Hello MRI503X, I tested the scenario you explained here; however, I am unable to repro this in my lab. I tested a few scenarios:
Scenario 1:
A meeting is sent from an external domain to a user in tenant1 (say user1). User1 forwarded the meeting to tenant2, whose MX is pointed to a 3rd party. I see the email is sent to the 3rd party itself and not directly to tenant2. So the IP address of the 3rd party will be there in the header and the email won’t be blocked by the rule (because of the IP exception).
Scenario 2:
A meeting is sent from an external domain to tenant1 (say user1). User1, on behalf of his manager, forwards the e-mail to an on-prem user. Here the Auth-AS header is set to Internal. Again the email won’t be blocked by the rule (because the rule is only for external email; internal mails are bypassed).
Did I miss the scenario? Could you please explain the exact problem scenario so that I can do more testing in my lab?