Demystifying Moderation
Published Jul 20 2021 07:53 AM 34.3K Views

Sometimes you may need to restrict email delivery to specific recipients. The most common scenario is the need to control messages sent to large distribution groups. Depending on your organization's requirements, you may also need to control the messages sent to executive mailboxes or partner contacts. You can use moderation to accomplish these tasks. When you configure a recipient for moderation, all messages sent to that recipient are subject to approval by the designated moderator.

Refer to this article for common message approval scenarios in Exchange Online.

Moderation is simple to setup and work with as an administrator, however if you need to troubleshoot it, you might need to know more. This post will cover such scenarios. We tried to include troubleshooting steps and log collection pointers, so if there is a need to report issues to Microsoft support, it is all ready for the support staff to jump in and help resolve the problem.

Let’s start with an overview of what happens when moderation is enabled on the recipient.

What is the moderation workflow?

moderation01.jpg

 

  • An user sends an email to a moderated recipient.
  • The message marked for moderation is intercepted in the transport pipeline and is routed to the arbitration mailbox used for processing moderation emails.
  • Message is stored in the arbitration mailbox by StoreDriver component, and an approval email is triggered to the moderator.
  • The moderator acts (approve or reject)
  • The StoreDriver component marks the moderator’s decision on the original message stored in the arbitration mailbox.
  • The Approval Processing Agent reads the approval status on the message stored in the arbitration mailbox, and then processes the message depending on the moderator’s decision.
  • If the moderator has approved the message, the Approval Processing Agent resubmits the message to the submission queue, and the message is delivered to recipient(s).
  • If the moderator has rejected the message, the Approval Processing Agent notifies the sender that the message was rejected.

How to enable moderation?

Moderation can be enabled in the following ways:

  • Using PowerShell (a must if moderating mailboxes/mail users/mail contacts)
  • Using the Exchange Admin Center (EAC) for moderating mail enabled distribution group or mail-enabled security groups.
  • Using transport rules with action Forward the message for approval (you can use this option when you require approval for messages that match specific criteria or that are sent to a specific person). Transport rules do not allow us to select distribution group as moderator; if you try this, you will get the following error:

moderation02.jpg

 

An example of enabling moderation on a mailbox, with two moderators (User1 and User2):

Set-Mailbox -ModeratedBy User1, User2 -Identity ModeratedMailbox -ModerationEnabled $true

When a sender sends an email then moderation email is received by both moderators from arbitration/system mailbox used for moderation.

An example of enabling moderation on a distribution group:

  • Go to the Exchange admin center (EAC) > Recipients >Groups, edit the distribution group, and then select Message approval.
  • PowerShell: Set-DistributionGroup “DG@domain.com” -ModerationEnabled $true -ModeratedBy User1, User2

When someone sends an email to a moderated user/distribution group, the moderator will receive an email as shown below. The email will have approve / reject buttons.

If one of the moderators approves the email, the moderation approval email goes into the sent items of the moderator who approved the email and at the same time, the message will be moved to the deleted items folder of the second moderator (who did not approve it in their Inbox yet) to avoid any conflict in action taken.

Example of moderation email received:

moderation03.jpg

 

Moderation email in Sent Items of moderator who approved the email:

moderation04.jpg

 

If the message is rejected by any of the moderators, a rejection message is sent to the sender:

moderation05.jpg

Moderation in hybrid organizations

The following table covers which arbitration mailbox is being used when sending email to moderated group in a hybrid deployment:

Moderated group location

Sender

Moderator

Arbitration mailbox 

Office 365 (synced)

Office 365

Office 365

Office 365

Office 365 (synced)

Office 365

On-premises 

Office 365

On-premises

Office 365

Office 365

On-premises

On-premises

Office 365

On-premises

On-premises

Office 365 (synced)

On-premises

On-premises 

On-premises

On-premises

On-premises

On-premises 

On-premises

Office 365 (synced)

On-premises

Office 365

On-premises

On-premises

On-premises

Office 365

On-premises

Requirements for moderation when in hybrid

  • We need to have synchronization of moderation related attributes for the synced recipients in Office 365. The following is the list of moderation attributes to be synchronized for the recipient on which moderation is enabled:

PowerShell

AD attribute

ModerationEnabled

msExchEnableModeration

ModeratedBy

msExchModeratedByLink

ByPassModerationFromSendersOrMembers

msExchBypassModerationLink

SendModerationNotifications

msExchModerationFlags

 

