Exchange Online (Office 365) – How to manage

Hello All,

Ahmad Yasin

This guide will discuss the main administrative tasks on exchange online, it will discuss the most important functions and options that the IT admins will use usually.

Note: You must have a little experience with earlier versions of exchange.

As you know, to access exchange online admin page you must be an administrator on office 365 cloud, then you must login in office 365 portal, follow this link:, enter user name and password then choose the exchange tab from the left pane in admin page.

First page will show an overview of exchange online, from the left pane choose recipient’s option:

Portal Page

Portal Page


In recipient’s page, six tabs will appear as discussed below:

Exchange Online Page

Exchange Online Page


Mailboxes: this tab show all users with their licensed mailboxes
Groups: it will show all groups in your environment (Distribution and security groups).
Resources: manage room and equipment’s mailboxes.
Contacts: create internal and external contacts.
Shared: create a shared mailboxes which will be shared between all members of Mailbox.
Migration: this is used to migrate from on premise to cloud and vice versa.

For A double click on User you will get 9 left tabs:

User Mailbox

User Mailbox

  • General: Basic information for user First name, Last Name and alias Name
  • Mailbox usage: Mailbox Free Space
  • Contact information: the all information for user Address, Street and Mobile phone … etc.
  • Organization: will show you Title, Department and Direct Manager
  • Email address: shows you user the SMTP
  • Mailbox feature: show you user policies: Sharing Policy, Retention Policy and Address Book Policy
  • Member of: shows you the Distribution Groups that include this recipient
  • MailTip: You can create a MailTip to display when people send email to this user
  • Mailbox delegation: Give user Permission to Send As, Send on Behalf and Full Access.

Now let’s discuss each points:

General: Basic information for user First name, Last Name and alias Name

General Option - User Mailbox

General Option – User Mailbox

Mailbox usage: it will show the used and free space in that Mailbox.

Mailbox Usage - User Mailbox

Mailbox Usage – User Mailbox

Contact information: the all information for user Address, Street and Mobile phone … etc.

Contact Information - User Mailbox

Contact Information – User Mailbox

Organization: will show you Title, Department and Direct Manager

Organization - User Mailbox

Organization – User Mailbox

Email address: shows you user the SMTP address and you can add or edit these addresses.

To add a new SMTP Address click (+):

Email Address - User Mailbox

Email Address – User Mailbox

Choose the Email Address Type and Enter the Alias Then Click OK:

New SMTP Email Address

New SMTP Email Address

A new email address will appear with small smtp word, small letters mean it’s secondary email address:

New Email Address Appears

New Email Address Appears


Mailbox feature: show you user policies: Sharing Policy, Retention Policy and Address Book Policy.

Mailbox Features

Mailbox Features

Member of: shows you the Distribution Groups that include this recipient.

Groups - User Mailbox

Groups – User Mailbox

MailTip: You can create a MailTip to display when people send email to this user.

MailTips - User Mailbox

MailTips – User Mailbox

Mailbox delegation: Give user Permission to Send As, Send on Behalf and Full Access.

Mailbox Delegation - User Mailbox

Mailbox Delegation – User Mailbox

The difference between delegation types as below:

Full Access   This permission allows a delegate to open a user’s mailbox and access the contents of the mailbox. However, assigning the Full Access permission doesn’t allow the delegate to send mail from the mailbox. You have to assign the delegate the Send As or the Send on Behalf permission to send mail.
The Full Access permission isn’t available when configuring permissions for groups.

  • Send As   This permission allows delegates to use the mailbox to send messages. After this permission is assigned to a delegate, any message that the delegate sends from the mailbox will appear to have been sent by the mailbox owner. However, this permission doesn’t allow a delegate to sign in to the user’s mailbox. It only allows users to open the mailbox. If this permission is assigned to a group, a message sent by the delegate will appear to have been sent by the group.
  • Send on Behalf   This permission also allows a delegate to use the mailbox to send messages. After this permission is assigned to a delegate, the From address in any message sent by the delegate indicates that the message was sent by the delegate on behalf of the mailbox owner.
    The Send on Behalf permission isn’t available when configuring permissions for shared mailboxes.Again let’s go back to the menus in Office 365 Exchange online part:

Groups: it will show all groups in your environment (Distribution and security groups).

