kantver - Fotolia


Exchange updates improve ActiveSync client migrations

Exchange 2010 and 2013 now include a feature to automate mobile device reconfiguration during an Office 365 migration.

Mobile devices are a pain point during a mail migration to Office 365, but a new Exchange Server feature promises...

to fix that.

Although more organizations have started using mobile device management options, the majority of IT teams moving to Office 365 have to go through the pain of manually reconfiguring smartphones and tablets.

Exchange Server 2013 Cumulative Update 8 (CU8) and Exchange Server 2010 Service Pack 3 Rollup Update 9 (RU9) introduce a feature that, given the right set of circumstances, can make the switch happen automatically.

In theory, most ActiveSync clients can automatically reconfigure themselves to use Office 365. On the server-side, Exchange had never received an update to allow this to happen. Although it isn't supported by all clients, Exchange ActiveSync includes the ability to send the HTTP status code 451, which means the device is misconfigured. From Exchange 2007 onward, this let a server redirect ActiveSync clients to a better, more appropriate Client Access Server within the organization.

In an on-premises Exchange implementation, this allowed the ActiveSync client to update settings as mailboxes moved. For example, if employees relocated from the U.K. to the U.S., their mailboxes would often be moved. Their ActiveSync client would most likely connect via the U.K. however, so this feature gave the ActiveSync client an opportunity to update its settings.

A move to Office 365 in a hybrid Exchange environment isn't quite the same. When a mailbox moves from on-premises Exchange Server to Exchange Online, the change is similar to a cross-forest mailbox move -- those accounts may mirror your on-premises Active Directory (AD), but they're in Microsoft's own AD forests.

As a result, there was no technical mechanism built into Exchange to use its knowledge that the hybrid relationship was in place or to provide a similar redirection message to clients -- until now. Exchange 2010 SP3 RU9 and Exchange 2013 CU8 now include a feature that redirects the ActiveSync client to Office 365 after the mailbox migrates to Exchange Online.

How the ActiveSync updates work

After a mailbox migrates to Exchange Online, a Remote Mailbox object replaces it on-premises, effectively becoming a contact attached to an AD user account. The Remote Mailbox has something called the Remote Routing Address, which is used for numerous tasks, including mail routing, Autodiscover redirection and looking up federation. When a mailbox moves to Office 365, the domain in the end user's Remote Routing Address is matched with an Organizational Relationship. If the Organizational Relationship is in Office 365, the Office 365 URL is sent to the client as part of the 451 redirect (Figure 1). You can read more about how this works on the Exchange Team Blog.

451 redirect to Office 365
Figure 1

What Microsoft doesn't tell you is that this will not automatically work in all scenarios -- and by all scenarios, I mean most scenarios.

The vast majority of IT teams moving to Office 365 configure ActiveSync devices using the DOMAIN\username format rather than a valid Internet-routable User Principal Name (UPN). This creates an authentication issue when the client attempts to authenticate to Office 365 (Figure 2).

Office 365 authentication problem
Figure 2

The end result is straightforward: although the client updates with the right server name, someone must update the username/domain to reflect the Office 365 login ID before the client can sync. Otherwise, the new feature is fairly useless.

Get ready in advance

This new feature requires more than just a redirect to Office 365 to work; it requires the username to be in the right format, something that can't be implemented overnight without mobile device management.

It takes a substantial amount of time to implement the ActiveSync feature, so start preparing. If you're already working with Office 365, from today onward, configure all new devices connecting to on-premises Exchange to use the username that matches the Office 365 login ID -- the UPN. This will ensure that, at the very least, the new devices will automatically update.

Even if you haven't yet begun an Office 365 project, you can still prepare. This effort will also help Autodiscover work properly for mobile devices, so it has some side benefits.

Although every organization is different, 99% of properly configured hybrid Office 365 implementations will involve updating the UPN to match the Internet-routable Primary Email Address (Figure 3).

Update the UPN
Figure 3

This change will allow on-premises Autodiscover to work more smoothly for devices such as the iPhone because only the email address and password are required to complete setup. If Office 365 is a long way off for your organization, this also means that it's likely a high proportion of devices will be updated to use the new format when you migrate, simply through device replacements.

About the author:
Steve Goodman is an Exchange MVP and is the head of unified communications at the U.K.'s leading Office 365 partner. Steve has worked in the IT industry for 16 years and has worked extensively with Microsoft Exchange since version 5.5. Steve is the author of a number of books about Exchange, regularly presents at conferences, co-hosts The UC Architects podcast and regularly blogs about Exchange Server, Office 365 and PowerShell at

Next Steps

Public Folder, ActiveSync fixes in Exchange 2013 CU8

Exchange 2010 SP3 released, but migrations put on hold

How to use Exchange 2013 for MDM

Dig Deeper on Exchange Server setup and troubleshooting