Fixing Office 365 Anonymous Group Write-back and External Delivery

Yes, Hell has frozen over. The cows have come home. The lady of size has sung.

I have come up with a "best case" solution for the Office 365 hybrid group write-back problem.



For the long(er) background, you'll probably want to go see this post.

For the tl;dr readers:

  1. Office 365 Groups can be written-back to on-premises environments to make them visible to on-premises users.
  2. If your MX record is pointed to an on-premises environment and you have Office 365 Group write-back turned on and some of those groups are configured for anonymous receive (ie, allowed to receive unauthenticated or anonymous messages from the internet), external senders will receive an NDR with the ever-popular and cryptic message "You do not have permission to send to this recipient."

As was previously discussed in the post, this is because AAD Connect writes a constant value of True for the msExchRequireAuthToSendTo attribute of a written-back group. The synchronization service cannot read the actual value of the attribute from the cloud, which is why a constant needs to be used.

The calamity.

Solution overview and limitations

So, here is how to fix it the best way we can at the moment.  It involves changing the constant value of msExchRequireAuthToSendTo from True to False.  This will allow the on-premises system to route the mail to Office 365, where the value stamped on the actual object will be evaluated.  If the cloud value is True, Office 365 will generate an NDR and relay it back out.  If the cloud value on the group is False, the message will be delivered.

The caveat is this:

Mail will be delivered to any on-premises mailboxes that are members of any Office 365 groups regardless of the cloud value if this configuration change is made to the attribute globally.

To minimize this risk, I recommend modifying the Description attribute of all the Office 365 groups that will require anonymous (external) delivery with a value that you can use as a scoping filter--that way, we can target updating only groups that have a specific keyword in the description of the group.  For this exercise, I modified the description attribute to start with the word EXTERNAL.

Pre-pend description field with EXTERNAL

  1. Connect to Office 365 via PowerShell.

     $Credential = Get-Credential
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $Credential -Authentication Basic -AllowRedirection
    Import-PSSession $Session
  2. List all the groups that allow external senders.

     Get-UnifiedGroup -ResultSize Unlimited | ? { $_.RequireSenderAuthenticationEnabled -eq $false } | Select Alias,Name,Notes

  3. Update the description (Notes) field to prepend the text to use as a scoping filter (in this case, EXTERNAL).

     Get-UnifiedGroup -ResultSize Unlimited | ? { $_.RequireSenderAuthenticationEnabled -eq $false } | % { Set-UnifiedGroup $_.Identity -Notes "EXTERNAL - $($_.Notes)" }

  4. Verify the update.

     Get-UnifiedGroup -ResultSize Unlimited | ? { $_.RequireSenderAuthenticationEnabled -eq $false } | Select Alias,Name,Notes

  5. Wait for an AAD Connect delta sync cycle to run (or initiate one yourself from the AAD Connect server's PowerShell interface with the following command):

     Start-ADSyncSyncCycle -PolicyType Delta

Note: This is a one-time update.  Going forward, you'll need to train your users to both:

  • Ensure the "Let people outside the organization email the group" checkbox is selected in the group configuration
  • Update the description of the Office 365 groups they manage that need to accept mail from external senders to include the text that's going to be used as the scoping filter.  They can do this by editing the group in Outlook (Select Group from Outlook navigation pane | Group Settings | Description) or in Outlook Web App (People | Groups | Edit Group | Description) and putting the necessary text in that you want to use as a scoping filter in the description field.

Create an outbound to Active Directory rule to modify the attribute value

  1. Launch the Synchronization Rules Editor (Start | Synchronization Rules Editor).
  2. Under the Direction label, select Outbound.   Click Add New Rule.
  3. Enter a Name for the rule, select your Active Directory connector under Connected System, and then select group for both the Connected System Object Type and the Metaverse Object Type.  Ensure the Link Type is set to Join, and then enter a low precedence number (such as 50). Click Next when finished. If you have more than one Active Directory forest configured in AAD Connect, select the forest to which Office 365 groups are written back.
  4. On the Scoping filter page, click Add group.
  5. Click Add clause.
  6. In the Attribute column drop-down, select cloudMastered.  Under Operator, select EQUAL. In the Value box, type true.  Click Add clause, select description. Under Operator, select STARTSWITH. In the Value box, type EXTERNAL.  Click Next.
  7. On the Join rules page, just click Next without adding anything.
  8. Click the Add transformation button.
  9. Under the FlowType drop-down, select Constant.  Under the Target Attribute, select msExchRequireAuthToSendTo.  Under Source, enter false and click Add.
  10. Close the Synchronization Rules Editor.

Preview the objects

  1. From the Synchronization Service user interface, select the Active Directory connector.  If you have more than one Active Directory connector, select the connector representing the directory where the Office 365 groups will be written back.
  2. Right-click on the connector and select Search Connector Space.
  3. Under Scope, select RDN, and in the Specify relative distinguished name (RDN) or anchor value box, enter CN=Group_ (all Office 365 groups written back on-premises are prefaced with Group_ ) and click Search.
  4. Select a group from the list and click Preview. Note: You may want to select Column Settings... and add the Display Name column so you can more easily identify your synchronized groups.
  5. Select the Full Synchronization radio button and click Generate Preview.
  6. Expand Connector Updates | CN=Group_<guid> | Export Attribute Flow, and then look in the window for the msExchRequireAuthToSendTo attribute.  Note the value in the column should be false.
  7. Click Close twice to close the Preview and Search Connector Space dialog boxes.

Make it so

  1. Right-click the Active Directory connector, click Run.
  2. Select the Full Synchronization option and then click OK.  This will run the synchronization rule on all in-scope objects and stage the changes for export.
  3. After the run profile task has completed, right-click the Active Directory connector, select Run, select Export and click OK.  This will write the changes to Active Directory.
  4. After the run profile task has completed, launch Active Directory Users and Computers, navigate to the organizational unit containing the written-back Office 365 Groups, expand a group, and on the Attribute Editor tab, view the value for msExchRequireAuthToSendTo. Or, alternately, add the msExchRequireAuthToSendTo column to ADUC and review them all.

Now, your external senders should be able to relay to your Office 365 groups via your on-premises gateway.  Woo!