Jet Mariano

Tag: RequireSenderAuthenticationEnabled

  • Fixing “Sender not allowed” to an internal group (Exchange Online) — a quick forensic + runbook

    POST BODY

    When a partner emailed our all-hands list, they got an NDR:
    “the group only accepts messages from people in its organization or on its allowed senders list… sender not allowed.”

    We’d solved this once before and didn’t capture the steps. This time we did.

    Forensic summary (redacted)

    • group: all@[corp-redacted].com
    • external sender: firstname.lastname@[partner-redacted].com
    • symptom: NDR “sender not allowed”
    • root causes:
      1. the group required authenticated (internal) senders only, and
      2. the external wasn’t on the group’s allowed-senders list
    • gotcha we hit: New-MailContact failed with ProxyAddressExists — an existing MailUser already owned the external SMTP, so we reused it instead of creating a new contact

    Straight line (what fixed it)

    1. identify group by SMTP and check whether it’s a DL or a Microsoft 365 Group
    2. locate the external as an existing MailContact/MailUser (include soft-deleted objects)
    3. add that object to the group’s AcceptMessagesOnlyFromSendersOrMembers list
    4. allow the group to accept external senders (keeps the allow-list in effect)
    5. test and confirm with Message trace

    Reusable runbook (PowerShell, redacted)

    # 0) Connect
Connect-ExchangeOnline

# 1) Variables (edit these)
$GroupSmtp = "all@[corp-redacted].com"
$ExternalAddresses = @("firstname.lastname@[partner-redacted].com")

# 2) Resolve the group (works for DL or M365 Group)
$grp = Get-EXORecipient -Filter "PrimarySmtpAddress -eq '$GroupSmtp'"
$grp | fl Name,RecipientTypeDetails,PrimarySmtpAddress,Identity,ExternalDirectoryObjectId

# 3) Ensure each external exists as a recipient we can allow (MailContact/MailUser).
#    If already present (or soft-deleted), reuse it.
$recips = @()
foreach ($addr in $ExternalAddresses) {
  $r = Get-EXORecipient -ResultSize Unlimited -IncludeSoftDeletedRecipients `
       -Filter "PrimarySmtpAddress -eq '$addr'"
  if (-not $r) {
    try { New-MailContact -Name $addr -ExternalEmailAddress $addr | Out-Null
          $r = Get-EXORecipient -Filter "PrimarySmtpAddress -eq '$addr'" }
    catch { Write-Host "Contact already exists somewhere: $addr" }
  }
  $recips += $r
}
$recips | ft Name,RecipientTypeDetails,PrimarySmtpAddress -AutoSize

# 4) Add externals to allow-list AND allow external senders
if ($grp.RecipientTypeDetails -eq "GroupMailbox") {
  # Microsoft 365 Group (Unified Group)
  foreach ($r in $recips) {
    Set-UnifiedGroup -Identity $grp.ExternalDirectoryObjectId `
      -AcceptMessagesOnlyFromSendersOrMembers @{Add=$r.Identity}
  }
  Set-UnifiedGroup -Identity $grp.ExternalDirectoryObjectId -AllowExternalSenders:$true
  Get-UnifiedGroup -Identity $grp.ExternalDirectoryObjectId |
    fl DisplayName,PrimarySmtpAddress,AllowExternalSenders,AcceptMessagesOnlyFromSendersOrMembers
} else {
  # Distribution Group / Mail-enabled Security Group
  foreach ($r in $recips) {
    Set-DistributionGroup -Identity $grp.Identity `
      -AcceptMessagesOnlyFromSendersOrMembers @{Add=$r.Identity}
  }
  Set-DistributionGroup -Identity $grp.Identity -RequireSenderAuthenticationEnabled:$false
  Get-DistributionGroup -Identity $grp.Identity |
    fl DisplayName,PrimarySmtpAddress,RequireSenderAuthenticationEnabled,AcceptMessagesOnlyFromSendersOrMembers
}

# 5) Message trace (adjust window)
Get-MessageTrace -SenderAddress $ExternalAddresses[0] -RecipientAddress $GroupSmtp `
  -StartDate (Get-Date).AddHours(-2) -EndDate (Get-Date) |
  ft Received,Status,RecipientAddress,MessageId

    Common pitfalls we saw (and how we handled them)

    • ProxyAddressExists on New-MailContact → an existing MailUser/Contact already holds that SMTP; reuse it (or permanently remove the soft-deleted recipient first).
    • group can’t be found by display name → target by SMTP with Get-EXORecipient -Filter "PrimarySmtpAddress -eq '...'".
    • delivery still blocked after allow-list → the DL still required authenticated senders; set RequireSenderAuthenticationEnabled:$false (DL) or AllowExternalSenders:$true (M365 Group).

    Click-path (EAC, if you don’t want PowerShell)

    • Recipients → Contacts → add/find the partner’s contact
    • Recipients → Groups → open the group → Delivery management → “Accept messages from” → add the contact
    • For DLs: turn off “Require sender authentication”
    • For M365 Groups: enable “Allow external senders”

    Prevention / hygiene

    • keep an “Authorized External Senders — all” mail-enabled security group; allow that group on the DL/M365 Group, then just add/remove partner contacts over time
    • document the NDR verbatim and the message trace ID when you close an incident

    Redaction note

    All addresses and names are redacted. Replace with your real SMTPs when running the script.

    © 2012–2025 Jet Mariano. All rights reserved.
    For usage terms, please see the Legal Disclaimer.

error: Content is protected !!