Office 365: A different approach to handling Office 365 group mail flow…


In Exchange Online an Office 365 Group ( Unified Group / Modern Group ) allows for a new level of team collaboration.  Office 365 Groups are created directly in Exchange Online and Azure Active Directory.  This makes them cloud only objects.  The membership and attributes of these objects are maintained directly in Office 365.


There are legitimate scenarios where on premises applications must be able to send email to the Office 365 groups.  By default an Office 365 Group does not write back to on premises Active Directory and therefore is not a valid recipient for Exchange on-premises.  To compensate for this Azure Active Directory Connect has a group writeback feature.  The group writeback feature allows Office 365 groups to be represented in the on-premises Active Directory.  The group membership cannot be managed using the on-premises Active Directory – any changes are overwritten by Azure Active Directory Connect. 


When a group is written back to the on-premises active directory they are not mail enabled by default.  Administrators must execute the update-recipient command in order to have the objects represented in the on-premises global address list and for full transport functionality.  In some cases this can be an interesting task.  There is another option to establish mail flow and have the object appear in the on-premises global address list.


Utilizing a mail contact…


The process starts by provisioning the Office 365 Group in either Exchange Online or in Azure Active Directory.  When the group is provisioned the mail enabled attributes are created – of particular interest to us are the email addresses stamped on the group.


The group must be updated with an email address that includes domain.mail.onmicrosoft.com.


PS C:\> Set-UnifiedGroup Officers -emailaddresses:@{add=officers@domain.mail.onmicrosoft.com}


With the new email address present we can gather the attributes that we will use in future commands into a variable.


PS C:\> $group=Get-UnifiedGroup -Identity Officers



PS C:\> $group.EmailAddresses

smtp:officers@fortmillrescuesquad.mail.onmicrosoft.com

SMTP:Officers@fortmillems.org

smtp:Officers@fortmillrescue.com

SPO:SPO_8bd244fb-60f3-4710-a1ef-40bc7ef584ff@SPO_eefdeca8-5850-4ca5-a160-0716f2d8496e

smtp:Officers@FortMillRescueSquad.onmicrosoft.com



PS C:\> $group.DisplayName

Officers


PS C:\> $group.name

Officers_7ccca570b9


PS C:\> $group.alias

Officers


As with most mail enabled objects in Office 365 this group has a primary email address at the vanity domain @domain.org and a secondary email address at the tenant domain @domain.mail.onmicrosoft.com.  I have also noted the other attributes that we will utilize later. 


The next step is to locate or create an Organizational Unit in the on-premises Active Directory to store the on-premises objects we will associated with these groups.  An important configuration step here is that the OU must NOT be included in objects that are replicated by Azure Active Directory Connect to Azure Active Directory.  This is performed through the Azure Active Directory Connect configuration wizard. 


image


The last step of the process is to provision mail enabled contacts within the non-sync OU.  The mail enabled contacts will:


  • Have a primary email address matching the primary email address of the mail enabled group in Office 365.
  • Have an external email address matching the tenant specific email address.
  • Any number of secondary addresses as necessary.
  • Note – the primary and secondary email addresses may be defined automatically by the on-premises recipient policies and match the Office 365 Group depending on the configuration of the on-premises recipient policies.


In this example I will utilize powershell to create the mail enabled contact and the values previously gathered above.


[PS] C:\>New-MailContact -DisplayName "Officers" -Name "Officers_7ccca570b9" -ExternalEmailAddress "officers@domain.mail.onmicrosoft.com" -Alias "Officers" -PrimarySmtpAddress "officers@domain.org" -OrganizationalUnit "domain.local/TopLevelOU/Contacts/Office365-NoSync"


Name                      Alias                                          RecipientType

----                      -----                                          -------------

Officers_7ccca570b9       Officers                                       MailContact


The contact creation can be verified with get-mailcontact and reviewing the individual attributes set.


[PS] C:\>$contact=get-mailContact Officers_7ccca570b9


[PS] C:\>$contact.displayName

Officers



[PS] C:\>$contact.name

Officers_7ccca570b9



[PS] C:\>$contact.ExternalEmailAddress




SmtpAddress        : officers@domain.mail.onmicrosoft.com

AddressString      : officers@domain.mail.onmicrosoft.com

ProxyAddressString : SMTP:officers@domain.mail.onmicrosoft.com

Prefix             : SMTP

IsPrimaryAddress   : True

PrefixString       : SMTP





[PS] C:\>$contact.Alias

Officers



[PS] C:\>$contact.PrimarySmtpAddress




Length         : 25

Local          : officers

Domain         : domain.org

Address        : officers@domain.org

IsUTF8         : False

IsValidAddress : True




[PS] C:\>$contact.OrganizationalUnit

domain.local/TopLevelOU/Groups/Office365-NoSync


The mail contact will appear in the on premises global address list.


image


When the contact is selected as a mail target the email will be received at address@domain.org and will forward to address@domain.onmicrosoft.com.  Here is an example from the on-premises message tracking logs.


