The ability to send a notification to the recipient when a transport rule triggers. This is a request that we have received from a lot of customers, and I’m happy to let you know that it is now rolling out in the form of an action in EOP transport rules. Sweet!

Recipient Notifications

Let’s say you have a transport rule that quarantines all inbound messages with an executable attachment. In the past there was no way to automatically notify your users that a message destined to them had been redirected to the quarantine because of your transport rule. Now, with Recipient Notifications, your transport rules can send a notification to the recipient when they trigger.

Configuration

When creating a transport rule, you will notice a new action called “Notify the recipient with a message…”

 
As an example, if we want to quarantine messages destined to our users that contain executable content, and want to notify them when this happens, our transport rule could look like this.

 
In this rule contoso.com is our own domain. Here’s what the notification text looks like in the above rule.

A company policy blocked an inbound message to you - Executable content not permitted.<br><br>

Date: %%MessageDate%% UTC<br>
From: %%From%%<br>
To: %%To%%<br>
CC: %%Cc%%<br>
Subject: %%Subject%%

And here is what the notification looks like that the recipient will receive when this rule triggers.

 
You’ll notice that I was able to insert information from the original message into the notification using variables. Let’s look next at what customization is possible.

Notification customization

Variables can be added into the notification text to include information from the original message. The following variables are supported for recipient notifications.

Summary

If you don’t see the recipient notification action yet in your transport rules don’t panic. This feature only just lit up in my test tenant this past week and will still be rolling out. Enjoy this new capability!

Resources

TechNet documentation has not been updated yet, but once it has I will post links here.

On TechNet we publish the range of IP addresses that are used when sending mail out of a custom EOP connector. If you have created an EOP on-premises connector to deliver inbound mail to your on-premises mail environment, or an EOP partner connector to deliver mail to a partner, the IPs used in these situations are the ones we publish. These published ranges DO NOT include the IPs that are used to deliver mail that does not leave through a custom EOP connector.

Effective as of January 1, 2015, additional IP ranges have been added to support the growth of the service. For organizations that lock down their on-premises mail environment to only accept mail from EOP, you will need to allow these additional IP ranges. This also applies for organizations that accept mail from you through a custom EOP outbound connector, if they lockdown their inbound mail from you to the published EOP IP ranges.

As we have noted on the TechNet page, organizations that started using EOP prior to January 1, 2015, do not need to take immediate action, but we recommend that you add these new IP ranges to your environment as soon as you can.

As of today, January 6, 2015, the range of IPs used by custom EOP connectors are as follows.

23.103.132.0/22
23.103.144.0/22
23.103.191.0/24
23.103.198.0/23
23.103.200.0/21
23.130.136.0/21
64.4.22.64/26
65.55.83.128/27
65.55.88.0/24
65.55.169.0/24
94.245.120.64/26
104.47.0.0/17
134.170.132.0/24
134.170.140.0/24
134.170.171.0/24
157.55.133.160/27
157.55.158.0/23
157.55.206.0/23
157.55.234.0/24
157.56.73.0/24
157.56.87.192/26
157.56.108.0/24
157.56.110.0/24
157.56.111.0/24
157.56.112.0/24
157.56.206.0/24
157.56.208.0/22
207.46.51.64/26
207.46.100.0/24
207.46.101.128/26
207.46.163.0/24
213.199.154.0/24
213.199.180.128/26
216.32.180.0/24
216.32.181.0/24

2a01:111:f400:7c00::/54
2a01:111:f400:fc00::/54

Current EOP IP ranges for custom connectors can be found at the links below.

Resources

Exchange Online Protection IP addresses
Change notification for EOP IP addresses

This is typically a slow week for people, so what better time than to post something fun about Exchange Online Protection!

Back in May I presented a session on EOP at TechEd North America 2014 which took place in Houston. To be a little different, I wrote a poem about EOP which I read to kick the presentation off. I have always enjoyed poetry and thought I'd try something different by beginning my EOP session with some rhymes. Here's that poem.

