Distribution Group - Mail Flow Issue with few Exchange online users

Dear Folks,

We are running Exchange 2010 with a Hybrid setup. We are currently facing an issue with a few Exchange Online users. There is an on-premises mailbox, let's say *** Email address is removed for privacy *** > any email that is received by this on-premises mailbox *** Email address is removed for privacy *** is forwarded to a distribution group, let's say *** Email address is removed for privacy ***. When an Exchange Online user sends an email to *** Email address is removed for privacy *** > the Exchange Online user gets the following error message.

"*** Email address is removed for privacy ***. Your message can't be delivered because delivery to this address is restricted."

#550 5.7.1 RESOLVER.RST.AuthRequired; authentication required ##rfc822;*** Email address is removed for privacy ***"

Note: The distribution group has the check "Require that all senders are authenticated" enabled and we can't remove it.
Only a few users are getting the NDR/error message, while other Exchange Online users are able to send email to the on-premises mailbox (*** Email address is removed for privacy ***) and the email is getting forwarded to the distribution group *** Email address is removed for privacy ***

Please assist with this.


Hi SheerazAnsari,

May I collect some information to analyze the issue?

1. How did you deploy Exchange hybrid?

The officially supported way is: use Hybrid Configuration Wizard (HCW) to configure hybrid between on-premise Exchange and Exchange Online.

2. How are Exchange Online users created? For example,

a. Both affected and un-affected online users are moved from on-premise Exchange to Exchange online

b. Both are directly created in Exchange Online.

c. Affected users are created in Exchange Online. Un-affected users are moved from on-premise.

etc.

You can provide the detailed steps.

3. For the distribution group, is it created in on-premise Exchange, and also synced to Exchange Online?

If not, please let me know the detailed steps how you created the group.

4. Please provide the entire bounce back email (non-delivery report, NDR) “550 5.7.1 RESOLVER.RST.AuthRequired……”. (Should be the original NDR. Do not remove anything)

To protect your privacy, I have sent a private message to request the bounce back email. Please use this link to access the private message: https://community.office365.com/user/conversations

With the detailed information, I will further analyze the issue.

Thanks,

Young


1. How did you deploy Exchange hybrid?

The officially supported way is: use Hybrid Configuration Wizard (HCW) to configure hybrid between on-premise Exchange and Exchange Online.

- Yes, we used HCW wizard.

2. How are Exchange Online users created? For example,

a. Both affected and un-affected online users are moved from on-premise Exchange to Exchange online

- Both affected and un-affected users are moved from on premises to Exchange online.

b. Both are directly created in Exchange Online.

- No.

c. Affected users are created in Exchange Online. Un-affected users are moved from on-premise.

etc.

- No. Both affected and un-affected users are moved from on premises to Exchange online.

You can provide the detailed steps.

3. For the distribution group, is it created in on-premise Exchange, and also synced to Exchange Online?

We are using DirSync server and nothing is created in Exchange online, all AD objects are created by DirSync server.

If not, please let me know the detailed steps how you created the group.

4. Please provide the entire bounce back email (non-delivery report, NDR) “550 5.7.1 RESOLVER.RST.AuthRequired……”. (Should be the original NDR. Do not remove anything)

- We have provided complete NDR, please see private link.


Hi SheerazAnsari,

Thanks for the information, I know more clearly about the situation. Let’s continue analyzing the issue.

1. With this option “Require that all senders are authenticated”, only internal users can send emails to the DG, including cross-premise emails from online users. If emails from online users are treated as external email incorrectly, the emails will be rejected.

In the message header, there is a header called X-MS-Exchange-Organization-AuthAs. For internal emails, the header value is always Internal.

So, please perform this test: let the affected online users send emails to another on-premise mailbox, and then check the message header. Make sure X-MS-Exchange-Organization-AuthAs is set to Internal.

You can provide the message header in private message.

2. The general mail flow is: Online mailbox -> on-premise mailbox -> DG. It is possible that the email is rejected when it is being delivered to the on-premise mailbox.

From the NDR, I find the following clue:

Delivery has failed to these recipients or groups:

*** Email address is removed for privacy ***

Your message can't be delivered because delivery to this address is restricted.

Is *** Email address is removed for privacy *** just the on-premise mailbox?

If so, the email might be rejected by *** Email address is removed for privacy ***. I suggest you check this on-premise mailbox’s Message Delivery Restrictions. Is it configured? You can send related screenshots. You can click Use rich formatting in the forum, and then click the insert image button to upload the screenshot.

Thanks,

Young
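
The header test described in the reply above, as an added example that is not part of the original thread: it reads pasted message headers and reports which senders' test messages were not stamped `X-MS-Exchange-Organization-AuthAs: Internal`. The sample headers, addresses, and function names are constructed for illustration.

```python
from email import message_from_string
from email.policy import default

AUTH_HEADER = "X-MS-Exchange-Organization-AuthAs"

# Constructed sample headers (not taken from the thread); addresses are placeholders.
SAMPLE_INTERNAL = """\
Received: from mail.onprem.example (192.0.2.10) by
 mbx01.onprem.example (192.0.2.11) with placeholder transport
From: online.user1@example.com
To: onprem.mailbox@example.com
Subject: test 1
X-MS-Exchange-Organization-AuthAs: Internal
"""

SAMPLE_ANONYMOUS = """\
From: online.user2@example.com
To: onprem.mailbox@example.com
Subject: test 2
x-ms-exchange-organization-authas: Anonymous
"""

SAMPLE_MISSING = """\
From: online.user3@example.com
To: onprem.mailbox@example.com
Subject: test 3
"""

def check_auth_as(raw_headers):
    """Return sender, AuthAs values and a verdict for one pasted header block."""
    msg = message_from_string(raw_headers, policy=default)
    # Header names are matched case-insensitively; folded lines are unfolded.
    values = [str(v).strip() for v in (msg.get_all(AUTH_HEADER) or [])]
    if not values:
        verdict = "missing"
    elif all(v.lower() == "internal" for v in values):
        verdict = "internal"
    else:
        verdict = "not-internal"
    return {"sender": str(msg["From"]), "auth_as": values, "verdict": verdict}

def flag_senders(header_blocks):
    """List senders whose test message was not stamped Internal."""
    results = [check_auth_as(h) for h in header_blocks]
    return [r["sender"] for r in results if r["verdict"] != "internal"]

if __name__ == "__main__":
    for block in (SAMPLE_INTERNAL, SAMPLE_ANONYMOUS, SAMPLE_MISSING):
        print(check_auth_as(block))
```

Running it over headers collected from both affected and unaffected senders shows whether the rejection lines up with the AuthAs value or with something else, such as the mailbox's own delivery restrictions.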


Well, I would like to know: in Hybrid Exchange, are Exchange Online users considered External Users by on-premises Exchange?


Hi SheerazAnsari,

No.

In hybrid, emails from online to on-premise, or vice versa, are always considered as internal emails.

Online users are considered as internal users for on-premise users, and vice versa.

Thanks,

Young


Hi SheerazAnsari,

If you need any further assistance, please feel free to let us know.

Always here to help you.

Thanks,

Young


Yes, we are still looking for a resolution to this issue. By further troubleshooting we found that Exchange Online users can successfully send email to the distribution group *** Email address is removed for privacy ***, but when any Exchange Online user sends email to the on-premises mailbox *** Email address is removed for privacy *** it does not get forwarded to the distribution group *** Email address is removed for privacy ***

It is noted that this is happening with every Exchange Online user, while an on-premises user can send email to the on-premises mailbox *** Email address is removed for privacy *** and it gets forwarded to the distribution group *** Email address is removed for privacy *** as per our requirement.

Well, it looks like some connector misconfiguration - can anyone please assist with how we can change "X-MS-Exchange-Organization-AuthAs" from Anonymous to Internal for Exchange Online users, as pointed out by you earlier, Young Yang? Thanks.


Hi SheerazAnsari,

Thanks for your reply. According to your latest reply, I need to confirm some information for further analysis.

1. Previously, you said only some online users are affected. And other online users are not affected.

while there are only few users who are getting NDR/ error message while other Exchange online users are able to send email to on premises mailbox (*** Email address is removed for privacy ***) and email is getting forwarded to distribution group *** Email address is removed for privacy ***

Now, you said all online users are affected:

it is noted that it is happening with every Exchange Online user

Which one is the situation: all online users affected, or just some?

2. Could you provide the message header of emails sent from online users to on-premise users?

So that I can check the X-MS-Exchange-Organization-AuthAs attributes.

3. Sometimes, when X-MS-Exchange-Organization-AuthAs is not correct, the cause might be that hybrid configurations are not configured correctly. Please re-run Hybrid Configuration Wizard (HCW). After that, please check the result.

You can send message header in private message: https://community.office365.com/user/conversations 

Thanks,

Young


Hi Young,

Here we go with Answers to your query:

1. Yes, all Exchange Online users are affected, i.e. when Exchange Online users send email to the on-premises mailbox *** Email address is removed for privacy *** > it should be delivered to mailbox *** Email address is removed for privacy *** (which is ok) and it should also get forwarded to the distribution group *** Email address is removed for privacy *** (which is not happening), and Exchange Online users are getting an NDR like this:

"*** Email address is removed for privacy ***

Your message can't be delivered because delivery to this address is restricted.

#550 5.7.1 RESOLVER.RST.AuthRequired; authentication required ##rfc822; *** Email address is removed for privacy ***"

OUR OBJECTIVE: We require the same behavior as is currently happening with on-premises Exchange users, i.e. when Exchange Online users send email to the on-premises mailbox *** Email address is removed for privacy *** > it keeps a copy of the email in mailbox *** Email address is removed for privacy *** (which is ok) and it should also get forwarded to the distribution group *** Email address is removed for privacy ***, and Exchange Online users should not get any NDR.

2. I have shared the message header in private message.

If you are still unclear about our query, please let us know. Thanks for your assistance.

Question Info


Last updated April 1, 2020 Views 4,172 Applies to: