Cloud-based mailbox storage and Exchange hybrid attack surface reduction with Teams calendar and Outlook Mobile

Secure Remote Work from Anywhere is the trend of 2021! This trend has forced more companies over to Microsoft Teams for meetings and wanting to utilize conditional access, MFA and Outlook Mobile for on-premises hosted users. They are not ready to migrate everything to Microsoft 365 but want to use the secure remote work components. Meetings in Teams and MFA for Outlook Mobile are the main drivers.

The questions are, what is stored in Microsoft 365 when the mailbox is still on-premises and can we limit the attack surface for Exchange on-premises in this setup? The answers has two parts.

Part 1: When user is still on-premises, does not use Outlook Mobile but uses calendaring in Microsoft Teams

The great news is that the Teams clients connects via the Teams Backend Service to EWS to get calendar data. This means that you do not need to expose the on-premises Autodiscover and EWS to the clients for calendaring in Teams to work. It is enough to limit access to known Microsoft IP ranges found in the Office 365 URLs and IP address ranges article. The Teams Backend Service will den relay the parsed calendar data to the Teams client requesting the data. I got this information from a very informative and detailed TechCommunit article by MVP Thomas Stensitzki Microsoft Teams and on-premises mailboxes: Part 2 – Teams Calendar App Troubleshooting. Also read How Exchange and Microsoft Teams interact for a general understanding

Nothing is stored in Microsoft 365 in this scenario, except for personal chat activity for compliance reasons. How can you know? You can run a content search against the user and verify that no calendar events are stored in Exchange Online. You can navigate to Microsoft 365 Compliance Center and go to Content Search and click New search. In the keyword field you type a title of a calendar event for the user you want to search. Then you find the actual user you want to search and click Save & Run. Note that you need to have Compliance Administrator role assigned to your admin user and you need and exchange license with online mailbox for result preview to work.

The result should be empty and you have validated that no calendar data is cached in the cloud-based mailbox. To see Teams chats and meetings stored for compliance reasons you can add Kind:MicrosoftTeam as a keyword. Then re-run the search and validate that you can find the Teams data stored for compliance reasons. The Add App Content for On-Premises Users checkbox specifies that you are searching the cloud-based mailbox of the user. Read more about this process here.

What is a cloud-based mailbox?

  • It is created to store compliance records for Microsoft Teams personal chat and meeting activity
  • It is not possible to log on or access the mailbox in any scenario
  • It requires at least an Exchange Online Plan 1 license assigned to the user
  • It is used to cache emails for 28 days when you use Outlook Mobile to access the on-premises mailbox
    • includes four weeks of email, all calendar data, all contact data, and out-of-office status, source
    • If you do a search further back than 28 days, the resulting data is stored for 1 day, source
    • Outlook Mobile on iOS caches attachment for only 7 days, source

Part 2: When user is still on-premises and uses Outlook Mobile

The Outlook Mobile client does not connect directly to the Exchange on-premises mailbox, but via the cloud-based mailbox. It uses the AutoDetect service, not to be confused with the on-premises Autodiscover URL, to connect to the on-premises mailbox. The cloud-based mailbox then uses Autodiscover to find the ActiveSync URL and syncs 28 days of the users mailbox data. If the user on Outlook Mobile does a search further back than 28 days, the cloud-based mailbox will cache the on-premises query results for one day before it is deleted. Read about the connection flow here

Source: Using hybrid Modern Authentication with Outlook for iOS and Android | Microsoft Docs

This means that you do not need to expose the on-premises Autodiscover and ActiveSync to the mobile clients directly. It is enough to limit access to known Microsoft IP ranges found in the Office 365 URLs and IP address ranges article. If you do a Content Search on a user that uses Outlook Mobile, you will find the cached data. Hybrid Modern Authentication (HMA) is a requirement for Outlook Mobile and on-premises mailboxes. HMA and Outlook Mobile explained are in detail in the Using hybrid Modern Authentication with Outlook for iOS and Android article.

Be aware of the following

  • Hybrid Modern Authentication prerequisites
  • The Outlook Mobile global address list (GAL) is based on objects synced to Azure AD
    • This means you need to sync out all objects that needs to be searchable from Outlook Mobile including shared mailboxes in Azure AD Connect
  • Meeting rooms needs to be synced out and if you use room finder, make sure you sync out the distribution lists building the room lists.
  • Recommendation is to migrate from Skype for Business Server to Teams if possible in this scenario
    • If that is not a possibility, make sure the Skype for Business client supports ADAL logon because it connects to Exchange On-Premises calendar through EWS which is set up with HMA
      • Use the AllowAdalForNonLyncIndependentOfLync setting as described here
    • If you are not migrating to Teams and want to use Skype for Business Mobile app, the recommendation is to set up HMA for Skype for Business Server too, as described in this article
      • This enabled MFA and conditional access to be utilized for the SfB mobile client
      • The mobile client still connects via the SfB reverse proxy so it still needs to be exposed to the internet, you cannot lock it down as you can for Exchange.
      • There is no support for Lync Server 2010 or 2013 in the hybrid environment when using HMA

What about desktops and secure remote work?

The Teams clients connect to the Teams Backend Service to get the calendar. Outlook however requires a direct connectivity to Exchange on-premises. The assumption is that VPN is used in these scenarios for desktops together with split tunneling so that Teams media and calendaring goes directly to cloud and does not put unnecessary load on internal infrastructure. If you want to expose your Outlook Web App outside of VPN, simplest solution is to use Azure AD Application proxy.


Can you lock down your on-premises environment for Exchange and use Secure Remote Work with Teams and Outlook Mobile? Yes! Absolutely. Is this the secure remote work approach we recommend moving forward for those not ready to migrate yet? Yes! Absolutely :)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.