Directory-Based Edge Blocking works - but user with valid mail also blocked

StephanG 811 Reputation points
2021-12-15T09:49:38.97+00:00

Hi everyone,
We activated DBEB 2 days ago as our mailboxes are all migrated to the cloud. The MX record also directs to EXO.
This way we want to achieve that the on-prem EXCH is only there for management of the synced identities.

Today we received a ticket that one user could not be reached from external senders (Gmail, GMX and our customers).
We checked the account and everything looked fine.
I then edited the mail address (deleted the entry and typed the mail address into the form by hand) and synced the user. Everything is working fine now for her.
BUT what if there are more users out there?
I also found this blog article describing the exact same problem: https://www.undocumented-features.com/2020/07/23/exchange-online-protection-550-5-4-1-recipient-address-rejected-access-denied-as201806281/

How can we get a log of all "access denied" users from EXO for the last 3 days? I could then use Excel to XLOOKUP against our GAL to check if there are other cases and fix them one by one.

Best regards
Stephan

Tags: Microsoft Exchange Online Management, Exchange Server Management, Microsoft Exchange Hybrid Management
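As an added example that is not part of the thread: a PowerShell cross-check that does the GAL lookup Stephan describes without waiting on logs, assuming the on-prem Exchange Management Shell is loaded, the ExchangeOnlineManagement module is installed, and the output path is arbitrary.

```powershell
# Added example (not from the thread): compare every smtp: address the on-prem
# GAL advertises against what Exchange Online actually knows, so DBEB candidates
# can be found proactively. Assumes the on-prem Exchange Management Shell plus
# the ExchangeOnlineManagement module; the report path is an arbitrary choice.
#Requires -Modules ExchangeOnlineManagement

$reportPath = 'C:\Temp\dbeb-mismatch.csv'   # assumed location

# On-prem view: every mail-enabled object that carries proxy addresses.
$onPrem = Get-Recipient -ResultSize Unlimited | Where-Object { $_.EmailAddresses }

# Cloud view: a case-insensitive set of every SMTP address EXO will accept.
Connect-ExchangeOnline -ShowBanner:$false
$cloudAddresses = New-Object 'System.Collections.Generic.HashSet[string]' ([StringComparer]::OrdinalIgnoreCase)
Get-EXORecipient -ResultSize Unlimited -Properties EmailAddresses | ForEach-Object {
    foreach ($addr in $_.EmailAddresses) {
        if ($addr.ToString() -match '^smtp:(.+)$') { [void]$cloudAddresses.Add($Matches[1]) }
    }
}
Disconnect-ExchangeOnline -Confirm:$false

$findings = foreach ($r in $onPrem) {
    foreach ($addr in $r.EmailAddresses) {
        if ($addr.ToString() -notmatch '^smtp:(.+)$') { continue }   # skip X500, SIP, etc.
        $smtp = $Matches[1]
        $problems = @()
        # Address known on-prem but absent from EXO: exactly what DBEB rejects.
        if (-not $cloudAddresses.Contains($smtp)) { $problems += 'NotInEXO' }
        # Heuristic (assumption): whitespace or a non-ASCII character in the
        # stored address is one plausible reason a hand-retyped value works.
        if ($smtp -match '\s' -or $smtp -match '[^\x20-\x7E]') { $problems += 'SuspiciousChars' }
        if ($problems) {
            [pscustomobject]@{
                Recipient = $r.Identity
                Address   = $smtp
                Problem   = $problems -join ';'
            }
        }
    }
}

$findings | Export-Csv -Path $reportPath -NoTypeInformation
$findings | Format-Table -AutoSize
```

Rows tagged NotInEXO are the ones to fix and re-sync before external senders hit the 550 5.4.1 rejection; the SuspiciousChars tag is only a hint at why a given address drifted.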

Accepted answer

Andy David - MVP 137.9K Reputation points MVP
2021-12-15T12:39:11.89+00:00

Those would be in the SMTP protocol logs, so not available for you to see using message trace.

Personally, I would open a case with 365 support, explain the issue and ask them to investigate and provide any logs if they can.

BTW, I question the value of enabling DBEB and would recommend not using it in these cases. Maybe wait until you can remove hybrid.


1 additional answer

Andy David - MVP 137.9K Reputation points MVP
2021-12-15T13:02:20.313+00:00

Totally understand. But of course, with hybrid you can just allow port 25 from ExO and block 443, and that will allow it to "check" on-prem as well for a valid recipient...

Sadly, support should be able to help you better. :(