Office 365: A different approach to handling Office 365 group mail flow…

In Exchange Online an Office 365 Group ( Unified Group / Modern Group ) allows for a new level of team collaboration.  Office 365 Groups are created directly in Exchange Online and Azure Active Directory.  This makes them cloud only objects.  The membership and attributes of these objects are maintained directly in Office 365.

There are legitimate scenarios where on premises applications must be able to send email to the Office 365 groups.  By default an Office 365 Group does not write back to on premises Active Directory and therefore is not a valid recipient for Exchange on-premises.  To compensate for this Azure Active Directory Connect has a group writeback feature.  The group writeback feature allows Office 365 groups to be represented in the on-premises Active Directory.  The group membership cannot be managed using the on-premises Active Directory – any changes are overwritten by Azure Active Directory Connect. 

When a group is written back to the on-premises active directory they are not mail enabled by default.  Administrators must execute the update-recipient command in order to have the objects represented in the on-premises global address list and for full transport functionality.  In some cases this can be an interesting task.  There is another option to establish mail flow and have the object appear in the on-premises global address list.

Utilizing a mail contact…

The process starts by provisioning the Office 365 Group in either Exchange Online or in Azure Active Directory.  When the group is provisioned the mail enabled attributes are created – of particular interest to us are the email addresses stamped on the group.

The group must be updated with an email address that includes domain.mail.onmicrosoft.com.

PS C:\> Set-UnifiedGroup Officers -emailaddresses:@{add=officers@domain.mail.onmicrosoft.com}

With the new email address present we can gather the attributes that we will use in future commands into a variable.

PS C:\> $group=Get-UnifiedGroup -Identity Officers

PS C:\> $group.EmailAddresses

smtp:officers@fortmillrescuesquad.mail.onmicrosoft.com

SMTP:Officers@fortmillems.org

smtp:Officers@fortmillrescue.com

SPO:SPO_8bd244fb-60f3-4710-a1ef-40bc7ef584ff@SPO_eefdeca8-5850-4ca5-a160-0716f2d8496e

smtp:Officers@FortMillRescueSquad.onmicrosoft.com

PS C:\> $group.DisplayName

Officers

PS C:\> $group.name

Officers_7ccca570b9

PS C:\> $group.alias

Officers

As with most mail enabled objects in Office 365 this group has a primary email address at the vanity domain @domain.org and a secondary email address at the tenant domain @domain.mail.onmicrosoft.com.  I have also noted the other attributes that we will utilize later. 

The next step is to locate or create an Organizational Unit in the on-premises Active Directory to store the on-premises objects we will associated with these groups.  An important configuration step here is that the OU must NOT be included in objects that are replicated by Azure Active Directory Connect to Azure Active Directory.  This is performed through the Azure Active Directory Connect configuration wizard. 

image

The last step of the process is to provision mail enabled contacts within the non-sync OU.  The mail enabled contacts will:

  • Have a primary email address matching the primary email address of the mail enabled group in Office 365.
  • Have an external email address matching the tenant specific email address.
  • Any number of secondary addresses as necessary.
  • Note – the primary and secondary email addresses may be defined automatically by the on-premises recipient policies and match the Office 365 Group depending on the configuration of the on-premises recipient policies.

In this example I will utilize powershell to create the mail enabled contact and the values previously gathered above.

[PS] C:\>New-MailContact -DisplayName "Officers" -Name "Officers_7ccca570b9" -ExternalEmailAddress "officers@domain.mail.onmicrosoft.com" -Alias "Officers" -PrimarySmtpAddress "officers@domain.org" -OrganizationalUnit "domain.local/TopLevelOU/Contacts/Office365-NoSync"

Name Alias RecipientType

---- ----- -------------

Officers_7ccca570b9 Officers MailContact

The contact creation can be verified with get-mailcontact and reviewing the individual attributes set.

[PS] C:\>$contact=get-mailContact Officers_7ccca570b9

[PS] C:\>$contact.displayName

Officers

[PS] C:\>$contact.name

Officers_7ccca570b9

[PS] C:\>$contact.ExternalEmailAddress

SmtpAddress : officers@domain.mail.onmicrosoft.com

AddressString : officers@domain.mail.onmicrosoft.com

ProxyAddressString : SMTP:officers@domain.mail.onmicrosoft.com

Prefix : SMTP

IsPrimaryAddress : True

PrefixString : SMTP

[PS] C:\>$contact.Alias

Officers

[PS] C:\>$contact.PrimarySmtpAddress

Length : 25

Local : officers

Domain : domain.org

Address : officers@domain.org

IsUTF8 : False

IsValidAddress : True

[PS] C:\>$contact.OrganizationalUnit

domain.local/TopLevelOU/Groups/Office365-NoSync

The mail contact will appear in the on premises global address list.

image

When the contact is selected as a mail target the email will be received at address@domain.org and will forward to address@domain.onmicrosoft.com.  Here is an example from the on-premises message tracking logs.