[PS] C:\>Get-MessageTrackingLog -MessageId c652db0a537848d4bf43c6d435bbb79e@domain.org


Timestamp              EventId          Source        Sender                Recipients            MessageSubject

---------              -------          ------        ------                ----------            --------------

8/21/2018 8:23:03 PM   HAREDIRECTFAIL   SMTP          Administrator@OOOO... {officers@OOOOOOOO... Test New Contact

8/21/2018 8:23:03 PM   RECEIVE          SMTP          Administrator@OOOO... {officers@OOOOOOOO... Test New Contact

8/21/2018 8:23:17 PM   RESOLVE          ROUTING       Administrator@OOOO... {officers@OOOOOOOO... Test New Contact

8/21/2018 8:23:22 PM   AGENTINFO        AGENT         Administrator@OOOO... {officers@OOOOOOOO... Test New Contact

8/21/2018 8:23:25 PM   TRANSFER         ROUTING       Administrator@OOOO... {officers@OOOOOOOO... Test New Contact

8/21/2018 8:23:29 PM   SENDEXTERNAL     SMTP          Administrator@OOOO... {officers@OOOOOOOO... Test New Contact

8/21/2018 8:22:58 PM   RECEIVE          STOREDRIVER   Administrator@OOOO... {officers@OOOOOOOO... Test New Contact

8/21/2018 8:23:06 PM   SUBMIT           STOREDRIVER   Administrator@OOOO... {officers@OOOOOOOO... Test New Contact



The Exchange Online message tracking logs show the inbound transmission to Office 365.


PS C:\> Get-MessageTrace -RecipientAddress officers@domain.mail.onmicrosoft.com


Received             Sender Address                Recipient Address                                 Subject

--------             --------------                -----------------                                 -------

8/21/2018 8:23:28 PM Administrator@domain.org      officers@domain.mail.onmicrosoft.com              Test New Contact


When the full message headers are pulled from the message delivered to the group we can additionally validate that the authentication source is internal.  The messages are trusted.


26
X-MS-Exchange-Organization-AuthAs
Internal


When using this process the contact on-premises shows as a mail enabled contact.  It will not show as a distribution group – which may impact some peoples abilities to locate within the global address list – for example someone who selects all lists in the address book drop down.  If you prefer – you could utilize a distribution list with a single member to achieve the same results. 


Utilizing a distribution group…


The same pre-requisites must be followed.  We need to add the additional email address to the unified group, capture the values for the group, and have a prepared organizational unit not synchronized.  The process only deviates in how we create the relationship between the on-premises groups and the Office 365 Groups.


The steps of this process include provisioning a distribution group and a mail enabled contacts within the non-sync OU.


The distribution list will:


  • Have a primary email address matching the primary email address of the mail enabled group in Office 365.
  • Contain a mail enable contact with an external email address matching the domain.mail.onmicrosoft.com address of the Office 365 Group.
  • Any number of secondary addresses as necessary.
  • Note – the primary and secondary email addresses may be defined automatically by the on-premises recipient policies and match the Office 365 Group depending on the configuration of the on-premises recipient policies.


The mail enabled contact will:


  • Have an external email address matching the domain.mail.onmicrosoft.com address of the Office 365 Group.
  • Be a recipient hidden from the global address list.


In this example I will utilize powershell to create the mail enabled group and the values previously gathered above.


[PS] C:\>New-DistributionGroup -DisplayName "Officers" -Name "Officers_7cca570b9" -Alias "Officers" -PrimarySmtpAddress
"officers@domain.org" -OrganizationalUnit "domain.local/TopLevelOU/Groups/Office365-NoSync"




Name               DisplayName GroupType PrimarySmtpAddress

----               ----------- --------- ------------------

Officers_7cca570b9 Officers    Universal
officers@domain.org


Using powershell the mail enabled contact will be created.  To avoid any attribute collisions “–contact” was added to the end of each parameter.


[PS] C:\>New-MailContact -DisplayName "Officers-Contact" -Name "Officers_7ccca570b9-Contact" -ExternalEmailAddress "officers@domain.mail.onmicrosoft.com" -Alias "Officers-Contact" -PrimarySmtpAddress "officers-contact@domain.org" –OrganizatisonalUnit "domain.local/TopLevelOU/Contacts/Office365-NoSync"


Name                      Alias                                          RecipientType

----                      -----                                          -------------

Officers_7ccca570b9-Conta Officers-Contact                               MailContact

ct


The mail contact can then be hidden from the address list preventing users from locating it rather than the group created.


