot be unencrypted; Samsung Knox ✔*)

* With Samsung Knox, you can also require encryption on storage cards.

Jail broken setting

Platforms: Windows Phone 8.1+, iOS 7.1+, Android 4+, Samsung Knox

  • Device cannot be jail broken or rooted

Managed email profile option

The following option can block users from accessing their Office 365 email if they’re using a manually created email profile. Users on iOS devices must delete their manually created email profile before they can access their email. After they delete the profile, a new profile will be automatically created on the device. See Existing Company Email account was found for instructions on how end users can get compliant.

Platforms: Windows Phone 8.1+, iOS 7.1+, Android 4+, Samsung Knox

  • Email profile is managed

Cloud settings

Platforms: Windows Phone 8.1+, iOS 7.1+, Android 4+, Samsung Knox

  • Require encrypted backup

  • Block cloud backup

  • Block document synchronization

  • Block photo synchronization

  • Allow Google backup (N/A for Windows Phone and iOS)

  • Allow Google account auto sync (N/A for Windows Phone and iOS)

System settings

Platforms: Windows Phone 8.1+, iOS 7.1+, Android 4+, Samsung Knox

  • Block screen capture

  • Block sending diagnostic data from device

Application settings

Platforms: Windows Phone 8.1+, iOS 7.1+, Android 4+, Samsung Knox

  • Block video conferences on device

  • Block access to application store

  • Require password when accessing application store

Device capabilities settings

Platforms: Windows Phone 8.1+, iOS 7.1+, Android 4+, Samsung Knox

  • Block connection with removable storage

  • Block Bluetooth connection

Additional settings

You can set the following additional policy settings by using PowerShell cmdlets. For more information, see Office 365 Security & Compliance Center cmdlets.

Platforms: Windows Phone 8.1+, iOS 7.1+, Android 4+ (including Samsung Knox)

  • CameraEnabled

  • RegionRatings

  • MoviesRatings

  • TVShowsRating

  • AppsRatings

  • AllowVoiceDialing

  • AllowVoiceAssistant

  • AllowAssistantWhileLocked

  • AllowPassbookWhileLocked

  • MaxPasswordGracePeriod

  • PasswordQuality

  • SystemSecurityTLS

  • WLANEnabled

Settings supported by Windows

You can manage Windows 8.1 and Windows 10 devices by enrolling them as mobile devices. After an applicable policy is deployed, users with Windows 8.1 and Windows 10 devices will be required to enroll in MDM for Office 365 the first time they use the built-in email app to access their Office 365 email (requires Azure AD premium subscription).

The following settings are supported for Windows 8.1 and Windows 10 devices that are enrolled as mobile devices. These settings won’t block users from accessing Office 365 resources.

Security settings

  • Require an alphanumeric password

  • Minimum password length

  • Number of sign-in failures before device is wiped

  • Minutes of inactivity before device is locked

  • Password expiration (days)

  • Remember password history and prevent reuse

System settings

  • Block sending diagnostic data from device

Additional settings

You can set the following additional policy settings by using PowerShell cmdlets:

  • AllowConvenienceLogon

  • UserAccountControlStatus

  • FirewallStatus

  • AutoUpdateStatus

  • AntiVirusStatus

  • AntiVirusSignatureStatus

  • SmartScreenEnabled

  • WorkFoldersSyncUrl

Remotely wipe a mobile device

If a device is lost or stolen, you can remove sensitive organizational data and help prevent access to your organization’s Office 365 resources by doing a wipe from Security & Compliance Center > Data loss prevention > Device management. You can do a selective wipe to remove only organizational data, or a full wipe to delete all information from a device and restore it to its factory settings.

For more information, see Wipe a mobile device in Office 365.