Groups - Exchange Online

Groups – Exchange Online

Group types

Groups are used to collect user accounts, computer accounts, and other group accounts into manageable units. Working with groups instead of with individual users helps simplify network maintenance and administration.

There are two types of groups in Active Directory: distribution groups and security groups. You can use distribution groups to create e-mail distribution lists and security groups to assign permissions to shared resources.

Distributions groups

Distribution groups can be used only with e-mail applications (such as Exchange) to send e-mail to collections of users. Distribution groups are not security-enabled, which means that they cannot be listed in discretionary access control lists (DACLs). If you need a group for controlling access to shared resources, create a security group.

Security groups

Used with care, security groups provide an efficient way to assign access to resources on your network. Using security groups, you can:

  • Assign user rights to security groups in Active Directory

User rights are assigned to security groups to determine what members of that group can do within the scope of a domain (or forest). User rights are automatically assigned to some security groups at the time Active Directory is installed to help administrators define a person’s administrative role in the domain. For example, a user who is added to the Backup Operators group in Active Directory has the ability to backup and restore files and directories located on each domain controller in the domain.

This is possible because by default, the user rights  Back up files and directories and  Restore files  and directories are automatically assigned to the Backup Operators group. Therefore, members of this group inherit the user rights assigned to that group. For more information about user rights, see  User rights. For more information about the user rights assigned to security groups, see  Default groups.

You can assign user rights to security groups, using Group Policy, to help delegate specific tasks. You should always use discretion when assigning delegated tasks because an untrained user assigned too many rights on a security group can potentially cause significant harm to your network. For more information, see  Delegating administration. For more information about assigning user rights to groups, see  Assign user rights to a group in Active Directory.

  • Assign permissions to security groups on resources

Permissions should not be confused with user rights. Permissions are assigned to the security group on the shared resource. Permissions determine who can access the resource and the level of access, such as Full Control. Some permissions set on domain objects are automatically

assigned to allow various levels of access to default security groups such as the Account Operators group or the Domain Admins group. For more information about permissions, see  Access control in Active Directory.

Security groups are listed in DACLs that define permissions on resources and objects. When assigning permissions for resources (file shares, printers, and so on), administrators should assign those permissions to a security group rather than to individual users. The permissions are assigned once to the group, instead of several times to each individual user. Each account added to a group receives the rights assigned to that group in Active Directory and the permissions defined for that group at the resource.

Like distribution groups, security groups can also be used as an e-mail entity. Sending an e-mail message to the group sends the message to all the members of the group.

You can add new groups click on (+) and choose the type of group that you need to create:

Create New Group

Create New Group

Configure your new Distribution group: Display name, Alias and Email Address

New Distribution Group Configuration

New Distribution Group Configuration

Also you can choose the Approval type of Distribution Group

  • Open: Anyone can join this group without being approved by the group owners.
  • Closed: Members can be added only by the group owners. All requests to join will be rejected automatically.
  • Owner approval: All requests are approved or rejected by the group owners.
Groups - Approval Types

Groups – Approval Types

Shared: create a shared mailboxes which will be shared between all members of Mailbox.

Note: Shared Mailbox doesn’t need a license, but any user need to have an access on it must have a license.

Shared Mailbox

Shared Mailbox

You can add the shared mailbox from the (+) icon, fill Display name, Email address and Shared Mailbox Members, shared mailbox members will see the shared mailbox on their outlook.

Shared Mailbox Configuration

Shared Mailbox Configuration

Let’s go now to Permissions you will see the admin Roles and user roles and outlook web Apps Policies

Permissions Page

Permissions Page

Below is a quick overview of roles description:

Roles Group Part 1

Roles Group Part 2

Mail Flow tab you can manage some feature and the most important rules for exchange needed.

