Tuesday, 5 August 2014

Office 365 / Exchange Online hybrid configuration and moderated distribution groups

We're testing out Office 365 in hybrid configuration with our on-premises Exchange 2010 organization, using Exchange 2013 hybrid servers in order to give us access to on-premises public folders from Exchange Online mailboxes. We've hit a few teething problems along the way, one of which was getting moderated distribution groups to work between Exchange Online and on-premises Exchange.

I had to make a number of adjustments to the configuration put in place by the hybrid configuration wizard to get this up and running, so I thought I'd document what I did in case anyone else finds it useful. Throughout, the placeholder values (TenantName, tenantname.onmicrosoft.com and domainname.tld) need to be replaced with appropriate values for your organization.

On-premises changes

All changes were made using the Exchange Management Shell.

Create a remote domain for the actual tenant domain

The HCW creates a remote domain in the on-premises organization for the hybrid coexistence domain (TenantName.mail.onmicrosoft.com), but emails regarding moderated groups come from an arbitration mailbox in the tenant with email address SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}@TenantName.onmicrosoft.com, so I had to add an additional remote domain:

New-RemoteDomain -Name "Hybrid Domain - TenantName.onmicrosoft.com" -DomainName tenantname.onmicrosoft.com

Update hybrid remote domain settings

I'd manually created the on-premises connector for our hybrid coexistence domain, so it didn't have the required settings to allow things like internal out-of-office messages to be passed. I updated the settings for both Exchange Online domains. Note that the option to enable TNEF is crucial - without this, you won't get the voting buttons on emails from the tenant, which breaks approval altogether!

Set-RemoteDomain -Identity "Hybrid*" -IsInternal $true -TargetDeliveryDomain $true -AllowedOOFType InternalLegacy -MeetingForwardNotificationEnabled $true -TrustedMailOutboundEnabled $true -TrustedMailInboundEnabled $true -UseSimpleDisplayName $true -TNEFEnabled $true

Update Office 365 send connector

The last on-premises change was to update the Office 365 send connector to include the tenant domain, otherwise responses to moderation requests were NDR'd with an 'Authentication Required' message.

Set-SendConnector "Outbound to Office 365" -AddressSpaces @{Add="tenantname.onmicrosoft.com"}

Exchange Online changes

All changes were made using PowerShell connected to the Exchange Online provider.

Create a remote domain for each hybrid domain

It's necessary to create a remote domain in the tenant for each SMTP domain included in a ProxyAddress in your on-premises organization. You can see which domains Exchange Online is aware of using Get-AcceptedDomain; for each one that's not a tenant or coexistence domain, you'll need to run the following, substituting each of your domains in turn.

New-RemoteDomain -Name "Hybrid Domain - domainname.tld" -DomainName domainname.tld

Update hybrid remote domain settings

Finally, you'll need to update the Exchange Online remote domains in the same way that you updated the on-premises domains. Conveniently, if you created them as suggested above, you can run the exact same PowerShell command in Exchange Online. Again, TNEFEnabled is crucial to get the voting buttons displayed - if you leave it at the default of $null, messages get converted to HTML and the voting buttons are lost.

Set-RemoteDomain -Identity "Hybrid*" -IsInternal $true -TargetDeliveryDomain $true -AllowedOOFType InternalLegacy -MeetingForwardNotificationEnabled $true -TrustedMailOutboundEnabled $true -TrustedMailInboundEnabled $true -UseSimpleDisplayName $true -TNEFEnabled $true

At this point, everything should spring into life. Test by emailing an on-premises moderated group from an Exchange Online mailbox and see if you get a moderation message with voting buttons that you can approve.
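The Exchange Online steps above, done in one pass, as an added example that is not part of the original post: it assumes you are already connected to Exchange Online in the current PowerShell session and that the remote domains follow the "Hybrid Domain - domainname.tld" naming convention used above; it creates the missing remote domains, applies the settings, then checks that TNEF really is enabled on each of them.

```powershell
# Added example (not from the original post). Run in a session already connected
# to Exchange Online. Assumes the "Hybrid Domain - <domain>" naming convention.

# Settings the post applies to every hybrid remote domain. TNEFEnabled must be
# $true or the moderation voting buttons are lost in HTML conversion. The
# TrustedMail* settings make mail from these domains count as internal, so only
# domains your own organization owns should ever get them.
$hybridSettings = @{
    IsInternal                        = $true
    TargetDeliveryDomain              = $true
    AllowedOOFType                    = 'InternalLegacy'
    MeetingForwardNotificationEnabled = $true
    TrustedMailOutboundEnabled        = $true
    TrustedMailInboundEnabled         = $true
    UseSimpleDisplayName              = $true
    TNEFEnabled                       = $true
}

# 1. Every accepted domain that is not the tenant or coexistence domain
#    (both end in .onmicrosoft.com) needs a remote domain in the tenant.
$onPremDomains = @(Get-AcceptedDomain |
    Where-Object { [string]$_.DomainName -notlike '*.onmicrosoft.com' } |
    ForEach-Object { [string]$_.DomainName })

$existing = @(Get-RemoteDomain | ForEach-Object { [string]$_.DomainName })

foreach ($domain in $onPremDomains) {
    if ($existing -contains $domain) {
        Write-Host "Remote domain for $domain already exists, skipping creation"
        continue
    }
    New-RemoteDomain -Name "Hybrid Domain - $domain" -DomainName $domain | Out-Null
    Write-Host "Created remote domain for $domain"
}

# 2. Apply the hybrid settings to every remote domain following the naming convention.
Get-RemoteDomain |
    Where-Object { $_.Name -like 'Hybrid Domain - *' } |
    ForEach-Object { Set-RemoteDomain -Identity $_.Identity @hybridSettings }

# 3. Verify: show the hybrid remote domains and flag any where TNEF is still off.
$hybrid = @(Get-RemoteDomain | Where-Object { $_.Name -like 'Hybrid Domain - *' })
$hybrid | Select-Object Name, DomainName, IsInternal, TNEFEnabled,
    TrustedMailInboundEnabled, TrustedMailOutboundEnabled | Format-Table -AutoSize
$hybrid | Where-Object { $_.TNEFEnabled -ne $true } | ForEach-Object {
    Write-Warning "TNEF not enabled for $($_.Name); voting buttons will be lost"
}
```

The final table is the quickest way to spot a remote domain the HCW created with default settings, since a $null TNEFEnabled is exactly the case that silently strips the voting buttons.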