I ought to have clarified. DUO MFA comes into play with Outlook for our mailboxes that are in Exchange Online. On-prem mailboxes (the few we have left aren't subject to DUO).
Are those that are left on prem - are they actual users? If so, I'm curious why they can't be migrated?
Eventually all users will be migrated, so, yes, we still have real users on-prem.
This is outside the scope of the original question / scenario, but I've learned a good bit during this process with much of that learning validating a few things I already knew, such as the value of taking the necessary time to plan, and prep the environment for migration (removing unnecessary objects, etc.).
Have you done this? The link that includes admin seems like it would try to access the admin portion, not the specific user's quarantine. If this works as I need, I wonder if there is a policy to set this up, or if it would be a manual, one-by-one endeavor.
If you add SA to the original licenses - because you know the plan is the keep using Exchange going forward - it will raise the costs noticeably in the beginning, but come renewal time it will make it significantly less. Less enough to be under O365? not likely, hell, even the 5 year plan would be more expensive for onprem vs O365... but it might lower itself over time because of the SA difference.
SA is a scam to get more money. Always has been for the SMB. With negotiated pricing for Enterprise, it is the right thing.
If you're a company that only upgrades once every 10 years - then yeah... SA is a waste of money, but you're already talking about upgrading again in 5 years, so SA could very much make financial sense - show me the numbers before you poo poo it.
Using Exchange Online, newly migrated users from personal Gmail accounts. They created signatures and set the forwarding/reply with their signatures.
The issue they are having is how Exchange handles original formatting. If I email the user with a signature, they then forward that and it keeps the nice formatting (HTML). If they receive a scanned document from the copier, and then forward that email (PDF with likely plain text formatting), their signature is plain text and looks terrible.
I've messed around with the keep original formatting within Options > Mail, but still can't get their signature to display nicely with forwarding scanned docs from the copier.
I can't really just say "that's how it is with this new email system" because when they scanned to their Gmail account, their signatures showed images, font color, etc.
Do they have a transport rule for the email signatures? Usually the Email issue with Text Message format.
Is this purely a failed certificate issue? I mean that would make sense, but I've not done a lot with Exchange (and O365) besides dick-around with the settings as this organization has some major config issues.
We ran into this issue again after updating to the most recent version of Azure AD Sync. We needed to set the mailnickname attribute in AD for the mail users to be created again. This was in addition to having the targetAddress declared.
Related to the actual cause of the problem, I apparently was testing some SMTP stuff a while back and disabled my rule to block all SMTP outbound on my network, then forgot to turn it back on. That rule is enabled again, so now waiting to see when it gets hit to find out what the hell on my system is sending spam.
But, this still does not resolve the MS problem with the white listing until the CBL drops off.
Frankly it only makes sense for MS to allow all their services access to online versions of Office whenever possible, for example your EOP1 plan - that's really cool that they will open an Excel sheet in Online Excel when using OWA, if they didn't it would severely limit the use (not that we weren't limited for decades).