[PS] C:\>Get-MessageTrackingLog -MessageId c652db0a537848d4bf43c6d435bbb79e@domain.org

Timestamp EventId Source Sender Recipients MessageSubject

--------- ------- ------ ------ ---------- --------------

8/21/2018 8:23:03 PM HAREDIRECTFAIL SMTP Administrator@OOOO... {officers@OOOOOOOO... Test New Contact

8/21/2018 8:23:03 PM RECEIVE SMTP Administrator@OOOO... {officers@OOOOOOOO... Test New Contact

8/21/2018 8:23:17 PM RESOLVE ROUTING Administrator@OOOO... {officers@OOOOOOOO... Test New Contact

8/21/2018 8:23:22 PM AGENTINFO AGENT Administrator@OOOO... {officers@OOOOOOOO... Test New Contact

8/21/2018 8:23:25 PM TRANSFER ROUTING Administrator@OOOO... {officers@OOOOOOOO... Test New Contact

8/21/2018 8:23:29 PM SENDEXTERNAL SMTP Administrator@OOOO... {officers@OOOOOOOO... Test New Contact

8/21/2018 8:22:58 PM RECEIVE STOREDRIVER Administrator@OOOO... {officers@OOOOOOOO... Test New Contact

8/21/2018 8:23:06 PM SUBMIT STOREDRIVER Administrator@OOOO... {officers@OOOOOOOO... Test New Contact

The Exchange Online message tracking logs show the inbound transmission to Office 365.

PS C:\> Get-MessageTrace -RecipientAddress officers@domain.mail.onmicrosoft.com

Received Sender Address Recipient Address Subject

-------- -------------- ----------------- -------

8/21/2018 8:23:28 PM Administrator@domain.org officers@domain.mail.onmicrosoft.com Test New Contact

When the full message headers are pulled from the message delivered to the group we can additionally validate that the authentication source is internal.  The messages are trusted.

26
X-MS-Exchange-Organization-AuthAs
Internal

When using this process the contact on-premises shows as a mail enabled contact.  It will not show as a distribution group – which may impact some peoples abilities to locate within the global address list – for example someone who selects all lists in the address book drop down.  If you prefer – you could utilize a distribution list with a single member to achieve the same results. 

Utilizing a distribution group…

The same pre-requisites must be followed.  We need to add the additional email address to the unified group, capture the values for the group, and have a prepared organizational unit not synchronized.  The process only deviates in how we create the relationship between the on-premises groups and the Office 365 Groups.

The steps of this process include provisioning a distribution group and a mail enabled contacts within the non-sync OU.

The distribution list will:

  • Have a primary email address matching the primary email address of the mail enabled group in Office 365.
  • Contain a mail enable contact with an external email address matching the domain.mail.onmicrosoft.com address of the Office 365 Group.
  • Any number of secondary addresses as necessary.
  • Note – the primary and secondary email addresses may be defined automatically by the on-premises recipient policies and match the Office 365 Group depending on the configuration of the on-premises recipient policies.

The mail enabled contact will:

  • Have an external email address matching the domain.mail.onmicrosoft.com address of the Office 365 Group.
  • Be a recipient hidden from the global address list.

In this example I will utilize powershell to create the mail enabled group and the values previously gathered above.

[PS] C:\>New-DistributionGroup -DisplayName "Officers" -Name "Officers_7cca570b9" -Alias "Officers" -PrimarySmtpAddress
"officers@domain.org" -OrganizationalUnit "domain.local/TopLevelOU/Groups/Office365-NoSync"

Name DisplayName GroupType PrimarySmtpAddress

---- ----------- --------- ------------------

Officers_7cca570b9 Officers Universal officers@domain.org

Using powershell the mail enabled contact will be created.  To avoid any attribute collisions “–contact” was added to the end of each parameter.

[PS] C:\>New-MailContact -DisplayName "Officers-Contact" -Name "Officers_7ccca570b9-Contact" -ExternalEmailAddress "officers@domain.mail.onmicrosoft.com" -Alias "Officers-Contact" -PrimarySmtpAddress "officers-contact@domain.org" –OrganizatisonalUnit "domain.local/TopLevelOU/Contacts/Office365-NoSync"

Name Alias RecipientType

---- ----- -------------

Officers_7ccca570b9-Conta Officers-Contact MailContact

ct

The mail contact can then be hidden from the address list preventing users from locating it rather than the group created.

