DBEB working randomly

Mikael Bohlin 6 Reputation points

DBEB in Exchange Online Protection should reject inbound emails to addresses not found in the internal directory. If I send an email to a made-up address (john.doe@mycompany.org) from an external mailbox, I do get a NDR saying 5.4.1 access denied. So far so good. But when I send an email that we deleted back in year 2011, from our internal AD and onprem Exchange, the email is accepted by the DBEB and processed by the MTA. The result gives an NDR as well, but with "not found in the smtp addressbook". Why is DBEB accepting a user that we deleted 10 years ago, a user that was deleted many years before AD Sync to Azure and the Exchange Hybrid setup? I assume there are something left in AD/Exchange, but where shall I look for it?

Microsoft Exchange Online Management
Microsoft Exchange Online Management
Microsoft Exchange Online: A Microsoft email and calendaring hosted service.Management: The act or process of organizing, handling, directing or controlling something.
4,300 questions
Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,426 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Joyce Shen - MSFT 16,646 Reputation points

    Hi @Mikael Bohlin

    According to your information above, the user is deleted before you configure Exchange hybrid and sync to cloud. And DBEB not working for this account.

    DBEB block all messages sent to email addresses that aren’t present in Azure Active Directory.

    Try using the commands below to see any result returned back about the user:

    Get-AzureADUser -ObjectId "testUpn@tenant.com"  
    Get-Recipient -Identity <MailUserIdentity> | Format-List     

    Detailed information Manage mail users in standalone EOP

    In addition, have you checked in onprem AD that the deleted user is not able to be found?

    Could you please provide the complete NDR you received for that account?

    Some further information about DBEB attached here as well: In Deployment: Directory Based Edge Blocking for Exchange Online Protection

    If an Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments