Ultimate Guide to Manage Office 365 Mailboxes in Multi-Geo
Multi-Geo is a feature in Office 365 that allows organizations to deploy and manage a single tenant with multiple locations or regions. It enables organizations to store their data in the region where they operate, helping them comply with data residency requirements, improve performance, and reduce latency. This blog will help you manage Office 365 mailboxes in Multi-Geo locations.
With Multi-Geo, organizations can manage their Office 365 mailboxes and support their users across different regions while ensuring compliance with local regulations. It benefits multinational organizations that need to manage data across different locations and comply with local laws and regulations. To manage Office 365 mailboxes in a Multi-Geo environment using PowerShell, you must connect to both the Exchange Online PowerShell module and Microsoft Graph PowerShell.
You can configure and use the Multi-Geo capabilities for your organization once you have purchased the Multi-Geo Capabilities in Microsoft 365 add-on SKU.
You can follow these steps to purchase the Multi-Geo Capabilities in Microsoft 365 add-on SKU for your Microsoft 365 subscription.
- Go to the Your products page under the Billing tab in the admin center.
- Select the product subscription you’re using for the mailbox. Click on “Find more add-ons in Purchase services” under the Add-ons section.
- Purchase the Multi-Geo Capabilities in Microsoft 365 add-on SKU.
You can use all Geographies with Exchange Online as soon as Multi-Geo has been enabled within Exchange Online for the Office 365 tenant.
Connecting to a specific Geo location in Exchange Online PowerShell is important because it allows administrators to manage Exchange Online resources located in that specific Geo location and to comply with data residency and privacy regulations.
Executing the PowerShell command below allows administrators to connect and manage Exchange Online mailboxes located in a specific Geographic region. This feature is particularly useful for organizations with users in different satellite locations requiring access to Exchange Online services.
Connect-ExchangeOnline -UserPrincipalName <AdminUPN> -ConnectionUri https://outlook.office365.com/powershell?email=<AnyUserUPNinSpecificGeo>
For example,
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com -ConnectionUri https://outlook.office365.com/powershell?email=[email protected]
Here, admin@contoso.com is the admin account, and [email protected] is a user account that resides in the target Geo-location where you want to connect.
To view all the configured Geo locations in Microsoft 365 Multi-Geo, execute the following PowerShell cmdlet.
Get-OrganizationConfig | Select -ExpandProperty AllowedMailboxRegions | Format-Table
Central Geo mailbox location is a mailbox region where mailboxes are created by default in a Multi-Geo environment. To view your tenant’s central Geo-location, run the following cmdlet in Exchange Online PowerShell.
Get-OrganizationConfig | Select DefaultMailboxRegion
You can retrieve the preferred data location and the mailbox database of a specific user by running the following ‘Get-Mailbox’ cmdlet.
Get-Mailbox -Identity <UPN> | Format-List Database,MailboxRegion
Note: If the location code of a mailbox database doesn’t match the mailbox region value, the mailbox will be automatically moved to the mailbox region. Exchange Online checks for any mismatches between these two values and puts the mailbox into a relocation queue to ensure that it’s moved to the correct Geo location.
To move an existing cloud-only mailbox to a specific Geo-location in Exchange Online, you can use the ‘Update-MgUser’ cmdlet.
Update-MgUser -UserId <UPN> -PreferredDataLocation <GeoLocationCode>
This cmdlet is only applicable for moving the cloud-only mailboxes to specific satellite Geo locations and cannot be used for moving on-premises or synced mailboxes.
Note: You can also use the MSOnline module or the Azure AD module instead of MS Graph PowerShell. However, MS Graph PowerShell is recommended, since Microsoft has announced the deprecation of the MSOnline and Azure AD PowerShell modules.
To create a new mailbox in a Geo-location, follow these steps.
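The relocation note and the PreferredDataLocation change described above can be checked per mailbox for data residency. The following is an added example, not code from the original post: the function name Test-MailboxGeoPlacement and the sample records are made up for illustration, and it assumes that database names begin with the three-letter Geo location code and that an empty PreferredDataLocation means the central Geo.

```powershell
# Added example (not from the original post): classify each mailbox's Geo placement.
function Test-MailboxGeoPlacement {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Mailbox,        # UserPrincipalName, Database, MailboxRegion
        [Parameter(Mandatory)] [hashtable] $PreferredDataLocation, # UPN -> PreferredDataLocation (from Graph)
        [Parameter(Mandatory)] [string] $DefaultRegion             # DefaultMailboxRegion of the tenant
    )
    process {
        $pdl = $PreferredDataLocation[$Mailbox.UserPrincipalName]
        # Assumption: an empty PreferredDataLocation means the central Geo is expected.
        $expected = if ([string]::IsNullOrEmpty($pdl)) { $DefaultRegion } else { $pdl }
        # Assumption: the database name begins with the three-letter Geo location code.
        $db = [string]$Mailbox.Database
        $dbGeo = if ($db.Length -ge 3) { $db.Substring(0, 3) } else { '' }
        $status = if ($Mailbox.MailboxRegion -ne $expected) {
            'RegionMismatch'      # MailboxRegion has not picked up the directory value
        } elseif ($dbGeo -ne $Mailbox.MailboxRegion) {
            'PendingRelocation'   # database and region differ: mailbox is waiting to move
        } else {
            'OK'
        }
        [pscustomobject]@{
            UserPrincipalName = $Mailbox.UserPrincipalName
            Expected          = $expected
            MailboxRegion     = $Mailbox.MailboxRegion
            DatabaseGeo       = $dbGeo
            Status            = $status
        }
    }
}

# Constructed sample records standing in for Get-Mailbox output (names are made up).
$sampleMailboxes = @(
    [pscustomobject]@{ UserPrincipalName = 'anna@example.test'; Database = 'EURPR00DG001-db001'; MailboxRegion = 'EUR' }
    [pscustomobject]@{ UserPrincipalName = 'ben@example.test';  Database = 'NAMPR00DG002-db002'; MailboxRegion = 'EUR' }
    [pscustomobject]@{ UserPrincipalName = 'chen@example.test'; Database = 'NAMPR00DG003-db003'; MailboxRegion = 'NAM' }
)
$samplePdl = @{ 'anna@example.test' = 'EUR'; 'ben@example.test' = 'EUR'; 'chen@example.test' = 'APC' }

$sampleMailboxes |
    Test-MailboxGeoPlacement -PreferredDataLocation $samplePdl -DefaultRegion 'NAM' |
    Where-Object Status -ne 'OK' | Format-Table

# Live use after Connect-ExchangeOnline and Connect-MgGraph:
#   $pdlMap = @{}
#   Get-MgUser -All -Property UserPrincipalName,PreferredDataLocation |
#       ForEach-Object { $pdlMap[$_.UserPrincipalName] = $_.PreferredDataLocation }
#   Get-Mailbox -ResultSize Unlimited | Test-MailboxGeoPlacement -PreferredDataLocation $pdlMap `
#       -DefaultRegion (Get-OrganizationConfig).DefaultMailboxRegion
```

With the sample data, the second record is reported as PendingRelocation and the third as RegionMismatch; the mismatch rows are the ones to review against your data residency requirements.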
1. First, you have to create a user in the respective Geo-location using the MS Graph PowerShell. Run the following cmdlet to create a new user in the specific Geo-location.
$params = @{
    accountEnabled = $true
    displayName = "<DisplayName>"
    mailNickname = "<MailNickName>"
    userPrincipalName = "<UPN>"
    PreferredDataLocation = "<GeoLocationCode>"
    UsageLocation = "<Country/RegionCode>"
    passwordProfile = @{
        forceChangePasswordNextSignIn = $true
        password = "<Password>"
    }
}
New-MgUser -BodyParameter $params
2. After the creation of the user in a specific satellite Geo, you have to assign a mailbox license. To assign a mailbox license using MS Graph you must know the “SKUid” of the particular license. You can use the ‘Get-MgSubscribedSku’ cmdlet to list the licenses available in your organization with “SKUid”.
3. After the identification of “SKUid” for the particular license you can assign a license to a user using the following cmdlet.
Set-MgUserLicense -UserId <UPN> -AddLicenses @{SkuId = "<SKUid>"} -RemoveLicenses @()
Replace “UPN” with the user identity and “SKUid” with the license ID.
For example,
Set-MgUserLicense -UserId [email protected] -AddLicenses @{SkuId = "c42b9cae-ea4f-4ab7-9717-81576235ccac"} -removeLicenses @()
In the above example, the user “[email protected]” is assigned a license with the SKU ID “c42b9cae-ea4f-4ab7-9717-81576235ccac” (Developer Pack E5).
To move on-premises mailboxes directly to a specific Geo location using PowerShell, follow these steps.
1. Verify that the PreferredDataLocation attribute in Azure AD is set to the desired value for the user you are going to move. The PreferredDataLocation value will be synchronized to the MailboxRegion attribute of the corresponding mail user in the respective Geo location.
2. Connect to the respective satellite Geo location in PowerShell as described above.
3. Store the on-premises mailbox administrator credentials to a variable using the below cmdlet.
$Credential = Get-Credential
4. Now create a new move request using the ‘New-MoveRequest’ cmdlet like the following example.
New-MoveRequest -Remote -RemoteHostName mail.contoso.com -RemoteCredential $Credential -Identity [email protected] -TargetDeliveryDomain <YourAppropriateDomain>
Where mail.contoso.com represents the on-premises hostname, [email protected] represents the on-premises user and “YourAppropriateDomain” represents the Exchange Online domain name.
Error in Hybrid Synced Mailbox: If the organization is running a hybrid synced configuration with Exchange Server, moving a mailbox to a specific Geo location may require additional configuration steps or adjustments to the hybrid deployment to ensure proper mailbox routing and synchronization.
The following are the limitations to consider while changing your tenant to a Multi-Geo tenant.
- Limitations in Security and Compliance Features: Security and compliance features available in the Exchange admin center (EAC) aren’t available in multi-Geo organizations. You can use those features using the Microsoft 365 Security & Compliance Center.
- Temporary Loss of Access to Mac Users: Outlook for Mac users may experience a temporary loss of access to their Online Archive folder while you move their mailbox to a new Geo-location.
- Restriction to Share Mailbox Folders Across Geo Locations in OWA: Users can’t share mailbox folders across Geo locations in Outlook on the web. Note: You can use Outlook on Windows for mailbox folder sharing in Cross-Geo locations.
- Limitations in Mailbox Auditing: Cross-Geo mailbox auditing is not available in a Multi-Geo environment. This means that if a user is granted access to a shared mailbox located in a different Geographical location, any actions they take within that mailbox will not be recorded in the mailbox audit log of the shared mailbox.
- Public Folder Restrictions: Public folders must remain in the central Geo-location. You can’t move public folders to satellite Geo-locations.
- Restriction with Archive Mailbox: When you move a mailbox from one location to another in a Multi-Geo environment, the respective archive mailbox also moves along with it. It’s important to note that the primary mailbox and archive mailbox of a user cannot reside in two different Geo-locations simultaneously.
- Latency Issues: Moving a mailbox from one Geo location to another can take some time and may be impacted by network latency issues, which can cause delays in mailbox access or synchronization.
- Compliance and Regulatory Restrictions: Certain Geo-locations may have specific compliance or regulatory requirements that limit the use of certain Exchange Online features or settings. This can impact the ability to move a mailbox to that specific Geo location or restrict certain operations on the mailbox.
In conclusion, by using the capabilities of Multi-Geo, organizations derive significant benefits from managing data across different locations and complying with local laws and regulations. Additionally, it is crucial to monitor Exchange Online activities to ensure that data is used and stored securely and compliantly. AdminDroid is an excellent option for monitoring Exchange Online, offering improved visibility, risk reduction, increased efficiency, and enhanced compliance.
AdminDroid Exchange Online Auditing offers extensive auditing reports that provide valuable insights for Office 365 mailbox. These reports cover Office 365 mailbox activities, access permissions, and configuration changes, overcoming the inherent challenges of using native mailbox auditing tools. This provides the following audit reports regarding Exchange Online activities.
- Mailbox Access Audit
- Mailbox Activities
- Non-Owner Mailbox Accesses
- Mailbox Permissions Changes
- Microsoft 365 Mailbox Management Activities
- Office 365 Advanced Threat Protection Configuration Changes
- Microsoft 365 Groups, Contacts, and Public Folders Audit
- Exchange & Mail Flow Configuration Changes, and more
As icing on the cake, the AdminDroid Exchange reporting tool contains info on inactive mailboxes, mailbox usage, permissions, forwarding configurations, Exchange settings, etc. with in-depth details, graphical representation, and advanced filters. With this handy tool, you can get the following Exchange Online insight reports with a few clicks.
- Exchange Online Mailbox Information
- Mailbox Usage Reports
- Mailbox Forwarding Reports
- Mailbox Permission Reports
- Exchange Online Group Reports
- Archived, Inactive, On Hold Mailbox reports
- Exchange Online Audit Settings
- Mailbox Protocol Reports
Are you still curious about why AdminDroid? Here is the explanation for you.
AdminDroid Exchange Online management provides 170+ reports to track, schedule, and get alerts on suspicious Exchange Online activity with vivid graphs and crystal-clear stats. In addition, AdminDroid provides 1800+ all-inclusive reports and over 30 dashboards for Office 365 reporting, auditing, analytics, usage statistics, security & compliance, etc.
You can explore all the features and functionalities of AdminDroid with the free 15-day premium edition. So, don’t wait, download AdminDroid and unlock powerful insights into your Microsoft 365 environment.
I hope that by following these best practices, you can manage Office 365 mailboxes in a Multi-Geo environment effectively across different regions while maintaining data privacy and compliance. Multi-Geo reporting is also essential for effective mailbox management in a satellite Geo location. Feel free to reach us in the comments section for any assistance.