Forum Discussion

mohammad housaini's avatar
mohammad housaini
Copper Contributor
May 21, 2018

Exchange hybrid - Users with on-prem mailboxes are being considered 'unauthenticated'

Overview + Setup Information

This issue relates to Exchange, SharePoint Online and Office 365. 

Here's a quick summary of our setup:

  • We've integrated our on-prem AD with Azure AD via Azure AD Connect.
  • We have hybrid Exchange set up, with some mailboxes hosted on-prem (Exchange Server 2010 SP3) and others hosted on Exchange Online.
  • Inbound mail flow is directed to Exchange Online so that we can use EOP for anti-spam and anti-malware protection.

Issue

Users with on-prem mailboxes are unable to send emails to distribution groups using the 'Send by Email' functionality in SharePoint Online sites.

 

These users are able to select the distribution group and send the email, however, the message is not received by any of the members of the distribution group.

 

Solution

 

Disabling the 'Require that all senders are authenticated' option in EMC > Distribution Groups > [desired group] > Mail Flow Settings > Message Delivery Restrictions, fixes this issue. As in, members of the group will then receive emails that users with on-prem mailboxes send using the 'Send by Email' button on SharePoint Online.

 

FYI, the equivalent setting on Exchange Online seems to be EAC > Recipients > Groups > [desired group] > Delivery Management > Senders inside and outside my organization.

 

Issue with Solution

This is not an acceptable solution as it leaves the door open for external senders to send emails to all the members in our distribution groups. This is problematic for a number of reasons, particularly from a security perspective.

 

Question

It seems like either Exchange Online or our on-prem Exchange server is deeming these users (who have on-prem mailboxes) to be unauthenticated/outside the organization - as a reminder, our inbound mail flow goes through Exchange Online.

 

Hence, how can we make Exchange Online/on-prem Exchange consider these users to be authenticated/inside the organization? I am of course also open to trying other solutions that might fix the issue we're having.

 

Any help would be much appreciated.

  • Moreover those messages are sent from the SPO backend, so Exchange is not even involved. Have you tried allowing just the no-reply@sharepointonline.com address?

  • Adding no-reply@sharepointonline.com as a mail-enabled contact in AD and Exchange on-prem resolved the issue. 
     
    It seems like emails from this address are now being considered 'authenticated' given that they are going through to all distribution group members without my having to disable the 'Require that all senders are authenticated' option for the distribution group in EMC.
     
    Thanks VasilMichev - not sure if this is what you meant, but it gave me the idea anyway.
  • Mitch King's avatar
    Mitch King
    Iron Contributor

    The quick answer is...you can't. Exchange Online users are not authenticated on premise, the email originates from Exchange online which is essentially a federated organisation. Maybe MS could implement a separate tick box for "federated partners" but this is unlikely to happen.

    • mohammad housaini's avatar
      mohammad housaini
      Copper Contributor
      That is indeed unlikely to happen. Thanks for pointing that out anyway, hopefully there's another workaround.
    • VasilMichev's avatar
      VasilMichev
      MVP

      Moreover those messages are sent from the SPO backend, so Exchange is not even involved. Have you tried allowing just the no-reply@sharepointonline.com address?

Resources