If you would like to read the other parts in this article series please go to:
- Managing Exchange Online using Server 2012 R2 Essentials Experience Role (Part 1)
- Managing Exchange Online using Server 2012 R2 Essentials Experience Role (Part 2)
- Managing Exchange Online using Server 2012 R2 Essentials Experience Role (Part 3)
- Managing Exchange Online using Server 2012 R2 Essentials Experience Role (Part 4)
Distribution Groups
Now that we have explored how to create, match and import user accounts, let us move on to Distribution Groups by selecting the Distribution Groups tab under USERS:
Figure 1
As I have not yet created any distribution groups, the pane is empty. However, if there were already distribution groups created in Office 365, they would appear here.
So let us start by creating one in Essentials. We start by clicking on Add a distribution group:
Figure 2
We then give it a name, description and e-mail address (selecting the right domain if we have multiple):
Figure 3
We choose which users should be members of the group:
Figure 4
And then click Next to create the distribution group:
Figure 5
The group now appears under Distribution Groups:
Figure 6
If we also check Exchange Online, we will see the group has been created in Office 365 as well:
Figure 7
Strangely enough, this is not a traditional Active Directory Distribution Group, so you will not see it or be able to manage it through Active Directory Users and Computers or Active Directory Administrative Center. You can only manage it through the Essentials Console or Exchange Online.
User Groups
The final tab under USERS that we will be looking at is User Groups. Through this screen, we can create and manage Office 365 Security Groups, which can be used for a variety of tasks, such as assigning permissions to resources in other hosted online services like SharePoint Online.
To create a new Office 365 security group, click on Add a new user group:
Figure 8
Give the new group a name and description:
Figure 9
Select the option to create a new security group in Office 365. Alternatively, we could also assign an existing Office 365 security group to this new group we are creating, basically matching them as we have done with user accounts:
Figure 10
Select which users will be members of the new group (notice that in here we can add several other users, such as accounts associated with on-premises Exchange mailboxes):
Figure 11
And click Next to create it:
Figure 12
If we now check the Office 365 Admin portal we will see the group we have just created:
Figure 13
And if we look at its membership, we will see that Nuno is a member:
Figure 14
As I mentioned, we can now use this security group to grant its members access to a SharePoint site for example:
Figure 15
ActiveSync Integration
Another advantage of integrating Essentials with Office 365 is the ability to manage the mobile devices that users connect to Exchange Online, namely requiring password protection when mobile devices connect to their mailbox in Exchange Online, and setting a minimum password length or the maximum number of failed sign-in attempts.
We are also supposed to be able to block or quarantine a particular mobile device from connecting to Exchange Online and wipe the device to delete any sensitive data the next time the device is turned on. However, as we will see at the end of this article, I have not been able to perform either of these two actions…
To manage ActiveSync settings, we navigate to DEVICES and then Mobile Devices:
Figure 16
From here, we basically have two main options:
Figure 17
Clicking on Modify the device policy allows us to modify the default Mobile Device Mailbox Policy of Exchange Online. Before we do that, let us log in to our Office 365 portal and open the Mobile Device Mailbox Policy of Exchange Online to see how it is currently configured:
Figure 18
Now, if we go back to our Essentials console and click on Modify the device policy, the Device policy settings screen will open but with no settings at all!
Figure 19
This is because, for some strange reason, Essentials does not read what is already configured in our default mobile device mailbox policy in Exchange Online (again, hopefully something to improve in the future)…
So let us configure the policy through Essentials. For this scenario, I configure most options to something different than what is already configured in Exchange Online:
Figure 20
By clicking on Advanced settings we get access to a few more ActiveSync settings, all of them self-explanatory:
Figure 21
We then click OK to save our changes. If we now check the ActiveSync policy in Exchange Online, we can see that it has been overwritten by what we configured in Essentials:
Figure 22
This means that changes made to the ActiveSync policy need to be made through Essentials as it will not read what is done/configured in Exchange Online, basically a one-way sync from on-premises to the cloud.
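Because Essentials overwrites the Exchange Online policy without reading it first, it is worth comparing the policy before and after saving from Essentials. The following is an added example, not part of the original article: it diffs two policy snapshots and flags settings that became weaker. The property names are those returned by Exchange Online's Get-MobileDeviceMailboxPolicy cmdlet; the sample values and the helper function names are constructed for illustration.

```powershell
# Added example: diff two snapshots of a mobile device mailbox policy and
# flag settings that became weaker. Sample objects below are constructed.
# In a connected Exchange Online session the snapshots would come from:
#   Get-MobileDeviceMailboxPolicy | Where-Object IsDefault
$before = [pscustomobject]@{   # constructed: policy as seen in Exchange Online
    PasswordEnabled = $true; AlphanumericPasswordRequired = $true
    MinPasswordLength = 8; MaxPasswordFailedAttempts = 5
    RequireDeviceEncryption = $true
}
$after = [pscustomobject]@{    # constructed: policy after saving in Essentials
    PasswordEnabled = $true; AlphanumericPasswordRequired = $false
    MinPasswordLength = 4; MaxPasswordFailedAttempts = 'Unlimited'
    RequireDeviceEncryption = $true
}

# Direction in which each setting gets stronger: 'True' = enabled is stronger,
# 'Higher' / 'Lower' = a larger / smaller number is stronger.
$stronger = [ordered]@{
    PasswordEnabled              = 'True'
    AlphanumericPasswordRequired = 'True'
    RequireDeviceEncryption      = 'True'
    MinPasswordLength            = 'Higher'
    MaxPasswordFailedAttempts    = 'Lower'
}

function ConvertTo-PolicyNumber($Value, $Direction) {
    # Empty / 'Unlimited' means "no limit": weakest value for either direction.
    if ($null -eq $Value -or "$Value" -in '', 'Unlimited') {
        if ($Direction -eq 'Higher') { return 0 } else { return [int]::MaxValue }
    }
    return [int]"$Value"
}

function Compare-PolicySnapshot($Before, $After) {
    foreach ($name in $stronger.Keys) {
        $old = $Before.$name; $new = $After.$name
        if ("$old" -eq "$new") { continue }          # unchanged setting
        $dir = $stronger[$name]
        if ($dir -eq 'True') { $weaker = ([bool]$old -and -not [bool]$new) }
        else {
            $o = ConvertTo-PolicyNumber $old $dir; $n = ConvertTo-PolicyNumber $new $dir
            $weaker = if ($dir -eq 'Higher') { $n -lt $o } else { $n -gt $o }
        }
        [pscustomobject]@{ Setting = $name; Before = "$old"; After = "$new"; Weakened = $weaker }
    }
}

Compare-PolicySnapshot $before $after | Format-Table -AutoSize
```

With the constructed samples, three settings are reported as changed and all three are marked as weakened; PasswordEnabled and RequireDeviceEncryption are unchanged and therefore not listed.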
Access Rules
If from the main screen we click on Edit access rules, we can explicitly block certain types of mobile devices from accessing Exchange Online. The type of mobile devices in the block list is defined by a combination of family (such as Android) and model (such as Nexus 4). This is useful when a certain type or family of devices has a known security vulnerability or if you want your users to only connect company-provided devices to Exchange Online.
Start by clicking on Edit access rules:
Figure 23
The following window will open:
Figure 24
However, clicking on the family and model drop-down boxes presents no results at all:
Figure 25
This is the same behavior as with Exchange Online and on-premises Exchange when they are first set up. The list of available options gets updated every time a new device connects to Exchange. In my case, after I connect a few devices to Exchange Online, their details will be registered and I am able to create access rules based on them:
Figure 26
However, this information is not replicated or read by Essentials… This means that unless devices have previously connected to an on-premises Exchange environment being managed by Essentials, we cannot use Essentials to manage them in Exchange Online. At first I thought this couldn’t be the case and that I was missing something, but after a few tests I still cannot manage any mobile device through Essentials… For the third time, hopefully something to get improved soon.
Other Tasks
What happens when a user leaves the organization, or we want to restrict the user’s access to Office 365 services? When managing users’ online accounts along with their user accounts in Windows Server Essentials, we have three options:
- Unassign the online account – if we want to keep a user from using Office 365 without preventing access to local resources, we should unassign the online account. The Office 365 license will be released and the user is blocked from signing in to Office 365. However, the server maintains the mapping between the user account name and the Office 365 email address:
Figure 27
- Deactivate the user account – if we deactivate a user account because an employee leaves, either temporarily or permanently, the user’s online account is also deactivated. The online account cannot be used, but the user data, including email, is retained in Microsoft Online Services:
Figure 28
- Remove the user account – if we remove a user account, the online account is also removed from Microsoft Online Services:
Figure 29
Please be aware that when an online account is removed, the user data is subject to the data retention policies of Microsoft Online Services. If you need to retain the user’s data after an employee leaves, deactivate the user account instead of removing it.
Conclusion
In this article series, we explored the capabilities of the Windows Server 2012 R2 Essentials Experience Role in managing Exchange Online. We saw how Essentials can easily create or match user accounts in Office 365, manage users’ licenses, add or remove email aliases, and even synchronize their passwords for a better user experience, all from a single user console without the need for an on-premises Exchange server.