Of particular interest might be the values of the msExchModerationFlags attribute, and what they mean:

msExchModerationFlags value

Value effect

6

Notify all senders when their messages aren’t approved

2

Notify senders in your organization when their messages aren’t approved

0

Don’t notify anyone when their message isn’t approved

 

At least one arbitration mailbox is created in your Exchange on-premises. For reference, this is the naming convention/display name:

Arbitration mailbox Name

Display name

SystemMailbox{1f05a927-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
(for example, SystemMailbox{1f05a927-9350-4efe-a823-5529c2d64109}; most of the mailbox names are unique to your organization)

Microsoft Exchange Approval Assistant

 

  • To help you re-create arbitration mailbox in case it's missing on your local Exchange Server, please see this article.
  • At least one arbitration mailbox needs to exist in Exchange Online (created by default in Office 365).
  • Set the DomainType to InternalRelay for “domain.onmicrosoft.com” in Office 365 and Exchange on-premises under Accepted domains.
  • Preservation of the cross-premises headers. Refer to the following article for detailed understanding on header preservation in hybrid setup with Office 365: Demystifying and troubleshooting hybrid mail flow: when is a message internal?
  • TNEF must be enabled to ensure the Accept/Reject button is available for the moderator to take desired action. This is discussed in detail under the troubleshooting section.
  • For the scenario where the moderator of an on-premises distribution list is in Exchange Online and the sender is on-premises, the best recommendation is to make sure that the distribution group and the moderator's mailbox are located in the same place. Refer to this article for more information. If it is not possible to keep the distribution group and the moderator's mailbox in the same location, the suggestion is to create mail contacts in Exchange Online for all on-premises arbitration mailboxes.

Troubleshooting issues with moderation

Hybrid Connector address space

In hybrid environment, when an on-premises moderator accepts/rejects a moderation message, the following NDR might be generated:

550 5.7.134 RESOLVER.RST.SenderNotAuthenticatedForMailbox; authentication required.

This issue arises when Office 365 users send email to moderated distribution group (synced) and moderator mailbox is on-premises. After Office 365 mailbox sends the email to the moderated group, an approval email is triggered from the Office 365 system mailbox to the on-premises moderator. The approval email will be sent from an address similar to SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}@contoso.onmicrosoft.com. The approve/reject response from the moderator will also be sent to the same address which has a domain address “@contoso.onmicrosoft.com”. This address by default is not part of the Hybrid send connector “Outbound to Office 365”. As a result, on-premises will send the email using normal Internet send connector which won’t use the hybrid authentication with Office 365 and the email would be rejected by Office 365 with an error code SenderNotAuthenticatedForMailbox.

Solution:

  • We need to make sure the approval/reject email response from on-premises is sent through the Hybrid send connector. Add “Contoso.onmicrosoft.com” address space to the Hybrid send connector “Outbound to Office 365”.
  • Also ensure that “domain.onmicrosoft.com” is present as an accepted domain in on-premises and DomainType is set to Internal relay.

 

DBEB causing issues with Hybrid moderation

When an on-premises moderator accepts/rejects a moderation message, the following NDR might be generated:

Remote Server returned '554 5.4.1 < #5.4.1 smtp; 550 5.4.1 [SPO_Arbitration_XXXX-XXX-XXXX-XXXX-XXXXXXXXXXX@contoso.onmicrosoft.com]: Recipient address rejected: Access denied [XY2APC01FT055.eop-APC01.prod.protection.outlook.com]

This issue arises when Office 365 users are sending email to a moderated distribution group (synced) and moderator mailbox is on-premises. When the on-premises moderator makes the decision (approve/reject) on the moderation email received from Office 365 arbitration mailbox, a response is triggered to the same arbitration mailbox in Office 365. As arbitration mailboxes that are hosted in Exchange Online do not sync to Azure AD, mails sent to them are blocked/rejected by DBEB (Directory Based Edge Blocking) with error code Recipient address rejected: Access denied.

Solution and recommendations:

  • This issue will not occur if the moderator and recipient on which moderation is applied are hosted in the same environment.
  • Do not synchronize moderated DG (Distribution Groups); instead create its mail contact in Office 365 (this way, on-premises arbitration mailbox will be used thus DBEB issue will not occur).

