Moderated Group scenario in Hybrid configuration

If we have a Hybrid Environment and want to use Distribution Groups (Lists) with moderation, it will not work "out of the box" and several types of errors can be received.
In this article we will see what additional steps must be performed to make it work.

Why do we need moderation?
Because sometimes it makes sense to have a second set of eyes on a message before it is delivered. As an Exchange administrator, you can set this up. This process is called moderation, and the approver is called the moderator.
The moderator can take one of three actions on the moderation request email: approve it, reject it, or ignore / delete it.

An email sent to a group with a moderator takes the following path (figure: workflow showing options for approving a message):

1. A mail user sends an email to a moderated group.
2. The transport service intercepts the email, marks it for moderation and then re-routes it to the arbitration mailbox.
3. The store driver component stores the message in the arbitration mailbox and sends an approval request to the moderator.
4. The moderator takes an action.
5. The store driver records the moderator's decision on the original message stored in the arbitration mailbox.
6. The Information Assistant reads the approval status on the message stored in the arbitration mailbox, and then processes the message according to the moderator's decision.
6a. If the moderator approved the message, the Information Assistant resubmits it to the submission queue, and the message is delivered to the recipient(s).
6b. If the moderator rejected the message, the Information Assistant deletes it from the arbitration mailbox and notifies the sender that the message was rejected.

**********

In our scenario, because we have a Hybrid Configuration, the on-premises Exchange server is the authoritative source for the recipient objects. So we have a moderated group, a few mailboxes that are members of the group, and a group moderator. All were created on-premises and synced to the cloud (they are part of the OU that is synchronized to the cloud).
As long as the mailboxes that are part of the Distribution List are on-premises, everything works with no issues: the moderation process behaves as expected.
What happens if we migrate the moderator mailbox to the cloud?

  1. The Approve / Reject moderation buttons are missing from the approval request, so the moderator is not able to moderate the message.

The approval request must reach the moderator in TNEF format. I recommend enabling TNEF for the remote domains both in Exchange Online and on the on-premises Exchange server:

1a. Connect with PowerShell to ExchangeOnline and run the command:
Get-RemoteDomain | Set-RemoteDomain -TNEFEnabled $true

1b. On the on-prem Exchange open EMS and run the command:
Get-RemoteDomain | Set-RemoteDomain -TNEFEnabled $true

Now the approval request received by the moderator should show the Approve / Reject buttons.

2. The moderator approves the message, but receives an NDR email with a message like:

Reported error: 550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient not found by SMTP address lookup
Recipient Address: MSExchApproval1f05a927-3be2-4fb9-aa03-b59fe3b56f4c@contoso.com or
Recipient Address: SystemMailbox{1f05a927-0187-4b92-9585-6abbc666a347}@contoso.com

To resolve this error, you must:

  • make sure that the on-premises Distribution List is synchronized to the cloud.
  • create a mail contact for the email address MSExchApproval1f05a927-3be2-4fb9-aa03-b59fe3b56f4c@contoso.com or SystemMailbox{1f05a927-0187-4b92-9585-6abbc666a347}@contoso.com in the Exchange Online Admin Center. The contact causes Exchange Online to route the approval reply to your on-premises Exchange server, where the on-premises transport service processes the approval accordingly.

3. The moderator approves the message, but receives an NDR email with a message like:

Remote Server returned '550 5.7.1 APPROVAL.InvalidContent; Invalid content. [Stage: OnCreatedEvent][Agent: Approval Processing Agent]'

To resolve this error, make sure that all of the requirements below are satisfied:

  • The moderation attributes of the mail-enabled objects are synchronized (the mailboxes and groups were created on-premises, synced to the cloud, and then migrated).
  • At least one arbitration mailbox exists in your on-premises organization.
  • For each on-premises arbitration mailbox, a mail contact with its SMTP address is created manually in Exchange Online, and the DomainType of the corresponding accepted domain in Exchange Online is set to InternalRelay, so that mail for these addresses is relayed on-premises.
  • The headers and the TNEF format are preserved between the two organizations.
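Steps 1 through 3 above gathered into one scripted pass, as an added example that is not part of the original article. It assumes contoso.com and the group name "Moderated Group" as placeholders, an on-premises Exchange Management Shell for the first half and the ExchangeOnlineManagement module (Connect-ExchangeOnline) for the second, and a CSV file used to carry the arbitration addresses between the two shells. It goes slightly beyond the text in that it exports every SMTP address of every on-premises arbitration mailbox (not only the primary one) and checks at the end that each of them resolves in the tenant.

```powershell
# Added example, not from the original article. Placeholders: contoso.com, "Moderated Group", .\arbitration.csv
# Part 1 runs in the on-premises Exchange Management Shell; Part 2 in Exchange Online PowerShell.

# ---------- Part 1: on-premises Exchange Management Shell ----------

# Preserve TNEF (the format that carries the Approve / Reject buttons) for every remote domain,
# including the hybrid routing domain.
Get-RemoteDomain | Set-RemoteDomain -TNEFEnabled $true

# Confirm the group is actually moderated and that the moderator is the mailbox that was migrated.
Get-DistributionGroup -Identity "Moderated Group" |
    Format-List Name, ModerationEnabled, ModeratedBy, SendModerationNotifications

# Export every SMTP address of every arbitration mailbox. The moderator's approval reply is
# addressed to one of these, so Exchange Online has to be able to route them back on-premises.
$arbitrationAddresses = Get-Mailbox -Arbitration | ForEach-Object {
    $mailbox = $_
    $mailbox.EmailAddresses |
        Where-Object { $_.PrefixString -eq 'smtp' } |
        ForEach-Object {
            [pscustomobject]@{
                Name        = $mailbox.Name
                SmtpAddress = $_.SmtpAddress
                IsPrimary   = $_.IsPrimaryAddress
            }
        }
}
$arbitrationAddresses | Export-Csv -Path .\arbitration.csv -NoTypeInformation

# ---------- Part 2: Exchange Online PowerShell ----------

Connect-ExchangeOnline

# Same TNEF setting on the cloud side, so the approval request keeps its buttons on the way out.
Get-RemoteDomain | Set-RemoteDomain -TNEFEnabled $true

# With the domain set to InternalRelay, Exchange Online relays mail for recipients it cannot resolve
# (such as the arbitration addresses) on-premises instead of returning RESOLVER.ADR.RecipientNotFound.
Set-AcceptedDomain -Identity "contoso.com" -DomainType InternalRelay

# One mail contact per arbitration mailbox, keyed on its primary SMTP address; the remaining
# addresses of that mailbox are added as proxy addresses of the same contact.
Import-Csv -Path .\arbitration.csv | Group-Object -Property Name | ForEach-Object {
    $primary = ($_.Group | Where-Object { $_.IsPrimary -eq 'True' }).SmtpAddress
    $extras  = ($_.Group | Where-Object { $_.IsPrimary -ne 'True' }).SmtpAddress
    $contact = Get-MailContact -Identity $primary -ErrorAction SilentlyContinue
    if (-not $contact) {
        $contact = New-MailContact -Name $_.Name -ExternalEmailAddress $primary
    }
    foreach ($extra in $extras) {
        Set-MailContact -Identity $contact.Identity -EmailAddresses @{ Add = "smtp:$extra" }
    }
}

# Verification: every exported arbitration address must now resolve to a recipient in the tenant.
# If an NDR still names an address that is not in the export (the MSExchApproval... address quoted
# in the article), create a contact for it the same way.
$missing = Import-Csv -Path .\arbitration.csv |
    Where-Object { -not (Get-Recipient -Identity $_.SmtpAddress -ErrorAction SilentlyContinue) }
if ($missing) { $missing | Format-Table Name, SmtpAddress } else { "All arbitration addresses are routable in Exchange Online." }
```

Run Part 1 first and copy arbitration.csv to the machine where Part 2 runs. Setting the accepted domain to InternalRelay changes how Exchange Online handles every unresolved recipient in that domain, not just the arbitration addresses, so confirm that the hybrid outbound connector for the domain still points at your on-premises servers before changing it.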

Please note that I tested all of the above in my test environment and the resolution was not immediate. The issue was solved twelve hours after performing the above steps.

**********