Hello to you my TechEd friends,
Thank you for joining me here.
Today we will learn of a wondrous service,
And you'll see, there's nothing to fear.
 
Email can sometimes come with spam,
And if you're not careful, a computer infection.
Lucky for you, we can prevent those two,
With Exchange Online Protection.
 
EOP is a breeze to deploy,
There's really nothing to it.
Listen closely and don't leave early,
You'll soon learn how to do it.
 
Add one domain or up to nine hundred,
Then create a connector or two.
Now point your MX over to us,
And like that, we're protecting you.
 
Now let's begin this break out session,
Silence those phones in your pocket.
And next time you log in to O365,
You'll really be able to rock it.

If you are interested in watching the session, which covers configuration and some interesting tidbits about EOP, it can be viewed on Channel 9.

See you in the new year!

I only began this blog in June of this year and so it’s hard to believe that it is already six months old! Looking back over the past six months I have had a blast writing and sharing articles with the community and have received a lot of positive feedback. I have a long list of articles in the hopper that I haven’t got to yet and many more ideas for future posts. Please continue to leave comments on articles as I will always try to leave a reply, it just may not be immediate.

With that being said, I wanted to share the top 10 articles from this blog from this past year. I used to love watching David Letterman’s top 10 list, and if I had more of a budget I’d put together a list Letterman style. Alas, here‘s the list, TechNet style..

1. Outbound Connector Smart Host Behavior
2. P2 Headers Now Respected for End User Safe and Blocked Senders Lists
3. TLS, Connectors, and You
4. Prevent DLs From Receiving ESNs
5. Quarantine and PowerShell
6. On-Premises Delivery Failover
7. Is X-Microsoft-Antispam a New EOP Header
8. Remote Desktop Connection Manager updated to v2.7
9. The Resolver
10. Verifying ESN Delivery

I hope that you have a wonderful holiday season and keep up with me in the New Year!

Cheers!

Andrew

From my experience, a very small number of people actually choose PowerShell over the GUI (Graphical User Interface, ie. The Office 365 Portal). But once you get a grasp of PowerShell and write some scripts, you’ll see the light and going back to your old ways will be very hard. PowerShell has two big advantages. First, once you are proficient you’ll be able to pull and modify data much faster with PowerShell than going into the portal. Second, most managers aren’t PowerShell experts, so when you are working and have your PowerShell window open they will be extra impressed with you! Don’t worry, you can thank me later.

In this article I’m going to focus on using PowerShell to obtain message trace results within the past seven days. For messages older than seven days we need to run an extended message trace, or Start-HistoricalSearch.

Typical message trace run

Let’s start by running a typical message trace in EOP which returns all results for the past 48 hours.

 
In this view we can sort based on the columns presented to us and can double click for additional information. Now let’s look at how PowerShell can improve upon this experience.

Message trace using PowerShell

You’ll see below that I’m going to be piping my results to Out-GridView. If you have not used this cmdlet before, it essentially will launch a new interactive window where you can view the results. Let’s take a look.

The following script will return the message trace results of the last 48 hours.

$dateEnd = get-date
$dateStart = $dateEnd.AddHours(-48)

Get-MessageTrace -StartDate $dateStart -EndDate $dateEnd | Select-Object Received, SenderAddress, RecipientAddress, Subject, Status, ToIP, FromIP, Size, MessageID, MessageTraceID | Out-GridView 

Here is what the results look like.

 
Just like with the portal message trace, we can sort by clicking the column headers. Moving onto the differences, the first difference you’ll notice here is that there are more columns presented to us, and even nicer is that we can sort and filter on these extra columns which is something you can’t do in the portal message trace. For example, in the above screenshot, I have set a filter to only show me the messages that were larger than 12 MB, something that is not possible with the portal based message trace. Yes… now we are seeing some of the power!

Next let’s look for messages from the past 48 hours that have a Status of “Failed.” Here is our script.

