One of the functionalities in Microsoft Exchange for Distribution Groups (or mail-enabled groups for that matter) is the ability to set up an approval workflow. This means you can require every message to be manually approved before it's delivered to user mailboxes. It's standard functionality for Microsoft Exchange and generally works out of the box. Until it doesn't… and of course it doesn't stop working by itself. The problem is strictly related to Exchange On-Premise in a hybrid scenario with Exchange Online, and it manifested itself when some people were moved to Exchange Online while another group stayed on-premise. There were simply no Approve / Deny buttons in the message that was sent to the Approvers.
It happens because TNEF is disabled. And to fix it, you just need to (you guessed it!) make sure TNEF (Transport Neutral Encapsulation Format) is enabled. Before you go and enable it for the whole world, you should stop and read about what it actually is and what the consequences are. Microsoft's TNEF Conversion article provides a good overview. The short version is that if you enable it for everyone, you will end up with Winmail.dat attachments in your customers' mailboxes. And you don't want that! To stay on the safe side, you only have to enable TNEF for mail flowing between Exchange On-Premise and Exchange Online. By default any messages sent within Exchange On-Premise have TNEF enabled, so things work just fine there. If you enable HYBRID with Office 365, you need a couple more steps for things to be in order.
As you most likely know already, your Office 365 tenant comes with 2 domains: tenant.onmicrosoft.com and tenant.mail.onmicrosoft.com (the ones the Hybrid Domain remote domains shown below are named after).
The trick is that you have to make sure both of your tenant domains and your on-premise domain are sending messages with TNEF enabled.
On your on-premise server:
Get-RemoteDomain | Select Name, DomainName, TNEF*, Trust*, AllowedOOF*, IsIn*
This should show at least Default (which is basically every domain not defined otherwise) and 2 additional remote domains called Hybrid Domain – ….
Name                       : Default
DomainName                 : *
TNEFEnabled                :
TrustedMailOutboundEnabled : False
TrustedMailInboundEnabled  : False
AllowedOOFType             : External
IsInternal                 : False

Name                       : Hybrid Domain - tenant.mail.onmicrosoft.com
DomainName                 : tenant.mail.onmicrosoft.com
TNEFEnabled                : True
TrustedMailOutboundEnabled : False
TrustedMailInboundEnabled  : False
AllowedOOFType             : External
IsInternal                 : False

Name                       : Hybrid Domain - tenant.onmicrosoft.com
DomainName                 : tenant.onmicrosoft.com
TNEFEnabled                : True
TrustedMailOutboundEnabled : False
TrustedMailInboundEnabled  : True
AllowedOOFType             : External
IsInternal                 : False
If TNEFEnabled is not set to True for your Hybrid Domains, you won't get the Approval Workflow working. The remaining settings (TrustedMailInboundEnabled, TrustedMailOutboundEnabled, AllowedOOFType) are not strictly required for this scenario, but they are the important bits for hybrid mail flow apart from TNEFEnabled, so make sure to set those up properly as well while you're at it.
# Domain 1
Set-RemoteDomain 'Hybrid Domain - <tenant>.mail.onmicrosoft.com' -TNEFEnabled $true -TrustedMailInboundEnabled $True -TrustedMailOutboundEnabled $True -AllowedOOFType InternalLegacy
# Domain 2
Set-RemoteDomain 'Hybrid Domain - <tenant>.onmicrosoft.com' -TNEFEnabled $true -TrustedMailInboundEnabled $True -TrustedMailOutboundEnabled $True -AllowedOOFType InternalLegacy
Similarly, you have to do the same thing on the Office 365 side, but only for your main on-premise domain, for example evotec.pl:
Get-RemoteDomain | Select Name, DomainName, TNEF*, Trust*, AllowedOOF*, IsIn*
Check whether your main domain already exists as a remote domain. If it doesn't… create it:
New-RemoteDomain -Name 'Evotec' -DomainName 'evotec.pl'
Finally, fix the settings for it (the identity is the Name given to New-RemoteDomain above):
# Main on-premise domain (created above with -Name 'Evotec')
Set-RemoteDomain 'Evotec' -TNEFEnabled $true -TrustedMailInboundEnabled $True -TrustedMailOutboundEnabled $True -AllowedOOFType InternalLegacy
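Because the whole point is to enable TNEF only for the hybrid partner and not for the Default remote domain, it helps to audit both sides before and after the change. The function below is an added example written for this post (it is not code from the original article); it runs in either an on-premise Exchange Management Shell or an Exchange Online PowerShell session, reports every remote domain that deviates from the intended state, flags any non-hybrid domain (Default included) that forces TNEF on, and only touches the hybrid domains when -Fix is given. The function name, the -HybridDomainName parameter and the sample domain lists are assumptions; the cmdlets and property names are the ones used above.

```powershell
# Added example (not from the original post). Audit RemoteDomain TNEF settings on one side
# of a hybrid deployment; pass the domains that must carry TNEF for that side.
function Test-HybridTnefConfig {
    [CmdletBinding()]
    param(
        # On-premise: the two tenant domains. Office 365: your accepted on-premise domain(s).
        [Parameter(Mandatory)]
        [string[]] $HybridDomainName,

        # Apply Set-RemoteDomain to non-compliant hybrid domains instead of only reporting.
        [switch] $Fix
    )

    $all      = @(Get-RemoteDomain)
    $present  = $all | ForEach-Object { [string]$_.DomainName }
    $findings = @()

    foreach ($rd in $all) {
        $domain = [string]$rd.DomainName

        if ($HybridDomainName -contains $domain) {
            # Hybrid partner: TNEF must stay on so approval buttons survive the hop.
            $ok = ($rd.TNEFEnabled -eq $true) -and
                  ($rd.TrustedMailInboundEnabled -eq $true) -and
                  ($rd.TrustedMailOutboundEnabled -eq $true) -and
                  ([string]$rd.AllowedOOFType -eq 'InternalLegacy')
            $note = if ($ok) { '' } else { 'TNEF / trusted mail / OOF not set for hybrid traffic' }

            $findings += [pscustomobject]@{
                Name = $rd.Name; DomainName = $domain; Role = 'Hybrid'; Compliant = $ok; Note = $note
            }

            if (-not $ok -and $Fix) {
                Set-RemoteDomain -Identity $rd.Identity -TNEFEnabled $true `
                    -TrustedMailInboundEnabled $true -TrustedMailOutboundEnabled $true `
                    -AllowedOOFType InternalLegacy
            }
        }
        elseif ($rd.TNEFEnabled -eq $true) {
            # Any other remote domain (notably Default = '*') forcing TNEF on means outside
            # recipients receive Winmail.dat attachments. Report it; never change it silently.
            $findings += [pscustomobject]@{
                Name = $rd.Name; DomainName = $domain; Role = 'External'; Compliant = $false
                Note = 'TNEFEnabled forced on for a non-hybrid domain (Winmail.dat risk)'
            }
        }
    }

    # Hybrid domains with no RemoteDomain object at all (the Office 365 side case in the post):
    # New-RemoteDomain is needed before anything can be set on them.
    foreach ($d in $HybridDomainName) {
        if ($present -notcontains $d) {
            $findings += [pscustomobject]@{
                Name = ''; DomainName = $d; Role = 'Hybrid'; Compliant = $false
                Note = 'No remote domain exists; create it with New-RemoteDomain first'
            }
        }
    }

    $findings
}

# Usage (assumed sample domain lists):
# On-premise Exchange Management Shell, report only:
#   Test-HybridTnefConfig -HybridDomainName 'tenant.onmicrosoft.com','tenant.mail.onmicrosoft.com' | Format-Table
# Exchange Online session, report and fix the hybrid entry:
#   Test-HybridTnefConfig -HybridDomainName 'evotec.pl' -Fix | Format-Table
```

Run it first without -Fix on both sides and keep the output: a row with Role External and Compliant False is exactly the "TNEF for the whole world" situation the post warns about, and it will not be corrected by the -Fix switch on purpose.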
And that's it. Once both ends cover their Remote Domains with TNEFEnabled, you will be able to approve/deny requests (as in, the Approve / Reject buttons will be available for you). In case you run into an NDR after approving the email (Microsoft Exchange Approval Assistant – Your message couldn't be delivered because delivery to this address is restricted to authenticated senders), just follow this article.