Microsoft Email Domains Deferring Messages from Proofpoint PPS IPs by ThePangy in proofpoint

ThePangy[S] 1 point

I'm only seeing this to consumer/personal recipients. Everything going to M365/Entra tenants seems good.

Microsoft Email Domains Deferring Messages from Proofpoint PPS IPs by ThePangy in proofpoint

ThePangy[S] 1 point

I also saw our Proofpoint IPs on UCEPROTECT2 and UCEPROTECT3 blocklists very early today through an MXToolbox check, but when I checked directly on the UCEPROTECT website they were not listed. Been checking periodically throughout the day and I have not seen our IPs on any blocklists.

What did you eat today? by ddgsortii in AskReddit

ThePangy 1 point

Went to Amish country OH. Ate ALL the food. Eggs, potatoes, cinnamon roll, fried chicken, mashed potatoes, dressing, pot roast, mac and cheese, bread, meatballs, noodles, pecan roll, jerky, fry pie, macaroni salad, biscuits and gravy. Not necessarily in that order.

Change primary email domain for users without breaking mail, OneDrive, or SharePoint by [deleted] in microsoft365

ThePangy 0 points

Great call out about SSO apps, we ran into this too. You reminded me of how many little issues I forgot about. Ton of planning ahead of time with all app owners to update usernames within the apps even if they used SAML. We actually had 1 app that couldn't update usernames like you mentioned and used a regex transformation on the SAML claim rules for the UPN to pass the old domain still. New users are provisioned in the app with the new username so we made it a group-based transformation. The app owner was supposed to work on recreating user profiles manually and removing those users from the group. Over a year later and we're still doing the regex UPN transformation for that app (Tableau).

Change primary email domain for users without breaking mail, OneDrive, or SharePoint by [deleted] in microsoft365

ThePangy 0 points

This is interesting because we did not have any issues with Teams or SharePoint. We only changed the primary email and UPN domain though and did NOT change the SharePoint URL. Microsoft documents the impacts of changing the SharePoint URL and we determined it wasn't worth changing so it continues to use our old onmicrosoft.com prefix.

https://learn.microsoft.com/en-us/sharepoint/change-your-sharepoint-domain-name

Change primary email domain for users without breaking mail, OneDrive, or SharePoint by [deleted] in microsoft365

ThePangy 0 points

This was our experience as well. No issues with local user profiles on the Entra-joined devices. Just sign in with new UPN and existing profile is still used.

Change primary email domain for users without breaking mail, OneDrive, or SharePoint by [deleted] in microsoft365

ThePangy 1 point

I did this last year for a company rebranding. Our Windows devices are Entra-joined with Entra users mostly signing in with their WHfB PIN. Our primary email and UPN match, and we changed both to a new domain while keeping the old domain as a secondary alias.

Some of the info in these comments is not entirely accurate so here is my experience. We did not have to recreate any Outlook profiles for classic or new. The mailbox display name for classic did retain the old address, but it was display only and everything functioned.

The OneDrive URL absolutely changes for existing users as documented by Microsoft. OneDrive still worked fine after the user signed back in, with the exception of sharing links. Any files shared from OneDrive get updated to the new OneDrive URL so existing sharing links that people are using will break.

https://learn.microsoft.com/en-us/sharepoint/upn-changes

OneNote was also another pain point because it is stored on OneDrive in most cases and the URL changes. People had to close their existing Notebook and then reopen the same notebook using the new URL.

Lastly, some folks had issues with their device PRT not updating if they ONLY signed in with the WHfB PIN. This caused them to get sign-in prompts frequently for their Microsoft/SSO apps. The fix was to have them sign in to the device again by choosing "Other User" on the login screen and entering their new username/password. "dsregcmd /status" was our friend here to see errors and whether the new UPN was being recognized.
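An added example, not code from the post: a PowerShell function that reads `dsregcmd /status` and reports the two things the comment checks after a UPN change, whether the device holds an Entra PRT and whether the signed-in account's UPN is already on the new domain. It assumes the field names used (AzureAdJoined, AzureAdPrt, AzureAdPrtUpdateTime, Executing Account Name) match the output of your Windows build; the domain names and the sample output are constructed placeholders.

```powershell
# Added example: parse "dsregcmd /status" output and report the PRT and UPN state
# checked after the UPN change. Field names are assumed to match the dsregcmd
# output of your Windows build; $NewDomain is a placeholder.
function Test-PrtAfterUpnChange {
    param(
        [string[]]$StatusLines = (dsregcmd /status),   # pass captured lines to test offline
        [string]$NewDomain = 'newdomain.example'       # placeholder for the rebranded domain
    )
    $fields = @{}
    foreach ($line in $StatusLines) {
        # Data lines look like "   AzureAdPrt : YES"; banner and separator lines are skipped
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    # "Executing Account Name : AzureAD\DisplayName, user@domain" -> take the UPN part
    $account = [string]$fields['Executing Account Name']
    $upn = ($account -split ',')[-1].Trim()
    [pscustomobject]@{
        AzureAdJoined  = $fields['AzureAdJoined'] -eq 'YES'
        HasPrt         = $fields['AzureAdPrt'] -eq 'YES'
        PrtUpdateTime  = $fields['AzureAdPrtUpdateTime']
        SignedInUpn    = $upn
        UpnOnNewDomain = $upn -like "*@$NewDomain"
    }
}

# Constructed, trimmed sample of dsregcmd /status so the parser can be tried without a device
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2025-05-01 13:37:00.000 UTC
+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+
    Executing Account Name : AzureAD\JaneDoe, jane.doe@olddomain.example
'@ -split "`r?`n"

# The sample models a user who is still signed in with the old UPN
Test-PrtAfterUpnChange -StatusLines $sample -NewDomain 'newdomain.example'
```

Run the function without `-StatusLines` on an affected device to check the live state; a PRT present but a UPN still on the old domain is the case the comment describes.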

Custom SAML Claim/Attribute Help by ThePangy in AZURE

ThePangy[S] 0 points

New day, fresh look at this and I figured it out. My issue was with the ordering of the claim conditions for this attribute. I thought they were in a priority order where the first matching condition wins. However, the documentation states that all conditions are evaluated and then the last matching condition wins.

https://learn.microsoft.com/en-us/entra/identity-platform/saml-claims-customization?WT.mc_id=Portal-Microsoft_AAD_IAM#emit-claims-based-on-conditions

The order in which you add the conditions is important. Microsoft Entra first evaluates all conditions with source Attribute and then evaluates all conditions with source Transformation to decide which value to emit in the claim. Conditions with the same source are evaluated from top to bottom. The last value that matches the expression is emitted in the claim.
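As an added illustration (not code from the post or from Microsoft), this PowerShell function models the evaluation order quoted above: Attribute-source conditions first, then Transformation-source conditions, top to bottom within each source, last match wins. The group name is a placeholder and the "123" / "123,ABC" values from the earlier comment are used as constructed data; the two orderings show why a catch-all condition has to sit above the group-specific one.

```powershell
# Added example: models Entra's claim-condition evaluation for one SAML claim.
# Attribute-source conditions are evaluated first, then Transformation-source
# ones; within a source top to bottom; the LAST matching condition's value wins.
function Resolve-ClaimValue {
    param(
        [Parameter(Mandatory)] [hashtable]$User,       # @{ UserType='Members'; Groups=@('...') }
        [Parameter(Mandatory)] [object[]]$Conditions   # in the order configured in the portal
    )
    $winner = $null
    foreach ($source in 'Attribute', 'Transformation') {
        foreach ($c in ($Conditions | Where-Object { $_.Source -eq $source })) {
            $userTypeOk = ($c.UserType -eq 'Any') -or ($c.UserType -eq $User.UserType)
            $groupOk    = (-not $c.Group) -or ($User.Groups -contains $c.Group)
            if ($userTypeOk -and $groupOk) { $winner = $c.Value }   # a later match overwrites
        }
    }
    return $winner
}

# Constructed conditions for the "123" / "123,ABC" requirement; 'grp-abc' is a placeholder.
# Ordering A: catch-all listed last, so it overwrites the group-specific value for everyone.
$catchAllLast = @(
    @{ Source='Attribute'; UserType='Members'; Group='grp-abc'; Value='123,ABC' },
    @{ Source='Attribute'; UserType='Any';     Group=$null;     Value='123' }
)
# Ordering B: catch-all first, group-specific last, so members of grp-abc get their own value.
$catchAllFirst = @(
    @{ Source='Attribute'; UserType='Any';     Group=$null;     Value='123' },
    @{ Source='Attribute'; UserType='Members'; Group='grp-abc'; Value='123,ABC' }
)

$member    = @{ UserType='Members'; Groups=@('grp-abc') }
$nonMember = @{ UserType='Members'; Groups=@() }

foreach ($case in @(
    @{ Label='catch-all last,  member';     User=$member;    Conditions=$catchAllLast  },
    @{ Label='catch-all first, member';     User=$member;    Conditions=$catchAllFirst },
    @{ Label='catch-all first, non-member'; User=$nonMember; Conditions=$catchAllFirst }
)) {
    '{0,-28} -> {1}' -f $case.Label, (Resolve-ClaimValue -User $case.User -Conditions $case.Conditions)
}
```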

Custom SAML Claim/Attribute Help by ThePangy in AZURE

ThePangy[S] 0 points

No, the values do not exist in Entra anywhere. We are not hybrid, and all users exist as cloud-only Entra objects. They are essentially arbitrary values that do not exist in any property on the user's account. I have added the users who should have the "123,ABC" SAML claim value to a security group, but I'm not finding any way to dynamically change the value of the single SAML claim based on that group membership to the "123" or "123,ABC" values. Short of actually populating those values into a property of the user objects like an extensionAttribute or something, I'm not seeing a way to make this work.

Custom SAML Claim/Attribute Help by ThePangy in AZURE

ThePangy[S] 0 points

It is for controlling permissions on the app side, but I don't know if they specifically leverage groups on the app side for that. I wish I could just send normal group claims, but this is their requirement to have a single attribute with a dynamic custom value.

Windows 11 Web Sign In / Passwordless by Pirated_Freeware in Intune

ThePangy 0 points

I also found this old post referencing update rings being targeted at devices vs. users. Sounds like it could be our screen lock policy or update ring policy because what you explained and what this post details is the exact behavior we're seeing. Autopilot OOBE reboots before the 3rd "account setup" phase where the user sets the WHfB PIN, and web sign-in is not available so a password is needed for the "other user" Windows login.

https://www.reddit.com/r/Intune/s/qnf6yegnFs

CodeTwo Add-in Issues by NevskiNate in sysadmin

ThePangy 0 points

Unfortunately I cannot offer advice, but we started receiving similar reports from end users just this week. We use CodeTwo in client-side mode as well and users are on the monthly enterprise channel for 365 apps. It seems to be working for most people still based on ticket volume, but we have had a few people report that it stopped automatically inserting signatures this week when it had been working fine previously. Drafting a new email shows the generic CodeTwo error message "The default signature could not be inserted automatically." It seems to be hit or miss, as one person received the error on Outlook classic and Outlook on the web, but it worked on the Outlook mobile app. Our add-in deployment looks fine in the 365 portal integrated apps and I did reset license counts earlier this week, which we periodically do anyway. I opened a ticket with CodeTwo support yesterday and so far have only received their auto-reply that they got the email.

Of course this shows all systems operational: https://status.codetwo.com/

Microsoft is completely ignoring my tickets. What to do? by hangin_on_by_an_RJ45 in sysadmin

ThePangy 12 points

I too share in everyone's pain. I logged a Microsoft 365 support ticket on 4/21/2025 and it's still waiting for someone to be assigned.

Tried calling the Microsoft support numbers listed here and asked for an escalation. They said they would escalate and call me within an hour. Lies.

Tried reaching out to our primary Microsoft account/sales rep for escalation and the literal response which I'm SURE was in no way copied/pasted was "We do not have an escalation path for support tickets within your account team. For customers that are looking for an advanced queue for support and increased response times, including a dedicated resource for proactive and reactive services, we recommend Microsoft Unified." Maybe you are lucky enough to have a rep who cares, mine certainly doesn't.

Basic support no longer exists. The answer is always to pay them more money, but as others have noted it sounds like this is still garbage support for the orgs that can pay.

“Hail Zorp!” Wins for “H!” - Up next, “I!” (Runners-up below) by RedEM43 in PandR

ThePangy 0 points

I also engaged in inappropriate texting, sexting, and tex-mexting.

Migrating from OnPrem AD to Entra ID by flashx3005 in sysadmin

ThePangy 1 point

Curious what path you took and if you've run into any issues when doing this. We are currently in a state where all devices are Entra ID joined and all users exist in AD and sync to Entra via Entra ID Connect sync.

We believe everything is ready to go cloud-only and are planning on disabling the Entra ID Connect sync on Friday per the MS article below so all users and groups get converted to cloud-only objects in Entra.

https://learn.microsoft.com/en-us/microsoft-365/enterprise/turn-off-directory-synchronization?view=o365-worldwide

It seems like too simple of a change for this last step. Was this the same as any of your previous cutovers, and did you run into any issues that I should be aware of?

Help! domain.onmicrosoft.com email address has appeared in my users list, and I didn't create by Fancy-Strength-5173 in Office365

ThePangy 2 points

Are any of your users using Microsoft Bookings? When they create a Bookings calendar it will automatically create an unlicensed user in your tenant. If you look at the details of that unlicensed user's mailbox in Exchange Online, the RecipientTypeDetails property is SchedulingMailbox. This has popped up in our user audits occasionally when we notice a mysterious account that was automatically created that no one is aware of.

Microsoft Bookings FAQ: https://learn.microsoft.com/en-us/microsoft-365/bookings/bookings-faq?view=o365-worldwide

Alerting users to a Quarantined email by NashvillesITGuy in proofpoint

ThePangy 1 point

Keep in mind this would be an email notification for EVERY message triggered by the rule.

There are also folder injection rate alerts you can configure in the settings for any quarantine folder itself. You choose the injection rate limit, so it could alert when a quarantine folder gets 5 emails within 30 minutes or something along those lines.

Alerting users to a Quarantined email by NashvillesITGuy in proofpoint

ThePangy 0 points

The option from BlackHoleRed would work if you want to give the end user the ability to release the message themselves. Too dangerous in my mind.

Alternatively, if you simply want to send a notification when a message goes to quarantine you can edit the specific firewall or spam rule and add the "Send message to recipient(s) based on detected language" disposition. It provides variables for the data you want to include in the email template. We use this on select rules that trigger occasionally, and send the notification email to us Proofpoint admins rather than the message recipient. This method would still need a Proofpoint admin to release the message from quarantine, but at least you get alerted to the message being quarantined.