
Journaling in Microsoft 365 with Centralized Mail Transport (CMT)

This article explains how Centralized Mail Transport (CMT) in an Exchange hybrid configuration can coexist with journaling. The typical scenario is that Exchange Online mailboxes route all outbound mail through the On-Prem infrastructure. Journal reports (copies of messages kept for compliance/archiving) can still be routed to a 3rd-party archiving product by creating a dedicated outbound connector for the journaling domain.

Centralized Mail Transport (recap)

CMT causes outbound mail from Exchange Online mailboxes to be routed through On-Prem servers before delivery to the Internet. This is useful when you need all mail to pass through On-Prem or 3rd-party systems (for policy, DLP, scanning, or archiving).

  • Transport options

    With centralized mail transport, you can route all mail from mailboxes in the Exchange Online organization through the On-Prem organization before they're delivered to the Internet.

CMT vs CBR

If you turn on CMT, conditional mail routing (CBR: transport rules that route mail to a rule-scoped connector) is limited, so review any connectors with IsTransportRuleScoped = True before enabling it.

General Activation of CMT (hybrid)

Enable 'Centralized Mail Transport' to route all e-mails via a 3rd-party or On-Prem mail flow in an Exchange hybrid scenario (this is normally configured during the initial hybrid setup by the Hybrid Configuration Wizard).

# -- View outbound connectors
Get-OutboundConnector | fl Name, ConnectorType, RecipientDomains, SmartHosts, IsTransportRuleScoped, RouteAllMessagesViaOnPremises, CloudServicesMailEnabled, Enabled, TlsSettings
# CloudServicesMailEnabled = True (set by the Hybrid Configuration Wizard on the hybrid connector)

# -- Enable routing all messages via On-Prem (CMT): the hybrid connector must match every recipient domain
#Set-OutboundConnector -Identity "<Hybrid Outbound Connector name>" -RecipientDomains * -RouteAllMessagesViaOnPremises:$True
# -- Disable routing all messages via On-Prem (back to hybrid-only routing for your own domains)
#Set-OutboundConnector -Identity "<Hybrid Outbound Connector name>" -RecipientDomains "<all your accepted domains, separated by commas>" -RouteAllMessagesViaOnPremises:$False

Enable Journaling while CMT is Active (double CMT)

If you want to send journal reports to a 3rd-party archiving service instead of Exchange On-Prem, you can customize the mail flow for these messages. Exchange Online uses the outbound connector with the most specific RecipientDomains match, so a dedicated connector for the journaling domain takes precedence over the hybrid CMT connector (RecipientDomains *):

  1. Use a separate domain for the journal address (for example: journaling.contoso.com). It must not be an authoritative accepted domain of your tenant, otherwise Exchange Online tries to deliver the reports internally.
  2. Create a new journal rule, disabled for now, and do not yet remove any existing rule. Exchange Online also requires a mailbox for undeliverable journal reports (Set-TransportConfig -JournalingReportNdrTo) before journal rules can be created.
  3. Create a new On-Prem connector that routes messages for the journaling domain to the archive.
  4. Verify the connector ("Validate this connector" in the Exchange Admin Center (EAC)).
  5. Enable the new journal rule (after verification).
# -- Show existing journal rules
Get-JournalRule | fl Name, JournalEmailAddress, Scope, Enabled

# -- Create a New Journal Rule over PowerShell (or GUI); keep it disabled until the connector is verified
New-JournalRule -Name "[name of journal rule]" -JournalEmailAddress "[name]@journaling.contoso.com" -Scope Global -Enabled $false
#New-JournalRule -Name "Discovery Journal Recipients" -JournalEmailAddress "[name]@journaling.contoso.com" -Scope Global -Enabled $false
    # [name]@journaling.contoso.com
    # > [name] = receiving journal mailbox at the archiving provider

# -- Create a New On-Prem Connector for the journaling domain
# -SmartHosts requires -UseMXRecord $false; with a smart host the provider's MX is not consulted
New-OutboundConnector -Name "<Journal Outbound Connector name>" -ConnectorType OnPremises -RecipientDomains "journaling.contoso.com" -SmartHosts "[server or mx of journal mailbox]" -UseMXRecord $false -TlsSettings CertificateValidation -RouteAllMessagesViaOnPremises:$True
#New-OutboundConnector -Name "Journal Outbound Connector" -ConnectorType OnPremises -RecipientDomains "journaling.contoso.com" -SmartHosts "archive.contoso.com" -UseMXRecord $false -TlsSettings CertificateValidation -RouteAllMessagesViaOnPremises:$True

    # CloudServicesMailEnabled = False (this is not the hybrid connector)
    # ConnectorType = OnPremises
    # IsTransportRuleScoped = False
    # TlsSettings = CertificateValidation at minimum; DomainValidation together with -TlsDomain if the archive's certificate name is known
    # SmartHosts set and UseMXRecord = False (or UseMXRecord = True without SmartHosts if the provider receives via MX)

# -- Customize the New On-Prem Connector (if created in EAC)
Set-OutboundConnector -Identity "<Journal Outbound Connector name>" -RouteAllMessagesViaOnPremises:$True
# RouteAllMessagesViaOnPremises = True

# -- View outbound connectors (verification)
Get-OutboundConnector | fl Name, ConnectorType, RecipientDomains, SmartHosts, UseMXRecord, IsTransportRuleScoped, RouteAllMessagesViaOnPremises, CloudServicesMailEnabled, Enabled, TlsSettings

# --- Enable the journal rule (when ready)
Enable-JournalRule -Identity "Discovery Journal Recipients"
#  Set-JournalRule -Identity "Discovery Journal Recipients" -Enabled $true

MX vs SmartHosts

Some archiving providers accept mail via their MX record, others require a fixed smart host (and often a specific TLS certificate name). Check the provider's requirements before choosing -UseMXRecord or -SmartHosts.
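Before enabling the rule, it pays to check the preconditions from the steps above in one go. The following script is an added example, not code from the original article; it assumes an existing Connect-ExchangeOnline session, and the domain, connector and rule names are placeholders for your own values.

```powershell
# Added example: pre-flight checks before Enable-JournalRule (assumes Connect-ExchangeOnline has been run)
$JournalDomain    = "journaling.contoso.com"        # assumed provider domain
$JournalConnector = "Journal Outbound Connector"    # assumed connector name
$JournalRule      = "Discovery Journal Recipients"  # assumed rule name
$problems = [System.Collections.Generic.List[string]]::new()

# 1) The journaling domain must not be authoritative in the tenant, or EXO delivers internally and never uses the connector
$accepted = Get-AcceptedDomain | Where-Object { "$($_.DomainName)" -ieq $JournalDomain }
if ($accepted -and "$($accepted.DomainType)" -eq "Authoritative") {
    $problems.Add("$JournalDomain is an authoritative accepted domain; journal reports would be delivered internally")
}

# 2) Exchange Online needs a destination for undeliverable journal reports (default '<>' means unset)
$ndrTo = "$((Get-TransportConfig).JournalingReportNdrTo)"
if ([string]::IsNullOrEmpty($ndrTo) -or $ndrTo -eq "<>") {
    $problems.Add("JournalingReportNdrTo is not set; run Set-TransportConfig -JournalingReportNdrTo <mailbox>")
}

# 3) The journal connector: enabled, OnPremises, scoped to the journaling domain, with a usable route and TLS validation
$con = Get-OutboundConnector -Identity $JournalConnector -ErrorAction SilentlyContinue
if (-not $con) {
    $problems.Add("Connector '$JournalConnector' not found")
} else {
    $domains = @($con.RecipientDomains | ForEach-Object { "$_" })
    if (-not $con.Enabled)                        { $problems.Add("Connector is disabled") }
    if ("$($con.ConnectorType)" -ne "OnPremises") { $problems.Add("ConnectorType is $($con.ConnectorType), expected OnPremises") }
    if ($con.IsTransportRuleScoped)               { $problems.Add("Connector is transport-rule scoped; journal reports are not routed by transport rules") }
    if ($domains -notcontains $JournalDomain)     { $problems.Add("RecipientDomains does not contain $JournalDomain") }
    if (-not $con.UseMXRecord -and -not $con.SmartHosts) { $problems.Add("UseMXRecord is false but no SmartHosts are defined") }
    if ("$($con.TlsSettings)" -notin @("CertificateValidation", "DomainValidation")) {
        $problems.Add("TlsSettings is '$($con.TlsSettings)'; use CertificateValidation or DomainValidation")
    }
}

# 4) The CMT connector (RecipientDomains *) must still exist; the journal connector only adds a more specific route
$cmt = Get-OutboundConnector | Where-Object {
    $_.RouteAllMessagesViaOnPremises -and ((@($_.RecipientDomains | ForEach-Object { "$_" })) -contains "*")
}
if (-not $cmt) { $problems.Add("No connector with RecipientDomains * and RouteAllMessagesViaOnPremises found; CMT appears to be off") }

# 5) The journal rule must exist, point into the journaling domain and still be disabled
$rule = Get-JournalRule -Identity $JournalRule -ErrorAction SilentlyContinue
if (-not $rule) {
    $problems.Add("Journal rule '$JournalRule' not found")
} else {
    if ("$($rule.JournalEmailAddress)" -notlike "*@$JournalDomain") { $problems.Add("JournalEmailAddress $($rule.JournalEmailAddress) is not in $JournalDomain") }
    if ($rule.Enabled) { $problems.Add("Rule '$JournalRule' is already enabled") }
}

if ($problems.Count -eq 0) {
    Write-Host "Pre-flight checks passed. Validate the connector (same check as 'Validate this connector' in EAC), then enable the rule:"
    Write-Host "  Validate-OutboundConnector -Identity '$JournalConnector' -Recipients '$($rule.JournalEmailAddress)'"
    Write-Host "  Enable-JournalRule -Identity '$JournalRule'"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

The script only reads configuration and prints the two commands for the cut-over; nothing is changed until you run them yourself.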

Testing and Quota of Receiving Mailbox

  1. Send a test message from an Exchange Online mailbox (the journal rule copies it as a journal report to the journal address).
  2. Use message trace to confirm the journal connector was used (trace data can lag several minutes behind delivery, and a freshly created connector or rule may take a while to become active).
  3. Confirm delivery at the archive (verify that the report arrived with its envelope journal data).
  4. Ensure the receiving mailbox can handle the expected volume (storage quota at the provider).
# -- Trace the test message to the journal address (last 6 hours)
Get-MessageTraceV2 -RecipientAddress "[name]@journaling.contoso.com" -StartDate (Get-Date).AddHours(-6) -EndDate (Get-Date)
# -- All messages of the last 6 (or 24) hours
Get-MessageTraceV2 -StartDate (Get-Date).AddHours(-6) -EndDate (Get-Date)
#Get-MessageTraceV2 -StartDate (Get-Date).AddHours(-24) -EndDate (Get-Date)
# -- Per-hop detail of one message (MessageTraceId and RecipientAddress from the trace above)
##Get-MessageTraceDetailV2 -MessageTraceId "<MessageTraceId>" -RecipientAddress "[name]@journaling.contoso.com"
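Because trace data arrives late, a single trace call right after the test message usually returns nothing. The following function is an added example, not part of the original article; it assumes a Connect-ExchangeOnline session with the Exchange Online PowerShell V3 module (which provides Get-MessageTraceV2), and the journal address is a placeholder. It polls the trace until the journal report shows up, then lists its hops.

```powershell
# Added example: wait for the journal report in message trace and show its hops (assumes Connect-ExchangeOnline)
function Wait-JournalTrace {
    param(
        [string]$JournalAddress = "journal@journaling.contoso.com",  # assumed receiving journal mailbox
        [int]$TimeoutMinutes = 30,                                   # trace data can lag behind delivery
        [int]$PollSeconds = 60
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $trace = Get-MessageTraceV2 -RecipientAddress $JournalAddress -StartDate (Get-Date).AddHours(-1) -EndDate (Get-Date)
        if ($trace) {
            # newest report first; the test message is normally the latest one
            return $trace | Sort-Object Received -Descending | Select-Object -First 1
        }
        Write-Host ("{0:HH:mm:ss} no journal report for {1} yet, waiting {2}s" -f (Get-Date), $JournalAddress, $PollSeconds)
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    return $null
}

$JournalAddress = "journal@journaling.contoso.com"   # assumed, same as in the function default
$msg = Wait-JournalTrace -JournalAddress $JournalAddress
if (-not $msg) {
    Write-Warning "No journal report traced within the timeout; check that the rule is enabled and the connector's RecipientDomains covers the journaling domain"
} else {
    $msg | Format-List Received, SenderAddress, RecipientAddress, Subject, Status, MessageTraceId
    # Hop-by-hop events (Receive, Send, ...); inspect the Send event's Detail text to confirm
    # the report was handed to the archive's smart host / MX rather than to the hybrid connector
    Get-MessageTraceDetailV2 -MessageTraceId $msg.MessageTraceId -RecipientAddress $JournalAddress |
        Sort-Object Date | Format-Table Date, Event, Action, Detail -AutoSize -Wrap
    if ("$($msg.Status)" -ne "Delivered") {
        Write-Warning "Status is $($msg.Status): verify that the provider's host accepts mail from Exchange Online and that the TLS certificate validates"
    }
}
```

A Status of Pending after the timeout usually means the smart host is not accepting the connection or the certificate failed validation; Failed with an NDR points at the journal address itself.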

Disable Legacy Journal Rules

Once the new rule is verified, disable the legacy journal rules. In a hybrid deployment the legacy rule usually lives On-Prem, so run the commands in the On-Prem Exchange Management Shell (or against Exchange Online if the old rule exists there).

# -- Disable the legacy (On-Prem) journal rule
Disable-JournalRule -Identity "Contoso Journal Rule"
# Set-JournalRule -Identity "Contoso Journal Rule" -Enabled $false

# -- Verify rules (run On-Prem and in Exchange Online)
Get-JournalRule | fl Name, JournalEmailAddress, Enabled

Summary

Routing journal reports to an external archiving provider while CMT is enabled works when configured carefully: create a dedicated domain and connector for the journal traffic, validate TLS and delivery, and only then enable the new journal rule and disable the legacy one. Pay attention to quotas and monitoring. Wish you all a good day!

PS: Forwarding with CMT is not covered in this article; that is another topic for another time.