[PS] C:\>Set-MailContact Officers_7cca570b9-contact -HiddenFromAddressListsEnabled:$TRUE


With the mail contact provisioned it can be added to the distribution group as a member. 


[PS] C:\>Add-DistributionGroupMember -Identity Officers_7cca570b9 -Member Officers_7cca570b9-contact



[PS] C:\>Get-DistributionGroupMember -Identity Officers_7cca570b9


Name                       RecipientType

----                       -------------

Officers_7cca570b9-contact MailContact


Here is an example of the message tracking log on-premises.  The distribution list expansion and redirect to the external recipient can be reviewed.


[PS] C:\>Get-MessageTrackingLog -MessageId "4d19cf9cae67475cb4b41e011f28031d@domain.org"


Timestamp              EventId          Source        Sender                Recipients            MessageSubject

---------              -------          ------        ------                ----------            --------------

8/22/2018 2:08:05 PM   HAREDIRECTFAIL   SMTP          Administrator@OOOO... {officers@OOOOOOOO... Distribution Grou...

8/22/2018 2:08:05 PM   RECEIVE          SMTP          Administrator@OOOO... {officers@OOOOOOOO... Distribution Grou...

8/22/2018 2:08:05 PM   EXPAND           ROUTING       Administrator@OOOO... {officers-contact@... Distribution Grou...

8/22/2018 2:08:05 PM   RESOLVE          ROUTING       Administrator@OOOO... {officers@OOOOOOOO... Distribution Grou...

8/22/2018 2:08:06 PM   AGENTINFO        AGENT         Administrator@OOOO... {officers@OOOOOOOO... Distribution Grou...

8/22/2018 2:08:06 PM   TRANSFER         ROUTING       Administrator@OOOO... {officers@OOOOOOOO... Distribution Grou...

8/22/2018 2:08:06 PM   DROP             ROUTING       Administrator@OOOO... {officers@OOOOOOOO... Distribution Grou...

8/22/2018 2:08:06 PM   TRANSFER         ROUTING       Administrator@OOOO... {officers@OOOOOOOO... Distribution Grou...

8/22/2018 2:08:07 PM   SENDEXTERNAL     SMTP          Administrator@OOOO... {officers@OOOOOOOO... Distribution Grou...

8/22/2018 2:08:05 PM   RECEIVE          STOREDRIVER   Administrator@OOOO... {officers@OOOOOOOO... Distribution Grou...

8/22/2018 2:08:05 PM   SUBMIT           STOREDRIVER   Administrator@OOOO... {officers@OOOOOOOO... Distribution Grou...


A message trace in Office 365 confirms receipt of the message to the Office 365 Group.


PS C:\> Get-MessageTrace -RecipientAddress officers@fortmillrescuesquad.mail.onmicrosoft.com


Received             Sender Address                Recipient Address                                 Subject

--------             --------------                -----------------                                 -------

8/22/2018 2:08:06 PM Administrator@domain.org      officers@domain.mail.onmicrosoft.com              Distribution Gr...


When the full message headers are pulled from the message delivered to the group we can additionally validate that the authentication source is internal.  The messages are trusted.


26
X-MS-Exchange-Organization-AuthAs
Internal


Utilizing this method the on premises object appears as a mail enabled distribution group with a single member.  It will appear in the global address list as a group object and you can apply many of the same group properties – such as moderation and authentication – should it be required.


Senders and authentication…


The steps provided above yield email that arrives in Office 365 Groups as internal.  This considers the message to be trusted and authenticated.  In the testing performed above an on-premises mailbox was utilized as the source of the messages.  In many cases administrators are considering this plan or group writeback to allow the on premises organization to receive internet email as the primary MX and route to the Office 365 Groups <or> to allow internal applications to relay to Office 365 Groups.


When messages do not originate in the context of an authenticated user the connector status is utilized to determine the security of a message.  When the MX record points to an on premises server – it should be directed to a connector that has anonymous rights only.  This connector will not elevate messages received to an internal status.  In this test I utilized telnet to send an email through a connector where only the anonymous rights are present.  The header shows an authentication status of Anonymous.


24
X-MS-Exchange-Organization-AuthAs
Anonymous


When trusted internal applications require the ability to send securely to Office 365 Groups a connector can be leveraged that utilizes the externally secured permissions.  I have written a document here that some may find helpful.  https://blogs.technet.microsoft.com/timmcmic/2018/04/22/office-365-trusting-application-emails-sent-through-internal-relay/  In this test I utilized an MFP to send an email through a connector where the externally secured rights were applied and restrictions were in placed based on source IP address.  The header shows an authentication status of Internal.


25
X-MS-Exchange-Organization-AuthAs
Internal


This information can be useful in understanding how rights are applied to distribution groups and the security of inbound mail flow.


Comments (0)

Skip to main content