Mail Flow Page

Mail Flow Page

First of all, from this page you can click on the (+) button to add transports rules, so let’s take a quick look at transport rules components.

“You can use Exchange transport rules to look for specific conditions in messages that pass through your organization and take action on them. Transport rules are similar to the Inbox rules that are available in many email clients. The main difference between transport rules and rules you would set up in a client application such as Outlook is that transport rules take action on messages while they’re in transit as opposed to after the message is delivered. Transport rules also contain a richer set of conditions, exceptions, and actions, which provides you with the flexibility to implement many types of messaging policies.”

Transport Rule Components:

Each rule includes criteria (conditions and exceptions), actions, and properties:

  • Conditions Conditions specify the characteristics of messages to which you want to apply a transport rule action. Some conditions examine message fields or headers, such as the To, From, or Cc fields. Other conditions examine message characteristics such as message subject, body, attachments, message size, and message classification. Most conditions require that you specify a comparison operator, such as equals, doesn’t equal, or contains, and a value to match. If there are no conditions or exceptions, the rule is applied to all messages.For a complete list of transport rule conditions, see Transport rule conditions (predicates). The list of conditions is also available in the Transport rule dialog in the EAC. If you use the Shell, you can retrieve the list of conditions by using the Get-TransportRulePredicate cmdlet.
  • Exceptions Exceptions are based on the same characteristics used to build conditions. However, unlike conditions, exceptions identify messages to which transport rule actions shouldn’t be applied. Exceptions override conditions and prevent actions from being applied to an email message, even if the message matches all configured conditions.
  • Actions Actions are applied to messages that match all the conditions and don’t match any of the exceptions. There are many actions available, such as rejecting, deleting, or redirecting messages, adding additional recipients, adding prefixes in the message subject, or inserting disclaimers in the message body.For a complete list of transport rule actions available, see Transport rule actions. The list of actions is also available in the Transport rule dialog box in the EAC. If you use the Shell, you can retrieve the list of actions by using the Get-TransportRuleAction cmdlet.
  • Properties Properties specify when and how the rule should be applied, including whether to enforce or test the rule and the time period when the rule applies.

Multiple Conditions, Exceptions, and actions:
The following table shows how multiple conditions, condition values, exceptions, and actions are handled in a rule

Transport rule components

Transport rule components

Transport Rule Properties:

Each rule has the following properties:

  • The order in which the rules are processed. The rule with a priority of 0 is processed first, followed by the rule with a priority of 1 and so on. You can change the rule priority by adjusting the order of rules in the EAC or changing the priority of individual rules. For example, if you have one rule to reject messages that include a credit card number, and another one requiring approval, you’ll want the reject rule to happen first, and stop applying other rules.
  • The mode of the rule. This controls whether to enforce or test the rule:
    • Do all the actions (Enforce)
    • Don’t do actions that impact mail delivery, and notify the sender (Test with Policy Tips)You can notify the sender that they might be violating one of the rules—even before they send an offending message. You can accomplish this by configuring Policy Tips and setting the mode of the rule. Policy Tips are similar to MailTips, and can be configured to present a brief note in the Microsoft Outlook 2013 or Outlook Web App client that provides information about possible policy violations to a person creating a message. For more information, see Policy Tips.
    • Don’t do actions that impact mail delivery (Test without Policy Tips). This options is typically used for testing a newly created rule.

    For more information about the modes, see Test a transport rule.

  • Time period. You can specify the date and time to start and stop the rule.
  • Whether or not the rule is enabled. You might want to disable a rule until you are ready to test it.
  • Category for the rule reports. You can specify whether to include the rule in the rule reports, and how it should be categorized in the reports.
  • What to do if rule processing fails. You can specify whether to skip the rule if rule processing fails.
  • How to evaluate the sender address. You can specify whether any conditions related to the sender address match the value in the message header, message envelope, or both.

