Forum Discussion

Polite603
Copper Contributor
Apr 03, 2024

Mailtips - deliveryRestriction returns incorrect result with acceptedSenders having nested lists

Hello Graph Community,

I'm in the process of developing a graph solution where I can check if a mailbox or from address has permission to send to a Distribution list when that list has acceptedSenders, meaning only members added to "Specified Senders" in Exchange can send to that list. If they are not a member they generally will receive a tooltip and an NDR if they hit send.

GOAL – We want to be able to determine if a user has access to send to a restricted Distribution List (DL) before sending via our product.

DLs have a property – acceptedSenders – which can be individual addresses or other DLs. Members belonging to this list have permission to send to the DL.

In the Exchange Admin Center (EAC) this can be set by going to...
Recipients -> Groups -> Distribution List -> <select a list> -> Settings -> Delivery management -> add specified senders -> Save

This can also be viewed in the PowerShell Exchange Online module:

$(Get-DistributionGroup "<DL HERE>") | select GroupType, alias, AcceptMessagesOnlyFrom, AcceptMessagesOnlyFromDLMembers, AcceptMessagesOnlyFromSendersOrMembers

When a user is NOT a member of this list, they will receive a MailTip in Outlook that states they cannot use this list. They can still send but they will receive an NDR if they do so.

PROBLEM – When a DL that is part of the acceptedSenders list has a NESTED DL, the response from the API will ALWAYS return false. The MailTip also does not appear in Outlook. The NDR does still function.

This behavior is noted in the documentation here -- Restricted Recipient
https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/mailtips/mailtips

A tech unknowingly may add a nested DL to a DL that is used for deliveryRestriction, and break the expected behavior.

ATTEMPTED SOLUTION #1 – Mailtips
https://learn.microsoft.com/en-us/graph/api/user-getmailtips?view=graph-rest-1.0&tabs=http

GET - https://graph.microsoft.com/v1.0/users/%3C/getMailTips

Scopes – Delegated/Application - Mail.Read

Body
{
    "EmailAddresses": [
        <list of DLs/Recipients>
    ],
    "MailTipsOptions": "deliveryRestriction"
}

Response
deliveryRestricted : True
emailAddress       : @{name=; address=lockedDL@@contoso.org}

TEST CASE
Assuming I want to use my email and I am NOT a member of the acceptedSenders list

If acceptedSenders has just a few approved senders -> deliveryRestricted = TRUE
If acceptedSenders has just a DL -> deliveryRestricted = TRUE
If acceptedSenders has just a DL and a few approved senders -> deliveryRestricted = TRUE
If acceptedSenders has just a DL (with NESTED DL) and a few approved senders -> deliveryRestricted = FALSE

All cases above --> NDR will be received if the message is sent

This is a huge problem because a tech may add a nested DL to a deliveryRestricted list by mistake and now the list appears available to EVERYONE. OWA/Outlook will successfully send to the restricted list, only to be blocked at the Exchange level via NDR.

ATTEMPTED SOLUTION #2 – beta/groups/<id>/acceptedSenders

Option 2 – beta – groups/<id>/acceptedSenders
Alternatively, there appears to be an effort in the Graph Beta to allow /beta/groups/<id>/acceptedSenders but this still has not been implemented nor appears functional when I try it.

https://learn.microsoft.com/en-us/graph/api/group-list-acceptedsenders?view=graph-rest-1.0&tabs=http

Thanks,
Cameron

3 Replies

  • Graph is not the best tool for this, as it has very limited support for Exchange operations. If you must use Graph methods, I'd suggest expanding the group membership (/transitivemembers) or getting the user's transitive membership (/transitiveMemberOf) in order to check whether he is a member of any listed groups, potentially with nested membership.
    Also keep in mind that MailTips might be disabled in the organization.
    • Polite603
      Copper Contributor

      Mailtips being disabled is possible, it does however function in most cases when it is enabled.

      Without knowing the acceptedSenders population prior though, it's not possible to query those nested lists.

      There does seem to be an effort to make this "acceptedSenders" property available. I've attempted to use the /acceptedSenders endpoint but it's under the beta flag. How can I test this endpoint to see if it would be a viable solution in a future graph version?

      https://learn.microsoft.com/en-us/graph/api/group-list-acceptedsenders?view=graph-rest-1.0&tabs=http
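
Editor's added example (not code from the poster, Microsoft Graph, or the Exchange Online module) covering both the TEST CASE table in the original post and the first reply's suggestion to resolve membership transitively instead of relying on the MailTip. It is Python rather than PowerShell so it runs offline: DIRECTORY is a constructed stand-in for what /groups/{id}/members would return per DL, ACCEPTED_SENDERS a constructed stand-in for AcceptMessagesOnlyFromSendersOrMembers, and every address is made up. The `can_send` check walks nested DLs (with cycle protection) and `mailtip_disagrees` flags the exact false negative the post describes: deliveryRestricted coming back False for a sender who would still get an NDR.

```python
"""Resolve a restricted DL's acceptedSenders transitively instead of
trusting the getMailTips deliveryRestricted flag.

Constructed sample data only (not a real tenant): DIRECTORY stands in for
what /groups/{id}/members would return for each DL, and ACCEPTED_SENDERS
for AcceptMessagesOnlyFromSendersOrMembers from Get-DistributionGroup.
"""
from collections import deque

# Group address -> direct members (users or other groups). The
# nested-dl / inner-dl pair is deliberately circular to exercise cycle handling.
DIRECTORY = {
    "approvers@contoso.org": ["alice@contoso.org", "bob@contoso.org"],
    "nested-dl@contoso.org": ["carol@contoso.org", "inner-dl@contoso.org"],
    "inner-dl@contoso.org": ["dave@contoso.org", "nested-dl@contoso.org"],
}

# Restricted DL -> its acceptedSenders (users and DLs mixed, as set in EAC).
ACCEPTED_SENDERS = {
    "lockeddl@contoso.org": [
        "erin@contoso.org",        # individual approved sender
        "approvers@contoso.org",   # plain DL
        "nested-dl@contoso.org",   # DL that itself contains a DL (the failing case)
    ],
}


def transitive_members(group, directory=DIRECTORY):
    """Breadth-first expansion of a group down to its user members.

    `seen` guards against loops so two DLs that contain each other do not
    recurse forever; the result matches what /transitiveMembers would list.
    """
    start = group.lower()
    members, seen, queue = set(), {start}, deque([start])
    while queue:
        for entry in directory.get(queue.popleft(), []):
            entry = entry.lower()
            if entry in directory:          # nested group: schedule it once
                if entry not in seen:
                    seen.add(entry)
                    queue.append(entry)
            else:                           # leaf user
                members.add(entry)
    return members


def can_send(sender, dl, accepted=ACCEPTED_SENDERS, directory=DIRECTORY):
    """True if `sender` is listed directly or is a (nested) member of any
    DL in the restricted list's acceptedSenders. A DL with no entry in
    `accepted` has no delivery restriction, so anyone may send to it."""
    sender, dl = sender.lower(), dl.lower()
    if dl not in accepted:
        return True
    for entry in accepted[dl]:
        entry = entry.lower()
        if entry in directory:
            if sender in transitive_members(entry, directory):
                return True
        elif entry == sender:
            return True
    return False


def mailtip_disagrees(sender, dl, delivery_restricted):
    """Flag the false negative from the post: getMailTips reports
    deliveryRestricted=False while the membership check says the sender
    would get an NDR. Returns True whenever the two answers differ."""
    return bool(delivery_restricted) != (not can_send(sender, dl))


if __name__ == "__main__":
    for who in ["alice@contoso.org", "dave@contoso.org", "mallory@contoso.org"]:
        verdict = "can send" if can_send(who, "lockeddl@contoso.org") else "would NDR"
        print(who, "->", verdict)
```

Against a real tenant, DIRECTORY would be filled from /groups/{id}/members (or /transitiveMembers directly, which makes the walk unnecessary) and ACCEPTED_SENDERS from Get-DistributionGroup; `mailtip_disagrees` is the useful monitor, since it turns the "nested DL makes the list look open to everyone" case into an alert rather than a silent NDR for the end user.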