CHANGE LOG: View Quarantine add-in for Outlook

Monday, October 11, 2021

View Quarantine add-in for Outlook Change Log

Please see How to install an Outlook add-in to view the Microsoft 365 End-User Quarantine for a full description and installation instructions.

UPDATE #1: Microsoft won't certify my add-in because they say it "does not provide significant value or benefits to commercial marketplace customers". I think most of you will disagree. I'll keep trying to get it certified, but in the meantime you can always install it from my website using the procedures from my blog article.

UPDATE #2 [version]: I added automatic localization for 37 languages. Reinstall the add-in to if you need one of these languages. Please let me know if my translations need adjustments.

Read more ...

How to install an Outlook add-in to view the Microsoft 365 End-User Quarantine

Thursday, October 7, 2021
This article explains how to install an Outlook add-in that will open the Microsoft 365 end-user quarantine in a browser with a single click. This makes it really easy to access the quarantine directly from Outlook. And since this is a true Office add-in, it also displays and works in Outlook mobile and Outlook on the web!

View the add-in change log for status and feature updates.

The add-in displays in the Outlook ribbon when viewing any folder that contains mail items. 

The View Quarantine add-in for Outlook

The Microsoft 365 end-user quarantine

I originally built this add-in using the Build your first Outlook add-in - Office Add-ins documentation. This gave me a good head start to build and customize the add-in.

The View Quarantine add-in source files are available for free on my website here. The add-in consists of three files plus icons in various sizes for the different platforms.

Source File



An HTML "wrapper" that calls the JavaScript used by the add-in when the button is clicked.


The JavaScript functions that provide status and opens the end-user quarantine in a browser.


The real heart of the add-in. It defines the unique ID for the add-in and describes when to display the View Quarantine button and how the add-in functions.

assets folder

Contains six icon files of different sizes and opacity for Outlook, OWA, and Outlook mobile.

I'm currently in the process of publishing this add-in to the AppSource marketplace via the Microsoft Partner Center, which may take a week or so to certify. In the meantime, there are two ways you can try out the View Quarantine add-in now.

Option 1 -- Install via the Web

You can install the add-in from my website until Microsoft publishes it on AppSource.
  • Open Outlook and click the Get-Add-ins button in the ribbon.
  • Click My add-ins in the top left.
  • Click the + Add a custom add-in dropdown at the bottom of the window under Custom add-ins, then select Add from URL...
  • Enter the following URL: and click OK.

  • You will see a warning before installation. Click Install to install the add-in.

  • The add-in will now be listed under Custom add-ins. Note: To remove the View Quarantine add-in at any time, click the ellipses (...) and select Remove.
  • Close the Add-ins window to add it to the Outlook ribbon.

Option 2 -- Install from Source Files

You can also install the add-in using the manifest.xml file in my source files.
  • Download the View Quarantine source files from my website.
  • Extract the ZIP file to a local drive or network share.
  • Open Outlook and click the Get-Add-ins button in the ribbon (shown above).
  • Click My add-ins in the top left.
  • Click the + Add a custom add-in dropdown at the bottom of the window under Custom add-ins, then select Add from file...
  • Browse to the manifest.xml file and click Open.
  • You will see a warning before installation. Click Install to install the add-in.

  • The add-in will now be listed under Custom add-ins.
  • Close the Add-ins window to add it to the Outlook ribbon.

Deploying to All Users in the Organization

Once you're satisfied that the add-in is installed and working properly, you can deploy it to all users in your organization. Here's how to do that:
  • Open the Exchange Admin Center and navigate to Organization > add-ins.
  • Install the manifest file by clicking the + drop down button and do one of the following:
    • To install from the web, select Add from URL, enter, and click OK
    • To install from the source files, select Add from File, browse to the manifest.xml file you downloaded above, and click OK
  • After the add-in is installed, double-click the View Quarantine add-in to select how you want it deployed to users:
    • Optional, enabled by default (users can choose to remove it)
    • Optional, disabled by default (users can choose to enable it)
    • Mandatory, always enabled. Users can't disable this add-in.

I hope you enjoy this free add-in and you find it useful!

Read more ...

Notes and details on the eradication of Basic Authentication in Exchange Online

Wednesday, October 6, 2021

Unless you've been living under a rock, or are just blissfully unaware, Microsoft has been making a concerted push to remove Basic authentication from Exchange Online for some time.

There's a very good reason for this. Basic auth is a single factor authentication method (username/password), which is just too easy for the bad guys to guess and exploit. Modern Authentication, on the other hand, supports MFA and is much more secure. Disabling Basic auth in your tenant requires you to use Modern Auth for all authentication requests.

The trouble is that some legacy apps and clients still only use Basic auth. Fortunately, that list is getting shorter. As you may have read in the Microsoft Message Center or the Exchange Team Blog, Microsoft is currently disabling Basic auth in tenants that they've determined are not using it. I applaud this endeavor.