For more information follow this article from Microsoft:

So after click on (+) you can create the transport rule:

Create New Rules

Create New Rules


Configure your rule Name, Apply this rule (the Rule) and Do the Following … etc.
Below rule is an example to redirect all messages will be sent from internal to a mailbox of user called Waleed:

Transport Rule Configurations

Transport Rule Configurations

Now let’s go message trace and configure the trace options and click search to trace the message you want.

Message Tracing

Message Tracing

Also you can configure the sender or receiver of email you want to trace:

Message Tracing Options

Message Tracing Options


In mobile tab you can manage all mobiles connect with your environment, create polices for mobile devices.

Mobile Page

Mobile Page

Set up and manage mobile access for your users

Windows Phone, iPhone, iPad, Android, BlackBerry®, or other phones or tablets can be set up to send and receive Office 365 email, access calendar and contacts information, and share documents on SharePoint and OneDrive sites. Your users can also access their email on their phone or tablet by  signing  in to Outlook Web App.

Mobile device access is turned on by default. If, however, you want to use a BlackBerry device with Exchange ActiveSync, you’ll need to  enable BlackBerry® Business Cloud Services for BlackBerry  devices for an integrated email and calendaring experience.

As an administrator, you can  turn mobile access on or off and  tell your users how to set up their phone  or tablet.

After you allow email for users’ phones and tablets, you can remotely manage some phone features or options. For example, you can require passwords for your users’ devices.

Turn mobile access on or off

Exchange ActiveSync, which is turned on by default, turns on mobile access for Windows Phone, Apple iPhone and iPad, Android phones, and BlackBerry devices.

Change mobile access settings for devices using Exchange ActiveSync

Mobile access is allowed by default for Exchange ActiveSync. If you want to turn off or suspend access, or turn access back on, you can do the following.

  1.  Sign in to Office 365 with your work or school account.
  2.  Go to the Exchange admin center.
  3. In the Exchange admin center, select Mobile.
  4. Under Exchange ActiveSync Access Settings, select Edit.
  1. In the Exchange ActiveSync access settings dialog box, choose one of the following: o Allow access

Block access

o    Quarantine – Let me decide to block or allow later

After you’ve enabled Exchange ActiveSync, you can quarantine or set up rules for specific devices on the Mobile device access page.

Turn on BlackBerry Business Cloud Services

BlackBerry Business Cloud Services can be enabled only by global admins, but can be managed by global admins, service admins, and user management admins. For a more integrated email and calendaring experience on BlackBerry devices, you need to enable and manage BlackBerry Business Cloud Services.

  1.  Sign in to Office 365 with your work or school account.
  2.  Go to the Office 365 admin center.
  3. Go to Service settings > Mobile. Select Enable service.
  4. In the dialog box, select Yes, and then select Ok.
  5. You are now back on the Mobile page. Choose Manage to go to the BlackBerry Business Cloud Services website and set up your connection.

You can turn off BlackBerry Business Cloud Services by choosing Admin > Service settings > Mobile > Remove service.


In Office 365, you can create mobile device mailbox policies to apply a common set of policies or security settings to a collection of users. A default mobile device mailbox policy is created in every Office 365 organization.

Mobile polcies

Mobile polices

 Overview of mobile device mailbox policies

You can use mobile device mailbox policies to manage many different settings. These include the following:

  • Require a password
  • Specify the minimum password length
  • Require a number or special character in the password
  • Designate how long a device can be inactive before requiring the user to re-enter a password
  • Wipe a device after a specific number of failed password attempts

 Managing Exchange ActiveSync mailbox policies

Mobile device mailbox policies can be created in the Exchange Administration Center (EAC) or the Exchange Management Shell. If you create a policy in the EAC, you can configure only a subset of the available settings. You can configure the rest of the settings using the Shell.
For more interested topics for mobile devices , follow Microsoft Article:

Blogger …

Ahmad Yasin

Ahmad Yasin (MCSA office 365, MCSE, Messaging, Azure certified)

Ahmad Yasin in a Microsoft Cloud Engineer and the publisher of
AzureDummies blog. He also hold many certificates in office 365
and windows azure including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions
and MCSA office 365.

Find Ahmad at Facebook and LinkedIn



Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.