Not able to accept or deny messages sent to group in Exchange Hybrid Scenario

One of the functionalities in Microsoft Exchange for Distribution Groups (or mail-enabled groups for that matter) is the ability to set up an approval workflow. This means you can require any message to be manually approved before it's delivered to user mailboxes. It's a standard functionality for Microsoft Exchange and generally works out of the box. Until it doesn't… and it doesn't stop working by itself. The problem is specific to Exchange On-Premise in a hybrid scenario with Exchange Online, and it manifested itself when some people were moved to Exchange Online while another group stayed on-premise. There were simply no Approve / Deny buttons in the message that was sent to the Approvers.

Why does this happen and how can I fix it?

It happens because TNEF is disabled. To fix it you just need to (you guessed it!) make sure TNEF (Transport Neutral Encapsulation Format) is enabled. Before you go and enable it for the whole world, stop and read what it actually is and what the consequences are; Microsoft's TNEF Conversion article provides a good overview. The short version is that if you enable it for everyone, you will end up with Winmail.dat attachments in your customers' mailboxes, and you don't want that! To stay on the safe side you only have to enable TNEF between Exchange On-Premise and Exchange Online. By default, any messages sent within Exchange On-Premise have TNEF enabled, so things work just fine there. If you enable hybrid with Office 365, you need a couple more steps for things to be in order.

As you most likely know already your Office 365 should have 2 domains that come with it:

<your-tenant>.mail.onmicrosoft.com
<your-tenant>.onmicrosoft.com

The trick is that you have to make sure both of your tenant domains and your on-premise domain send messages with TNEF enabled.

This part should be done on Exchange 2013/2016/2019 On-Premise

On your on-premise server:

Get-RemoteDomain | Select Name, DomainName, TNEF*, Trust*, AllowedOOF*, IsIn*

This should show at least Default (which is basically every domain not defined elsewhere) and 2 additional remote domains called Hybrid Domain – ….

Name                       : Default
DomainName                 : *
TNEFEnabled                :
TrustedMailOutboundEnabled : False
TrustedMailInboundEnabled  : False
AllowedOOFType             : External
IsInternal                 : False

Name                       : Hybrid Domain - tenant.mail.onmicrosoft.com
DomainName                 : tenant.mail.onmicrosoft.com
TNEFEnabled                : True
TrustedMailOutboundEnabled : False
TrustedMailInboundEnabled  : False
AllowedOOFType             : External
IsInternal                 : False

Name                       : Hybrid Domain - tenant.onmicrosoft.com
DomainName                 : tenant.onmicrosoft.com
TNEFEnabled                : True
TrustedMailOutboundEnabled : False
TrustedMailInboundEnabled  : True
AllowedOOFType             : External
IsInternal                 : False


If TNEFEnabled is not set to True for your Hybrid Domains, the approval workflow will not work. The remaining settings (TrustedMailInboundEnabled, TrustedMailOutboundEnabled and AllowedOOFType) are not strictly required for this scenario, but they are the other important bits of a correctly configured hybrid, so make sure to set them up properly as well.

# Domain 1 (replace <tenant> with your tenant name)
Set-RemoteDomain 'Hybrid Domain - <tenant>.mail.onmicrosoft.com' -TNEFEnabled $true -TrustedMailInboundEnabled $True -TrustedMailOutboundEnabled $True -AllowedOOFType InternalLegacy

# Domain 2
Set-RemoteDomain 'Hybrid Domain - <tenant>.onmicrosoft.com' -TNEFEnabled $true -TrustedMailInboundEnabled $True -TrustedMailOutboundEnabled $True -AllowedOOFType InternalLegacy

This part should be done on Office 365

Similarly, you have to do the same thing on the Office 365 side, but only for your main domain, for example evotec.pl.

Get-RemoteDomain | Select Name, DomainName, TNEF*, Trust*, AllowedOOF*, IsIn*

Check whether your main domain already exists as a remote domain. If it doesn't… create it.

New-RemoteDomain -Name 'Evotec' -DomainName 'evotec.pl'

Finally fix settings for it.

# Main domain (the identity is the Name given to New-RemoteDomain above)
Set-RemoteDomain 'Evotec' -TNEFEnabled $true -TrustedMailInboundEnabled $True -TrustedMailOutboundEnabled $True -AllowedOOFType InternalLegacy
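To verify the end state on both sides before and after running the commands above, here is an added example that is not from the original post. It assumes the Exchange cmdlets are loaded in the current session (Exchange Management Shell on-premise, Exchange Online PowerShell in the tenant) and uses the post's placeholder domain names.

```powershell
# Added example (not from the original post): audit the remote domains that the
# hybrid approval mail flow depends on and report which of the settings the
# post configures still diverge. Run it in the on-premise Exchange Management
# Shell with the two Hybrid Domain names, and again in Exchange Online
# PowerShell with the remote domain created for your main domain.
function Test-HybridRemoteDomainTnef {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)]
        [string[]] $Identity,
        # Apply the expected values with Set-RemoteDomain instead of only reporting
        [switch] $Fix
    )

    # Values the post sets on the hybrid remote domains
    $expected = @{
        TNEFEnabled                = $true
        TrustedMailInboundEnabled  = $true
        TrustedMailOutboundEnabled = $true
        AllowedOOFType             = 'InternalLegacy'
    }

    foreach ($name in $Identity) {
        $domain = Get-RemoteDomain -Identity $name -ErrorAction SilentlyContinue
        if (-not $domain) {
            [pscustomobject]@{ Name = $name; Status = 'Missing'; Drift = 'remote domain not found' }
            continue
        }

        # An empty TNEFEnabled means "not set" (what Default shows) and is treated as drift
        $drift = foreach ($key in $expected.Keys) {
            if ("$($domain.$key)" -ne "$($expected[$key])") {
                "$key=$($domain.$key) (expected $($expected[$key]))"
            }
        }

        if ($drift -and $Fix -and $PSCmdlet.ShouldProcess($name, 'Set-RemoteDomain')) {
            Set-RemoteDomain -Identity $name @expected
            $status = 'Fixed'
        } elseif ($drift) { $status = 'Drift' } else { $status = 'OK' }

        [pscustomobject]@{ Name = $name; Status = $status; Drift = ($drift -join '; ') }
    }
}

# On-premise run, using the Hybrid Domain names from the post's output (placeholders):
Test-HybridRemoteDomainTnef -Identity 'Hybrid Domain - tenant.mail.onmicrosoft.com',
    'Hybrid Domain - tenant.onmicrosoft.com' | Format-Table -AutoSize
```

Run it without -Fix first to see the drift; with -Fix -WhatIf it shows what Set-RemoteDomain would change without touching anything.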

And that's it. Once both ends have Remote Domains with TNEFEnabled, you will be able to approve/deny requests (the Approve / Reject buttons will be available). In case you run into an NDR after approving an email (Microsoft Exchange Approval Assistant – Your message couldn't be delivered because delivery to this address is restricted to authenticated senders), just follow this article.

Przemyslaw Klys

System Architect with over 14 years of experience in the IT field. Skilled, among others, in Active Directory, Microsoft Exchange and Office 365. Profoundly interested in PowerShell. Software geek.
