Exchange Onpremises Transport Rule

Brass Contributor

Hi All,

I am trying to create a transport rule in Onpremise Exchange environment, so that the rule applies to only recipients whose hosted in Onprem Exchange environment and not in office365.


So, wanted to reconfirm on one point/condition of the Transport Rule wherein if i set "Recipient is located Inside the organization" does that mean recipients within Exchange Onpremises organization?


9 Replies
Where is your MX record is pointed to O365 or your Ex on-premises ?
It is pointed to our proofpoint servers which ultimately routes those mails into our Onprem Exchange.
So, based on your email routing configuration every email whether from on-prem or from O365 needs to route to on-prem through Proofpoint servers and then go out to the external recipients. that mean that on-premises transport rules will continue to evaluate messages sent to or from mailboxes housed in Office 365 and your on-premises and o365 mailboxes will be considered as inside the organization.
In that case, how would i restrict the rule to trigger for only Onprem mailboxes?
If you're concerned about messages sent FROM on-prem mailboxes, you want the SenderADAttributeContainsWords condition. If instead it is messages sent TO on-prem mailboxes, you want the RecipientADAttributeContainsWords condition. There's one more problem - these conditions only support certain properties, and RecipientType/RecipientTypeDetails are not on the list of supported properties.

To get around this, I have used a PowerShell script which is run by a Scheduled Task, and sets a CustomAttribute(1-15) to a value based on whether the mailbox is on-prem or in EXO. For me, I've chosen to set CustomAttribute11 to 'EXO' when the RecipientTypeDetails is -LIKE 'Remote*Mailbox', or 'On-premises' when that is not the case. Then my transport rule uses CustomAttribute11 as the Sender/Recipient property contain the word(s) we specify with either of those aforementioned Transport Rule conditions.

I like to schedule tasks on an Exchange server, running those tasks as Local System. You can assign RBAC roles to your Exchange server's computer account, or add it to one of the pre-canned role groups, like Recipient Management, then it can do the stuff in your script (like Set-Mailbox <id> -CustomAttribute11 'On-premises', or Set-RemoteMailbox <id> -CustomAttribute11 'EXO').

Hope this helps. Again - if you know any good ways to tackle the UsedVersionBuckets issue, please do share.
you need to verify your mail flow first for the email send from O365 if its redirected to onprem or its send directly to the internet. if this is case that the transport rule will evaluate only the onpremises users
Thanks Jeremy, i could give the RecipientADAttributeContainsWords attribute a try, thanks for that suggestion.

Yes, usedversionBuckets........ That's a huge subject, i too need more info on that, we keep seeing these errors, even in Exchange 2019
For us, the scenario is for externally inbound mails and so the TR should hit only Onprem mailbox in Exchange Onprem and if not then we have another rule in place in Office365.

However, what I have observed is, since the rule adds a custom header to the message, this action isn't carried over to Office365, because I do not see the event log under custom data for the onprem rule in message trace in office365



Ok, before i close this thread, i have one last thing to discuss, when i trace mails to check whether this Transpor Rule has stamped email with headers or not, i see Action=Halt, but when i check the headers of the mail i actually see the header with correct value, so the Rule is doing it's job.

S:TRA=ETR|ruleId=c481c351-4126-42b6-af69-9661a29d64ed|st=5/15/2023 5:39:32 PM|action=SetHeader|action=Halt|sev=1|mode=Enforce;S:TRA=ETRP|ruleId=c481c351-4126-42b6-af69-9661a29d64ed|st=2023-05-15T17:39:32.0000000Z|ExecW=0|ExecC=0;S:TRA=ETRI|MsgType=Normal|Ex=|IsKnown=|FipsStatus=Success|AttchUns=|ceErr=|Synth=False-Na-ON;


What does action=Halt mean exactly here?