So, I'm trying to wrap my head around my current problem and could use a little help.What we have: Office 365 with a verified custom domain (e.g. contoso.com)Exchange 2013 onPremalso the MX records for contoso.com point to the onPrem environmenttherefore all incoming mails for contoso.com will be routed through our onPrem environmentcustom domain (contoso.com) is also federatedAAD Connect and ADFS SSOtherefore I cannot set the Default Domain in Office 365 to our custom domain (contoso.com)is this correct? http://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_domains/cant-set-domain-to-default/bffaa60e-ea81-4bdb-9728-e900e13a2a7eExchange Online is connected to our onPrem Environment in a hybrid statedone with the Office 365 Hybrid WizardGroups Writeback has also been enabled I'm not sure if this was really necessary, since I do plan to move all mailboxes to Exchange Online, butI've completed all the steps (from https://technet.microsoft.com/library/mt668829(v=exchg.150).aspx) except Step 2 - adding the "new groups domain".Am I really supposed to add a new domain (in this case groups.contoso.com) to Office 365? When I try to do that, I get notified about this beeing a subdomain of my already configured custom domain and that I would have to do this through PowerShell (no further links added)Created Office 365 Groups, andchanged the primary SMTP address to groupname@contoso.com oradded an additionaly SMTP address to groupname@contoso.onmicrosoft.com (I've tried both variants)enabled Outside Senders for mentioned groupsTL;DRI'm not able to "reach" (send mail) our Office 365 Groups externally through our custom domain (contoso.com)I'm getting a NDR from our internal Exchange Environemnt: http://go.microsoft.com/fwlink/?LinkId=389365Remote Server returned '550 5.7.1 RESOLVER.RST.AuthRequired; authentication required' My Questions is, is this even supposed to work?I did find this article about Multi-Domain Support for Office 365 Groups (https://support.office.com/en-us/article/Multi-domain-support-for-Office-365-Groups-Admin-help-7cf5655d-e523-4bc3-a93b-3ccebf44a01a) I can send mails this group externally when sending to groupname@contoso.onmicrosoft.com (so, the Outside Senders parameters is working correctly).

I would log a call with Microsoft support and get some help to work through this scenario. It is definitely supported to have Office 365 groups synchronized back to an on-premises AD using the latest version of AADconnect. The multi-domain article you reference has nothing to do with hybrid interoperability.

Ankit,I believe that I have the identical issue/architecture as OP with regard to the on-premesis server returning 5.7.1 Authentication Required errors when an esternal sender trys to email an Office365 Group. You note that you are aware of this issue... is there any update/resolution? Thanks

Hi Ankit, I'm unsure how to verify this with ldp.exe.Best I've found are the following attributes, though none mention RemoteGroupMailbox. groupType: 0x8 = ( UNIVERSAL_GROUP );should this say RemoteGroupMailbox? Also unclear to me are the following attributes, could you clarify if these are correct for writtenback groups? msExchRequireAuthToSendTo: TRUE;this is basically the error my exchange server is returning when sending to an O365 groups custom domain addressSetting attribute manually to FALSE gets my external message pass the onPrem Exchange (finally)targetAddress: SMTP:groupname@custom.domainthis is also different than for user mailboxes, since migrated UserMailboxes have upn@tenant.mail.onmicrosoft.com as target addressesgroupname@tenant.mail.onmicrosoft.com as target addresss does not work - I get an O365 bounce (only with authreq set to FALSE above) 550 RESOLVER.ADR.RecipientNotFound.groupname@tenant.onmicrosoft.com as target address WORKS - finally I've done a lot testing with those 2 attributes and I can 100% confirm that by manually changing them, I was able to use my custom domain for writtenback O365 groups.So the question is, why is the O365 Hybrid Wizard and/or AAD Connect not doing this on its own? Also confusing, though unsure if related: When running the O365 Hybrid Configuration Wizard I get the option to configure groups.custom.domain in addition to custom.domain as well. Do I check that box or leave it alone?Since my initial goal is to get custom.domain to work with O365 Groups in a hybrid scenario (with MX pointing onPrem) I'm still unsure what to do with all that groups.domain.com configurations. *EDIT1*After further testing the culprit seems to be AAD Connect, which overwrites (with every delta sync) msExchRequireAuthToSendTo and sets it to TRUE and also resets targetAddress and sets it to identical with PrimarySMTPAddress.After that my groups are not reachable by custom.domain. Also alias SMTP addresses are reachable, as long as the target address is groupname@tenant.onmicrosoft.com.Additionally when manually setting a new Primary SMTP Address through powershell, a new @tenant.onmicrosoft.com address is not created. I'm unsure how AAD Connect is supposed to handle these changes, since mails only seem to go through with a proper targetAddress attribute that is not custom.domain.

