A feature a tenant may require is tenant or semi-tenant isolation: the tenant cannot contact any other tenant in the Hosted Org. A customer may require a total lockdown, or may require that only a subset of its users have this restriction in place.
Luckily, with Transport Rules and some PowerShell magic, we can implement this feature. In a perfect world you will have a front end or control panel that configures this magic for you, but if your control panel is one step behind, these are the backend steps you need to take to implement it.
Firstly you will need a Transport Rule to disallow the tenant, or certain users within the tenant, from sending outside of the Organization.
If you are using HMC, or have a framework that works along the lines of HMC (for example, with AllUsers and AllAdminUsers groups), then we can lock a tenant down with these security groups. If however only part of a tenant is to be isolated, then we will need to create another group, add the required users to that group, and then potentially hide that group from the GAL so as not to mess up a nice clean address book view. So back on track...
...This is simply achieved with a transport rule like the following:
New-TransportRule -Name 'Tenant Isolation - Outside Org Test' -Comments 'Another Transport rule to block my tenant from sending outside of the org. Entirely a test.' -Conditions 'Microsoft.Exchange.MessagingPolicies.Rules.Tasks.FromMemberOfPredicate','Microsoft.Exchange.MessagingPolicies.Rules.Tasks.SentToScopePredicate' -Actions 'Microsoft.Exchange.MessagingPolicies.Rules.Tasks.DeleteMessageAction' -Enabled $true -Priority 'number'
This looks like so in the UI:
We can then modify the rule further, for example by changing 'silently drop the message' to actually inform the sender that the message was refused, with a custom rejection text.
So the above controls outbound messages, but we still need to control who can send messages to the isolated tenant or the isolated users. We could again use Transport Rules, but we would need to create two: one for senders inside the organization and another for senders outside. In this instance I prefer to perform the lockdown on the user object itself, as this creates less transport overhead on your messaging subsystem.
#Allow users to only receive messages from a specified DL
#Modify $NIS and $AllUsers as appropriate
#Test in Test Lab prior to running in Live
#Confirm $NIS and $AllUsers are valid targets with Get-DistributionGroup
#Replace $NIS with a 'No Internet Sending Security Group' created in Control Panel for the Tenant
#Replace $AllUsers with the HMC4.5/hosting framework AllUsers Group for the Tenant
$NIS = 'No Internet Sending Security Group'   #placeholder group name, replace per tenant
$AllUsers = 'AllUsers'                         #placeholder group name, replace per tenant
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
#Every member of $NIS may only accept mail from members of $AllUsers
Get-DistributionGroupMember $NIS | Set-Mailbox -AcceptMessagesOnlyFromDLMembers $AllUsers
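As an added example (not from the original post), the following script audits that both halves of the isolation are actually in force for a tenant: the outbound transport rule exists and is enabled, and every member of the 'No Internet Sending' group accepts mail only from the tenant's AllUsers group. The group and rule names are placeholders.

```powershell
# Added example, not from the original post: audit that the isolation above is in
# force for every member of the 'No Internet Sending' group. Group and rule names
# are placeholders; substitute the tenant's real objects.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue

function Test-TenantIsolation {
    param(
        [string]$NIS,       # hidden security group holding the isolated users
        [string]$AllUsers,  # hosting-framework AllUsers group for the tenant
        [string]$RuleName   # the outbound 'Tenant Isolation' transport rule
    )
    $problems = @()

    # Outbound control: the transport rule must exist and be enabled.
    $rule = Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue
    if (-not $rule) {
        $problems += "Transport rule '$RuleName' not found"
    } elseif ($rule.State -ne 'Enabled') {
        $problems += "Transport rule '$RuleName' is disabled"
    }

    # Inbound control: each isolated mailbox must accept mail only from $AllUsers members.
    $allUsersDn = (Get-DistributionGroup -Identity $AllUsers).DistinguishedName
    foreach ($member in Get-DistributionGroupMember -Identity $NIS) {
        $mbx = Get-Mailbox -Identity $member.DistinguishedName -ErrorAction SilentlyContinue
        if (-not $mbx) {
            $problems += "$($member.Name) in $NIS is not a mailbox"
            continue
        }
        $allowed = @($mbx.AcceptMessagesOnlyFromDLMembers | ForEach-Object { $_.DistinguishedName })
        if ($allowed -notcontains $allUsersDn) {
            $problems += "$($mbx.Alias) does not restrict senders to $AllUsers"
        }
        if ($allowed.Count -gt 1 -or $mbx.AcceptMessagesOnlyFrom.Count -gt 0) {
            # Extra groups or individual senders widen the inbound allow-list beyond the tenant.
            $problems += "$($mbx.Alias) accepts mail from additional senders: $($allowed -join '; ')"
        }
    }
    return $problems
}

$result = Test-TenantIsolation -NIS 'Tenant-NoInternetSending' -AllUsers 'Tenant-AllUsers' `
                               -RuleName 'Tenant Isolation - Outside Org'
if ($result.Count -eq 0) { 'Isolation verified' } else { $result }
```

Run it from the Exchange Management Shell after the lockdown commands above; an empty result means both the outbound rule and the inbound mailbox restriction are in place.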
The end result is as follows:
Isolated tenant/user sending out to the internet:
Isolated tenant/user sending to another tenant in the Hosted Exchange platform:
Another tenant or external user trying to send to the isolated tenant/user:
Oliver Moazzezi MVP - Exchange Server