There are a few scenarios where you may want to use Outlook to access an Exchange Online mailbox but cannot use the Microsoft Online Services Sign-In client. This could be due to installation or operating requirements of the client (some OS versions are unsupported) or maybe users don’t have the required permissions to install software but can at least modify Outlook profiles.
Take note that this is a completely unsupported approach and might not even work on some platforms. The intent is for accessing the mailbox in temporary situations and not for long-term deployment solutions. Not using the sign-in client can impact more than just single-sign-in user experience. It is a ‘best practice’ approach to deploy the client to end-users on supported platforms.
Additionally, it was pointed out by a Microsoft Support Engineer that not using the Services Sign-In client prevents certificate downloads from BPOS, which are required to support AutoDiscover. Thus Outlook clients will not be able to download the Offline Address Book or see any Free/Busy and Out of Office information.
The instructions in this article are simply a reverse-engineered look at what is required to configure an Outlook profile to work with a mailbox hosted on Exchange Online/BPOS. This approach was tested using Outlook 2003, 2007, and 2010 against a mailbox hosted in the North American datacenters. I assume the same process would also work for other regions of the world with the correct URLs (red002 for EMEA and red003 for APAC).
The two main issues that can prevent administrators from successfully configuring profiles are related to (a) the order in which the profile is configured and (b) the confusing nature of the Exchange mailbox server names. But using the correct approach to the first issue takes care of the second.
Create New Outlook Profile
Start by creating a new Outlook profile using the Mail control panel applet. (In Windows 7 this can be found by searching for ‘mail’ in the Control Panel window.)
- Open the Mail (or ‘Mail 32-bit’) Control Panel applet.
- Click Show Profiles…
- Click Add…
- Enter a unique, descriptive name for the new profile (e.g. firstname.lastname@example.org)
- Depending on the version of Outlook used select the available choice to create a new profile:
  - Outlook 2003: Add a new e-mail account
  - Outlook 2007/2010: Manually configure server settings or additional server types
- Select Microsoft Exchange (Server).
Now the first important step has been reached: a valid server name must be supplied, but oddly, internal, non-resolvable FQDNs are used for the Exchange Online mailbox servers. If you have ever looked at a profile configured automatically by the sign-in client, you would have noticed that the server names were typically in a REDxxx.local domain. Clearly a normal connection cannot be made to that server over the Internet, as .local is not a publicly supported DNS suffix. But Outlook Anywhere (aka RPC over HTTP) can be configured for the initial connection to the mailbox. This approach also works for all on-premises Exchange clients when configuring a profile to use Outlook Anywhere where Autodiscover is either not configured or not supported.
There is a long list of possible Exchange mailbox server names, and since this is an unsupported process Microsoft could modify them at any point during server upgrades/replacements. The name used in this example may not work, so I would recommend looking at the profile settings of another mailbox (or even the same mailbox) which was configured properly through the normal client procedure. If that mailbox server name resolves but is not the server which actually hosts this specific mailbox account, the profile will still work, as Exchange will redirect Outlook to the correct mailbox server in the organization. This can be verified by seeing that the server name changes to a different value after the profile is initially set up.
- Enter VA3DIAXVS101.RED001.local in the Microsoft Exchange server field. Verify that Use Cached Exchange Mode is selected.
- Enter the username of the desired mailbox, e.g. email@example.com or firstname.lastname@example.org, whichever format is the configured username of the online account.
- Click More Settings…
- An error message will appear stating “The action cannot be completed. The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action.” Click OK.
- Another settings window labeled Microsoft Exchange will appear. Click OK again.
- Note: If you attempt to use the Check Name button in the previous window the process will always fail as the .local server name is not yet resolvable. Ignore that button.
At this point the profile settings window should be displayed as seen in the image below, allowing the remainder of the configuration to be completed manually. This allows for the RPC over HTTP settings to be configured so that the once unresolvable .local server name will now be valid.
Configure Profile Settings
Enter and confirm the following settings across the various properties tabs. All steps beginning with ‘Verify’ or ‘Confirm’ indicate that the default value is the desired setting. Steps labeled as ‘Select’ or ‘Enable’ indicate a change in the default profile setting.
Enter a descriptive account name (e.g. Exchange Online).
Select Automatically detect connection state.
- Verify that Use Cached Exchange Mode and Download shared folders are enabled.
- Verify that Encrypt data between Microsoft Office Outlook and Microsoft Exchange is enabled.
- Verify that Negotiate authentication is the selected Logon network security setting.
- Enable Connect to Microsoft Exchange using HTTP.
- Click Exchange Proxy Settings…
Exchange Proxy Settings
- In the Use this URL to connect to my proxy server for Exchange field, enter red001.mail.microsoftonline.com for mailboxes stored in North America datacenters. Substitute red002 or red003 for other regions.
- Enable the Only connect… or Mutually authenticate… setting (depending on the version of Outlook).
- Enter the proxy server value of msstd:*.mail.microsoftonline.com in the field below.
- Enable the setting On fast networks connect using HTTP first, then connect using TCP/IP.
- Verify the setting is enabled for On fast networks connect using HTTP first, then connect using TCP/IP.
- Verify that NTLM Authentication is the selected Proxy authentication setting.
Once the steps above are completed, click OK to save and close the profile window and return to the original account creation wizard.
Click the Check Name button next to the User Name field and an authentication prompt should appear. Enter the password for the online account.
After a few seconds the Microsoft Exchange settings page of the wizard should update, showing the correct home mailbox server name and converting the username to the Display Name value. The underlined text format in both fields indicates a successful connection to the online mailbox, and thus the profile configuration is complete.
Click Next and Finish to complete the wizard.
Back at the original Mail applet window make sure that the Prompt for a profile to be used setting is enabled if there are now multiple Outlook Profiles configured on the same Windows user profile.