Will contact support (or CSP in our case). I have them synced back onPrem, that's working "fine".What I'm unsure about, are Steps 2 and 3 for Groups Hybrid setup. What are they even for?why do I need to add a subdomain of my already verified vanity domainand how do I do it via PowerShell?what are the public DNS (MX and CNAME) for the this subdomain for?it's not like those groups suddenly have new email addresses like groupname@groups.contoso.comor is that how it supposed to work and I'm not supposed to use groupname@contoso.com?

Hi Tony, I've talked to our CSP and they weren't able to find any articles that confirm this functionality explicitly.I've managed to enable the subdomain (e.g. groups.contoso.com) for our tenant have that synced back to onPrem (e.g. groupsname@groups.contoso.com). Reminder: MX records for groups.contoso.com point to O365 directly.I've added additionaly aliases (groupsname@contoso.com) to the group, but I'm unable to get mail through to the group by using any aliases from external or internal. Reminder: MX records for contoso.com point onPrem. Do you have any documentation that mentions functioning vanity domains for Office 365 Groups in a federated (ADFS) environment?

Ivan54

Bronze Contributor

Sep 20, 2016

Custom Domain for O365 Groups in a Federated Hybrid Environment

So, I'm trying to wrap my head around my current problem and could use a little help.

What we have:

Office 365 with a verified custom domain (e.g. contoso.com)
Exchange 2013 onPrem
- also the MX records for contoso.com point to the onPrem environment
- therefore all incoming mails for contoso.com will be routed through our onPrem environment
custom domain (contoso.com) is also federated
- AAD Connect and ADFS SSO
- therefore I cannot set the Default Domain in Office 365 to our custom domain (contoso.com)
- is this correct? http://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_domains/cant-set-domain-to-default/bffaa60e-ea81-4bdb-9728-e900e13a2a7e
Exchange Online is connected to our onPrem Environment in a hybrid state
- done with the Office 365 Hybrid Wizard
- Groups Writeback has also been enabled
  - I'm not sure if this was really necessary, since I do plan to move all mailboxes to Exchange Online, but
  - I've completed all the steps (from https://technet.microsoft.com/library/mt668829(v=exchg.150).aspx) except Step 2 - adding the "new groups domain".
    - Am I really supposed to add a new domain (in this case groups.contoso.com) to Office 365? When I try to do that, I get notified about this beeing a subdomain of my already configured custom domain and that I would have to do this through PowerShell (no further links added)
Created Office 365 Groups, and
- changed the primary SMTP address to groupname@contoso.com or
- added an additionaly SMTP address to groupname@contoso.onmicrosoft.com (I've tried both variants)
- enabled Outside Senders for mentioned groups

TL;DR

I'm not able to "reach" (send mail) our Office 365 Groups externally through our custom domain (contoso.com)

I'm getting a NDR from our internal Exchange Environemnt: http://go.microsoft.com/fwlink/?LinkId=389365

Remote Server returned '550 5.7.1 RESOLVER.RST.AuthRequired; authentication required'

My Questions is, is this even supposed to work?

I did find this article about Multi-Domain Support for Office 365 Groups (https://support.office.com/en-us/article/Multi-domain-support-for-Office-365-Groups-Admin-help-7cf5655d-e523-4bc3-a93b-3ccebf44a01a)

I can send mails this group externally when sending to groupname@contoso.onmicrosoft.com (so, the Outside Senders parameters is working correctly).

exchange

groups

Office 365 Groups

19 Replies

TonyRedmond
MVP
Oct 06, 2016
I asked Mr. Van Hybrid about this issue. Here's his response:

So, I'm trying to wrap my head around my current problem and could use a little help.
What we have:

Office 365 with a verified custom domain (e.g. contoso.com)
Exchange 2013 onPrem
also the MX records for contoso.com point to the onPrem environment
therefore all incoming mails for contoso.com will be routed through our onPrem environment
custom domain (contoso.com) is also federated
AAD Connect and ADFS SSO
therefore I cannot set the Default Domain in Office 365 to our custom domain (contoso.com) --> [MVH] correct; because a user must be synced for it to be able to authenticate.
is this correct? http://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_domains/cant-set-domain-to-...
Exchange Online is connected to our onPrem Environment in a hybrid state
done with the Office 365 Hybrid Wizard
Groups Writeback has also been enabled
I'm not sure if this was really necessary, since I do plan to move all mailboxes to Exchange Online, but
I've completed all the steps (from https://technet.microsoft.com/library/mt668829(v=exchg.150).aspx) except Step 2 - adding the "new groups domain".
Am I really supposed to add a new domain (in this case groups.contoso.com) to Office 365? When I try to do that, I get notified about this beeing a subdomain of my already configured custom domain and that I would have to do this through PowerShell (no further links added) [MVH]: I don't believe this is necessary. The groups write-back feature will already stamp the group with a target address that matches the routing domain (which he mentions below), that will take care of mail flow for the group. I am working with Christophe to get the guidance on TN updated to reflect this.
Created Office 365 Groups, and
changed the primary SMTP address to groupname@contoso.com or
added an additionaly SMTP address to groupname@contoso.onmicrosoft.com (I've tried both variants)
enabled Outside Senders for mentioned groups

TL;DR
I'm not able to "reach" (send mail) our Office 365 Groups externally through our custom domain (contoso.com)
I'm getting a NDR from our internal Exchange Environemnt: DSN-Code 5.7.1 in Exchange Online
Remote Server returned '550 5.7.1 RESOLVER.RST.AuthRequired; authentication required'

[MVH]: It's hard to tell what the problem is. To me it looks like the hybrid mail flow might not be setup correctly. If it were, the mail would hit the on-prem servers which would then forward the email to the target address of the group (over the hybrid connector) to Office 365. The connector is authenticated (explicit tls with domain auth.), so that error should not appear. Hence why I believe something might be wrong there.
TonyRedmond
MVP
Sep 20, 2016
I would log a call with Microsoft support and get some help to work through this scenario. It is definitely supported to have Office 365 groups synchronized back to an on-premises AD using the latest version of AADconnect. The multi-domain article you reference has nothing to do with hybrid interoperability.
- Ivan54
  Bronze Contributor
  Oct 04, 2016
  Hi Tony, I've talked to our CSP and they weren't able to find any articles that confirm this functionality explicitly.
  I've managed to enable the subdomain (e.g. groups.contoso.com) for our tenant have that synced back to onPrem (e.g. groupsname@groups.contoso.com). Reminder: MX records for groups.contoso.com point to O365 directly.
  I've added additionaly aliases (groupsname@contoso.com) to the group, but I'm unable to get mail through to the group by using any aliases from external or internal. Reminder: MX records for contoso.com point onPrem.
  
  Do you have any documentation that mentions functioning vanity domains for Office 365 Groups in a federated (ADFS) environment?
  - Ankit Kapoor
    Copper Contributor
    Oct 06, 2016
    Hello Ivan,
    
    Could you verify if the send-Connector is configured correctly for groups.contoso.com as mentioned in the point 4 of https://technet.microsoft.com/en-us/library/mt668829(v=exchg.150).aspxdoc. If the connector was not configured then group should be configured to receive mails for external senders.
    
    Could you share the NDR error details?
    
    Thanks
- Ivan54
  Bronze Contributor
  Sep 21, 2016
  Will contact support (or CSP in our case).
  I have them synced back onPrem, that's working "fine".
  What I'm unsure about, are Steps 2 and 3 for Groups Hybrid setup. What are they even for?
  why do I need to add a subdomain of my already verified vanity domain
  and how do I do it via PowerShell?
  what are the public DNS (MX and CNAME) for the this subdomain for?
  it's not like those groups suddenly have new email addresses like groupname@groups.contoso.com
  or is that how it supposed to work and I'm not supposed to use groupname@contoso.com?

Forum Discussion

Custom Domain for O365 Groups in a Federated Hybrid Environment

19 Replies

Resources