question

MCob-8241 asked

Bypassing or turning off "Reserved Aliases" when creating groups

I'm unable to create groups with aliases such as abuse@domain or postmaster@domain. According to this document, "Groups with the following highly privileged email aliases can only be created by an Azure AD global administrator." However, I still get an error message "Email address is not available" when I try with a global admin account. Is there a way to disable this restriction completely?


Tags: azure-active-directory, office-exchange-online-itpro

michev answered

I seem to be able to repro this when using the Exchange cmdlets to create a mail-enabled security group. The "ignore naming policy" switch doesn't seem to help, so let me ask around.


sikumars-msft answered

Hello @MCob-8241,

Thanks for reaching out.

Unfortunately, no, we can't disable the default reserved aliases; however, these highly privileged email aliases can only be created by an Azure AD global administrator.

Are you facing the issue with Azure as well as on the Office 365 admin portal? Also, are you getting an unauthorized error when you try from the Azure AD module New-UnifiedGroup and the O365 module New-UnifiedGroup? Try sharing the RequestID and TimeStamp as shown below, which would help me get more insight on this issue. Thanks.

(screenshot attachment showing the RequestID and TimeStamp fields omitted)


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.



So, when running the command above exactly as you typed it (to create a security group with the name/alias "abuse") as a global AD admin, I don't get an error. It works fine.

But if I try to create an O365 group, or try to create a distribution group by running an Exchange PowerShell command, then it fails:

The value specified for property Alias is incorrect.
Reason: ContainsBlockedWord DualWrite (Graph)
RequestId: f1ece4b6-551f-46d8-9db7-1c0dc0af45da

I get this same error from the Office 365 Admin Portal and from the Exchange Admin Center.


Thanks for the update.

I verified with our product team and understand that Distribution Group (NOT M365 group) creation has a block policy in place, even for the Global administrator role, which blocks creating an alias with reserved names; the team is working to fix the issue, but unfortunately there is no ETA for now.

However, I would request you to contact Microsoft support for the M365 group creation issue, since this would require further investigation and live troubleshooting. If you don't have a support plan, then I can help you with one-time free support.

Hope this helps. Thanks.

MCob-8241 answered

Thanks for the reply, @sikumars-msft. I had already contacted Office 365 support, and they escalated the ticket internally a few times over almost 3 weeks now. In the end, the answer was (paraphrasing) "Sorry, that's how it is now." I asked why the change was made, or even when, and why there's no documentation anywhere (atypical for a system-wide modification like this) -- they said there is internal documentation on the change, but not released to the public.

They also informed me of a workaround: create the group with a different name/alias/email. Then use PowerShell to add the email with the blocked word as an additional SMTP handler to the group. It's more work, but it completely bypasses the restriction. Then why have this obscure restriction at all?

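The workaround described above (create the group under a non-reserved alias, then attach the reserved address as an additional SMTP proxy address) as an added example; this is not code from the thread or from Microsoft. It assumes the Exchange Online PowerShell module is loaded and Connect-ExchangeOnline has already been run with an Exchange Administrator or Global Administrator account; contoso.com and the group names are placeholders. The verification step at the end exists because the reserved mailboxes (abuse@, postmaster@) are where external parties send abuse reports and bounce notifications, so a silently missing address is a monitoring gap worth catching.

```powershell
# Added example (not from the thread). Assumes Connect-ExchangeOnline has been run
# with an account holding the Exchange Administrator or Global Administrator role.
# "contoso.com" and the group names below are placeholders.

$Domain          = 'contoso.com'               # placeholder accepted domain
$ReservedAliases = @('abuse', 'postmaster')    # aliases blocked at creation time

foreach ($alias in $ReservedAliases) {

    # Step 1: create the distribution group under a non-reserved alias.
    # The blocked-word check in the thread fires only at creation, so a
    # placeholder alias avoids the "ContainsBlockedWord" error.
    $placeholder = "$alias-reports"           # e.g. abuse-reports@contoso.com
    $group = Get-DistributionGroup -Identity $placeholder -ErrorAction SilentlyContinue
    if (-not $group) {
        $group = New-DistributionGroup -Name "$alias reports" `
                                       -Alias $placeholder `
                                       -PrimarySmtpAddress "$placeholder@$Domain" `
                                       -Type Distribution
    }

    # Step 2: attach the reserved address as a secondary SMTP proxy address.
    # Lower-case "smtp:" marks a secondary address; the primary stays unchanged.
    $reserved = "smtp:$alias@$Domain"
    if ($group.EmailAddresses -notcontains $reserved) {
        Set-DistributionGroup -Identity $group.Identity -EmailAddresses @{Add = $reserved}
    }

    # Step 3: re-read the object and confirm the address actually landed,
    # so a rejected or skipped proxy address is reported rather than assumed.
    $check = Get-DistributionGroup -Identity $group.Identity
    if ($check.EmailAddresses -contains $reserved) {
        Write-Output "OK: $alias@$Domain now delivers to $($check.PrimarySmtpAddress)"
    } else {
        Write-Warning "FAILED: $alias@$Domain was not added to $($check.Identity)"
    }
}
```

For a Microsoft 365 group rather than a distribution group, Set-UnifiedGroup accepts the same `-EmailAddresses @{Add = ...}` form. The reserved address is deliberately left as a secondary proxy address, matching what support described; the group's primary address remains the placeholder, and nothing here removes or reassigns addresses on existing objects.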

JD-1935 answered

Sorry but this kind of indifference in the product doesn't make any sense.

We can create the alias on one object class but not another?

We don't need to create M365 Groups for everything.
We don't need to create Security Groups just to have an email address that isn't going to be used anywhere.

It's a rather ridiculous enforcement policy, to be honest, and as stated above, the errors and lack of documentation aren't just frustrating; they're unnecessary.


https://office365itpros.com/2021/08/30/nconsistency-dealing-with-reserved-email-aliases-in-microsoft-365/

is the only complete list I can find, and for Microsoft to introduce what is effectively a breaking change without communicating with the community (at least, nothing I've seen) is also short-sighted.



https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/configure-external-postmaster-address

This is the only documentation that I can find on configuring a postmaster address, and to be frank, its only use is for sending NDRs.

The default behavior of adding an EMAIL DOMAIN should be to configure this option and allow it to be overwritten by other methods.

By putting in this breaking change, I now cannot modify distribution lists that were created with postmaster/abuse@domain.




It should also be noted that executing:

 Get-AzureADDirectorySetting | Select -ExpandProperty Values

Returns the following:

 PS C:\Windows\system32> Get-AzureADDirectorySetting | Select -ExpandProperty Values

 Name                          Value
 ----                          -----
 EnableMIPLabels               false
 CustomBlockedWordsList
 EnableMSStandardBlockedWords  false
 ClassificationDescriptions
 DefaultClassification
 PrefixSuffixNamingRequirement
 AllowGuestsToBeGroupOwner     false
 AllowGuestsToAccessGroups     true
 GuestUsageGuidelinesUrl
 GroupCreationAllowedGroupId
 AllowToAddGuests              true
 UsageGuidelinesUrl
 ClassificationList
 EnableGroupCreation           false


Notice that EnableMSStandardBlockedWords is set to False and you still can't use abuse/postmaster etc?


Notice that EnableMSStandardBlockedWords is set to False and you still can't use abuse/postmaster etc?

I pointed this out to multiple layers of tech support too. They didn't seem to think this was a problem.


It's a rather ridiculous enforcement policy to be honest

Agreed, it is a ridiculous rule, enforced only during object creation but then allowing ways to edit the object and bypass the policy. Imagine NTFS security enforced the same way: you can't create files on this folder, but if you created them in another folder then we'll allow you to copy them here. Stupid.
