Remove EOL Automapping

Automapping is an Exchange & Exchange Online feature which automatically opens mailboxes with Full Access permissions in a delegate’s Outlook client.

Remove the access permissions. This also removes automapping.

Logon to Azure EOL (with MFA) is the mailbox being shared. is the account that has the access rights.

In EOL PowerShell

Remove-MailboxPermission -Identity “” -User “” -AccessRights FullAccess                                                   


Are you sure you want to perform this action?

Removing mailbox permission Identity:”” for user “” with access rights “‘FullAccess'”.

[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is “Y”): select A

You might get this error

Can’t remove the access control entry on the object “User” for the user account because the ACE doesn’t exist on the object.

So use

Remove-MailboxPermission -Identity “” -User “” -AccessRights FullAccess –Confirm:$false –BypassMasterAccountSid

Re-add the permissions but without Automapping

Add-MailboxPermission -Identity “” -User “” -AccessRights FullAccess -AutoMapping:$false

Outlook with MFA keeps asking for password following AD password change


  • Outlook is disconnected
  • “Needs Password” shown in lower right side of client
  • No folders updated
  • When you click on “Needs Password” M365 sends you a text code. You input it, nothing happens and this loops.


By default, Microsoft Office 365 ProPlus (2016 version) uses Azure Active Directory Authentication Library (ADAL) framework-based authentication. Starting in build 16.0.7967, Office uses Web Account Manager (WAM) for sign-in workflows on Windows builds that are later than 15000 (Windows 10, version 1703, build 15063.138). There are generally two problems we see WAM causing:

Users unable to authenticate (particularly after a password reset)

WAM introduces new requirements for Identity Providers (IdP) used to federate Microsoft 365 (O365) logins. When a Windows 10 workstation is joined to an on-premise Active Directory, WAM/M365 requires the IdP to support the WS-Trust protocol. Currently this is not supported in the Duo Access Gateway (DAG). When a user’s access/refresh tokens become invalid, such as after a password reset, the WAM framework tries to re-authenticate the user. The expected end-user experience is a popup window showing the login page of the IdP asking the user to re-authenticate. When the IdP is the DAG, this process will fail causing the user to be unable to re-connect to M365 with applications such as Microsoft Outlook. The user will see the authentication window open briefly then immediately close while Outlook continues to show the message “Need Password”.


  • Log out of all O365 related web pages
  • Close Outlook
  • Open Registry and add the following 2 dwords



Mailbox Rules

Get rules list

Get-InboxRule -Mailbox <mailbox name or alias>

Get detail on each rule

Get-InboxRule -Mailbox <mailbox name or alias>  -Identity “<rule name>” | Select -Property *

Disable Rule

Disable-Inboxrule -identity “<Rule name>” -mailbox <mailbox name or alias>

Remove Rule

Remove-Inboxrule -identity <Rule Name> -mailbox <mailbox name or alias>

Purge Mailbox Deleted Items Folder

Get current Settings

Get-Mailbox | Format-List SingleItemRecoveryEnabled,RetainDeletedItemsFor

or use

Get-mailbox | fl *retention*,*retain*

Set New Settings

Set-Mailbox -Identity -SingleItemRecoveryEnabled $false -RetainDeletedItemsFor 1

#Purges folder deletes after 1 day

Delete Items in Dumpster

Search-mailbox -identity -SearchDumpsterOnly -DeleteContent

View Recoverable items in Dumpster

Get-MailboxFolderStatistics -FolderScope RecoverableItems | Format-List Name,FolderAndSubfolderSize