moderator approved emails are failing


We have DLP policies set up for a group of users that require approval before sending messages to external parties. The moderator receives the approval email just fine, but when it is approved or rejected, the NDR below is received.


Delivery has failed to these recipients or groups:

'Microsoft Exchange Approval Assistant' (email address removed for privacy reasons)
Your message couldn't be delivered because messages to the recipient require approval by a message moderator and no moderator was found.

This is likely a temporary problem. Try to resend the message. If it can't be delivered a second time, forward this message to your email admin.

For Email Administrators
This error occurs if the system can't find the message moderators for an address. This is usually a temporary condition. (For example, a moderator's address changes after the approval message is created but before approval is granted.) This issue can usually be resolved by sending the message a second time after changes to the moderator's address have had time to replicate throughout the system.

For more information, see DSN 5.7.126 Errors in Exchange Online and Office 365.

Diagnostic information for administrators:

Generating server:

email address removed for privacy reasons
Remote Server returned '550 5.7.126 APPROVAL.NotAuthorized; Your message wasn't approved for delivery to this recipient [Stage: OnCreatedEvent][Agent: Approval Processing Agent]'


Tried to search online but nothing was found for this issue. Any help would be greatly appreciated.

4 Replies

Best open a support case and report this.

Thanks Vasil.

It appears that this only happens when a mail-enabled security group is added to the DLP rule as moderator. Tried adding individual users as moderator in the DLP rule and it works.

Just wondering if a mail-enabled security group or any distribution list is not supported?

Opened up a case with Microsoft, and Microsoft PG confirmed that this is a limitation and a DL cannot be used for moderator approval. They only allow individual users or a shared mailbox.

Wondering why Microsoft allows adding a distribution list in the DLP moderator approvers field if it is not supported.
They might not have even tested this scenario... Thanks for circling back :)