Using the Office 365 Groups Send-as and Send-on-behalf feature

The capability to grant Send-as and Send-on-behalf permissions to an Office 365 Group is a straight forward process and clearly documented here.

Sending an email on behalf of an Office 365 Group via Outlook is the same familiar process as sending on behalf of another user – show the “From” field, click the “From” drop down, choose “other email address” and select the address. read more

Unable to run Office 365 / Exchange Hybrid Wizard – “Content was blocked because it was not signed by a valid security certificate”

Unable to run Office 365 / Exchange Hybrid Wizard – “Content was blocked because it was not signed by a valid security certificate”


From the Exchange Admin Center you run the Hybrid configuration setup


You are prompted to login to Office 365


You enter your credentials


And then receive this message / warning


You are unable to complete the Hybrid configuration


You can resolve this issue by installing the certificate as follows: read more

Error creating a public folder migration batch when the “Folder to Mailbox Map” CSV file has more than 1000 rows

Problem Description

Trying to migrate public folders from Exchange 2007 to 2013 using the batch migration process detailed here

On step 5, when running the New-Migration cmdlet to create the migration batch as follows

New-MigrationBatch -Name PFMigration -SourcePublicFolderDatabase (Get-PublicFolderDatabase -Server SERVER01) -CSVData (Get-Content Public_Folder_to_mailbox_map.csv -Encoding Byte) -NotificationEmails -BadItemLimit $BadItemLimitCount    read more

Mailbox Management & SSO after Office 365 Hybrid Migration

So you are coming to the end of an Exchange Online Hybrid migration, and are considering decommissioning the on-premise Hybrid Exchange server.  Are there any considerations that need to be taken into account?

By the end of the mailbox migrations, you may have configured Azure AD Sync and made the on-premises Active Directory the source of authority. Therefore, going forward, you must perform any required changes on the objects in the on-premises Active Directory and not in Office 365, as most attributes on  are read only. read more

Exchange Active Sync not working for some users due to Kerberos Token Bloat


  • You have deployed Exchange or are in the middle of a migration from an older version.
  • You discover that Active Sync is not working for some users, but it’s working fine for other users
    • In my case I was migrating from Exchange 2007 to Exchange 2013.

    Other Symptoms

    • HTTP Proxy Log contains the following error
      • WebExceptionStatus=ProtocolError;ResponseStatusCode=400;WebException=System.Net.WebException: The remote server returned an error: (400) Bad Request.


      The problem in my case was a Kerberos Token Bloat cause by the affected users being a member of a larger number of Active Directory Groups (in my case 150)

      As per this Technet article:

      “This issue may occur when the user is a member of many Active Directory user groups. When a user is a member of a large number of active directory groups the Kerberos authentication token for the user increases in size. The HTTP request that the user sends to the IIS server contains the Kerberos token in the WWW-Authenticate header, and the header size increases as the number of groups goes up.  If the HTTP header or packet size increases past the limits configured in IIS, IIS may reject the request and send this error as the response.” read more

Exchange 2013 – Event ID 17, 23 and 258 HealthMailbox: No role Assignments


The following 3 errors are filling up the application log

Event ID 17, 23 and 258

(Process w3wp.exe, PID 6828) “RBAC authorization returns Access Denied for user domain.local/Microsoft Exchange System Objects/Monitoring Mailboxes/HealthMailbox6abb348c643845acaee87941bd609e63. Reason: No role assignments associated with the specified user were found on Domain Controller dc.domain.local” read more

Exchange 2013 Server Component State Inactive

I came across a problem recently with an Exchange 2013 server component showing as inactive which had me puzzled for a while, but in the end was an easy fix.


The Exchange 2013 server OWAProxy component showing as inactive.  Further, running the Set-ServerComponentState to change the component state to active had no affect read more

Microsoft Exchange ActiveSync Error 500


On a new deployment of Exchange 2013, Active Sync is not working


  1. Mobile device fails to connect to mailbox “Unable to connect to server”
  1. You see the following error in the HTTP Proxy log:


  1. Also, in the application event log on your Exchange server you see Event ID 1053



Inheritance is disabled on the user account


As per this Microsoft KB article:

“The first time that a user tries to synchronize an EAS device, the Microsoft Exchange Server tries to create a container of the type msExchActiveSyncDevices under the user object in Active Directory Domain Services (AD DS). The Exchange Server then tries to change permissions on the container. read more

Microsoft Exchange DAG database copy queue length 9223372036854773269


As part of testing a new Exchange 2013 DAG before going into production, I was simulating different scenarios including server failure.  One of the 3 servers in the DAG was powered off.  Active databases failed over automatically to the other servers, and the databases mounted automatically. read more