At a recent MVP meeting we discussed how this effort is being undertaken. Here are some notes and details on certain aspects that you might find useful or interesting.

  • Microsoft is examining tenants for actual Basic auth usage. They are not checking to see if the tenant has an Authentication Policy set or is using Conditional Access to block Basic authentication.
  • Basic auth is being disabled in the tenant configuration for all protocols except Autodiscover. Basic auth is required by Autodiscover for legacy (read, old) Outlook clients like Outlook 2013 and earlier. This alone is one of the best reasons to get off these old clients ASAP. See New minimum Outlook for Windows version requirements for Microsoft 365 starting November 1, 2021.
  • Basic auth for SMTP is being disabled for customers that don't use it by using the Set-TransportConfig -SmtpClientAuthenticationDisabled:$true command. Admins can reenable it by setting the value to $false. This setting can also be configured as a per-user setting, which is recommended. The user setting overrides the tenant setting.
  • Authentication Policies are the preferred way to disable Basic auth, rather than Conditional Access policies. CA policies only apply AFTER the user has already signed in.
  • You can use Authentication Policies to disable Basic auth for Autodiscover (and all other protocols). That means that if you may have two areas to check if you need to reenable Basic auth for a protocol -- the Auth Policy and the tenant configuration settings that Microsoft is using.
  • For a limited time, tenant admins can use the Basic Auth troubleshooter to run diagnostics and provide self-service options to reenable Basic auth for Exchange Online protocols such as POP3, IMAP4, Exchange ActiveSync, Exchange Web Services, Offline Address Book, MAPI, RPC and Remote PowerShell. Simply click the Help & Support button on any O365 portal and type Diag: Enable Basic Auth in EXO.

  • So far, they have disabled Basic auth in thousands of tenants since they started. Only 0.06% of tenants have reenabled Basic auth for a specific protocol, and all of them using the self-help troubleshooter.
  • Tenant admins can tell if Basic auth has been disabled in their tenant by connecting to Exchange Online PowerShell and running Get-OrganizationConfig | fl basic*. The BasicAuthBlockedApps property value will be 0 if Basic auth is still enabled or 255 if it's been fully disabled. This value is a bit mask for each of the following protocol values, totaling 255. Thanks to Greg Taylor for the secret decoder ring. 😊





Block Basic for Exchange ActiveSync



Block Basic for Exchange Web Services



Block Basic for POP3 Clients



Block Basic for IMAP4 Clients



Block Basic for PowerShell



Block Basic for MAPI Protocol



Block Basic for Offline Address Book



Block Basic for RPC Protocol


  • Be aware that if you've configured a client to connect using Basic auth (Outlook for Mac, for example), it will likely require you to reconfigure the client profile to use Modern Auth after Basic is disabled.
This information should be helpful in your "Death to Basic Auth" journey.

Read more ...

Time is running out for Comms vNext 2021

Wednesday, October 6, 2021
Do you manage the exciting Microsoft Teams collaboration workspace? Are you tired of the thin content of virtual conferences? Do you miss the in-person collaboration and relationship-building that only an in-person conference can bring? Then you should come to Comms vNext Reconnect on October 25-26, 2021 in Denver, CO!

Comms vNext is an independent, Community-led event, created and fashioned with the Community in mind.

Here, you will meet with leaders in the Microsoft Teams community to learn best practices and how to be successful in your engagements. This in-person event will be held at the  Renaissance Denver Central Park Hotel in Denver, Colorado, with special pricing for Comms vNext attendees.

Read more ...

IMPORTANT: AAD Connect versions 1.x will retire August 31, 2022

Friday, August 27, 2021

Microsoft released AAD Connect version on August 10, 2021 which included many important changes. Not the least of which is that the localDB database used by AADC was changed to SQL Server 2019. This means that AAD Connect version 2.x can only run on Windows Server 2016 or later, since that's a requirement for SQL Server 2019.

Today, Microsoft posted in the Azure Active Directory Connect version history that all 1.x versions of AAD Connect will be retired August 31, 2022, roughly one year after version 2.x was released.


On 31 August 2022, all 1.x versions of Azure Active Directory (Azure AD) Connect will be retired because they include SQL Server 2012 components that will no longer be supported. Either upgrade to the most recent version of Azure AD Connect (2.x version) by that date, or evaluate and switch to Azure AD cloud sync.

You need to make sure you are running a recent version of Azure AD Connect to receive an optimal support experience.

If you run a retired version of Azure AD Connect it may unexpectedly stop working and you may not have the latest security fixes, performance improvements, troubleshooting and diagnostic tools and service enhancements. Moreover, if you require support we may not be able to provide you with the level of service your organization needs.

Go to this article to learn more about Azure Active Directory Connect V2.0, what has changed in V2.0 and how this change impacts you.

Please refer to this article to learn more about how to upgrade Azure AD Connect to the latest version.

