Office 365: A different approach to handling Office 365 group mail flow…
In Exchange Online an Office 365 Group ( Unified Group / Modern Group ) allows for a new level of team collaboration. Office 365 Groups are created directly in Exchange Online and Azure Active Directory. This makes them cloud only objects. The membership and attributes of these objects are maintained directly in Office 365.
There are legitimate scenarios where on premises applications must be able to send email to the Office 365 groups. By default an Office 365 Group does not write back to on premises Active Directory and therefore is not a valid recipient for Exchange on-premises. To compensate for this Azure Active Directory Connect has a group writeback feature. The group writeback feature allows Office 365 groups to be represented in the on-premises Active Directory. The group membership cannot be managed using the on-premises Active Directory – any changes are overwritten by Azure Active Directory Connect.
When a group is written back to the on-premises active directory they are not mail enabled by default. Administrators must execute the update-recipient command in order to have the objects represented in the on-premises global address list and for full transport functionality. In some cases this can be an interesting task. There is another option to establish mail flow and have the object appear in the on-premises global address list.
Utilizing a mail contact…
The process starts by provisioning the Office 365 Group in either Exchange Online or in Azure Active Directory. When the group is provisioned the mail enabled attributes are created – of particular interest to us are the email addresses stamped on the group.
The group must be updated with an email address that includes domain.mail.onmicrosoft.com.
PS C:\> Set-UnifiedGroup Officers -emailaddresses:@{add=officers@domain.mail.onmicrosoft.com}
With the new email address present we can gather the attributes that we will use in future commands into a variable.
PS C:\> $group=Get-UnifiedGroup -Identity Officers
PS C:\> $group.EmailAddresses
smtp:officers@fortmillrescuesquad.mail.onmicrosoft.com
SMTP:Officers@fortmillems.org
smtp:Officers@fortmillrescue.com
SPO:SPO_8bd244fb-60f3-4710-a1ef-40bc7ef584ff@SPO_eefdeca8-5850-4ca5-a160-0716f2d8496e
smtp:Officers@FortMillRescueSquad.onmicrosoft.com
PS C:\> $group.DisplayName
Officers
PS C:\> $group.name
Officers_7ccca570b9
PS C:\> $group.alias
Officers
As with most mail enabled objects in Office 365 this group has a primary email address at the vanity domain @domain.org and a secondary email address at the tenant domain @domain.mail.onmicrosoft.com. I have also noted the other attributes that we will utilize later.
The next step is to locate or create an Organizational Unit in the on-premises Active Directory to store the on-premises objects we will associated with these groups. An important configuration step here is that the OU must NOT be included in objects that are replicated by Azure Active Directory Connect to Azure Active Directory. This is performed through the Azure Active Directory Connect configuration wizard.
The last step of the process is to provision mail enabled contacts within the non-sync OU. The mail enabled contacts will:
- Have a primary email address matching the primary email address of the mail enabled group in Office 365.
- Have an external email address matching the tenant specific email address.
- Any number of secondary addresses as necessary.
- Note – the primary and secondary email addresses may be defined automatically by the on-premises recipient policies and match the Office 365 Group depending on the configuration of the on-premises recipient policies.
In this example I will utilize powershell to create the mail enabled contact and the values previously gathered above.
[PS] C:\>New-MailContact -DisplayName "Officers" -Name "Officers_7ccca570b9" -ExternalEmailAddress "officers@domain.mail.onmicrosoft.com" -Alias "Officers" -PrimarySmtpAddress "officers@domain.org" -OrganizationalUnit "domain.local/TopLevelOU/Contacts/Office365-NoSync"
Name Alias RecipientType
---- ----- -------------
Officers_7ccca570b9 Officers MailContact
The contact creation can be verified with get-mailcontact and reviewing the individual attributes set.
[PS] C:\>$contact=get-mailContact Officers_7ccca570b9
[PS] C:\>$contact.displayName
Officers
[PS] C:\>$contact.name
Officers_7ccca570b9
[PS] C:\>$contact.ExternalEmailAddress
SmtpAddress : officers@domain.mail.onmicrosoft.com
AddressString : officers@domain.mail.onmicrosoft.com
ProxyAddressString : SMTP:officers@domain.mail.onmicrosoft.com
Prefix : SMTP
IsPrimaryAddress : True
PrefixString : SMTP
[PS] C:\>$contact.Alias
Officers
[PS] C:\>$contact.PrimarySmtpAddress
Length : 25
Local : officers
Domain : domain.org
Address : officers@domain.org
IsUTF8 : False
IsValidAddress : True
[PS] C:\>$contact.OrganizationalUnit
domain.local/TopLevelOU/Groups/Office365-NoSync
The mail contact will appear in the on premises global address list.
