Nov 30 2018 04:11 PM
We set up message moderation for some of our distribution lists. We still have an Exchange 2010 server in hybrid with no mailboxes on premises that via AD Connect goes to Office 365 / Exchange Online. I have an odd problem that message moderation settings don't flow fully from local to cloud. Luckily, I am able to edit it in the cloud even though it is a synchronized group, but I'm not sure why it is happening.
Dec 01 2018 07:18 AM
I'm not at home currently so I cannot check this in my lab, however according to the documentation, the corresponding AD attributes should be synchronized to Exchange Online (https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-sync-attributes-syn...).
Two things come to mind: check whether there are modifications made to the default sync rules, and check whether the users/groups that are configured as moderators are in the scope of sync.
Dec 02 2018 08:32 AM
Like Vasil says, check the attributes are in the scope of sync. They should be but maybe someone has edited the synchronisation rules.
The only other thing I might ask is what is the version of the directory synchronisation tool? Having a quick look I cannot see a bug for moderation attributes but if it is old it would make sense to update it.
Dec 03 2018 10:21 AM
@Vasil Michev wrote:
I'm not at home currently so I cannot check this in my lab, however according to the documentation, the corresponding AD attributes should be synchronized to Exchange Online (https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-sync-attributes-syn...).
Two things come to mind: check whether there are modifications made to the default sync rules, and check whether the users/groups that are configured as moderators are in the scope of sync.
That group in question is definitely in scope of sync and I can manually add it. The other interesting thing is I can't enable message moderation on the O365 side since it is an AD-based group; that must be synchronized. However, once I enable it, I can then edit properties only on the O365 side?
Dec 03 2018 10:27 AM
@Oliver Moazzezi wrote:
Like Vasil says, check the attributes are in the scope of sync. They should be but maybe someone has edited the synchronisation rules.
The only other thing I might ask is what is the version of the directory synchronisation tool? Having a quick look I cannot see a bug for moderation attributes but if it is old it would make sense to update it.
I was on 1.1.880 from August. I just installed 1.2.68 and will test again.
Dec 03 2018 01:09 PM
1.1.880 isn't particularly old so I don't think it will be that. I'll double check in my lab tomorrow for you.
Dec 04 2018 05:01 AM - edited Dec 04 2018 05:18 AM
Brian
I have checked in my lab and this is my experience. If I enabled moderation on a synchronised mail enabled distribution list, the updates are shown in the export in the Synchronisation Service Manager. Please check the attached pictures and make the changes in your environment to see if AADConnect is picking up the change and synchronising it.
You can see I made two changes, one to enable moderation and another to change moderation notifications - both are picked up by AADConnect and synchronised over.
Can you check this and report back your findings for synchronisation flow?
Dec 04 2018 08:10 AM
Thanks for testing that. I can confirm everything comes over except for when I put groups in the senders that don't require approval. I just added another group and will capture the synch and share it shortly.
Dec 04 2018 09:02 AM - edited Dec 04 2018 09:03 AM
Brian
I am getting the same experience as you for both Exchange 2010 and Exchange 2013 Hybrid labs. I haven't had the chance to test in Exchange 2016.
msExchBypassModerationLink is successfully synchronised from on-premises through AADConnect and reflected in Exchange Online EAC, however I can simply add and remove users at my desire for moderator bypass, whereas making other changes is blocked because the object is synchronised from on-premises via AADConnect.
Dec 04 2018 09:15 AM
Solution
Reading here, the msExchBypassModerationLink attribute has been supported by AADConnect since version 1.1.524.0
So it appears to be a bug where Azure AD isn't anchoring the attribute to only be controlled by on-premises.
Dec 04 2018 09:44 AM
Thanks for all your checking. It seems the attribute msExchBypassModerationFromDLMembersLink is not being synchronized properly. Here is a screenshot from my service manager.
Dec 04 2018 09:46 AM
@Oliver Moazzezi wrote:
Reading here, the msExchBypassModerationLink attribute has been supported by AADConnect since version 1.1.524.0
So it appears to be a bug where Azure AD isn't anchoring the attribute to only be controlled by on-premises.
In looking at the link you shared, it seems Bypass DL is not synchronized, so I guess this is expected behavior. As a result they have to let you edit it on O365 or there would be no way to do it otherwise. Thanks for the investigation. Probably a rarely used feature, so down the list of things to implement.
Dec 04 2018 09:50 AM
Nice to have a better understanding of the quirks of the system.
Have a great day!
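Because the thread finds that the moderation bypass list of a synchronised group can be edited in Exchange Online, and that the bypass-by-group attribute does not come across, the two sides can drift apart. The following is an added example, not code from any poster in this thread, that classifies that drift for one group. The function name `Compare-ModerationBypass` and all addresses are hypothetical and constructed; it assumes every identity has already been resolved to its primary SMTP address.

```powershell
# Added example. Inputs in a live environment would come from:
#   Get-ADGroup <group> -Properties msExchBypassModerationLink,
#                                   msExchBypassModerationFromDLMembersLink
#   Get-DistributionGroup <group> |
#       Select-Object IsDirSynced, BypassModerationFromSendersOrMembers
# with each returned identity resolved to a primary SMTP address first.

function Compare-ModerationBypass {
    param(
        [string[]]$OnPremSenders,  # members of msExchBypassModerationLink
        [string[]]$OnPremGroups,   # members of msExchBypassModerationFromDLMembersLink
        [string[]]$CloudBypass     # BypassModerationFromSendersOrMembers in Exchange Online
    )

    # Normalise: drop blanks, trim, lower-case, de-duplicate.
    $norm = {
        param($list)
        @($list | Where-Object { $_ } |
            ForEach-Object { $_.Trim().ToLowerInvariant() } |
            Sort-Object -Unique)
    }
    $senders = & $norm $OnPremSenders
    $groups  = & $norm $OnPremGroups
    $cloud   = & $norm $CloudBypass

    foreach ($id in (@($senders) + @($groups) + @($cloud) | Sort-Object -Unique)) {
        $onPrem = ($senders -contains $id) -or ($groups -contains $id)
        $state = if ($cloud -contains $id) {
            # Present in the cloud: either it was synchronised or added cloud-side.
            if ($onPrem) { 'InSync' } else { 'CloudOnly' }
        } elseif ($groups -contains $id) {
            'OnPremGroupNotInCloud'    # the case reported in this thread
        } else {
            'OnPremSenderNotInCloud'
        }
        [pscustomobject]@{ Identity = $id; State = $state }
    }
}

# Constructed sample data, not taken from any real tenant.
Compare-ModerationBypass `
    -OnPremSenders 'alice@contoso.example' `
    -OnPremGroups  'helpdesk@contoso.example' `
    -CloudBypass   'alice@contoso.example', 'contractor@contoso.example' |
    Format-Table -AutoSize
```

`CloudOnly` rows are bypass entries that exist only because someone edited the synchronised group in Exchange Online, so they are the ones to review when moderation is used as an approval control.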