For version history information on retired versions, see Azure AD Connect version release history archive

A few notes on this announcement:

  1. "Retired" doesn't necessarily mean it won't work anymore, but I suspect Microsoft will eventually block it in the future. You should ALWAYS keep AAD Connect up-to-date for the best features, performance, and security.
  2. Although the announcement mentions evaluating and switching to Azure AD cloud sync, be aware that AAD cloud sync is not compatible with Exchange. See my article, How to Decide Between Azure AD Connect and Azure AD Connect Cloud Sync on the Practical365 blog. I also recorded a video podcast about AAD cloud sync with Steve Goodman from Practical365 here.
  3. Refer to my article, How to migrate AAD Connect to a new server for step-by-step instructions how to move AAD Connect to a new Windows 2016 Server using the latest version of AADC. There's really no better time to do it than now.

Read more ...

Where do those "# Questionable URLs detected in message" emails come from?

Monday, August 23, 2021

Exchange Online admins may receive emails from time-to-time with the line, "# Questionable URLs detected in message:". The email includes the SMTP headers, a text-only version of the original message, and the original message included as an attachment.

Where are these emails coming from and why are you getting them?

The answer lies within the User Submissions configuration in the Microsoft Defender portal ( Go to User submissions - Microsoft 365 security and check the Send the reported messages to: configuration.

The default and recommended setting is to send reported messages only to Microsoft, but you can reconfigure it to send to Microsoft and another email address in your organization.

This will send diagnostic info to both Microsoft and the internal email address you specified.

What isn't obvious is that Safe Links in Microsoft Defender for Office 365 (formerly ATP) uses the same configuration. When Safe Links detects questionable URLs in an email, that diagnostic information is sent the same way as User Submissions. So if you've configured User Submissions to send reported messages to an internal email address, you will get Safe Link reports to that address, too.

Read more ...

How to migrate AAD Connect to a new server

Wednesday, July 21, 2021

As I posted earlier, Microsoft has released Azure Active Directory Connect version 2.0.3, which now requires Windows Server 2016 or later. Customers running AAD Connect on Windows Server 2012 or Windows Server 2012 R2 will need to install a new copy of AADC on new Windows Server 2016 computer or later.

In this walk-through I will show you how to do this and migrate all your current settings to the new Windows 2016 server. These same steps can be used whenever you wish to move AADC to a new server.

The high-level steps are:

  • Export the existing AAD Connect configuration from the current server.
  • Install the latest version of AADC on a new or existing Windows Server 2016 computer.
  • Import the AADC configuration, put it into staging mode, and sync.
  • Uninstall AADC from the old server.
  • Remove the new server from staging mode.

Begin by exporting the AADC configuration on the current server. Open Azure AD Connect and select View or export current configuration.

Select View or export current configuration and click Next

Click the Export Settings button

The settings will be exported as a single JSON file in C:\ProgramData\AADConnect by default.
Copy this file to the new AAD Connect server.

Now login to the Windows Server 2016 or later computer where you want to install AADC. This can be either a new or existing domain-joined server.

Download the latest version of AAD Connect from and install it.

Start the AADC installer.

Select Customize since we're going to import the existing config.

Check Import synchronization settings and browse to the JSON file you copied from the old server.
Click Install to begin the installation.

The installer will walk you through setup using the existing config, similar to a manual upgrade.

Make sure Enable staging mode is checked, then click Install.

Installation will take a few minutes to complete and should look like this. Click Exit.

Open Computer Management on the new server and add the domain's Enterprise Admins group to the local ADSyncAdmins group so they can manage AAD Connect. Log off and back on to get the new management permissions.

You will notice that the two Azure AD Connect Health Sync services and the Microsoft Azure AD Sync service are now installed and running on the new server.

Open the Synchronization Service Manager client located at "C:\Program Files\Microsoft Azure AD Sync\UIShell\miisclient.exe". You will see that the initial full sync occured on the new server.

Now you're ready to complete the AAD Connect migration by uninstalling AADC from the old server and disabling staging mode on the new server.

Login to the old AADC server, open Programs and Features, and uninstall Microsoft Azure AD Connect.

Make sure to check "Also uninstall supporting components" and click Remove.

AADC is successfully uninstalled from the old server.

Now login to the new AADC server again and run Azure AD Connect to disable staging mode.

Select Configure Staging Mode and click Next.

Enter the tenant credentials for an admin who has Hybrid Identity Administrator or Global Admin rights.

Clear the checkbox to Enable staging mode and click Next.

Click Configure to disable staging mode and start the sync process.

Click Exit. The migration to the new AAD Connect server is now complete!

The final step is to delete the old MSOL_<guid> user account from Active Directory. You will find one MSOL_<guid> user account for each AADC installation. Uninstalling AADC does not remove the old account from AD.

Using Active Directory Users and Computers, find the MSOL accounts. They will be normally in the Users container by default. Examine the Description which will tell you which computer created each account.

Delete the MSOL_<guid> account that was created by the old AADC server.

Read more ...