Office 365 Directory Based Edge Blocking support for on-premises Mail Enabled Public Folders


Until now, on-premises customers who use Mail Enabled Public Folders (MEPF) could not use Directory Based Edge Blocking (DBEB). With DBEB enabled, any mail sent to a Mail Enabled Public Folder is dropped at the service network perimeter, because DBEB queries Azure Active Directory (AAD) to decide whether a recipient address is valid. Mail Enabled Public Folders are not synced to Azure Active Directory, so DBEB treats every MEPF address as invalid, and the sender receives the following NDR:

‘550 5.4.1 [<sampleMEPF>@<recipient_domain>]: Recipient address rejected: Access denied’.

To resolve this, the latest Azure AD Connect update introduces an option to synchronize MEPFs from on-premises AD to AAD. Admins enable it through the new ‘Exchange Mail Public Folders’ option on the Optional Features page of a Custom installation, available during Azure AD Connect installation or upgrade.

When you select this option and perform a full sync, all Mail Enabled Public Folders from the on-premises AD forest(s) are synced to AAD. Once they are synced, you can enable DBEB: Mail Enabled Public Folder addresses are no longer considered invalid by DBEB, and messages are delivered to them just as they are to any other recipient.

Azure AD Connect version required

This feature is available in Azure AD Connect version 1.1.524.0 (May 2017) and later.

Azure AD Connect can be downloaded from the following location: Download Azure AD Connect.

For more details, see the version history of Azure AD Connect.

IMPORTANT NOTES:

  • Directory Based Edge Blocking is not yet supported for Mail Enabled Public Folders hosted in Exchange Online. This feature enables DBEB only for Mail Enabled Public Folders hosted on-premises.
  • For Exchange Online Protection (EOP) standalone, i.e., customers who have only on-premises Exchange, no presence in Exchange Online, and no “advanced” EOP features, synchronization through Azure AD Connect is sufficient for DBEB to work.
  • For Exchange Online (EXO) and EOP, i.e., customers who have both on-premises Exchange and Exchange Online configured, or who use features such as DLP or ATP, this feature does not create the public folder objects in the Exchange Online directory. Additional synchronization via PowerShell is required for DBEB to work if you are using Exchange Online.
  • For customers planning to migrate Public Folders from on-premises to Exchange Online, nothing in the migration procedure changes with this feature. One extra point to take care of before starting the Public Folder migration to EXO: ensure the ‘Exchange Mail Public Folders’ option in Azure AD Connect is *not* checked. If it is checked, uncheck it before you start the migration. By default it is unchecked.

Customers who had a workaround in place

Some customers did not want to disable DBEB despite having Mail Enabled Public Folders, and worked around the problem by creating MSOL objects (such as EOPMailUser, MailUser or MailContact) in Azure Active Directory with the same SMTP addresses as their Mail Enabled Public Folders, so that DBEB considered those addresses valid. Customers who used this workaround should remove all such MSOL objects before syncing Mail Enabled Public Folders through Azure AD Connect. If these ‘impersonation objects’ are still present when the new synchronization runs, they are likely to cause a soft-match error: the Mail Enabled Public Folder is not synced from on-premises AD to Azure Active Directory, and an email similar to the following is received:

“Identity synchronization Error Report: <Date>”

Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses SMTP:SampleMEPF@mail.contoso.com,smtp:SampleMEPF@contoso.com;Mail SampleMail@mail.contoso.com;]. Correct or remove the duplicate values in your local directory. Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values.

As mentioned in the description, you can correct or remove the entries with duplicate SMTP address. Below are corresponding links for each scenario:

Once the objects have been cleaned up, a full sync will bring the Mail Enabled Public Folders into Azure Active Directory. More info here: http://support.microsoft.com/kb/2647098.
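The following PowerShell script is an added example that is not part of the original post and not Microsoft's code. It walks the procedure the post describes end to end: index every SMTP proxy address of the on-premises Mail Enabled Public Folders, find the cloud MailUser/MailContact ‘impersonation objects’ from the old workaround that reuse those addresses (the objects that would otherwise trigger the soft-match error above), remove them, run a full Azure AD Connect sync, and only then switch the accepted domain to Authoritative, which is what enables DBEB in EOP. The server names, the accepted domain list, the use of the ExchangeOnlineManagement module, Kerberos/WinRM access to both servers, and the assumption that the ‘Exchange Mail Public Folders’ optional feature is already checked in Azure AD Connect are all assumptions for the example.

```powershell
<#
  Added example (not from the original post). Pre-flight and enablement for
  DBEB with on-premises MEPFs. Placeholders: server names, accepted domains.
  Nothing is changed unless -Apply is supplied.
#>
param(
    [string]   $OnPremExchange   = 'ex01.corp.contoso.com',   # assumption
    [string]   $AadConnectServer = 'aadc01.corp.contoso.com', # assumption
    [string[]] $AcceptedDomain   = @('contoso.com'),          # assumption
    [switch]   $Apply
)

# Two prefixes keep on-premises and cloud cmdlets apart in one shell.
# 'EXO' is reserved by the ExchangeOnlineManagement module, so use 'Cloud'.
$onprem = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "http://$OnPremExchange/PowerShell/" -Authentication Kerberos
Import-PSSession $onprem -Prefix OnPrem -DisableNameChecking | Out-Null
Connect-ExchangeOnline -Prefix Cloud -ShowBanner:$false

function Get-SmtpAddresses($recipient) {
    # EmailAddresses mixes 'SMTP:'/'smtp:' entries with X500 etc.; keep only
    # SMTP ones, strip the prefix and lower-case for case-insensitive matching.
    foreach ($a in $recipient.EmailAddresses) {
        if ("$a" -match '^smtp:(.+)$') { $Matches[1].ToLowerInvariant() }
    }
}

# 1. Index all on-premises MEPF addresses. All proxy addresses are synced,
#    and DBEB validates whichever one the sender used, so index every one.
$mepfByAddress = @{}
foreach ($pf in Get-OnPremMailPublicFolder -ResultSize Unlimited) {
    foreach ($addr in Get-SmtpAddresses $pf) { $mepfByAddress[$addr] = $pf.Identity }
}
Write-Host ("Indexed {0} MEPF SMTP addresses" -f $mepfByAddress.Count)

# 2. Cloud objects that reuse an MEPF address will soft-match-fail the sync.
$collisions   = @()
$cloudObjects = @(Get-CloudMailUser -ResultSize Unlimited) +
                @(Get-CloudMailContact -ResultSize Unlimited)
foreach ($obj in $cloudObjects) {
    foreach ($addr in Get-SmtpAddresses $obj) {
        if ($mepfByAddress.ContainsKey($addr)) {
            $collisions += [pscustomobject]@{
                CloudObject = $obj.Identity
                CloudType   = $obj.RecipientTypeDetails
                DirSynced   = $obj.IsDirSynced
                Address     = $addr
                OnPremMEPF  = $mepfByAddress[$addr]
            }
        }
    }
}
$collisions | Format-Table -AutoSize
$collisions | Export-Csv -NoTypeInformation -Path .\mepf-collisions.csv

if (-not $Apply) {
    Write-Warning "Dry run: nothing removed, no sync started, no domain changed."
    return
}

# Only cloud-authored objects are removed here; a DirSynced duplicate lives in
# on-premises AD and must be fixed there (KB 2647098).
foreach ($c in $collisions | Where-Object { -not $_.DirSynced } |
         Sort-Object CloudObject -Unique) {
    if ($c.CloudType -eq 'MailContact') {
        Remove-CloudMailContact -Identity $c.CloudObject -Confirm:$false
    } else {
        Remove-CloudMailUser -Identity $c.CloudObject -Confirm:$false
    }
}

# 3. Full sync ('Initial' = full import + full sync) and wait for it to finish.
Invoke-Command -ComputerName $AadConnectServer -ScriptBlock {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Initial | Out-Null
}
do {
    Start-Sleep -Seconds 30
    $busy = Invoke-Command -ComputerName $AadConnectServer -ScriptBlock {
        Import-Module ADSync; (Get-ADSyncScheduler).SyncCycleInProgress
    }
} while ($busy)

# 4. DBEB is the Authoritative domain type in EOP; enable it only now that the
#    MEPF addresses exist in Azure AD, otherwise mail to them is rejected.
foreach ($d in $AcceptedDomain) {
    Set-CloudAcceptedDomain -Identity $d -DomainType Authoritative
    Get-CloudAcceptedDomain -Identity $d | Select-Object DomainName, DomainType
}
```

Run it once without -Apply and review mepf-collisions.csv before removing anything. Two caveats the script cannot check for you: switching a domain to Authoritative makes EOP reject every recipient it cannot find in Azure AD, not just MEPFs, so every recipient type in that domain must already be synced; and, as the notes above say, hybrid (EXO + EOP) customers still need the separate PowerShell synchronization of public folder objects into the Exchange Online directory before DBEB will accept MEPF addresses.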

Public Folder Team

Comments (9)

  1. Gavin says:

    Great move Exchange team!

    Many of my customers have used the scripts here (https://www.microsoft.com/en-us/download/details.aspx?id=46381) on the advice of TechNet to configure legacy public folder coexistence.

    I find it odd that this article doesn’t mention the scripts at all, and suggest this is considered a ‘workaround’ rather than something that should have been done.

  2. Do you sync all proxy addresses to DBEB or only the Primary SMTP one?

    1. Pavan Sonty says:

      All proxy addresses will be synced.

  3. Thomas Antony says:

    I still have a problem with MEPFs (on-premises Exchange 2010 only) and EOP.

    If a MEPF is member of a E-Mail activated security group and a mail is sent to this group, the mail won’t get delivered to this MEPF.
    Only the other members like mailboxes or other E-Mail activated groups receive the mail.
    No NDR is sent to the sender.

    Within Exchange Admin Center the MEPF isn’t displayed as member.

    If I send an e-mail directly to the MEPF e-mail address it will be delivered to the MEPF...

    Is this a supported scenario?
    Any ideas what could be the reason why the mail is not sent to the MEPF?

    1. This is not a scenario that is in the scope of currently introduced MEPF feature in AAD Connect tool. You can raise a ticket to initiate further investigation on the issue.

  4. All proxy addresses of a Mail Enabled Public Folder will be synced.

  5. Kiran Ramesh says:

    Thanks Team :) Just enabled DBEB in my Hybrid Environment this morning to get rid of the “Local Loop Detected” issue for the Invalid Recipients. Thank God I don't have MEPF. Nice article.

  6. Jim Mangan says:

    When will Mail Enabled Public Folders hosted in Exchange Online have the same protection without creating MailContacts? Seems this should have been a priority

    1. Jim,
      Work for enabling protection of Mail Enabled Public Folders in Exchange online is in progress.
