Recipient Moderation Troubleshooting guide

Recipient Moderation

Recipient moderation in Exchange Online (and on premises) is a straightforward and easy process once understood.

However, scenarios in which these emails "disappear into thin air" are common, and finding the right place to start can be a small challenge.

In this article, I will provide examples, explain each step and why it makes sense, and show how to get the details of the roadblock.

Checking moderation:

First things first, we need to understand the difference between moderator and moderated: the moderator decides whether or not the moderated recipient will receive the email.

Make sure you have a good understanding of who is what by checking in PowerShell:

Get-Mailbox replace_with_moderated_recipient | fl *moder*

x@thehruxcom - moderated recipient (UserMailbox)

admin@thehruxcom - moderator of x@thehruxcom

a-admart@microsoft - external sender

Sample of approved email:

Notice:

  • Sender is "Microsoft Exchange Approval Assistant" on behalf of the external sender (in my example, a-admart@microsoftcom is an external MailContact saved as <<MS>>)
  • The email was approved before the screenshot
  • The Subject included Approval Requested

          

Breaking down the moderation process in PowerShell

Best case scenario, you can repro the issue. If this is possible, I strongly suggest sending a new email with a specific Subject, for easier tracking (ex: 12345678 - approved).

Otherwise, try to search for the email by a unique part of the Subject.

Use in PowerShell:

Get-MessageTrace -StartDate MM/DD/YYYY -EndDate MM/DD/YYYY | ? {$_.Subject -match "type unique string here"} | sort Received | ft received, subject, sender*, recipient*, status

Note: scope the Get-MessageTrace cmdlet by using dates (before and after the email was received). Do not use sender/recipient address since this will impact the results. You can add any other output you need, but this was enough for me.

  • Each of the above is a separate email. In other words, approving an email for a moderated recipient generates six actions in the background
  • Reading the Subjects of the items should help in understanding the process 

Taking the events one by one

  1. Office 365 received an email from a-admart@microsoftcom sent to x@thehruxcom
  2. Recipient has a ModeratedBy admin@thehruxcom and ModerationEnabled $true
  3. Hence, the moderation process is initiated and a separate copy is created and picked up by an Arbitration mailbox
    1. Arbitration mailboxes are used for managing approval workflow. For example, an arbitration mailbox is used for handling moderated recipients and distribution group membership approval
    2. These mailboxes cannot be moved/renamed/modified by administrators in Exchange Online
    3. They are used for other processes (example: generating on premises Offline Address Book)
      1. The 1st email (from a-admart@microsoftcom to x@thehruxcom) will have status Failed, while it waits for the moderator decision
    4. If you check the details of this Event by using Get-MessageTraceDetail, you will see that: LED=250 2.1.5 Resolver.MT.StartModeration; recipient is moderated
    5. The arbitration mailbox presents the copy to the Moderator. Subject is prepended by Approval Requested
    6. The Moderator clicks the button associated with the "verdict" and it is handled by the Arbitration mailbox. Subject is prepended by Approve/Reject
    7. Moderator "verdict" is handled by the Arbitration mailbox. Subject is prepended by Decision processed 
    8. Status of original email (see step 4 above) is changed to Delivered (if the email was delivered)

Other examples:

The process in other pictures:

Rejected email:

  • External sender will receive a notification (if it was clicked by the Moderator), stating that:

Your message was rejected by a moderator for these recipients.

Not processed email (moderator did not select & send any response):

  • If the email is not approved within 48 hours (Exchange Online, typically 5 days for on premises Exchange), the sender gets an expiration notice, stating that:

Your message has expired without any moderator decision for the following recipients.

To change the default expiration setting we can use the following PowerShell command:

Get-RetentionPolicyTag <moderatedrecipients> | Set-RetentionPolicyTag -AgeLimitForRetention <NO of days>

Valid values for the number of days can vary from 1.00:00:00 to 24855.03:14:07

Troubleshooting:

For questions like:

"Emails that should be moderated disappear"

"An approved email did not reach the final recipient"

"We cannot find anything related to the moderated email"

"Sender received a moderation expired notification"

"Moderation is not working"

In order to start troubleshooting this scenario, you need to find out where the failure occurs in the above steps.

Once you have a good understanding of the successful process, you can compare it with what you are facing and see where it stops.

The failing/dropped event will be investigated in PowerShell by using Get-MessageTraceDetail.
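The comparison against the successful workflow can be scripted. The following is an added example, not part of the original article: the function name Get-ModerationStage, the stage labels, the exact subject formats and the sample rows with placeholder addresses are assumptions built on the Subject prefixes described above.

```powershell
# Added example, not from the article: label message trace rows with the moderation
# step their Subject indicates and mark the row to pass to Get-MessageTraceDetail.
function Get-ModerationStage {
    param([Parameter(Mandatory, ValueFromPipeline)][psobject]$Trace)
    begin { $rows = @() }
    process { $rows += $Trace }
    end {
        $index = 0   # zero-based, same numbering as "select -index" after "sort Received"
        $labelled = foreach ($r in ($rows | Sort-Object Received)) {
            $stage = switch -Regex ($r.Subject) {
                '^Undeliverable'               { 'NDR'; break }
                'Moderators cannot be reached' { 'ModeratorsUnreachable'; break }
                '^Approval Requested'          { 'ApprovalRequested'; break }
                '^(Approve|Reject)'            { 'Verdict'; break }
                '^Decision processed'          { 'DecisionProcessed'; break }
                default                        { 'Original' }
            }
            [pscustomobject]@{
                Index = ($index++); Stage = $stage; Status = $r.Status
                Sender = $r.SenderAddress; Recipient = $r.RecipientAddress; Inspect = $false
            }
        }
        # A failed workflow step is the fault to investigate. The NDR and the
        # "Moderators cannot be reached" notice are consequences and are never picked.
        $steps  = 'ApprovalRequested', 'Verdict', 'DecisionProcessed'
        $target = $labelled |
            Where-Object { $_.Stage -in $steps -and $_.Status -eq 'Failed' } | Select-Object -First 1
        # Decision processed but the original is still Failed: inspect the original.
        if (-not $target -and @($labelled.Stage) -contains 'DecisionProcessed') {
            $target = $labelled |
                Where-Object { $_.Stage -eq 'Original' -and $_.Status -eq 'Failed' } | Select-Object -First 1
        }
        if ($target) { $target.Inspect = $true }
        $labelled
    }
}

# Constructed sample rows shaped like Get-MessageTrace output (placeholder addresses).
$t = [datetime]'2017-08-22T10:00:00'
$row = { param($min, $subject, $from, $to, $status)
    [pscustomobject]@{ Received = $t.AddMinutes($min); Subject = $subject
        SenderAddress = $from; RecipientAddress = $to; Status = $status } }
$sample = @(
    & $row 0 'Failed #1' 'sender@example.net' 'moderated@example.com' 'Failed'
    & $row 1 'Approval Requested: Failed #1' 'arbitration@example.com' 'moderator@example.com' 'Failed'
    & $row 2 'Undeliverable: Approval Requested: Failed #1' 'postmaster@example.com' 'arbitration@example.com' 'Delivered'
    & $row 3 'Moderators cannot be reached: Failed #1' 'arbitration@example.com' 'sender@example.net' 'Delivered'
)
$sample | Get-ModerationStage | Format-Table -AutoSize
```

Against a live tenant, pipe the filtered Get-MessageTrace output into the function instead of $sample; the row marked Inspect is the one to select by its Index and pass to Get-MessageTraceDetail.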

Example of troubleshooting when the email is lost in the moderation process:

Email with Subject "Failed #1" was sent by a-admart@microsoftcom to moderated recipient x@thehruxcom and no one received anything about this.

Since we know the Subject and approximate dates, we can go straight to PowerShell and see where the process failed:

Get-MessageTrace -StartDate 8/22/2017 -EndDate 8/23/2017 | ? {$_.Subject -match "Failed #1"} | sort Received | ft received, subject, sender*, recipient*, status

By checking only the Subjects, we see that an NDR (Undeliverable) was generated somewhere along the process and also that Moderators cannot be reached.

We will select the event by adding select -index X to the command, where X is the entry number and the first row is 0.

Moving forward, the step that actually failed the process is Approval Requested (status Failed).

  • We will not check the Undeliverable because it is the NDR generated by the previous step failure. The details of the NDR are in its body and we will not be able to access it (see sender & recipient of the event)
  • We will not check the Moderators cannot be reached since it is a standard reply when one of the process steps is failing

We will use the index 2 in order to isolate the event:

Get-MessageTrace -StartDate 8/22/2017 -EndDate 8/23/2017 | ? {$_.Subject -match "Failed #1"} | sort Received | select -index 2

And export its full details by using Get-MessageTraceDetail | fl at the end:

Get-MessageTrace -StartDate 8/22/2017 -EndDate 8/23/2017 | ? {$_.Subject -match "Failed #1"} | sort Received | select -index 2 | Get-MessageTraceDetail | fl

In the Fail event details we see that the Arbitration mailbox could not deliver the Approval Requested email to the moderator because of LED=550 5.7.129 RESOLVER.RST.RestrictedToRecipientsPermission; not authorized to send to recipient because the sender isn't on the recipient's list of senders to accept mail from

By checking the moderator admin@thehruxcom mailbox permissions, we see that he is accepting emails only from y@thehruxcom:

get-mailbox admin@thehruxcom | fl *accept*

We remove the limitation for admin@thehruxcom, if possible, and re-test the moderation process by using a Failed #2 subject:

The moderator now received the moderation request and clicked on Approve but the email did not reach the recipient:

Get-MessageTrace -StartDate 8/22/2017 -EndDate 8/23/2017 | ? {$_.Subject -match "Failed #2"} | sort Received | ft received, subject, sender*, recipient*, status

We see that the email to the final recipient x@thehruxcom has status Failed and try to get more details about the event (we will not use | fl after Get-MessageTraceDetail and just export the Events summary):

Get-MessageTrace -StartDate 8/22/2017 -EndDate 8/23/2017 | ? {$_.Subject -match "Failed #2"} | sort Received | select -index 2 | Get-MessageTraceDetail

  • The first DROP event was discussed above and is expected until the Decision is processed or otherwise
  • The second DROP event is showing us that x@thehruxcom is actually forwarding emails to receive@thehruxcom
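Both root causes found in this walkthrough (a moderator that only accepts mail from listed senders, and a moderated recipient that forwards its mail) can be checked before anything goes missing. The following is an added example, not part of the original article: the function name Test-ModerationConfig and the sample objects are hypothetical, and matching ModeratedBy entries by Name, Alias or SMTP address is an assumption.

```powershell
# Added example, not from the article: flag the two conditions found in the walkthrough,
# a moderator that restricts its senders and a moderated recipient that forwards mail.
function Test-ModerationConfig {
    param([Parameter(Mandatory)][psobject[]]$Mailbox)
    foreach ($mbx in ($Mailbox | Where-Object { $_.ModerationEnabled })) {
        foreach ($id in $mbx.ModeratedBy) {
            # Assumption: a ModeratedBy entry equals the moderator's Name, Alias or SMTP address.
            $mod = $Mailbox |
                Where-Object { $id -in ($_.Name, $_.Alias, $_.PrimarySmtpAddress) } |
                Select-Object -First 1
            $issue = $null
            if (-not $mod) {
                $issue = 'Moderator is not among the supplied mailboxes'
            } elseif ($mod.AcceptMessagesOnlyFromSendersOrMembers) {
                $issue = 'Moderator only accepts listed senders (5.7.129 risk for the approval request)'
            }
            if ($issue) {
                [pscustomobject]@{ Recipient = $mbx.PrimarySmtpAddress; Checked = $id; Issue = $issue }
            }
        }
        # Either forwarding property redirects mail that the moderator has approved.
        $fwd = @($mbx.ForwardingAddress, $mbx.ForwardingSmtpAddress) | Where-Object { $_ }
        if ($fwd) {
            [pscustomobject]@{
                Recipient = $mbx.PrimarySmtpAddress; Checked = 'forwarding'
                Issue = "Forwards to $($fwd -join ', '); keeps local copy: $($mbx.DeliverToMailboxAndForward)"
            }
        }
    }
}

# Constructed sample objects carrying only the Get-Mailbox properties the function reads
# (placeholder addresses; properties that are not listed read as $null).
$sample = @(
    [pscustomobject]@{ Name = 'moderated'; PrimarySmtpAddress = 'moderated@example.com'
        ModerationEnabled = $true; ModeratedBy = @('moderator')
        ForwardingSmtpAddress = 'smtp:receive@example.com'; DeliverToMailboxAndForward = $false }
    [pscustomobject]@{ Name = 'moderator'; PrimarySmtpAddress = 'moderator@example.com'
        ModerationEnabled = $false; AcceptMessagesOnlyFromSendersOrMembers = @('allowed-sender') }
)
Test-ModerationConfig -Mailbox $sample | Format-List
```

Against a live tenant, pass the output of Get-Mailbox -ResultSize Unlimited as -Mailbox; moderators that are not mailboxes will be reported as not found and need a manual check.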

Other resources

Configure a moderated recipient in Exchange Online - https://technet.microsoft.com/en-us/library/jj983442(v=exchg.150).aspx

Manage message approval - https://technet.microsoft.com/en-us/library/dd297936(v=exchg.150).aspx



Last updated May 17, 2024 Views 9,770 Applies to: