Sometimes you may need to restrict email delivery to specific recipients. The most common scenario is the need to control messages sent to large distribution groups. Depending on your organization's requirements, you may also need to control the messages sent to executive mailboxes or partner contacts. You can use moderation to accomplish these tasks. When you configure a recipient for moderation, all messages sent to that recipient are subject to approval by the designated moderator.
Refer to this article for common message approval scenarios in Exchange Online.
Moderation is simple to set up and work with as an administrator, but if you need to troubleshoot it, you might need to know more. This post covers such scenarios. We tried to include troubleshooting steps and log collection pointers, so if there is a need to report issues to Microsoft support, everything is ready for the support staff to jump in and help resolve the problem.
Let’s start with an overview of what happens when moderation is enabled on the recipient.
Moderation can be enabled in the following ways:
An example of enabling moderation on a mailbox, with two moderators (User1 and User2):
Set-Mailbox -ModeratedBy User1, User2 -Identity ModeratedMailbox -ModerationEnabled $true
When a sender sends an email to the moderated mailbox, both moderators receive a moderation email from the arbitration (system) mailbox used for moderation.
An example of enabling moderation on a distribution group:
When someone sends an email to a moderated user or distribution group, the moderator receives an email as shown below, with Approve and Reject buttons.
If one of the moderators approves the email, the approval message goes into the Sent Items of the moderator who approved it, and at the same time the moderation message is moved to the Deleted Items folder of the second moderator (who has not yet acted on it in their Inbox) to avoid conflicting actions.
Example of moderation email received:
Moderation email in Sent Items of moderator who approved the email:
If the message is rejected by any of the moderators, a rejection message is sent to the sender:
The following table covers which arbitration mailbox is used when sending email to a moderated group in a hybrid deployment:

| Moderated group location | Sender | Moderator | Arbitration mailbox |
|---|---|---|---|
| Office 365 (synced) | Office 365 | Office 365 | Office 365 |
| Office 365 (synced) | Office 365 | On-premises | Office 365 |
| On-premises | Office 365 | Office 365 | On-premises |
| On-premises | Office 365 | On-premises | On-premises |
| Office 365 (synced) | On-premises | On-premises | On-premises |
| On-premises | On-premises | On-premises | On-premises |
| Office 365 (synced) | On-premises | Office 365 | On-premises |
| On-premises | On-premises | Office 365 | On-premises |
| PowerShell | AD attribute |
|---|---|
| ModerationEnabled | msExchEnableModeration |
| ModeratedBy | msExchModeratedByLink |
| ByPassModerationFromSendersOrMembers | msExchBypassModerationLink |
| SendModerationNotifications | msExchModerationFlags |
Of particular interest might be the values of the msExchModerationFlags attribute, and what they mean:
| msExchModerationFlags value | Value effect |
|---|---|
| 6 | Notify all senders when their messages aren't approved |
| 2 | Notify senders in your organization when their messages aren't approved |
| 0 | Don't notify anyone when their message isn't approved |
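The attribute and flag tables above are what you compare against when a moderation setting looks different on-premises and in Exchange Online. The following script is an added example and not part of the original post: it reads the four on-premises AD attributes of a synced group directly and decodes msExchModerationFlags into the SendModerationNotifications value Exchange shows. It assumes the RSAT ActiveDirectory module is installed, and the group name ModeratedDG is a placeholder.

```powershell
# Added example, not from the original post: read a synced group's on-premises moderation
# attributes straight from Active Directory and decode msExchModerationFlags using the
# flag table above. Assumes the RSAT ActiveDirectory module; the group name is a placeholder.
Import-Module ActiveDirectory

function ConvertFrom-ModerationFlags {
    param($Flags)
    # A switch over $null evaluates nothing, so handle an unset attribute first.
    if ($null -eq $Flags) { return '(not set)' }
    switch ([int]$Flags) {
        6       { 'Always' }    # notify all senders when their messages aren't approved
        2       { 'Internal' }  # notify senders in your organization only
        0       { 'Never' }     # don't notify anyone
        default { "unknown ($Flags)" }
    }
}

function Get-OnPremModerationAttributes {
    param([Parameter(Mandatory)][string]$GroupName)

    # The four attributes from the PowerShell-to-AD mapping table.
    $props = 'msExchEnableModeration', 'msExchModeratedByLink',
             'msExchBypassModerationLink', 'msExchModerationFlags'
    $group = Get-ADGroup -Identity $GroupName -Properties $props

    [pscustomobject]@{
        Group                       = $group.Name
        ModerationEnabled           = [bool]$group.msExchEnableModeration
        ModeratedBy                 = @($group.msExchModeratedByLink)       # DNs of the moderators
        BypassModeration            = @($group.msExchBypassModerationLink)  # DNs of bypass senders
        msExchModerationFlags       = $group.msExchModerationFlags
        SendModerationNotifications = ConvertFrom-ModerationFlags $group.msExchModerationFlags
    }
}

# Placeholder group name. Compare the result with Get-DistributionGroup for the same group
# in Exchange Online to spot a value that did not make it across directory synchronization.
Get-OnPremModerationAttributes -GroupName 'ModeratedDG' | Format-List
```

The linked attributes (msExchModeratedByLink, msExchBypassModerationLink) come back as distinguished names, which is also how you can tell at a glance whether an entry is a user or a group object.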
At least one arbitration mailbox is created in your on-premises Exchange organization. For reference, this is its naming convention and display name:

| Arbitration mailbox name | Display name |
|---|---|
| SystemMailbox{1f05a927-XXXX-XXXX-XXXX-XXXXXXXXXXXX} | Microsoft Exchange Approval Assistant |
Hybrid Connector address space
In hybrid environment, when an on-premises moderator accepts/rejects a moderation message, the following NDR might be generated:
550 5.7.134 RESOLVER.RST.SenderNotAuthenticatedForMailbox; authentication required.
This issue arises when Office 365 users send email to a moderated (synced) distribution group and the moderator mailbox is on-premises. After the Office 365 mailbox sends the email to the moderated group, an approval email is triggered from the Office 365 system mailbox to the on-premises moderator. The approval email is sent from an address similar to SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}@contoso.onmicrosoft.com. The moderator's approve/reject response is sent back to that same address, whose domain is "@contoso.onmicrosoft.com". By default this domain is not part of the address space of the hybrid send connector "Outbound to Office 365". As a result, the on-premises server sends the response through the normal Internet send connector, which does not use the hybrid authentication with Office 365, and Office 365 rejects the email with the error code SenderNotAuthenticatedForMailbox.
Solution:
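The diagnosis above comes down to one question: is the tenant's onmicrosoft.com domain covered by the hybrid send connector, or does it fall through to the Internet connector? The following check is an added example and not the post's own code. It runs in the on-premises Exchange Management Shell and assumes the connector still carries the Hybrid Configuration Wizard's default name "Outbound to Office 365"; contoso.onmicrosoft.com is a placeholder for your tenant domain. Treating the addition of that domain to the connector's address space as the remedy is an assumption drawn from the paragraph above, so review the resulting routing before running the Set-SendConnector line.

```powershell
# Added example, not from the original post: verify whether the tenant's onmicrosoft.com
# domain is an address space of the hybrid send connector, which is the routing condition
# behind the SenderNotAuthenticatedForMailbox NDR. Connector name and tenant domain are
# placeholders; adding the address space as the fix is an assumption based on the post's diagnosis.
function Test-HybridConnectorCoversTenantDomain {
    param(
        [string]$ConnectorName = 'Outbound to Office 365',
        [string]$TenantDomain  = 'contoso.onmicrosoft.com',
        [switch]$Fix
    )

    $connector = Get-SendConnector -Identity $ConnectorName
    $addresses = @($connector.AddressSpaces | ForEach-Object { $_.Address })

    "Address spaces on '$ConnectorName':"
    $addresses | ForEach-Object { "  $_" }

    if ($addresses -contains $TenantDomain) {
        "OK: $TenantDomain is routed through the hybrid connector."
        return $true
    }

    "MISSING: $TenantDomain is not on the hybrid connector; the moderator's approve/reject"
    "response to the Office 365 arbitration mailbox will use the Internet send connector instead."

    if ($Fix) {
        # Keep every existing address space (in Exchange's "SMTP:domain;cost" string form)
        # and append the tenant domain so the response takes the authenticated hybrid path.
        $existing = @($connector.AddressSpaces | ForEach-Object { $_.ToString() })
        Set-SendConnector -Identity $ConnectorName -AddressSpaces ($existing + $TenantDomain)
        "Added $TenantDomain to '$ConnectorName'."
    }
    return $false
}

# Report only; add -Fix after reviewing the output.
Test-HybridConnectorCoversTenantDomain
```

After a change, Get-SendConnector "Outbound to Office 365" | Format-List AddressSpaces,SmartHosts,TlsDomain is a quick way to confirm that the new address space sits on the connector that actually targets Office 365.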
DBEB causing issues with Hybrid moderation
When an on-premises moderator accepts/rejects a moderation message, the following NDR might be generated:
Remote Server returned '554 5.4.1 < #5.4.1 smtp; 550 5.4.1 [SPO_Arbitration_XXXX-XXX-XXXX-XXXX-XXXXXXXXXXX@contoso.onmicrosoft.com]: Recipient address rejected: Access denied [XY2APC01FT055.eop-APC01.prod.protection.outlook.com]
This issue arises when Office 365 users send email to a moderated (synced) distribution group and the moderator mailbox is on-premises. When the on-premises moderator makes a decision (approve/reject) on the moderation email received from the Office 365 arbitration mailbox, a response is sent back to that same arbitration mailbox in Office 365. Because arbitration mailboxes hosted in Exchange Online do not sync to Azure AD, mail sent to them is blocked by DBEB (Directory Based Edge Blocking) with the error code Recipient address rejected: Access denied.
Solution and recommendations:
In case the above two recommendations do not work for your organization, you can make changes in Office 365 to fix this:
Missing Accept/Reject button due to TNEF setting in Remote Domain configuration.
The moderator might not get the Accept/Reject buttons to act on moderated emails in a hybrid setup.
This feature requires TNEF encoding to be understood correctly by the recipient's email client, so if TNEF is turned off, the buttons will not be visible.
Solution: Enable TNEF in the remote domain settings of the organization from which the moderation email is sent. Enabling TNEF under the remote domain settings ensures that the moderator receives the Approve/Reject buttons and can take the desired action.
Example 1: An Office 365 user sends mail to an Office 365 (synced) moderation-enabled DG. Assuming the moderator's mailbox Joe@fabrikam.com is hosted on-premises, the Exchange Online arbitration mailbox is used to send the decision email to this moderator. The TNEF setting should be as follows:
In Office 365, for the hybrid domain fabrikam.com:
Set-RemoteDomain fabrikam.com -TNEFEnabled $true
Example 2: An Office 365 user sends mail to an on-premises moderation-enabled DG. Assuming the moderator's mailbox John@fabrikam.com is hosted in Exchange Online, the on-premises arbitration mailbox is used to send the decision email to this moderator. The TNEF setting should be as follows:
Set-RemoteDomain fabrikam.mail.onmicrosoft.com -TNEFEnabled $true
Note: Mail routed from on-premises to the cloud for migrated mailboxes resolves to their remote routing addresses, in this case john@fabrikam.mail.onmicrosoft.com. If the remote domain does not exist on-premises, you can create one using New-RemoteDomain.
More information on TNEF is available here and TNEF conversion options are listed here.
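Both examples reduce to the same check on whichever side sends the decision email: find the remote domain entry that covers the moderator's address and confirm TNEFEnabled is $true. The function below is an added example, not the post's own code. It matches on DomainName rather than on the entry's Name, because the Hybrid Configuration Wizard gives hybrid remote domains a name that differs from the domain they cover, and it falls back to the catch-all "*" entry when no specific one exists. The domain names are the post's placeholders; run it in Exchange Online PowerShell for Example 1 and in the on-premises Exchange Management Shell for Example 2.

```powershell
# Added example, not from the original post: report (and optionally fix) the TNEFEnabled
# setting of the remote domain that covers a moderator's address. Domain names are the
# post's placeholders. Works in Exchange Online PowerShell and the on-premises shell alike.
function Test-ModerationTnef {
    param(
        [Parameter(Mandatory)][string]$ModeratorDomain,
        [switch]$Fix,              # set TNEFEnabled to $true where it is not
        [switch]$CreateIfMissing   # on-premises: create the remote domain if none covers it
    )

    $remote = @(Get-RemoteDomain | Where-Object { $_.DomainName -eq $ModeratorDomain })

    if ($remote.Count -eq 0 -and $CreateIfMissing) {
        # New-RemoteDomain as mentioned in the post's note; name it after the domain.
        $remote = @(New-RemoteDomain -Name $ModeratorDomain -DomainName $ModeratorDomain)
        "Created remote domain '$ModeratorDomain'."
    }
    if ($remote.Count -eq 0) {
        "No remote domain entry covers $ModeratorDomain; mail to it follows the '*' (Default) entry."
        $remote = @(Get-RemoteDomain | Where-Object { $_.DomainName -eq '*' })
    }

    foreach ($rd in $remote) {
        # TNEFEnabled can be $true, $false or $null (null = decided per message/recipient).
        "Remote domain '$($rd.Name)' ($($rd.DomainName)): TNEFEnabled = $($rd.TNEFEnabled)"
        if ($rd.TNEFEnabled -ne $true -and $Fix) {
            Set-RemoteDomain -Identity $rd.Identity -TNEFEnabled $true
            "  -> TNEFEnabled set to True on '$($rd.Name)'"
        }
    }
}

# Example 1 from the post (run in Exchange Online): moderator Joe@fabrikam.com is on-premises.
Test-ModerationTnef -ModeratorDomain 'fabrikam.com' -Fix

# Example 2 from the post (run on-premises): the moderator's mailbox in Exchange Online is
# reached via its remote routing address john@fabrikam.mail.onmicrosoft.com.
# Test-ModerationTnef -ModeratorDomain 'fabrikam.mail.onmicrosoft.com' -Fix -CreateIfMissing
```

Run it without -Fix first; the printed TNEFEnabled value for the entry that actually covers the moderator's domain tells you whether the missing buttons are explained by this setting before anything is changed.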
Sync issue when adding group in the moderation bypass list
When adding a DG/SG to the moderation bypass list on-premises, the change does not get synchronized to Office 365.
Technically, the attribute MsExchByPassModerationFromDLMemberLink is not synchronized to AAD by default, and is not consumed from AAD by Exchange Online, as per the documentation. Therefore, if you add a group to the moderation bypass list of a synced DG from on-premises, the change is not synchronized to Office 365; adding a user, however, works as expected.
Solution: Add the required group under the Bypass moderation settings of the moderated recipient on-premises.
Then, use the command below in Exchange Online PowerShell to update the moderation bypass setting:
Set-DistributionGroup DG@contoso.com -BypassModerationFromSendersOrMembers Group@contoso.com
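Because only the group entries fail to sync, the practical question is which bypass entries on-premises are groups and therefore need the Exchange Online command repeated for them. The following script is an added example and not part of the original post. It runs in the on-premises Exchange Management Shell, classifies each bypass entry of a synced group with Get-Recipient, and prints the Exchange Online command for every group entry; the group addresses are placeholders.

```powershell
# Added example, not from the original post: list the bypass-moderation entries of a synced
# group that are themselves groups (the ones the post says do not sync to Office 365) and
# generate the Exchange Online command that re-applies each one. Addresses are placeholders.
function Get-UnsyncedBypassGroups {
    param([Parameter(Mandatory)][string]$ModeratedGroup)

    $dg = Get-DistributionGroup -Identity $ModeratedGroup

    foreach ($entry in $dg.BypassModerationFromSendersOrMembers) {
        # Entries are directory object references; resolve each to see what kind of recipient it is.
        $recipient = Get-Recipient -Identity $entry.ToString() -ErrorAction SilentlyContinue
        if (-not $recipient) {
            Write-Warning "Bypass entry '$entry' on $ModeratedGroup could not be resolved."
            continue
        }
        if ($recipient.RecipientTypeDetails -like '*Group*') {
            [pscustomobject]@{
                ModeratedGroup = $dg.PrimarySmtpAddress.ToString()
                BypassGroup    = $recipient.PrimarySmtpAddress.ToString()
                RecipientType  = $recipient.RecipientTypeDetails.ToString()
            }
        }
    }
}

$missing = @(Get-UnsyncedBypassGroups -ModeratedGroup 'DG@contoso.com')
$missing | Format-Table -AutoSize

# Commands to run in an Exchange Online PowerShell session. The @{Add=...} form appends to
# the existing bypass list instead of replacing it, so user entries that did sync are kept.
$missing | ForEach-Object {
    "Set-DistributionGroup '$($_.ModeratedGroup)' -BypassModerationFromSendersOrMembers @{Add='$($_.BypassGroup)'}"
}
```

Note the difference from the post's one-liner: passing a bare value to -BypassModerationFromSendersOrMembers replaces the whole list, so use the @{Add=...} form whenever the Exchange Online group already has entries you want to keep.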
Moderated messages are not delivered to the moderator and the sender receives an NDR message:
"550 5.6.0 APPROVAL.InvalidExpiry; Cannot read expiry policy."
Solution: This problem occurs if the retention tag for moderation is missing. Normally there is a default retention policy tag for moderation, used for messaging records management of the system mailbox used for moderation.
It is not visible in the user interface, nor will it be returned in Get-RetentionPolicytag until explicitly specifying it:
Get-RetentionPolicyTag "moderatedrecipients"
Name Type Description
ModeratedRecipients Personal Managed Content Settings
IsdefaultModeratedRecipientsPolicyTag: True
AgeLimitForRetention: 2.00:00:00
In case you do not get any output when running the above command, we need to create it manually to avoid the mentioned NDR.
The following command can create a retention tag for moderation:
New-RetentionPolicyTag -IsDefaultModeratedRecipientsPolicyTag -Name ModerationTag -AgeLimitForRetention 2
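Since New-RetentionPolicyTag marks the new tag as the default for moderated recipients, you want to be sure no such tag already exists before creating another one. The following function is an added example, not the post's own code: it performs the by-name lookup the post describes, additionally sweeps the system tags for any tag flagged IsDefaultModeratedRecipientsPolicyTag (the -IncludeSystemTags sweep is assumed here to surface a tag created under a different name), and only creates the tag with the post's two-day age limit when neither lookup finds one.

```powershell
# Added example, not from the original post: check for the default moderated-recipients
# retention tag and create it only when it is missing. The -IncludeSystemTags sweep is an
# assumed safeguard against creating a second default tag; the tag name is the post's example.
function Initialize-ModerationRetentionTag {
    param([string]$TagName = 'ModerationTag')

    # Sweep for any tag already flagged as the moderated-recipients default (assumed check).
    $tag = Get-RetentionPolicyTag -IncludeSystemTags -ErrorAction SilentlyContinue |
           Where-Object { $_.IsDefaultModeratedRecipientsPolicyTag -eq $true }

    # The post's own check: the built-in tag is only returned when named explicitly.
    if (-not $tag) {
        $tag = Get-RetentionPolicyTag -Identity 'ModeratedRecipients' -ErrorAction SilentlyContinue
    }

    if ($tag) {
        $tag | ForEach-Object {
            "Default moderated-recipients tag present: $($_.Name), AgeLimitForRetention = $($_.AgeLimitForRetention)"
        }
        return $tag
    }

    "No default moderated-recipients tag found; creating '$TagName' with a 2-day age limit."
    New-RetentionPolicyTag -Name $TagName -IsDefaultModeratedRecipientsPolicyTag -AgeLimitForRetention 2
}

Initialize-ModerationRetentionTag
```

If the function reports an existing tag but senders still receive the APPROVAL.InvalidExpiry NDR, the tag itself is not the missing piece and the next place to look is the system mailbox used for moderation, together with the logs mentioned earlier for a support case.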
That is all we wanted to cover; hopefully you find this useful when there are any moderation related problems!
We wanted to thank Arindam Thokder, Bhalchandra Atre and Nino Bilic for their review of this blog post.
Gagandeep Singh and Hitesh Sharma