I'm currently facing a puzzling issue with a mail-enabled security group in our hybrid environment, where we only have AD sync and no exchange server. A bit of background: we migrated several groups and mailboxes to Office 365 back in 2020. However, one specific on-prem security group is unable to receive emails from external sources. In the exchange admin center, it's showing an option that states, "Sender options: Only allow messages from people inside my organization." I've checked the attributes in Active Directory (AD), and they all seem identical among the groups, particularly the "msExchRequireAuthToSendTo" attribute, which is set to "FALSE." The group's updates via AD connect work without issues, but I'm stumped about why external emails are getting blocked. I'm hesitant to delete and recreate this group since it's tied to various SharePoint and folder permissions. I wonder if there's something simple I've missed here?
2 Answers
Totally get your frustration. It's strange that only this specific group is acting up while others are fine. You mentioned trying forwarding rules, but they didn't work? That might indicate a deeper issue. Also, since it's an AD synced group, all changes must go through AD. Double-check that all necessary permissions are set, including the attributes affecting forwarding. If not, a potential fix could be temporarily removing the group from the AD sync, making the needed changes, and then re-adding it. It's not a fun solution, but worth considering!
That's an interesting point about removing it from sync. It sounds risky, but desperate times call for desperate measures!
It sounds like you're bumping into a design choice in the mail system. Security groups aren't meant to be exposed as email addresses to the outside world, which is likely why you're seeing that limitation. One workaround could be to set up a shared mailbox just for this purpose. You could have that mailbox forward any emails it gets to the security group. But if you're considering allowing emails from all sources to this group, remember there are risks. If that email address gets out, you could end up with spam or worse, compromising the group. So it's a bit of a double-edged sword!
Yeah, definitely think about the security risk. If a malicious actor gets their hands on that address, they could exploit it. Definitely not the ideal situation.
I'm with you on the security concern. Plus, it seems weird this group is acting differently when all the attributes look the same as others allowing external emails. Hope you find a fix soon!
Thanks for the tip! I’ll definitely look into those settings again to see if something slipped through the cracks.