Exchange Online - Enable group moderation and sending restrictions

Whether a group is large or has a restricted set of users, you may need to limit who can send to these mail-enabled security groups. You may also want to enable moderation so that specific users can approve or deny messages before they reach the members.

The good news is that all this can be done by using AD and Exchange to enable group moderation.

Configuring moderation in an Exchange Online / Active Directory environment

These steps are geared towards environments which have their Active Directory schema extended with Exchange attributes and that sync to AAD with Azure AD Connect. In this scenario, Exchange is not in hybrid mode.

Getting to know your attributes

| Name | AD Attribute | Description | Values |
| --- | --- | --- | --- |
| Allow send from (user) | authOrig | List of senders (users) that are allowed to send to the group | List of user distinguished names (dn) |
| Block send from (user) | unAuthOrig | List of senders (users) that are blocked from sending to the group | List of user distinguished names (dn) |
| Allow send from (group) | dlMemSubmitPerms | List of senders (groups) that are allowed to send to the group. This is used in place of authOrig if you need to specify groups* | List of group distinguished names (dn) |
| Block send from (group) | dlMemRejectPerms | List of senders (groups) that are blocked from sending to the group. This is used in place of unAuthOrig if you need to specify groups* | List of group distinguished names (dn) |
| Require senders to be authenticated | msExchRequireAuthToSendTo | Used to limit senders to only authenticated users (inside organization) | Require sending from authenticated source = True, Allow sending from any source = False |
| Enable group moderation | msExchEnableModeration | Is moderation configured for this group? | Moderation enabled = True, Moderation disabled = False |
| List of moderators | msExchModeratedByLink | List of users who will receive and manage the approve/deny emails. The maximum number of moderators is 10. If you specify more than 10 then Exchange will throw an exception and moderation will not work as intended. | List of user distinguished names |
| Skip email approval | msExchBypassModerationLink | List of users who can send emails without requiring approval/moderation | List of user distinguished names |
| Sender notification | msExchModerationFlags | What notification (if any) will the sender receive when their email is not approved | Notify all senders when their messages aren't approved = 6. Notify senders in your organization when their messages aren't approved = 2. Don't notify anyone when a message isn't approved = 0 |
| Hide from address book lists | msExchHideFromAddressLists | Is this group hidden from address books in Exchange? | Hidden from address books = True, Visible in address books = False |
| Managed by | managedBy | Users who can manage the membership of the group | List of users |
| Members | member | List of users who are members of the group; they will receive any approved emails sent to the group | List of users |

Notes about restricting send from

authOrig/unauthOrig are used to store a list of DNs of specific users who have/do not have permission to send to the object.

dlMemSubmitPerms/dlMemRejectPerms are used to store a list of DNs of groups whose members are considered to have/not have permission to send to the object.

dlMemSubmitPerms/dlMemRejectPerms cannot be used to store DNs of specific users you want to allow/deny access to. The values in these attributes are always interpreted as groups. User objects aren't groups, and listing a user DN in one of these attributes would have the same effect as listing an empty group instead.

authOrig and dlMemSubmitPerms are used to grant access to specified users/groups. If either of these attributes is present, anyone not listed under authOrig or who is not a member of a group listed under dlMemSubmitPerms will be denied access.

unauthOrig and dlMemRejectPerms are used to deny access to specified users/groups. If either of these attributes is present, anyone not listed under unauthOrig or who is not a member of a group listed under dlMemRejectPerms will automatically be granted access.

Taken from https://groups.google.com/forum/#!topic/microsoft.public.exchange.development/clYIH052JXw

Examples

Turn on moderation for a group

Enable moderation of group, require authenticated senders and specify a moderator

Set-ADObject -Identity [GROUP_IDENTIFIER] -Replace @{msExchEnableModeration = $true; msExchRequireAuthToSendTo = $true; msExchModeratedByLink = @("[DN_OF_A_USER]")}

Enable restricted sending for a group

Allow only users in a specific group to send to the group

Set-ADObject -Identity [GROUP_IDENTIFIER] -Replace @{dlMemSubmitPerms = @("[DN_OF_ALLOWED_GROUP]")}

Enable specific users to bypass moderation

Allow specific users to bypass moderation and send directly to members of the group

Set-ADObject -Identity [GROUP_IDENTIFIER] -Replace @{msExchBypassModerationLink = @("[DN_OF_ALLOWED_USER]")}
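
Audit a group's moderation and sending restrictions

The following is an added example, not code from the original post: it checks a group against the rules in the attribute table and notes above (the 10-moderator limit, user DNs placed in the group-only attributes, unauthenticated senders, bypass entries). The function name Test-GroupSendPolicy, its -ResolveClass parameter and the sample DNs are assumptions made for illustration.

```powershell
# Added example; Test-GroupSendPolicy, -ResolveClass and the sample DNs are illustrative.
function Test-GroupSendPolicy {
    param(
        [Parameter(Mandatory)] $Group,
        # Returns a DN's objectClass. The default queries AD; pass your own to run offline.
        [scriptblock] $ResolveClass = { param($dn) (Get-ADObject -Identity $dn).ObjectClass }
    )
    $findings   = @()
    $moderators = @($Group.msExchModeratedByLink | Where-Object { $_ })
    $bypass     = @($Group.msExchBypassModerationLink | Where-Object { $_ })

    if ($Group.msExchEnableModeration -and $moderators.Count -eq 0) {
        $findings += 'Moderation is enabled but msExchModeratedByLink is empty'
    }
    if ($moderators.Count -gt 10) {
        $findings += "msExchModeratedByLink has $($moderators.Count) entries (maximum is 10)"
    }
    if ($Group.msExchEnableModeration -and $bypass.Count -gt 0) {
        $findings += "Review moderation bypass list: $($bypass -join '; ')"
    }
    # dlMemSubmitPerms/dlMemRejectPerms values are always interpreted as groups,
    # so a user DN here behaves like an empty group.
    foreach ($attr in 'dlMemSubmitPerms', 'dlMemRejectPerms') {
        foreach ($dn in @($Group.$attr | Where-Object { $_ })) {
            $class = & $ResolveClass $dn
            if ($class -ne 'group') {
                $findings += "$attr lists a non-group object ($class): $dn"
            }
        }
    }
    if (-not $Group.msExchRequireAuthToSendTo) {
        $findings += 'msExchRequireAuthToSendTo is not True: sending from any source is allowed'
    }
    [pscustomobject]@{ Group = $Group.Name; Findings = $findings }
}

# Constructed sample standing in for an object returned by Get-ADGroup -Properties *
$sample = [pscustomobject]@{
    Name                       = 'All-Staff'
    msExchEnableModeration     = $true
    msExchRequireAuthToSendTo  = $false
    msExchModeratedByLink      = @(1..11 | ForEach-Object { "CN=Mod$_,OU=Users,DC=example,DC=com" })
    dlMemSubmitPerms           = @('CN=Comms,OU=Groups,DC=example,DC=com', 'CN=Alice,OU=Users,DC=example,DC=com')
    msExchBypassModerationLink = @('CN=Bob,OU=Users,DC=example,DC=com')
}
$offline = { param($dn) if ($dn -like '*OU=Groups*') { 'group' } else { 'user' } }
(Test-GroupSendPolicy -Group $sample -ResolveClass $offline).Findings
```

Against a live directory, pass objects returned by Get-ADGroup with -Properties * and omit -ResolveClass so that each DN is resolved with Get-ADObject.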