[PS] C:\>Set-MailContact Officers_7cca570b9-contact -HiddenFromAddressListsEnabled:$TRUE

With the mail contact provisioned it can be added to the distribution group as a member. 

[PS] C:\>Add-DistributionGroupMember -Identity Officers_7cca570b9 -Member Officers_7cca570b9-contact

[PS] C:\>Get-DistributionGroupMember -Identity Officers_7cca570b9

Name RecipientType

---- -------------

Officers_7cca570b9-contact MailContact

Here is an example of the message tracking log on-premises.  The distribution list expansion and redirect to the external recipient can be reviewed.

[PS] C:\>Get-MessageTrackingLog -MessageId "4d19cf9cae67475cb4b41e011f28031d@domain.org"

Timestamp EventId Source Sender Recipients MessageSubject

--------- ------- ------ ------ ---------- --------------

8/22/2018 2:08:05 PM HAREDIRECTFAIL SMTP Administrator@OOOO... {officers@OOOOOOOO... Distribution Grou...

8/22/2018 2:08:05 PM RECEIVE SMTP Administrator@OOOO... {officers@OOOOOOOO... Distribution Grou...

8/22/2018 2:08:05 PM EXPAND ROUTING Administrator@OOOO... {officers-contact@... Distribution Grou...

8/22/2018 2:08:05 PM RESOLVE ROUTING Administrator@OOOO... {officers@OOOOOOOO... Distribution Grou...

8/22/2018 2:08:06 PM AGENTINFO AGENT Administrator@OOOO... {officers@OOOOOOOO... Distribution Grou...

8/22/2018 2:08:06 PM TRANSFER ROUTING Administrator@OOOO... {officers@OOOOOOOO... Distribution Grou...

8/22/2018 2:08:06 PM DROP ROUTING Administrator@OOOO... {officers@OOOOOOOO... Distribution Grou...

8/22/2018 2:08:06 PM TRANSFER ROUTING Administrator@OOOO... {officers@OOOOOOOO... Distribution Grou...

8/22/2018 2:08:07 PM SENDEXTERNAL SMTP Administrator@OOOO... {officers@OOOOOOOO... Distribution Grou...

8/22/2018 2:08:05 PM RECEIVE STOREDRIVER Administrator@OOOO... {officers@OOOOOOOO... Distribution Grou...

8/22/2018 2:08:05 PM SUBMIT STOREDRIVER Administrator@OOOO... {officers@OOOOOOOO... Distribution Grou...

A message trace in Office 365 confirms receipt of the message to the Office 365 Group.

PS C:\> Get-MessageTrace -RecipientAddress officers@fortmillrescuesquad.mail.onmicrosoft.com

Received Sender Address Recipient Address Subject

-------- -------------- ----------------- -------

8/22/2018 2:08:06 PM Administrator@domain.org officers@domain.mail.onmicrosoft.com Distribution Gr...

When the full message headers are pulled from the message delivered to the group we can additionally validate that the authentication source is internal.  The messages are trusted.

26
X-MS-Exchange-Organization-AuthAs
Internal

Utilizing this method the on premises object appears as a mail enabled distribution group with a single member.  It will appear in the global address list as a group object and you can apply many of the same group properties – such as moderation and authentication – should it be required.

Senders and authentication…

The steps provided above yield email that arrives in Office 365 Groups as internal.  This considers the message to be trusted and authenticated.  In the testing performed above an on-premises mailbox was utilized as the source of the messages.  In many cases administrators are considering this plan or group writeback to allow the on premises organization to receive internet email as the primary MX and route to the Office 365 Groups <or> to allow internal applications to relay to Office 365 Groups.

When messages do not originate in the context of an authenticated user the connector status is utilized to determine the security of a message.  When the MX record points to an on premises server – it should be directed to a connector that has anonymous rights only.  This connector will not elevate messages received to an internal status.  In this test I utilized telnet to send an email through a connector where only the anonymous rights are present.  The header shows an authentication status of Anonymous.

24
X-MS-Exchange-Organization-AuthAs
Anonymous

When trusted internal applications require the ability to send securely to Office 365 Groups a connector can be leveraged that utilizes the externally secured permissions.  I have written a document here that some may find helpful.  https://blogs.technet.microsoft.com/timmcmic/2018/04/22/office-365-trusting-application-emails-sent-through-internal-relay/  In this test I utilized an MFP to send an email through a connector where the externally secured rights were applied and restrictions were in placed based on source IP address.  The header shows an authentication status of Internal.

25
X-MS-Exchange-Organization-AuthAs
Internal

This information can be useful in understanding how rights are applied to distribution groups and the security of inbound mail flow.