We saw how moderation works in the previous post. Here we will see how email moderation works in a Hybrid Exchange environment.
A Hybrid Exchange environment is a configuration/deployment that provides a seamless experience for an Exchange organization between an On-Premise Exchange organization and Exchange Online in Office 365. The two Exchange environments are combined to appear as a single Exchange organization. In the environment below, the company superhybridcloud.com has an Office 365 tenant named superhybridcloud.onmicrosoft.com, and mailboxes exist in both Exchange On-Premise and Exchange Online under the Hybrid Configuration.
An Arbitration Mailbox is available in both Exchange environments. Based on the sender's location, the respective arbitration mailbox processes the email moderation, and the moderator can be in Exchange On-Premise or Exchange Online.
To show how email moderation works in a Hybrid Exchange environment, we will look at the two scenarios below.
- An On-Premise user sends an email to a moderated DL and the moderator mailbox is in Exchange Online.
- An Exchange Online user sends an email to a moderated DL and the moderator mailbox is in On-Premise Exchange.
On-Premise user sends an email to a moderated DL and the moderator mailbox is in Exchange Online
In this scenario, the Arbitration Mailbox in On-Premise Exchange does the email moderation. The diagram below explains the moderation flow when an On-Premise user sends an email to a moderated DL and the moderator mailbox is in Exchange Online.
1. The On-Premise user sends an email to a moderation-enabled distribution group.
2. The Categorizer identifies that the email must be moderated and reroutes it to the Arbitration Mailbox.
3. The Store Driver stores the email in the Arbitration Mailbox and sends a request to the moderator to approve or reject the email. The email@example.com arbitration mailbox sends the moderator an email with approve/reject options.
4. The moderator mailbox is in Exchange Online, so the On-Premise transport server routes the request to Exchange Online for approval or rejection, and the moderator's decision is sent back to the firstname.lastname@example.org arbitration mailbox, which is On-Premise.
5. The Store Driver component on the Transport Role marks the moderator's decision on the copy of the email held in the On-Premise Exchange Arbitration Mailbox.
6. The Information Assistant processes the email based on the moderator's decision:
   6.a If the moderator approves the email, it is delivered to the recipients (the distribution group members). Members can be in On-Premise Exchange and Exchange Online; the On-Premise transport server resolves each recipient and delivers the email accordingly.
   6.b If the moderator rejects the email, a rejection notification is sent to the sender.
7. If the moderator does not take any action, the message expires and a message expiration notification is sent to the sender.
Exchange Online user sends an email to a moderated DL and the moderator mailbox is in On-Premise Exchange
In this scenario, as you guessed, the Arbitration Mailbox in Exchange Online does the email moderation. As of this writing, this is not a working scenario, and the Microsoft Product Engineering Team is working on it.
1. The Exchange Online user sends an email to a moderation-enabled distribution group. Since the distribution group objects, along with their moderation details, are synced from On-Premise Active Directory to Azure AD, the DL's moderation settings are available in Exchange Online.
2. The Categorizer identifies that the email must be moderated and reroutes it to the Exchange Online Arbitration Mailbox with the email address email@example.com.
3. The Store Driver stores the email in the Arbitration Mailbox and sends a request to the moderator to approve or reject the email. The Exchange Online arbitration mailbox (firstname.lastname@example.org) sends the On-Premise Exchange moderator an email with approve/reject options.
4. The moderator mailbox is in Exchange On-Premise, and the moderator's decision is sent back to the arbitration mailbox email@example.com, which is in Exchange Online.
Directory Based Edge Blocking (DBEB) is a feature in Exchange Online Protection (EOP) that checks whether the recipient address exists in Azure AD; if it does not, EOP drops the email.
In step 4, the moderator's approval or rejection email is sent to the Exchange Online Arbitration Mailbox at firstname.lastname@example.org, and by default this address is not available in Azure AD. EOP therefore drops the email, and the remaining steps do not continue.
The Microsoft Support Team is aware of this issue and is working on a permanent fix.
As a workaround, if the moderator is in Exchange Online, email moderation works without any issues for email sent from both On-Premise Exchange and Exchange Online.
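To find the distribution groups that fall into the non-working scenario, the following added example (not part of the original post) lists every moderated group and where each moderator's mailbox lives. It assumes an already connected Exchange Online PowerShell session and that, with directory synchronization, an On-Premise mailbox appears in Exchange Online as a MailUser; `$report` and the Location labels are names chosen for this example.

```powershell
# Added example. Assumes an Exchange Online PowerShell session is already connected.
# Assumption: a moderator whose mailbox is On-Premise appears here as a MailUser.
$report = foreach ($dl in Get-DistributionGroup -ResultSize Unlimited) {
    if (-not $dl.ModerationEnabled) { continue }

    # When no moderators are set explicitly, the group owners (ManagedBy) moderate.
    $moderators = if ($dl.ModeratedBy) { $dl.ModeratedBy } else { $dl.ManagedBy }

    foreach ($moderator in $moderators) {
        # Take the first match so an ambiguous identity cannot return an array.
        $r = Get-Recipient -Identity $moderator -ErrorAction SilentlyContinue |
             Select-Object -First 1

        $location = if (-not $r) { 'Unresolved' }
                    elseif ($r.RecipientTypeDetails -eq 'MailUser') { 'On-Premise' }
                    elseif ($r.RecipientTypeDetails -like '*Mailbox') { 'Exchange Online' }
                    else { [string]$r.RecipientTypeDetails }

        [pscustomobject]@{
            Group     = $dl.PrimarySmtpAddress
            Moderator = if ($r) { $r.PrimarySmtpAddress } else { $moderator }
            Location  = $location
        }
    }
}

# Full inventory of moderated groups and their moderators.
$report | Sort-Object Location, Group | Format-Table -AutoSize

# Groups where an Exchange Online sender would hit the dropped decision email:
# at least one moderator mailbox is On-Premise.
$report | Where-Object Location -eq 'On-Premise' |
    Select-Object -ExpandProperty Group -Unique
```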
Post a comment if you need any further details.