$dateEnd = get-date
$dateStart = $dateEnd.AddHours(-48)

Get-MessageTrace -StartDate $dateStart -EndDate $dateEnd | Select-Object Received, SenderAddress, RecipientAddress, Subject, Status, ToIP, FromIP, Size, MessageID, MessageTraceID | Where {$_.Status -eq "Failed"} | Out-GridView

This shows that we have five failed messages from the last 48 hours. Now let’s pipe our results to Get-MessageTraceDetail to find out more information on the failed messages. Here’s our next script to do this.

$dateEnd = get-date
$dateStart = $dateEnd.AddHours(-48)

Get-MessageTrace -StartDate $dateStart -EndDate $dateEnd | Where {$_.Status -eq "Failed"} | Get-MessageTraceDetail | Select-Object MessageID, Date, Event, Action, Detail, Data | Out-GridView
 

And this will return the following:

Here I can see the status of those failed messages. “Hop count exceeded – possible mail loop.” In this situation, a message was destined for a mailbox that didn’t exist in the cloud, because of a connector problem the message kept looping around Exchange Online before it was finally rejected.

Also notice the Data column above. Here we can see a lot of extra information that is not present in the portal message trace.

<root><MEP Name="ConnectorId" String="To_DefaultOpportunisticTLS"/><MEP Name="DeliveryPriority" String="Normal"/><MEP Name="OutboundProxyTargetIPAddress" String="207.46.XXX.XXX"/><MEP Name="OutboundProxyTargetHostName" String="contoso.mail.protection.outlook.com"/><MEP Name="RecipientStatus" String="[{LRT=};{LED=554 5.4.6 Hop count exceeded - possible mail loop};{FQDN=};{IP=}]"/></root>

What’s highlighted in yellow is all the portal message trace will show. The rest of the data can only be obtained with PowerShell, or through an Extended Message Trace. We can see the IP that issued the 500 error, the connector that was used, and even the MX record where Exchange Online was trying to deliver the message to.

Let’s take a look at another example. This time we want to track a particular message based on its Message ID. An end user told us that a sent message resulted in an NDR so we already know it failed. The NDR provides us with the MessageID. Let’s run the following to get directly to the message trace details for this particular message.

Get-MessageTrace -MessageId c857c16bf46d4586a198ec089a710706@BN1AFFO11FD033.protection.gbl | Get-MessageTraceDetail | Select  MessageID, Date, Event, Action, Detail, Data | Out-GridView

Right away we can see the error “Unable to relay.” We can also see this message was tried to be delivered using TLS. What we are seeing here is most likely a connector problem.

Of course, you don’t have to use Out-GridView, I just find it sometimes handy for quick filtering of the results.

Lastly, the searches I have provided above are fairly open ended. The tenant I used has a very low number of message coming through it. If you are finding that Get-MessageTrace is taking too long to run or timing out, I would suggest making your search stricter. For example, here is how you would search for messages coming from joe@contoso.com between a particular time range.

Get-MessageTrace -SenderAddress john@contoso.com -StartDate “12/15/2014 21:00” -EndDate “12/15/2014 22:00”

Note that the time specified must be in UTC.

Other Benefits

PowerShell can be set to run automatically. One example would be to create a script which checks for messages with a status of “Failed.” Have a server run this script every hour and if you see a large number of results, have the script or the Scheduled Task send you an alert.

Summary

For those that have never used PowerShell before it can look a little scary. There are a lot of great tutorials online to get you started and once you get your feet wet you’ll start moving fast. Script once, run many times.

On the personal side, I have a PowerShell script to automatically log me into my tenant. Once connected, I have scripts that pull Transport Rules, Message Trace results, Connector information, and much more. This is often faster than logging directly into the portal.

Finally, I'd like to thank Brian, one of my customers, who gave me the idea for this post.

Happy scripting!

Resources

Connect to Exchange Online using remote PowerShell
Exchange Online cmdlets

Connect to Exchange Online Protection using remote PowerShell
Exchange Online Protection cmdlets

Run a Message Trace and View Results
Get-MessageTrace cmdlet
Get-MessageTraceDetail cmdlet