Directory-Based Edge Blocking works - but user with valid mail also blocked

Question

Hi everyone,
We activated DBEB 2 days ago as our mailboxes are all migrated to the cloud. The MX records also directs to EXO.
This way we want to achieve that the EXCH on prem is only there for management of the synced identities.

Today we received a ticket that one user could not be addressed from external (gmail, gmx and our customers).
We checked the account and everything looked fine.
I then edited the mail address - deleted the input - and wrote the mailaddress by hand into the form. Synced the users. Everything is working fine now for her.
BUT what if there are more users out there?
I also found this blog article describing the exact same problem: https://www.undocumented-features.com/2020/07/23/exchange-online-protection-550-5-4-1-recipient-address-rejected-access-denied-as201806281/

How can we get a log of all "access denied" users from EXO for the last 3 days? I could then use excel to XLOOKUP against our GAL to check if there are other cases and fix them one by one.

Best regards
Stephan

Answer 1

Those would be in the SMTP protocol logs, so not available for you to see using message trace.

Personally, I would open a case with 365 support and explain the issue and ask them to investigate and provide any logs if they could

BTW, I question the value of enabling DBEB and would recommend not using it in these cases. Maybe wait till you can remove hybrid

Answer 2

Totally understand. But of course, with hybrid you can just allow port 25 from ExO and block 443 and that will allow it to "check" on-prem as well for a valid recipient...

Sadly, support should be able to help you better. :(