Sometimes you may need to restrict email delivery to specific recipients. The most common scenario is the need to control messages sent to large distribution groups. Depending on your organization's requirements, you may also need to control the messages sent to executive mailboxes or partner contacts. You can use moderation to accomplish these tasks. When you configure a recipient for moderation, all messages sent to that recipient are subject to approval by the designated moderator.
Refer to this article for common message approval scenarios in Exchange Online.
Moderation is simple to set up and work with as an administrator; however, if you need to troubleshoot it, you might need to know more. This post covers such scenarios. We tried to include troubleshooting steps and log collection pointers, so if there is a need to report issues to Microsoft support, everything is ready for the support staff to jump in and help resolve the problem.
Let’s start with an overview of what happens when moderation is enabled on the recipient.
What is the moderation workflow?
- A user sends an email to a moderated recipient.
- The message marked for moderation is intercepted in the transport pipeline and is routed to the arbitration mailbox used for processing moderation emails.
- The message is stored in the arbitration mailbox by the StoreDriver component, and an approval email is sent to the moderator.
- The moderator acts (approves or rejects).
- The StoreDriver component marks the moderator’s decision on the original message stored in the arbitration mailbox.
- The Approval Processing Agent reads the approval status on the message stored in the arbitration mailbox, and then processes the message depending on the moderator’s decision.
- If the moderator has approved the message, the Approval Processing Agent resubmits the message to the submission queue, and the message is delivered to recipient(s).
- If the moderator has rejected the message, the Approval Processing Agent notifies the sender that the message was rejected.
How to enable moderation?
Moderation can be enabled in the following ways:
- Using PowerShell (required when moderating mailboxes, mail users or mail contacts).
- Using the Exchange Admin Center (EAC) for moderating mail-enabled distribution groups or mail-enabled security groups.
- Using transport rules with the action Forward the message for approval (use this option when you require approval for messages that match specific criteria or that are sent to a specific person). Transport rules do not allow you to select a distribution group as the moderator; if you try this, you will get the following error:
An example of enabling moderation on a mailbox, with two moderators (User1 and User2):
Set-Mailbox -ModeratedBy User1, User2 -Identity ModeratedMailbox -ModerationEnabled $true
When a sender sends an email to the moderated mailbox, both moderators receive a moderation email from the arbitration (system) mailbox used for moderation.
An example of enabling moderation on a distribution group:
- Go to the Exchange admin center (EAC) > Recipients >Groups, edit the distribution group, and then select Message approval.
- PowerShell: Set-DistributionGroup "DG@domain.com" -ModerationEnabled $true -ModeratedBy User1, User2
When someone sends an email to a moderated user/distribution group, the moderator will receive an email as shown below. The email will have approve / reject buttons.
If one of the moderators approves the email, the approval email goes into the Sent Items folder of the moderator who approved it, and at the same time the copy still sitting in the second moderator's Inbox (who has not acted on it yet) is moved to their Deleted Items folder, to avoid conflicting actions.
Example of moderation email received:
Moderation email in Sent Items of moderator who approved the email:
If the message is rejected by any of the moderators, a rejection message is sent to the sender:
Moderation in hybrid organizations
The following table covers which arbitration mailbox is used when sending email to a moderated group in a hybrid deployment:

| Moderated group location | Sender | Moderator | Arbitration mailbox |
|---|---|---|---|
| Office 365 (synced) | Office 365 | Office 365 | Office 365 |
| Office 365 (synced) | Office 365 | On-premises | Office 365 |
| On-premises | Office 365 | Office 365 | On-premises |
| On-premises | Office 365 | On-premises | On-premises |
| Office 365 (synced) | On-premises | On-premises | On-premises |
| On-premises | On-premises | On-premises | On-premises |
| Office 365 (synced) | On-premises | Office 365 | On-premises |
| On-premises | On-premises | Office 365 | On-premises |
Requirements for moderation when in hybrid
- The moderation-related attributes of synced recipients must be synchronized to Office 365. The following attributes must be synchronized for the recipient on which moderation is enabled:

| PowerShell | AD attribute |
|---|---|
| ModerationEnabled | msExchEnableModeration |
| ModeratedBy | msExchModeratedByLink |
| ByPassModerationFromSendersOrMembers | msExchBypassModerationLink |
| SendModerationNotifications | msExchModerationFlags |
Of particular interest might be the values of the msExchModerationFlags attribute, and what they mean:
| msExchModerationFlags value | Value effect |
|---|---|
| 6 | Notify all senders when their messages aren't approved |
| 2 | Notify senders in your organization when their messages aren't approved |
| 0 | Don't notify anyone when their message isn't approved |
- At least one arbitration mailbox must exist in your Exchange on-premises organization. For reference, this is the naming convention/display name:

| Arbitration mailbox Name | Display name |
|---|---|
| SystemMailbox{1f05a927-XXXX-XXXX-XXXX-XXXXXXXXXXXX} | Microsoft Exchange Approval Assistant |
- To re-create the arbitration mailbox in case it is missing on your local Exchange Server, please see this article.
- At least one arbitration mailbox needs to exist in Exchange Online (created by default in Office 365).
- Set the DomainType to InternalRelay for "domain.onmicrosoft.com" under Accepted domains, both in Office 365 and in Exchange on-premises.
- Cross-premises headers must be preserved. For a detailed explanation of header preservation in a hybrid setup with Office 365, refer to the article Demystifying and troubleshooting hybrid mail flow: when is a message internal?
- TNEF must be enabled to ensure the Accept/Reject button is available for the moderator to take desired action. This is discussed in detail under the troubleshooting section.
Troubleshooting issues with moderation
Hybrid Connector address space
In a hybrid environment, when an on-premises moderator accepts/rejects a moderation message, the following NDR might be generated:
550 5.7.134 RESOLVER.RST.SenderNotAuthenticatedForMailbox; authentication required.
This issue arises when Office 365 users send email to a moderated (synced) distribution group and the moderator mailbox is on-premises. After the Office 365 mailbox sends the email to the moderated group, an approval email is sent from the Office 365 system mailbox to the on-premises moderator. The approval email is sent from an address similar to SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}@contoso.onmicrosoft.com. The moderator's approve/reject response is sent back to that same address, whose domain is "@contoso.onmicrosoft.com". By default this domain is not part of the hybrid send connector "Outbound to Office 365". As a result, on-premises sends the response through the normal Internet send connector, which does not use hybrid authentication with Office 365, and Office 365 rejects the email with the error code SenderNotAuthenticatedForMailbox.
Solution:
- Make sure the approve/reject response from on-premises is sent through the hybrid send connector: add the "Contoso.onmicrosoft.com" address space to the hybrid send connector "Outbound to Office 365".
- Also ensure that "domain.onmicrosoft.com" is present as an accepted domain on-premises and that its DomainType is set to Internal relay.
DBEB causing issues with Hybrid moderation
When an on-premises moderator accepts/rejects a moderation message, the following NDR might be generated:
Remote Server returned '554 5.4.1 < #5.4.1 smtp; 550 5.4.1 [SPO_Arbitration_XXXX-XXX-XXXX-XXXX-XXXXXXXXXXX@contoso.onmicrosoft.com]: Recipient address rejected: Access denied [XY2APC01FT055.eop-APC01.prod.protection.outlook.com]
This issue arises when Office 365 users send email to a moderated (synced) distribution group and the moderator mailbox is on-premises. When the on-premises moderator makes a decision (approve/reject) on the moderation email received from the Office 365 arbitration mailbox, a response is sent back to that same arbitration mailbox in Office 365. Because arbitration mailboxes hosted in Exchange Online are not synchronized to Azure AD, mail sent to them is blocked by DBEB (Directory Based Edge Blocking) with the error Recipient address rejected: Access denied.
Solution and recommendations:
- This issue does not occur if the moderator and the recipient on which moderation is applied are hosted in the same environment.
- Do not synchronize the moderated DG (distribution group); instead, create a mail contact for it in Office 365. This way the on-premises arbitration mailbox is used, and the DBEB issue does not occur.
If the above two recommendations do not work for your organization, you can make the following change in Office 365 to fix this:
- For the accepted domain "domain.onmicrosoft.com" in Exchange Online, set the DomainType to Internal relay. This disables DBEB for the specified domain and hence resolves the problem.
Missing Accept/Reject button due to TNEF setting in Remote Domain configuration
In a hybrid setup, the moderator might not get the accept/reject buttons to act upon moderated emails.
This feature requires the moderator's email client to receive and understand the message in TNEF encoding; if TNEF is turned off, the buttons are not visible.
Solution: Enable TNEF in the remote domain settings of the server from which the moderation email is sent. Enabling TNEF under remote domain settings ensures that the moderator receives the approve/reject buttons to take the desired action.
Example 1: An Office 365 user sends a mail to an Office 365 (synced) moderation-enabled DG. Assuming the moderator's mailbox Joe@fabrikam.com is hosted on-premises, the Exchange Online arbitration mailbox is used to send the decision email to this moderator. The TNEF settings shall be as follows:
In Office 365 for hybrid domain fabrikam.com:
Set-Remotedomain fabrikam.com -TNEFEnabled $true
Example 2: An Office 365 user sends a mail to an on-premises moderation-enabled DG. Assuming the moderator's mailbox John@fabrikam.com is hosted in Exchange Online, the on-premises arbitration mailbox is used to send the decision email to this moderator. The TNEF settings shall be as follows:
Set-Remotedomain fabrikam.mail.onmicrosoft.com -TNEFEnabled $true
Note: Mail routed from on-premises to the cloud for migrated mailboxes resolves to their remote routing addresses, in this case john@fabrikam.mail.onmicrosoft.com. If the remote domain does not exist on-premises, you can create one using New-RemoteDomain.
More information on TNEF is available here and TNEF conversion options are listed here.
Sync issue when adding group in the moderation bypass list
When adding a DG/SG to the moderation bypass list on-premises, the change does not get synchronized to Office 365.
Technically, the attribute MsExchByPassModerationFromDLMemberLink is not synchronized to AAD by default, and is not consumed from AAD by Exchange Online, as per documentation. Therefore, if you add a group to the moderation bypass list of a synced DG from on-premises, the change is not synchronized to Office 365; adding a user, however, works as expected.
Solution: Add the required group under the Bypass moderation settings of the moderated recipient on-premises.
Then, use the command below in Exchange Online PowerShell to update the moderation bypass setting:
Set-DistributionGroup DG@contoso.com -BypassModerationFromSendersOrMembers Group@contoso.com
Moderated messages are not delivered to the moderator and the sender receives an NDR message
"550 5.6.0 APPROVAL.InvalidExpiry"; Cannot read expiry policy.
Solution: This problem occurs if the retention tag for moderation is missing. Normally a default retention policy tag for moderation exists; it is used for messaging records management of the system mailbox used for moderation.
It is not visible in the user interface, nor is it returned by Get-RetentionPolicyTag unless you specify it explicitly:
Get-RetentionPolicyTag "moderatedrecipients"
Name Type Description
ModeratedRecipients Personal Managed Content Settings
IsdefaultModeratedRecipientsPolicyTag: True
AgeLimitForRetention: 2.00:00:00
If the above command returns no output, you need to create the tag manually to avoid the NDR mentioned above.
The following command creates a retention tag for moderation:
New-RetentionPolicyTag -IsDefaultModeratedRecipientsPolicyTag -Name ModerationTag -AgeLimitForRetention 2
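The hybrid requirements and the fixes in the preceding troubleshooting sections (arbitration mailbox, InternalRelay accepted domain, hybrid send connector address space, TNEF on the remote domain, and the moderated-recipients retention tag) can be verified in one pass. The script below is an added example written for this post, not code from the original article or from Microsoft; it runs in the on-premises Exchange Management Shell, and the tenant domain, connector name and remote domain defaults are assumed placeholders.

```powershell
function Test-HybridModerationConfig {
    # Added example for this post; run in the on-premises Exchange Management Shell.
    # All three defaults are assumed placeholder values; replace them with your tenant's.
    param(
        [string]$TenantDomain    = 'contoso.onmicrosoft.com',       # tenant routing domain
        [string]$HybridConnector = 'Outbound to Office 365',        # hybrid send connector name
        [string]$RemoteDomain    = 'fabrikam.mail.onmicrosoft.com'  # remote domain of cloud-hosted moderators
    )
    $checks = New-Object System.Collections.Generic.List[object]
    $add = { param($Check, $Passed, $Detail)
        $checks.Add([pscustomobject]@{ Check = $Check; Passed = [bool]$Passed; Detail = "$Detail" }) }

    # 1. Accepted domain must be InternalRelay so replies to the cloud arbitration
    #    mailbox are relayed to Exchange Online instead of being treated as local (DBEB).
    $ad = Get-AcceptedDomain -Identity $TenantDomain -ErrorAction SilentlyContinue
    & $add "Accepted domain $TenantDomain is InternalRelay" ($ad -and $ad.DomainType -eq 'InternalRelay') `
        $(if ($ad) { "DomainType = $($ad.DomainType)" } else { 'not an accepted domain on-premises' })

    # 2. The tenant domain must be an address space on the hybrid send connector, otherwise
    #    approve/reject replies leave via the Internet connector without hybrid authentication.
    $sc = Get-SendConnector -Identity $HybridConnector -ErrorAction SilentlyContinue
    $spaces = @($sc.AddressSpaces | ForEach-Object { $_.Address })
    & $add "Send connector '$HybridConnector' includes $TenantDomain" ($spaces -contains $TenantDomain) `
        $(if ($sc) { "address spaces: $($spaces -join ', ')" } else { 'send connector not found' })

    # 3. TNEF must be enabled on the remote domain used for cloud-hosted moderators, or the
    #    approve/reject buttons do not render in the moderator's client.
    $rd = Get-RemoteDomain -ErrorAction SilentlyContinue | Where-Object { "$($_.DomainName)" -eq $RemoteDomain }
    & $add "Remote domain $RemoteDomain has TNEFEnabled = True" ($rd -and $rd.TNEFEnabled -eq $true) `
        $(if ($rd) { "TNEFEnabled = $($rd.TNEFEnabled)" } else { 'remote domain missing (create with New-RemoteDomain)' })

    # 4. The default moderated-recipients retention tag must exist (APPROVAL.InvalidExpiry NDR).
    #    It is hidden from a plain Get-RetentionPolicyTag, so query system tags, then the default name.
    $tag = @(Get-RetentionPolicyTag -IncludeSystemTags -ErrorAction SilentlyContinue |
             Where-Object { $_.IsDefaultModeratedRecipientsPolicyTag })
    if (-not $tag) { $tag = @(Get-RetentionPolicyTag 'ModeratedRecipients' -ErrorAction SilentlyContinue) }
    & $add 'Default moderated-recipients retention tag exists' ($tag.Count -gt 0) `
        $(if ($tag) { "$($tag[0].Name), AgeLimitForRetention = $($tag[0].AgeLimitForRetention)" } else { 'missing; create with New-RetentionPolicyTag -IsDefaultModeratedRecipientsPolicyTag' })

    # 5. The Approval Assistant arbitration mailbox must exist on-premises.
    $arb = @(Get-Mailbox -Arbitration -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -eq 'Microsoft Exchange Approval Assistant' })
    & $add 'Approval Assistant arbitration mailbox exists on-premises' ($arb.Count -gt 0) `
        $(if ($arb) { $arb[0].Name } else { 'missing; re-create the arbitration mailbox' })

    return $checks
}

Test-HybridModerationConfig | Format-Table Check, Passed, Detail -AutoSize
```

The Exchange Online side of the accepted-domain requirement is checked with the same Get-AcceptedDomain call run in Exchange Online PowerShell; a failed row points at the matching section above for the fix.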
Additional limitations related to moderation, to be aware of
- Accept/Reject buttons are missing for approvers using Outlook for Mac 2016.
- The Outlook for iOS/Android mobile app and the native mail apps on mobile phones do not show the approve/reject buttons.
- Accept/Reject buttons are missing in OWA on mobile device browsers. The buttons appear if you open the desktop version of the website in the mobile device browser.
- For DGs with more than 5000 recipients, configuring delivery management or message approval options is mandatory; otherwise the sender receives an NDR similar to: rejected with error: "550 5.7.125 RESOLVER.GRP.Blocked.NeedsSenderRestrictions; DL expansion needs sender restrictions or message approval configured."
That is all we wanted to cover; hopefully you find this useful when you run into moderation-related problems!
We wanted to thank Arindam Thokder, Bhalchandra Atre and Nino Bilic for their review of this blog post.
Posted at https://sl.advdat.com/3hPQbUn