Directory Based Edge Blocking for Exchange Online Protection

Problem: Exchange Hybrid didn't forward mail to on-prem Exchange mailboxes, and the sender receives an NDR saying the message was rejected.

Why: Directory Based Edge Blocking rejects mail to an address if no user object with that target address attribute exists in Azure Active Directory, treating it as an invalid recipient.

Solution: In the Exchange Admin Center for Exchange Online, change the domain type from Authoritative to Internal Relay, letting your on-prem Exchange servers reject the forwarded mail instead of Exchange Online Protection.

This can be needed for on-prem shared mailboxes or SMTP aliases that don't have an Active Directory user to synchronize to Azure Active Directory.
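The same change made from Exchange Online PowerShell instead of the admin center, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module is installed, and the domain name is a placeholder to replace with your own accepted domain.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement
# module is installed; the domain name below is a placeholder.
Connect-ExchangeOnline

$domain = "contoso.example"   # placeholder: replace with your accepted domain

# Show the current type. Authoritative means Exchange Online Protection itself
# rejects recipients it cannot find in Azure Active Directory.
Get-AcceptedDomain -Identity $domain | Select-Object DomainName, DomainType

# Switch to Internal Relay so mail for recipients unknown to Azure AD is
# forwarded to on-prem Exchange, which then accepts or rejects it.
Set-AcceptedDomain -Identity $domain -DomainType InternalRelay

# Verify the change took effect.
Get-AcceptedDomain -Identity $domain | Select-Object DomainName, DomainType
```

After the switch, the on-prem side must be the one that rejects unknown recipients, so the domain should remain Authoritative in on-prem Exchange; otherwise mail for non-existent addresses is accepted and NDRs are generated later instead of at the edge.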

Why not: Hybrid has always configured domains as Internal Relay, but keeping Authoritative would lower your risk, since such mail is rejected before it hits your internal network and bandwidth is reduced. Exchange Online Protection will reject many of the incoming mails anyway, so I don't think it is a problem to keep using Internal Relay instead of having every user object synchronized to Azure Active Directory.


I am Roy Apalnes, a Microsoft Cloud Evangelist working at Sopra Steria. My main focus is Microsoft Security and Endpoint Management, with the bigger picture in mind.