In case the above two recommendations do not work for your organization, you can make changes in Office 365 to fix this:

  • For accepted domain “domain.onmicrosoft.com” in Exchange Online, set the DomainType to Internal relay. This will disable DBEB for the specified domain and hence resolve the problem.

 

Missing Accept/Reject button due to TNEF setting in Remote Domain configuration.

The moderator might not be getting the accept/reject buttons to act upon moderated emails in a hybrid setup.

This feature requires TNEF encoding to be understood correctly by the email recipient client and hence if TNEF is turned off, the buttons will not be visible.

Solution: Enable TNEF on the remote domain settings of the server from where email is being sent for moderation. Enabling TNEF under remote domain settings will ensure that moderator receives the approve/reject button to take desired action.

Example1: Office 365 user sends a mail to an Office 365 (synced) moderation enabled DG. Assuming the moderator's mailbox Joe@fabrikam.com is hosted on-premises; the Exchange Online arbitration mailbox will be used to send a decision email to this moderator. TNEF settings shall be as follows:

In Office 365 for hybrid domain fabrikam.com:

Set-Remotedomain fabrikam.com -TNEFEnabled $true

Example2: Office 365 user sends a mail to an on-premises moderation enabled DG. Assuming the moderator's mailbox John@fabrikam.com is hosted in Exchange Online; the on-premises arbitration mailbox will be used to send a decision email to this moderator. TNEF settings shall be as follows:

Set-Remotedomain fabrikam.mail.onmicrosoft.com -TNEFEnabled $true

Note: Mails routed from on-premises to cloud for migrated mailboxes resolve to their remote routing addresses; in this case john@fabrikam.mail.onmicrosoft.com. If the remote domain does not exist on-premises, you can create one using New-RemoteDomain.

More information on TNEF is available here and TNEF conversion options are listed here.

 

Sync issue when adding group in the moderation bypass list

When adding a DG/SG to the moderation bypass list on on-premises, the change does not get synchronized to Office 365.

Technically, the attribute MsExchByPassModerationFromDLMemberLink is not synchronized to AAD by default, and is not consumed from AAD by Exchange Online, as per documentation. Therefore, if you add a group in the moderation bypass list for synced DG from on-premises, changes are not synchronized to Office 365 however adding a user works as expected.

Solution: Add the required group under Bypass moderation settings on moderated recipient on-premises.

Then, use the command below in Exchange Online PowerShell to update the moderation bypass setting:

Set-DistributionGroup DG@contoso.com -BypassModerationFromSendersOrMembers Group@contoso.com

 

Moderated messages are not delivered to moderator and sender receives a NDR message

"550 5.6.0 APPROVAL.InvalidExpiry”; Cannot read expiry policy.

Solution: This problem occurs if the retention tag for moderation is missing. Ideally there is a default retention policy tag created for moderation that is used for message records management of system mailbox used for moderation.

It is not visible in the user interface, nor will it be returned in Get-RetentionPolicytag until explicitly specifying it:

Get-RetentionPolicyTag “moderatedrecipients”
Name    Type      Description
ModeratedRecipients    Personal             Managed Content Settings
IsdefaultModeratedRecipientsPolicyTag: True
AgeLimitForRetention: 2.00:00:00

In case you do not get any output when running the above command, we need to create it manually to avoid the mentioned NDR.

The following command can create a retention tag for moderation:

New-RetentionPolicyTag -IsDefaultModeratedRecipientsPolicyTag -Name ModerationTag -AgeLimitForRetention 2

Additional limitations related to moderation, to be aware of

  • Accept/Reject Button missing for Approver using Outlook for Mac 2016
  • Outlook for iOS/Android mobile app and native mail app in mobile phones do not show approve/reject button.
  • Accept/Reject button missing for OWA on mobile device browsers. The buttons will appear if you open the desktop version of the website on the mobile device browser.
  • For DGs with more than 5000 recipients, configuring delivery management or message approval options is must else sender will receive NDR similar to: rejected with error: “550 5.7.125 RESOLVER.GRP.Blocked.NeedsSenderRestrictions; DL expansion needs sender restrictions or message approval configured.”

That is all we wanted to cover; hopefully you find this useful when there are any moderation related problems!

We wanted to thank Arindam Thokder, Bhalchandra Atre and Nino Bilic for their review of this blog post.

Gagandeep Singh and Hitesh Sharma

6 Comments
Co-Authors
Version history
Last update:
‎Jan 24 2024 11:43 AM
Updated by: