Forum Discussion
Custom Domain for O365 Groups in a Federated Hybrid Environment
I asked Mr. Van Hybrid about this issue. Here's his response:
So, I'm trying to wrap my head around my current problem and could use a little help.
What we have:
- Office 365 with a verified custom domain (e.g. contoso.com)
- Exchange 2013 onPrem
- also the MX records for contoso.com point to the onPrem environment
- therefore all incoming mails for contoso.com will be routed through our onPrem environment
- custom domain (contoso.com) is also federated
- AAD Connect and ADFS SSO
- therefore I cannot set the Default Domain in Office 365 to our custom domain (contoso.com) --> [MVH] correct; because a user must be synced for it to be able to authenticate.
- is this correct? http://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_domains/cant-set-domain-to-...
- Exchange Online is connected to our onPrem Environment in a hybrid state
- done with the Office 365 Hybrid Wizard
- Groups Writeback has also been enabled
- I'm not sure if this was really necessary, since I do plan to move all mailboxes to Exchange Online, but
- I've completed all the steps (from https://technet.microsoft.com/library/mt668829(v=exchg.150).aspx) except Step 2 - adding the "new groups domain".
- Am I really supposed to add a new domain (in this case groups.contoso.com) to Office 365? When I try to do that, I get notified about this being a subdomain of my already configured custom domain and that I would have to do this through PowerShell (no further links added) [MVH]: I don't believe this is necessary. The groups write-back feature will already stamp the group with a target address that matches the routing domain (which he mentions below), that will take care of mail flow for the group. I am working with Christophe to get the guidance on TN updated to reflect this.
- Created Office 365 Groups, and
- changed the primary SMTP address to groupname@contoso.com or
- added an additional SMTP address to groupname@contoso.onmicrosoft.com (I've tried both variants)
- enabled Outside Senders for mentioned groups
TL;DR
I'm not able to "reach" (send mail) our Office 365 Groups externally through our custom domain (contoso.com)
I'm getting an NDR from our internal Exchange Environment: DSN-Code 5.7.1 in Exchange Online
Remote Server returned '550 5.7.1 RESOLVER.RST.AuthRequired; authentication required'
[MVH]: It's hard to tell what the problem is. To me it looks like the hybrid mail flow might not be set up correctly. If it were, the mail would hit the on-prem servers which would then forward the email to the target address of the group (over the hybrid connector) to Office 365. The connector is authenticated (explicit TLS with domain auth.), so that error should not appear. Hence why I believe something might be wrong there.
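Added example, not part of the original thread or of either participant's reply: read-only PowerShell checks for the mail path described above (on-prem recipient, authenticated hybrid connector, group settings in Exchange Online). The group address is a constructed sample, and the script assumes the written-back group resolves as a distribution group on-prem; run each part in the shell named in its comment.

```powershell
# Added example. $GroupAddress is a constructed sample value.
$GroupAddress = 'groupname@contoso.com'

# ---- Part 1: on-premises Exchange Management Shell ----
# Which on-prem server, if any, failed the message, and with what status?
Get-TransportService |
    Get-MessageTrackingLog -Recipients $GroupAddress -EventId FAIL -Start (Get-Date).AddDays(-2) |
    Select-Object Timestamp, ServerHostname, Source, Sender, RecipientStatus

# Assumption: the written-back group resolves as a distribution group on-prem.
$onPremGroup = Get-DistributionGroup -Identity $GroupAddress -ErrorAction SilentlyContinue
if (-not $onPremGroup) {
    Write-Warning "No on-premises recipient found for $GroupAddress."
} elseif ($onPremGroup.RequireSenderAuthenticationEnabled) {
    # A recipient with this flag set rejects anonymous (internet) senders.
    Write-Warning "On-premises object accepts mail from authenticated senders only."
} else {
    $onPremGroup | Format-List Name, PrimarySmtpAddress, EmailAddresses
}

# Send connector toward Office 365: check TLS and domain validation settings.
Get-SendConnector | Where-Object { $_.CloudServicesMailEnabled } |
    Format-List Name, Enabled, AddressSpaces, SmartHosts, RequireTLS, TlsAuthLevel, TlsDomain

# ---- Part 2: Exchange Online PowerShell ----
# Group addresses and whether outside senders are accepted.
Get-UnifiedGroup -Identity $GroupAddress |
    Format-List DisplayName, PrimarySmtpAddress, EmailAddresses, RequireSenderAuthenticationEnabled

# Inbound connector from on-prem: check the certificate name it expects.
Get-InboundConnector | Where-Object { $_.ConnectorType -eq 'OnPremises' } |
    Format-List Name, Enabled, RequireTls, TlsSenderCertificateName, SenderDomains
```

Comparing the tracking log's ServerHostname with the connector output shows whether the 5.7.1 was issued before or after the message crossed the hybrid connector.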