This chapter covers Exchange Online, Microsoft's cloud-hosted email, calendar, and contacts solution within Microsoft 365. For the MS-900 exam, understanding Exchange Online is critical because it is a core workload tested under Objective 2.2 (Describe the productivity solutions of Microsoft 365). Expect 5-10% of exam questions to touch on Exchange Online features, licensing, security, and deployment options. This chapter will provide the depth needed to answer scenario-based questions about mail flow, protection, and coexistence.
Imagine a large company's central post office. Every employee has a personal mailbox (mailbox database) with a unique address (SMTP address). The post office has a sorting room (Exchange Online Protection) that scans all incoming and outgoing mail for spam (junk mail) and malware (bombs). The postmaster (Exchange admin) can set rules: for example, automatically forward all mail from a specific sender to a legal department (transport rules). Employees can access their mail via a web portal (Outlook on the web) or a dedicated mail app (Outlook desktop/mobile). When an employee sends a letter, it goes to the post office's outgoing dock (outbound connector), which hands it to the national postal service (the internet). Incoming letters arrive at the inbound dock (inbound connector) and are sorted into the correct employee's mailbox. The post office also offers shared mailboxes for teams (like a department's mailbox that multiple people can read), resource mailboxes for meeting rooms (a calendar that auto-accepts bookings), and public folders for announcements (a bulletin board everyone can see). Just as a real post office must manage storage space (mailbox quotas), scan for dangerous items, and enforce delivery rules, Exchange Online does all this for your organization's email.
What is Exchange Online?
Exchange Online is Microsoft's Software-as-a-Service (SaaS) email server hosted in Azure datacenters. It provides enterprise-grade email, calendaring, contacts, and tasks with a 99.9% uptime SLA (service level agreement). It replaces on-premises Exchange Server, eliminating hardware maintenance, patching, and disaster recovery. Exchange Online uses a multi-tenant architecture: each customer's data is logically isolated but shares the same infrastructure. The service is accessible via multiple protocols: MAPI/HTTP for Outlook, Exchange Web Services (EWS) for custom apps, IMAP4/POP3 for legacy clients, SMTP for mail transport, and ActiveSync for mobile devices.
How Mail Flow Works Internally
When a user sends an email from Outlook, the message is submitted to Exchange Online via MAPI/HTTP. Exchange Online first checks the message against organization-wide transport rules (also known as mail flow rules). These rules can apply actions like adding a disclaimer, redirecting to a manager, or blocking the message. Next, the message is scanned by Exchange Online Protection (EOP) for spam, malware, and policy violations. EOP uses multiple engines: Microsoft's proprietary machine learning filters, third-party signature-based antivirus, and URL detonation for links. After scanning, the message enters the routing pipeline. If the recipient is in the same Exchange Online tenant, the message is delivered directly to the recipient's mailbox database. If the recipient is external, the message is routed through an outbound connector to the mail server named in the DNS MX record of the recipient's domain. Inbound mail follows the reverse path: external senders query the organization's MX record (typically contoso-com.mail.protection.outlook.com), which points to Microsoft's datacenters. The message enters via an inbound connector, is scanned by EOP, and is then delivered to the recipient's mailbox.
Key Components and Defaults
Mailbox: Each user gets a mailbox with a default storage quota of 50 GB for Exchange Online Plan 1, 100 GB for Plan 2 (E3/E5). Archive mailboxes (auto-expanding up to 1.5 TB) are available with Plan 2 or Exchange Online Archiving add-on.
Mailbox Database: Exchange Online uses a distributed database system with multiple copies across datacenters for redundancy. The service automatically fails over without user impact.
Accepted Domains: These are SMTP domains that Exchange Online accepts email for. You can add custom domains (e.g., contoso.com) and set the domain type as Authoritative (default), Internal Relay, or External Relay.
Connectors: Inbound and outbound connectors define how mail flows between Exchange Online and on-premises servers (hybrid deployments) or third-party email systems. Connectors enforce TLS encryption and specify smart host routing.
Transport Rules: Also called mail flow rules, these apply actions to messages based on conditions (e.g., sender, recipient, subject, attachment). Up to 300 rules per tenant, processed in order.
Exchange Online Protection (EOP): The built-in anti-spam and anti-malware service. Default spam confidence level (SCL) threshold is 5 (messages with SCL 5-9 are marked as spam). High-confidence phishing messages are automatically quarantined. Malware is also quarantined with notifications to admins.
Outlook on the Web (OWA): Browser-based email client with a simplified interface. Users can access via outlook.office.com.
Outlook Desktop: Full-featured client that uses MAPI/HTTP. Requires a Microsoft 365 license.
Mobile Access: Exchange ActiveSync (EAS) allows mobile devices to sync email, calendar, and contacts. Conditional Access policies can require device compliance.
Litigation Hold & eDiscovery: Mailboxes can be placed on hold to preserve all content (including deleted items). eDiscovery search allows admins to search across mailboxes for legal or compliance purposes.
Mailbox Types: User mailbox (individual), shared mailbox (multiple users, no license needed up to 50 GB), resource mailbox (room/equipment, auto-accepts meeting requests), and public folder mailbox (hierarchical public folders for shared access).
Configuration and Verification Commands
Exchange Online management is primarily done via the Exchange admin center (EAC) or Exchange Online PowerShell (EXO V2 module). Common PowerShell cmdlets:
- Get-Mailbox - Lists all user mailboxes.
- Set-Mailbox -Identity user@contoso.com -ProhibitSendQuota 49GB - Changes send quota.
- New-InboundConnector -Name "FromOnPrem" -SenderDomains * -SenderIPAddresses 192.168.1.0/24 -RequireTLS $true - Creates inbound connector.
- Get-TransportRule - Lists transport rules.
- Set-OrganizationConfig -AllowPlusAddressInRecipients $false - Disables plus addressing.
- Test-Mailflow - Tests mail flow from on-premises to Exchange Online.
- Get-MessageTrace - Shows message tracking data for last 90 days.
Interaction with Related Technologies
Microsoft 365 Groups: Exchange Online provides the mailbox and calendar for each Microsoft 365 Group. Group conversations are stored in the group's mailbox.
SharePoint Online: Email can be received and stored in SharePoint document libraries via incoming email settings.
Teams: Exchange Online provides the calendar for Teams channel meetings and supports email integration (e.g., sending an email to a channel).
Azure AD: Authentication for Exchange Online uses Azure AD. Conditional Access policies control access based on user, device, and location.
Microsoft Purview: Compliance features like retention policies, eDiscovery, and sensitivity labels are applied to Exchange Online mailboxes.
Hybrid Deployment: In a hybrid configuration, Exchange Online and on-premises Exchange Server coexist. Mail flow is routed through connectors, and free/busy information is shared via the Hybrid Configuration Wizard. A Hybrid Agent (newer) or Edge Transport server handles mail flow.
Licensing
Exchange Online is included in Exchange Online Plan 1 (standalone or with Business Basic/Standard) and Plan 2 (with E3/E5). Plan 1 has a 50 GB mailbox; Plan 2 has a 100 GB mailbox and unlimited archive. Additional features like eDiscovery, litigation hold, and retention policies require Plan 2 or E5. Exchange Online Kiosk (2 GB mailbox) is available for frontline workers. Microsoft 365 Business Basic includes Exchange Online Plan 1; Business Standard includes Plan 1 plus desktop Outlook; Business Premium includes Plan 1 with advanced security.
User sends email from Outlook
The user composes a message and clicks Send. Outlook (or OWA) submits the message to Exchange Online via MAPI/HTTP. The client authenticates using OAuth 2.0 against Azure AD. Exchange Online receives the message and assigns a unique message ID. The message is initially stored in the sender's Sent Items folder and simultaneously processed for transport.
Transport rules and policy evaluation
Exchange Online evaluates the message against all active transport rules (mail flow rules) in order. Conditions such as sender, recipient, subject keywords, or attachment type are checked. If a rule matches, actions are applied (e.g., add a disclaimer, redirect to a moderator, or reject the message). Rules can also generate incident reports or apply compliance labels. This step happens before any spam filtering.
Anti-spam and anti-malware scanning by EOP
The message is routed through Exchange Online Protection. EOP performs multiple scans: 1) Connection filtering checks sender IP reputation against Microsoft's dynamic IP allow/block lists. 2) Content filtering evaluates the message body and headers using machine learning models, assigning a spam confidence level (SCL) from -1 (not spam) to 9 (definite spam). 3) Malware scanning uses multiple antivirus engines, including Microsoft Defender for Office 365. If malware is detected, the message is quarantined and not delivered. If SCL >= 5, the message is marked as spam and either delivered to Junk Email folder or quarantined based on policy.
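An added example, not part of the original chapter: EOP records its content-filtering result in the `X-Forefront-Antispam-Report` message header (a header name not mentioned above), so the SCL threshold described here can be checked when triaging a delivered message. The sample messages are constructed, and the function names and verdict labels are illustrative assumptions.

```python
from email import message_from_string
from email.policy import default

SPAM_THRESHOLD = 5  # the page's default: SCL 5-9 is marked as spam

# Constructed sample messages (not real mail). The "spam" header is folded
# across two lines and the "skipped" one carries an IPv6 connecting IP.
SAMPLES = {
    "clean": "From: a@example.org\r\nSubject: hi\r\n"
             "X-Forefront-Antispam-Report: CIP:203.0.113.10;SCL:1;SFV:NSPM;\r\n\r\nbody\r\n",
    "spam": "From: b@example.net\r\nSubject: offer\r\n"
            "X-Forefront-Antispam-Report: CIP:198.51.100.7;CTRY:US;\r\n"
            " SCL:6;SFV:SPM;\r\n\r\nbody\r\n",
    "skipped": "From: c@example.com\r\nSubject: invoice\r\n"
               "X-Forefront-Antispam-Report: CIP:2001:db8::25;SCL:-1;SFV:SKN;\r\n\r\nbody\r\n",
    "no_header": "From: d@example.com\r\nSubject: none\r\n\r\nbody\r\n",
}


def parse_report(raw_message):
    """Return the report's KEY:value fields as a dict, or None if the header
    is absent or appears more than once (ambiguous, so not trusted)."""
    msg = message_from_string(raw_message, policy=default)
    values = msg.get_all("X-Forefront-Antispam-Report") or []
    if len(values) != 1:
        return None
    fields = {}
    for part in str(values[0]).split(";"):
        key, sep, val = part.strip().partition(":")  # first colon only (IPv6-safe)
        if sep:
            fields[key.upper()] = val.strip()
    return fields


def triage(raw_message):
    """Map the SCL in the header to the disposition the page describes."""
    fields = parse_report(raw_message)
    try:
        scl = int(fields["SCL"])
    except (TypeError, KeyError, ValueError):
        return {"verdict": "no-verdict", "scl": None, "cip": None}
    if not -1 <= scl <= 9:
        verdict = "no-verdict"               # outside the -1..9 range
    elif scl >= SPAM_THRESHOLD:
        verdict = "spam"                     # Junk Email or quarantine, per policy
    elif scl == -1:
        verdict = "not-spam-filter-skipped"  # report separately for review
    else:
        verdict = "not-spam"
    return {"verdict": verdict, "scl": scl, "cip": fields.get("CIP")}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

SCL -1 is reported separately because it indicates that spam filtering was skipped for the message, which is worth reviewing when the sender is external.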
Mail routing and delivery
After scanning, Exchange Online determines the recipient location. If the recipient is in the same tenant, the message is delivered directly to the recipient's mailbox database (which may be in a different datacenter). If the recipient is external, the message is queued for outbound delivery. Exchange Online performs DNS MX lookup for the recipient's domain, establishes an SMTP session with the target server (typically over TLS), and transmits the message. If delivery fails, the message is retried for up to 2 days with increasing intervals (default 15 minutes, then 30, 60, etc.) and then a non-delivery report (NDR) is generated.
Inbound mail reception
When an external server sends email to your domain, it first resolves your MX record (e.g., contoso-com.mail.protection.outlook.com). The sender's SMTP server connects to Microsoft's datacenter edge servers. The incoming message is processed by EOP connection filtering (IP reputation), then content filtering, and finally transport rules. If the message passes all checks, it is delivered to the recipient's mailbox. If not, it is quarantined, rejected, or delivered to Junk Email.
Scenario 1: Hybrid Deployment for a Large Enterprise
A multinational company with 10,000 users has an on-premises Exchange Server 2016. They want to migrate to Exchange Online gradually. They deploy a hybrid configuration using the Hybrid Configuration Wizard (HCW). The HCW creates connectors between on-premises and Exchange Online, configures OAuth authentication, and enables free/busy sharing. Mail flow is configured so that mail for migrated users goes directly to Exchange Online, while mail for on-premises users is routed through the on-premises server. The organization uses a third-party email archiving system that requires journaling. They configure journaling rules in Exchange Online to send copies of all emails to the archiving service via an outbound connector. Common issues: certificate mismatches causing TLS failures, misconfigured accepted domains causing mail loops, and throttling limits when migrating large mailboxes.
Scenario 2: Compliance and eDiscovery for a Financial Firm
A financial services firm must retain all email for 7 years due to regulatory requirements. They place all mailboxes on Litigation Hold (or use retention policies). They also enable auto-expanding archiving for users with large mailboxes. The compliance team uses eDiscovery (Content Search) in the Microsoft Purview compliance portal to search for specific keywords across all mailboxes. They also set up supervision policies to monitor email of traders. Performance considerations: eDiscovery searches on large numbers of mailboxes can take hours; they use search filters to narrow results. Common pitfalls: forgetting to enable the archive mailbox for all users, or setting retention policies that conflict with litigation hold.
Scenario 3: Shared Mailbox for Customer Support
A mid-size company uses a shared mailbox (support@contoso.com) for their customer support team. The mailbox has 10 members who all need to read and reply to incoming emails. They configure the shared mailbox with a 50 GB quota (no license needed). To track responses, they enable automatic mapping so the mailbox appears in each user's Outlook automatically. They also set up a transport rule to forward emails from specific domains to the shared mailbox. Issues: users accidentally sending from their own mailbox instead of the shared mailbox; they need to grant "Send As" or "Send on Behalf" permissions. Also, shared mailboxes cannot be accessed by mobile devices without a license assigned to the user.
What MS-900 Tests on Exchange Online
Objective 2.2: Describe the productivity solutions of Microsoft 365. Specific sub-topics: Exchange Online features (email, calendar, contacts), mailbox types, licensing (Plan 1 vs Plan 2 vs Kiosk), security features (EOP, anti-spam, anti-malware), and hybrid deployment concepts. Expect scenario-based questions where you choose the correct mailbox type or licensing for a given user.
Common Wrong Answers and Why
Choosing 'SharePoint Online' for email storage: Candidates often confuse Exchange Online with SharePoint. Remember: Exchange is for email and calendars; SharePoint is for document management.
Assigning an Exchange Online license to a shared mailbox: Shared mailboxes do not require a license if under 50 GB. Many candidates think all mailboxes need licenses.
Selecting 'POP3' as the recommended protocol for Outlook: Outlook uses MAPI/HTTP. POP3 is legacy and not recommended. EAS is for mobile.
Thinking EOP is an add-on service: EOP is included with all Exchange Online plans. It is not an extra cost item.
Specific Numbers and Terms on the Exam
Mailbox quotas: Plan 1 = 50 GB, Plan 2 = 100 GB, Kiosk = 2 GB.
Archive mailbox: auto-expanding up to 1.5 TB (requires Plan 2 or add-on).
EOP: included, not an add-on.
Transport rules: up to 300 rules.
Hybrid deployment: requires Azure AD Connect and Hybrid Configuration Wizard.
Accepted domain types: Authoritative, Internal Relay, External Relay.
Default spam threshold: SCL 5.
Edge Cases and Exceptions
Resource mailboxes (room/equipment) do not require a user license but do require a resource mailbox license (free) or an Exchange Online license if you need advanced features.
Public folders are still supported but not recommended for new deployments; Microsoft 365 Groups are preferred.
In-Place Hold vs Litigation Hold: In-Place Hold is deprecated; use Litigation Hold or retention policies.
Can Exchange Online be used with on-premises Active Directory without Azure AD Connect? No, you need Azure AD Connect for directory synchronization.
How to Eliminate Wrong Answers
If a question mentions 'email server in the cloud', it's Exchange Online, not SharePoint or OneDrive.
If a question asks about 'mailbox size', recall the exact numbers: 50, 100, 2 GB.
If a question involves 'anti-spam', the answer is EOP, not Microsoft Defender for Office 365 (which is an add-on for advanced protection).
If a question mentions 'coexistence with on-premises', think hybrid deployment with connectors and Azure AD Connect.
Exchange Online is Microsoft's cloud email service, part of M365, with 99.9% SLA.
Mailbox quotas: Plan 1 = 50 GB, Plan 2 = 100 GB, Kiosk = 2 GB.
Shared mailboxes under 50 GB do not require a license.
EOP (Exchange Online Protection) is included in all plans for anti-spam and anti-malware.
Transport rules (mail flow rules) allow up to 300 rules per tenant.
Hybrid deployment requires Azure AD Connect and the Hybrid Configuration Wizard.
Outlook uses MAPI/HTTP, not POP3 or IMAP by default.
Archive mailboxes auto-expand up to 1.5 TB with Plan 2 or add-on.
Resource mailboxes (room/equipment) do not require a user license.
Default spam confidence level threshold is SCL 5.
These come up on the exam all the time. Here's how to tell them apart.
Exchange Online Plan 1
- 50 GB mailbox storage
- No archive mailbox (unless add-on)
- Included in Microsoft 365 Business Basic/Standard
- No litigation hold or eDiscovery features
- No unlimited archive
Exchange Online Plan 2
- 100 GB mailbox storage
- Auto-expanding archive mailbox (up to 1.5 TB)
- Included in Microsoft 365 E3/E5
- Includes litigation hold, eDiscovery, retention policies
- Unlimited archiving capability
Mistake: Exchange Online requires a separate subscription from Microsoft 365.
Correct: Exchange Online is included in most Microsoft 365 business and enterprise plans (Business Basic, Standard, Premium, E3, E5). Standalone Exchange Online plans are available but not required.
Mistake: All mailboxes in Exchange Online require a user license.
Correct: Shared mailboxes up to 50 GB do not require a license. Resource mailboxes (room/equipment) also do not require a user license, but they need a resource mailbox license (free).
Mistake: Exchange Online Protection (EOP) is an optional add-on.
Correct: EOP is included with all Exchange Online plans at no extra cost. It provides built-in anti-spam and anti-malware protection.
Mistake: You can access Exchange Online only through Outlook desktop or OWA.
Correct: Exchange Online supports multiple protocols: MAPI/HTTP (Outlook), EWS (custom apps), IMAP/POP (legacy), ActiveSync (mobile), and SMTP (mail flow).
Mistake: Exchange Online has unlimited storage for all users.
Correct: Standard mailbox quotas are 50 GB (Plan 1) or 100 GB (Plan 2). Archive mailboxes start at 100 GB and auto-expand up to 1.5 TB. Only archive mailboxes have unlimited growth, but the primary mailbox quota is fixed.
Plan 1 provides a 50 GB mailbox and basic features. Plan 2 provides a 100 GB mailbox, auto-expanding archive (up to 1.5 TB), and advanced compliance features like litigation hold and eDiscovery. Plan 2 is included in Microsoft 365 E3/E5, while Plan 1 is in Business Basic/Standard.
No, shared mailboxes up to 50 GB do not require a license. For larger shared mailboxes, you need an Exchange Online Plan 2 license or an Exchange Online Archiving add-on. Each user accessing the shared mailbox needs a license for their own mailbox.
When a user sends an email, it is submitted to Exchange Online, processed by transport rules, scanned by EOP, and then routed to the recipient. Inbound mail arrives via the MX record, goes through EOP, and is delivered to the mailbox. External mail uses SMTP.
EOP is Microsoft's cloud-based email filtering service that protects against spam, malware, and policy violations. It is included in all Exchange Online plans. It uses connection filtering, content filtering, and multiple antivirus engines.
Yes, you can set up a hybrid deployment. This requires Azure AD Connect for directory synchronization, the Hybrid Configuration Wizard to configure connectors and OAuth, and optionally an Edge Transport server for mail flow.
Exchange Online supports MAPI/HTTP (Outlook), Exchange Web Services (EWS), IMAP4, POP3, SMTP, and Exchange ActiveSync (EAS). Outlook on the Web uses HTTPS.
Go to https://admin.exchange.microsoft.com (or via the Microsoft 365 admin center under Admin centers > Exchange). You can also use Exchange Online PowerShell.