Ceyhun KIRMIZITAS

In Exchange Hybrid environments, it is common to use mail flow rules to add an external disclaimer or warning banner to messages received from outside the organization. A typical warning may look like this: WARNING: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender. This is a good security control. It helps users identify messages that came from external sources. However, there are some scenarios where messages generated by internal application servers may also receive this external disclaimer. This usually happens when an internal application server submits email anonymously to Exchange Server on-premises, and Exchange then routes the message to Exchange Online. In this article, we will look at how to handle this scenario safely by using a custom header…

Microsoft recently published guidance for Exchange Server addressing the May 2026 vulnerability. One important note in the article is related to OWA Light. Microsoft states that OWA Light — accessed by using an OWA URL ending with /?layout=light — does not work properly after the mitigation is applied. Microsoft also notes that this feature was deprecated several years ago and is not intended for regular production use. This can become a practical issue if some users previously selected the following option in Outlook on the web: "Use the light version of Outlook" When this option is selected, the user may continue to be redirected to the Light version of OWA even when accessing the normal OWA URL. Example URLs: https://mail.contoso.com/owahttps://mail.contoso.com/owa/?layout=light The Issue In the lab I confirmed the following behavior:…

In Exchange Hybrid environments, shared calendar behavior after mailbox migration is often misunderstood. Many assume that calendar access breaks when a mailbox is moved to Exchange Online. In reality, the outcome depends on how permissions were configured before the migration. This article walks through a controlled scenario and shows exactly what happens. Scenario We use two users: buser01@onpremx.com bmuser01@onpremx.com Initial state: Both mailboxes are on on-prem Exchange Users can access each other’s calendars Step 1 – Test Default Behavior (On-Prem → On-Prem) Without assigning any permissions: Add calendar in Outlook Calendar is added successfully Only free/busy information is visible No subject or details This is expected. Default calendar permission: PowerShellAvailabilityOnlyAvailabilityOnly Step 2 – Check Existing Permissions Verify current permissions: PowerShellGet-MailboxFolderPermission bmuser01:\Calendar Get-MailboxFolderPermission buser01:\CalendarGet-MailboxFolderPermission bmuser01:\Calendar Get-MailboxFolderPermission buser01:\Calendar Typical result: No explicit…