What’s the purpose of the Office 365 CNAME record for MSOID?


You may wonder why you need to add the “MSOID” CNAME record in Office 365. This is a record that has to be added for all custom domains, no matter which subscription you use. Why do you need it? It’s a little technical, but essentially, it’s so that you’ll be directed to the best server for certain authentication processes, so you’ll get faster response.

Technical details: When you run a client application that works with Office 365 such as Skype for Business Online, Outlook, Windows PowerShell or Microsoft Azure Active Directory Sync tool, your credentials must be authenticated. Office 365 uses a CNAME record to point to the correct authentication endpoint for your location, which ensures rapid authentication response times.

If this CNAME record is missing for your domain, these applications will use a default authentication endpoint in the United States, which means authentication might be slower. If this CNAME record isn’t configured properly—for example, if you have a typo in the Points to address—these applications won’t be able to authenticate.

If Office 365 manages your domain’s DNS records,, Office 365 sets up this CNAME record for you.

If you are managing DNS records for your domain at your DNS host, to create this record, you create this record yourself by following the instructions for your DNS host.

If you’re planning an Office 365 deployment and want to learn more about all the DNS records that you may need to add or update, read about them in http://go.microsoft.com/fwlink/?LinkId=579013.


Adding Exclusions to a Dynamic Distribution Group in Office 365 and Exchange

It does not currently seem possible to add exclusions via the Office 365 portal however straight forward to do via powershell. The Office 365 already has a filter in place and this would need modifying.  Examples for Office 365 shown below. To exclude a specific user Steven from a custom Everyone distribution group (https://stevenwatsonuk.wordpress.com/2015/06/19/creating-everyone-group-in-office-365/

You will need to connect to O365 via PowerShell first (https://stevenwatsonuk.wordpress.com/2015/10/21/connect-to-office365-using-powershell/)

set-dynamicdistributiongroup -identity Everyone -RecipientFilter {((RecipientType -eq ‘UserMailbox’) -and (-not(Name -like ‘SystemMailbox{*’)) -and (-not(Name -like ‘CAS_{*’)) -and (-not(RecipientTypeDetailsValue -eq ‘MailboxPlan’)) -and (-not(RecipientTypeDetailsValue -eq ‘DiscoveryMailbox’)) -and (-not(RecipientTypeDetailsValue -eq ‘PublicFolderMailbox’)) -and (-not(RecipientTypeDetailsValue -eq ‘ArbitrationMailbox’)) -and (-not(RecipientTypeDetailsValue -eq ‘AuditLogMailbox’)) -and (-not(name -like ‘steven’)))}

To make it easer for administrators to manage via Office 365 portal filter on an attribute that can be easily updated.  Example below filters on the customattribute1 field if set to ‘exclude’

set-dynamicdistributiongroup -identity Everyone -RecipientFilter {((RecipientType -eq ‘UserMailbox’) -and (-not(Name -like ‘SystemMailbox{*’)) -and (-not(Name -like ‘CAS_{*’)) -and (-not(RecipientTypeDetailsValue -eq ‘MailboxPlan’)) -and (-not(RecipientTypeDetailsValue -eq ‘DiscoveryMailbox’)) -and (-not(RecipientTypeDetailsValue -eq ‘PublicFolderMailbox’)) -and (-not(RecipientTypeDetailsValue -eq ‘ArbitrationMailbox’)) -and (-not(RecipientTypeDetailsValue -eq ‘AuditLogMailbox’)) -and (-not(CustomAttribute1 -like ‘exclude’)))}

11/5/16 UPDATE

It now appears that the behaviour has changed of the set-dynamicdistributiongroup has changed therefore only the following is required as the other filters are automatically appended to this

set-DynamicDistributionGroup -Identity everyone -RecipientFilter {(-not(CustomAttribute1 -like ‘exclude’))}

Any further exclusions can then be added using the 365 portal by setting the customattribute1 field to the value exclude.