When the contact is selected as a mail target the email will be received at address@domain.org and will forward to address@domain.onmicrosoft.com. Here is an example from the on-premises message tracking logs.
[PS] C:\>Get-MessageTrackingLog -MessageId c652db0a537848d4bf43c6d435bbb79e@domain.org
Timestamp EventId Source Sender Recipients MessageSubject
--------- ------- ------ ------ ---------- --------------
8/21/2018 8:23:03 PM HAREDIRECTFAIL SMTP Administrator@OOOO... {officers@OOOOOOOO... Test New Contact
8/21/2018 8:23:03 PM RECEIVE SMTP Administrator@OOOO... {officers@OOOOOOOO... Test New Contact
8/21/2018 8:23:17 PM RESOLVE ROUTING Administrator@OOOO... {officers@OOOOOOOO... Test New Contact
8/21/2018 8:23:22 PM AGENTINFO AGENT Administrator@OOOO... {officers@OOOOOOOO... Test New Contact
8/21/2018 8:23:25 PM TRANSFER ROUTING Administrator@OOOO... {officers@OOOOOOOO... Test New Contact
8/21/2018 8:23:29 PM SENDEXTERNAL SMTP Administrator@OOOO... {officers@OOOOOOOO... Test New Contact
8/21/2018 8:22:58 PM RECEIVE STOREDRIVER Administrator@OOOO... {officers@OOOOOOOO... Test New Contact
8/21/2018 8:23:06 PM SUBMIT STOREDRIVER Administrator@OOOO... {officers@OOOOOOOO... Test New Contact
The Exchange Online message tracking logs show the inbound transmission to Office 365.
PS C:\> Get-MessageTrace -RecipientAddress officers@domain.mail.onmicrosoft.com
Received Sender Address Recipient Address Subject
-------- -------------- ----------------- -------
8/21/2018 8:23:28 PM Administrator@domain.org officers@domain.mail.onmicrosoft.com Test New Contact
When the full message headers are pulled from the message delivered to the group we can additionally validate that the authentication source is internal. The messages are trusted.
26
X-MS-Exchange-Organization-AuthAs
Internal
When using this process the contact on-premises shows as a mail enabled contact. It will not show as a distribution group – which may impact some peoples abilities to locate within the global address list – for example someone who selects all lists in the address book drop down. If you prefer – you could utilize a distribution list with a single member to achieve the same results.
Utilizing a distribution group…
The same pre-requisites must be followed. We need to add the additional email address to the unified group, capture the values for the group, and have a prepared organizational unit not synchronized. The process only deviates in how we create the relationship between the on-premises groups and the Office 365 Groups.
The steps of this process include provisioning a distribution group and a mail enabled contacts within the non-sync OU.
The distribution list will:
- Have a primary email address matching the primary email address of the mail enabled group in Office 365.
- Contain a mail enable contact with an external email address matching the domain.mail.onmicrosoft.com address of the Office 365 Group.
- Any number of secondary addresses as necessary.
- Note – the primary and secondary email addresses may be defined automatically by the on-premises recipient policies and match the Office 365 Group depending on the configuration of the on-premises recipient policies.
The mail enabled contact will:
- Have an external email address matching the domain.mail.onmicrosoft.com address of the Office 365 Group.
- Be a recipient hidden from the global address list.
In this example I will utilize powershell to create the mail enabled group and the values previously gathered above.
[PS] C:\>New-DistributionGroup -DisplayName "Officers" -Name "Officers_7cca570b9" -Alias "Officers" -PrimarySmtpAddress
"officers@domain.org" -OrganizationalUnit "domain.local/TopLevelOU/Groups/Office365-NoSync"
Name DisplayName GroupType PrimarySmtpAddress
---- ----------- --------- ------------------
Officers_7cca570b9 Officers Universal officers@domain.org
Using powershell the mail enabled contact will be created. To avoid any attribute collisions “–contact” was added to the end of each parameter.
[PS] C:\>New-MailContact -DisplayName "Officers-Contact" -Name "Officers_7ccca570b9-Contact" -ExternalEmailAddress "officers@domain.mail.onmicrosoft.com" -Alias "Officers-Contact" -PrimarySmtpAddress "officers-contact@domain.org" –OrganizatisonalUnit "domain.local/TopLevelOU/Contacts/Office365-NoSync"
Name Alias RecipientType
---- ----- -------------
Officers_7ccca570b9-Conta Officers-Contact MailContact
ct
The mail contact can then be hidden from the address list preventing users from locating it rather than the group created.
