I’ve been using Exchange 2016 in a hybrid configuration for a few years now and have a few moderated groups I manage. An issue I ran into with this is that when messages come in for moderation I did not have Accept\Reject buttons coming up in Outlook or in OWA. After some research, I found that some changes were needed both in Exchange 2016 and EXO configs, all of which need to be done with PowerShell.

The issue stems from the approval messages coming in from SystemMailbox{}@.onmicrosoft.com. But the Hybrid configuration wizard only sets up a remote domain entry for .mail.onmicrosoft.com, using the New-RemoteDomain cmdlet. This cmdlet registers and SMTP namespace so policies and mail-flow can be controlled for it specifically, via the Set-RemoteDomain cmdlet

You can check your current remote domain list by running: Get-RemoteDomain. This should return a Default\* entry and one for each SMTP domain you are using with EXO. By default these hybrid entries are named “Hybrid Domain – “, you should at least have one called “Hybrid Domain – YourTenant.mail.onmicrosoft.com” with a DomainName of .mail.onmicrosoft.com.

Note: The YourTenant value is your tenant’s short name setup in Office 365, mine is izken.onmicrosoft.com for example.

To fix the issue, so you can Accept\Reject moderated messages you need to do the following on-premises

1. Create a new remote domain entry for YourTenant.onmicrosoft.com, using the cmdlet below

New-RemoteDomain -Name "Hybrid Domain - YourTenant.onmicrosoft.com" -DomainName YourTenant.onmicrosoft.com

2. Update the setting for these new RemoteDomain entry to make it a trusted domain

Set-RemoteDomain -Name "Hybrid Domain - YourTenant.onmicrosoft.com" -IsInternal $true -TargetDeliveryDomain $true -AllowedOOFType InternalLegacy -MeetingForwardNotificationEnabled $true -TrustedMailOutboundEnabled $true -TrustedMailInboundEnabled $true -UseSimpleDisplayName $true -TNEFEnabled $true

3. Add YourTenant.onmicrosoft.com to Send Connector to Exchange online.
   Below my Send Connector is called “Send to EXO”, this name will vary. Run Get-SendConnector if needed to get the name.

Set-SendConnector "Send to EXO" -AddressSpaces: @{Add=YourTenant.onmicrosoft.com"}

Then you need to do the following to update Exchange Online:

4. Connect to EXO, run the below cmdlet from any PowerShell prompt

$UserCredential= Get-Credential ; $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $UserCredential -Authentication Basic -AllowRedirection ; Import-PSSession $Session

5. Create a new RemoteDomain entry for YourDomain.onmicrosoft.com
6. Repeat the step below for each of your domains, replacing “YourTenant.onmicrosoft.com” with the DNS domain name for each hybrid SMTP domain.
   Note: You should have a RemoteDomain entry for each of your SMTP domains, where messages need to be routed back to on-premises.

New-RemoteDomain -Name "Hybrid Domain YourTenant.onmicrosoft.com" -DomainName YourTenant.onmicrosoft.com

7. Set this new remote domain as trusted, internal, and several other settings using the following cmlet
   Repeat this for the other remote domains to, or replace “YourTenant.onmicrosoft.com” in the -Name parameter with just “*” to update them all at once.

Set-RemoteDomain -Name "Hybrid Domain YourTenant.onmicrosoft.com" -IsInternal $true -TargetDeliveryDomain $true -AllowedOOFType InternalLegacy -MeetingForwardNotificationEnabled $true -TrustedMailOutboundEnabled $true -TrustedMailInboundEnabled $true -UseSimpleDisplayName $true -TNEFEnabled $true

Once the cmdlets are run above, moderated message approval should start working.

In my research, I found this blog post, that covers the same info I did above: http://seanblee.blogspot.com/2014/08/office-365-exchange-online-hybrid.html