This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 57.00000000000001%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMB%3C/text%3E%3C/svg%3E)
DBEB in Exchange Online Protection should reject inbound emails to addresses not found in the internal directory. If I send an email to a made-up address (john.doe@mycompany.org) from an external mailbox, I do get a NDR saying 5.4.1 access denied. So far so good. But when I send an email that we deleted back in year 2011, from our internal AD and onprem Exchange, the email is accepted by the DBEB and processed by the MTA. The result gives an NDR as well, but with "not found in the smtp addressbook". Why is DBEB accepting a user that we deleted 10 years ago, a user that was deleted many years before AD Sync to Azure and the Exchange Hybrid setup? I assume there are something left in AD/Exchange, but where shall I look for it?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 67%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Is there any update about your issue?
Any progress so far?
According to your information above, the user is deleted before you configure Exchange hybrid and sync to cloud. And DBEB not working for this account.
DBEB block all messages sent to email addresses that aren’t present in Azure Active Directory.
Try using the commands below to see any result returned back about the user:
Get-AzureADUser -ObjectId "testUpn@tenant.com"
Get-Recipient -Identity <MailUserIdentity> | Format-List
Detailed information Manage mail users in standalone EOP
In addition, have you checked in onprem AD that the deleted user is not able to be found?
Could you please provide the complete NDR you received for that account?
Some further information about DBEB attached here as well: In Deployment: Directory Based Edge Blocking for Exchange Online Protection
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.