Enable Customization for Directory Based Edge Blocking feature in EOP
Currently the Directory Based Edge Blocking feature in EOP does not support Mail Enabled Public Folders and Dynamic Distribution Groups. If customers have any of these recipient types, they have to disable DBEB to receive external emails routed to the tenant through EOP. It would be great if we could provide an interface to manage DBEB to which customers can explicitly add recipients that are picked up by EOP. This would be very helpful for standalone EOP customers who want to use the DBEB feature to thwart directory-based harvest attacks.
On the page describing DBEB (https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/use-directory-based-edge-blocking) it's wrongly stated: "Once the domain type has been changed to Authoritative, DBEB is designed to allow any SMTP address that has been added to the service (except for mail-enabled public folders)".
Not mentioning DDGs. But still not working, though!
Christopher King commented
+2 votes. On-prem DDGs can be easily supported while leaving domains set to Authoritative by syncing a Contact or Mail User to the cloud which represents each on-prem DDG, but then you're stuck in long-term coexistence. However, to support cloud-based DDGs in hybrid, the hybrid routing domain domain.mail.onmicrosoft.com must be set to internal relay, which is not secure. In that case you create a non-syncing on-prem Contact or Mail User and use the shell to make the primarySMTPaddress match that of the cloud DDG and make the externalEmailAddress match the cloud DDG's domain.mail.onmicrosoft.com routing address.
Also, the public folders thing needs to be addressed quickly.
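The workaround described in the comment above (a non-syncing on-prem mail contact whose primary SMTP address matches the cloud DDG and whose external address is the DDG's routing address), written out as an added example. This is not code from the comment's author or from Microsoft; it assumes the on-premises Exchange Management Shell, an accepted domain contoso.com, a hybrid routing domain contoso.mail.onmicrosoft.com, a cloud-only DDG addressed as sales-all@contoso.com, and an OU named NoSync that the administrator has already excluded from Azure AD Connect synchronization. All of those names are placeholders.

```powershell
# Added example (not from the original post). Run in the on-premises
# Exchange Management Shell. Assumed placeholders: contoso.com (accepted
# domain), contoso.mail.onmicrosoft.com (hybrid routing domain),
# sales-all@contoso.com (cloud-only DDG), and OU=NoSync (excluded from
# Azure AD Connect so the contact never collides with the cloud DDG).
$DdgAlias   = 'sales-all'
$DdgPrimary = "$DdgAlias@contoso.com"
$DdgRouting = "$DdgAlias@contoso.mail.onmicrosoft.com"
$NoSyncOu   = 'OU=NoSync,DC=contoso,DC=com'

# 1. Create the mail contact in the non-syncing OU. Its target (external)
#    address is the DDG's routing address, so on-prem transport hands mail
#    for the DDG off to Exchange Online over the hybrid connector.
$contact = New-MailContact -Name "DDG $DdgAlias (cloud)" -Alias "ddg-$DdgAlias" `
    -ExternalEmailAddress $DdgRouting -OrganizationalUnit $NoSyncOu

# 2. Turn off the address policy so the primary SMTP address is exactly the
#    cloud DDG's address (the policy would otherwise stamp a generated one),
#    and keep the routing address as a secondary proxy address.
Set-MailContact -Identity $contact.Identity -EmailAddressPolicyEnabled $false `
    -EmailAddresses @("SMTP:$DdgPrimary", "smtp:$DdgRouting")

# 3. Verify before relying on it: wrong addresses here mean NDRs for the DDG.
$check = Get-MailContact -Identity $contact.Identity
if ($check.PrimarySmtpAddress.ToString() -ne $DdgPrimary) {
    throw "Primary SMTP address is $($check.PrimarySmtpAddress), expected $DdgPrimary"
}
if ("$($check.ExternalEmailAddress)" -notlike "*$DdgRouting") {
    throw "External address is $($check.ExternalEmailAddress), expected $DdgRouting"
}
if ($check.DistinguishedName -notlike "*,$NoSyncOu") {
    throw "Contact is not in the excluded OU; it would sync and clash with the cloud DDG"
}
Write-Output "OK: $($check.Name) -> $($check.ExternalEmailAddress)"

# 4. In an Exchange Online PowerShell session, confirm the routing domain was
#    left Authoritative, i.e. the InternalRelay relaxation the comment warns
#    about was not needed:
#    Get-AcceptedDomain contoso.mail.onmicrosoft.com | Select-Object DomainName, DomainType
```

The OU exclusion is the part that actually matters for DBEB: if the contact does sync, Azure AD ends up with two objects claiming sales-all@contoso.com and the cloud DDG stops receiving. Step 3 only checks the contact's placement; confirming the OU is really filtered out of Azure AD Connect is a separate check in the Synchronization Service Manager.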
Sébastien UHL commented
As usual, it's just a matter of communication when something works otherwise than most people understand, or if it is an exception to the rules.