[PS] C:\>Set-MailContact Officers_7cca570b9-contact -HiddenFromAddressListsEnabled:$TRUE
With the mail contact provisioned it can be added to the distribution group as a member.
[PS] C:\>Add-DistributionGroupMember -Identity Officers_7cca570b9 -Member Officers_7cca570b9-contact
[PS] C:\>Get-DistributionGroupMember -Identity Officers_7cca570b9
Name RecipientType
---- -------------
Officers_7cca570b9-contact MailContact
Here is an example of the message tracking log on-premises. The distribution list expansion and redirect to the external recipient can be reviewed.
[PS] C:\>Get-MessageTrackingLog -MessageId "4d19cf9cae67475cb4b41e011f28031d@domain.org"
Timestamp EventId Source Sender Recipients MessageSubject
--------- ------- ------ ------ ---------- --------------
8/22/2018 2:08:05 PM HAREDIRECTFAIL SMTP Administrator@OOOO... {officers@OOOOOOOO... Distribution Grou...
8/22/2018 2:08:05 PM RECEIVE SMTP Administrator@OOOO... {officers@OOOOOOOO... Distribution Grou...
8/22/2018 2:08:05 PM EXPAND ROUTING Administrator@OOOO... {officers-contact@... Distribution Grou...
8/22/2018 2:08:05 PM RESOLVE ROUTING Administrator@OOOO... {officers@OOOOOOOO... Distribution Grou...
8/22/2018 2:08:06 PM AGENTINFO AGENT Administrator@OOOO... {officers@OOOOOOOO... Distribution Grou...
8/22/2018 2:08:06 PM TRANSFER ROUTING Administrator@OOOO... {officers@OOOOOOOO... Distribution Grou...
8/22/2018 2:08:06 PM DROP ROUTING Administrator@OOOO... {officers@OOOOOOOO... Distribution Grou...
8/22/2018 2:08:06 PM TRANSFER ROUTING Administrator@OOOO... {officers@OOOOOOOO... Distribution Grou...
8/22/2018 2:08:07 PM SENDEXTERNAL SMTP Administrator@OOOO... {officers@OOOOOOOO... Distribution Grou...
8/22/2018 2:08:05 PM RECEIVE STOREDRIVER Administrator@OOOO... {officers@OOOOOOOO... Distribution Grou...
8/22/2018 2:08:05 PM SUBMIT STOREDRIVER Administrator@OOOO... {officers@OOOOOOOO... Distribution Grou...
A message trace in Office 365 confirms receipt of the message to the Office 365 Group.
PS C:\> Get-MessageTrace -RecipientAddress officers@fortmillrescuesquad.mail.onmicrosoft.com
Received Sender Address Recipient Address Subject
-------- -------------- ----------------- -------
8/22/2018 2:08:06 PM Administrator@domain.org officers@domain.mail.onmicrosoft.com Distribution Gr...
When the full message headers are pulled from the message delivered to the group we can additionally validate that the authentication source is internal. The messages are trusted.
26
X-MS-Exchange-Organization-AuthAs
Internal
Utilizing this method the on premises object appears as a mail enabled distribution group with a single member. It will appear in the global address list as a group object and you can apply many of the same group properties – such as moderation and authentication – should it be required.
Senders and authentication…
The steps provided above yield email that arrives in Office 365 Groups as internal. This considers the message to be trusted and authenticated. In the testing performed above an on-premises mailbox was utilized as the source of the messages. In many cases administrators are considering this plan or group writeback to allow the on premises organization to receive internet email as the primary MX and route to the Office 365 Groups <or> to allow internal applications to relay to Office 365 Groups.
When messages do not originate in the context of an authenticated user the connector status is utilized to determine the security of a message. When the MX record points to an on premises server – it should be directed to a connector that has anonymous rights only. This connector will not elevate messages received to an internal status. In this test I utilized telnet to send an email through a connector where only the anonymous rights are present. The header shows an authentication status of Anonymous.
24
X-MS-Exchange-Organization-AuthAs
Anonymous
When trusted internal applications require the ability to send securely to Office 365 Groups a connector can be leveraged that utilizes the externally secured permissions. I have written a document here that some may find helpful. https://blogs.technet.microsoft.com/timmcmic/2018/04/22/office-365-trusting-application-emails-sent-through-internal-relay/ In this test I utilized an MFP to send an email through a connector where the externally secured rights were applied and restrictions were in placed based on source IP address. The header shows an authentication status of Internal.
25
X-MS-Exchange-Organization-AuthAs
Internal
This information can be useful in understanding how rights are applied to distribution groups and the security of inbound mail flow.