Manage Microsoft Dynamic Distribution Groups Using PowerShell
A dynamic distribution list is a type of mail-enabled Exchange group that automatically selects members based on a set of predefined criteria rather than manually adding individual users. While the specified criteria define the group users, it is crucial to manage Microsoft dynamic distribution groups to reduce the risk of emails landing in the wrong hands. Any misconfiguration in the dynamic rules can result in adding unauthorized users to the dynamic distribution groups.
In this blog, we’re going to discuss effective PowerShell operations that help M365 admins to manage Microsoft dynamic distribution groups.
While the Exchange admin center provides flexibility in creating and managing dynamic distribution groups (DDG), you may wonder why PowerShell is necessary. PowerShell is usually preferred for automation and scripting, but here it is needed to work around the limitations of the Exchange admin center.
For instance, using PowerShell, you can filter group members based on attributes like job title or manager, or even create DDGs based on email domain, which is not possible through the Exchange admin center. The Exchange admin center only allows you to specify criteria for dynamic membership using attributes such as ‘state or province,’ ‘company,’ ‘department,’ and ‘custom attributes’.
Here are the major PowerShell operations to create and manage dynamic distribution lists using the Exchange management shell. Before proceeding with the operations listed below, make sure to connect to Exchange Online PowerShell with an Exchange or global administrator account.
- Create dynamic distribution groups
- List dynamic distribution groups
- Get dynamic distribution group members
- Add or change the dynamic distribution group owner
- Configure moderated recipients for dynamic distribution lists
- Change dynamic distribution group filter
- Add delegates to a dynamic distribution group
- Dynamic distribution groups’ delivery management
- Hide dynamic distribution group from global address list
- Delete dynamic distribution lists
To create dynamic distribution groups using PowerShell, you can utilize the cmdlet “New-DynamicDistributionGroup”. Construct the cmdlet as demonstrated below according to your requirements.
New-DynamicDistributionGroup -IncludedRecipients "MailboxUsers" -Name "All Mailbox Users"
The above cmdlet creates a dynamic distribution list named ‘All Mailbox Users’ with all users who have a mailbox.
If you want to filter group members based on their properties, you can use the following cmdlet.
New-DynamicDistributionGroup -Name "Retail Management Team" -RecipientFilter "(Title -eq 'Retail Manager') -and (Department -eq 'Retail') -and (Manager -eq '[email protected]')"
The above example cmdlet creates a dynamic distribution list named ‘Retail Management Team’ with users having their job title as ‘Retail Manager’, department as ‘Retail’, and the manager as ‘Jabez’. Modify the cmdlet above to filter users according to your needs.
To retrieve and view all the dynamic distribution groups present in your Microsoft 365 tenant, simply execute the “Get-DynamicDistributionGroup” cmdlet.
Get-DynamicDistributionGroup -ResultSize Unlimited | Select Name, PrimarySMTPAddress, ManagedBy
For more detailed statistics, you can use the built-in dynamic distribution group report from the Exchange admin center. This report provides information such as the group name, group email, last used date, and the count of times the dynamic distribution group has been used.
The “Get-DynamicDistributionGroupMember” cmdlet lets admins list all the members of a dynamic distribution group.
Get-DynamicDistributionGroupMember -Identity <DynamicDistributionGroupName> -ResultSize Unlimited | Select DisplayName, Id, RecipientType
You can export the dynamic distribution group members with a detailed report using a prebuilt PowerShell script. To broaden the scope of group management, admins can also use PowerShell to obtain membership and ownership details of M365 groups.
If your dynamic distribution group doesn’t have an owner, you can add one. You can also change the owner if there is already one assigned. To add a new owner or update the existing one, utilize the “Set-DynamicDistributionGroup” cmdlet as shown below.
Set-DynamicDistributionGroup -Identity <DynamicDistributionGroupName> -ManagedBy <OwnerUPN>
Execute the cmdlet with the appropriate group name and the owner’s UPN to update the owner of the dynamic distribution list.
Note: It is impossible to add more than one owner to dynamic distribution groups.
If you want to add a moderator to your dynamic distribution list to approve incoming messages, you can use the cmdlet below:
Set-DynamicDistributionGroup -Identity <DynamicDistributionGroupName> -ModerationEnabled $true -ModeratedBy <ModeratedUPNs>
Replace <DynamicDistributionGroupName> with the appropriate group name and <ModeratedUPNs> with the UPN (User Principal Name) of the moderators.
If you want to change the rule or criteria for the membership of your dynamic distribution group, you can run the cmdlet “Set-DynamicDistributionGroup”, as demonstrated here:
Set-DynamicDistributionGroup -Identity "Retail Management Team" -RecipientFilter "(Title -eq 'Retail Manager') -and (Department -eq 'Retail') -and (Manager -eq '[email protected]')"
The above example cmdlet updates the DDG named ‘Retail Management Team’ with criteria like the user’s job title as ‘Retail Manager’, department as ‘Retail’, and the manager as ‘Daniel’.
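Because a filter change decides who receives the group's mail, it helps to see who a new filter would add or drop before applying it. The following is an added example, not part of the original post: it assumes an existing Exchange Online PowerShell session, reuses the page's example group name, and uses a constructed candidate filter.

```powershell
# Added example. Assumes Connect-ExchangeOnline has already been run.
# The group name is the page's example; the candidate filter is a constructed sample.
$groupName       = 'Retail Management Team'
$candidateFilter = "(Title -eq 'Retail Manager') -and (Department -eq 'Retail')"

$ddg = Get-DynamicDistributionGroup -Identity $groupName -ErrorAction Stop

# Recipients selected by the filter currently stored on the group, evaluated live.
$current = @(Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter `
        -OrganizationalUnit $ddg.RecipientContainer -ResultSize Unlimited)

# Recipients the candidate filter would select in the same container.
# Note: Exchange appends its own system-recipient exclusions to the stored filter,
# so review any unexpected "added" entries rather than assuming they are users.
$proposed = @(Get-Recipient -RecipientPreviewFilter $candidateFilter `
        -OrganizationalUnit $ddg.RecipientContainer -ResultSize Unlimited)

$currentIds  = @($current  | ForEach-Object { "$($_.PrimarySmtpAddress)" })
$proposedIds = @($proposed | ForEach-Object { "$($_.PrimarySmtpAddress)" })

# Set difference in both directions; safe when either side is empty.
$added   = @($proposedIds | Where-Object { $_ -notin $currentIds })
$removed = @($currentIds  | Where-Object { $_ -notin $proposedIds })

"Current filter : $($ddg.RecipientFilter)"
"Would start receiving the group's mail: $($added.Count)"
$added | Sort-Object
"Would stop receiving the group's mail: $($removed.Count)"
$removed | Sort-Object

# An empty result usually means a typo in the filter, not an empty team.
if ($proposedIds.Count -eq 0) {
    Write-Warning 'Candidate filter matches no recipients; not applying.'
    return
}

# -WhatIf reports the change without making it. Remove it once the diff is reviewed.
Set-DynamicDistributionGroup -Identity $groupName -RecipientFilter $candidateFilter -WhatIf
```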
To specify ‘Send As’ permissions for a dynamic distribution list using Exchange Online PowerShell, use the “Add-RecipientPermission” cmdlet.
Add-RecipientPermission -Identity <DynamicDistributionGroupName> -Trustee <DelegatesUPNs> -AccessRights SendAs
To assign ‘Send on Behalf’ permissions for a distribution group to a Microsoft 365 user, use the “Set-DynamicDistributionGroup” as follows:
Set-DynamicDistributionGroup -Identity <DynamicDistributionGroupName> -GrantSendOnBehalfTo <DelegatesUPNs>
Replace <DynamicDistributionGroupName> with the appropriate group name and <DelegatesUPNs> with the UPN of the delegates.
To allow only the specified senders or groups to email the DDG, you can use the “Set-DynamicDistributionGroup” cmdlet with the “AcceptMessagesOnlyFromSendersOrMembers” parameter.
Set-DynamicDistributionGroup -Identity <DynamicDistributionGroupName> -AcceptMessagesOnlyFromSendersOrMembers <AllowedSenderUPNs>
To hide dynamic distribution list details from the global address book, use the following cmdlet.
Set-DynamicDistributionGroup -Identity <DynamicDistributionGroupName> -HiddenFromAddressListsEnabled $true
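The owner, moderation, delegate, and delivery settings above can be reviewed across every DDG in one pass. This read-only audit is an added example, not part of the original post; it assumes an existing Exchange Online PowerShell session, and the finding labels and output path are made up for the report.

```powershell
# Added example. Read-only; assumes Connect-ExchangeOnline has already been run.
$report = foreach ($ddg in Get-DynamicDistributionGroup -ResultSize Unlimited) {
    $findings = @()

    # No owner means nobody is accountable for the membership filter.
    if (-not $ddg.ManagedBy) { $findings += 'NoOwner' }

    # Empty allow-list means any sender can mail the whole group.
    if (-not $ddg.AcceptMessagesOnlyFromSendersOrMembers) { $findings += 'NoSenderAllowList' }

    # When this is false, unauthenticated (external) senders are accepted too.
    if (-not $ddg.RequireSenderAuthenticationEnabled) { $findings += 'ExternalSendersAccepted' }

    if (-not $ddg.ModerationEnabled) { $findings += 'NotModerated' }

    # Delegates who can send mail in the group's name.
    $sendAs = @(Get-RecipientPermission -Identity $ddg.PrimarySmtpAddress -AccessRights SendAs |
            Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' } |
            ForEach-Object { $_.Trustee })
    if ($sendAs.Count -gt 0)       { $findings += 'SendAsDelegates' }
    if ($ddg.GrantSendOnBehalfTo)  { $findings += 'SendOnBehalfDelegates' }

    # Current (cached) membership size, to spot filters that match far too many users.
    $members = @(Get-DynamicDistributionGroupMember -Identity $ddg.PrimarySmtpAddress -ResultSize Unlimited)

    [pscustomobject]@{
        Name            = $ddg.Name
        Address         = $ddg.PrimarySmtpAddress
        Owner           = $ddg.ManagedBy
        MemberCount     = $members.Count
        HiddenFromGAL   = $ddg.HiddenFromAddressListsEnabled
        SendAs          = $sendAs -join '; '
        SendOnBehalf    = @($ddg.GrantSendOnBehalfTo) -join '; '
        RecipientFilter = $ddg.RecipientFilter
        Findings        = $findings -join ', '
    }
}

# Largest groups first: a broad filter with no sender allow-list has the widest reach.
$report | Sort-Object MemberCount -Descending |
    Format-Table Name, Owner, MemberCount, HiddenFromGAL, Findings -AutoSize

# Keep the full rows (filter text, delegates) for review. The path is a placeholder.
$report | Export-Csv -Path .\ddg-audit.csv -NoTypeInformation -Encoding UTF8
```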
To remove the dynamic distribution group using PowerShell, just execute the “Remove-DynamicDistributionGroup” cmdlet with the appropriate DDG name.
Remove-DynamicDistributionGroup -Identity <DynamicDistributionGroupName>
Points to Remember
Here are some important points concerning the dynamic distribution list in Exchange Online:
- The Exchange admin center cannot be used to change the membership filter if the dynamic distribution list was created using the Exchange Management Shell (PowerShell).
- If a user no longer matches the DDG filter, they might continue to receive mail sent to the DDG for the next 24 hours, until the membership list is refreshed.
- The initial availability of the membership list after the creation of DDG may require 2 hours.
- Any changes to membership criteria or rules may also take up to 2 hours to redefine the members of the group.
If you’re in search of a comprehensive report on dynamic distribution groups, look no further than AdminDroid. As the ideal choice, AdminDroid’s Exchange Groups reports offer comprehensive insights into dynamic distribution lists. This lets you manage these groups by verifying details such as group name, alias, group owner, recipient filter, creation time, modification time, and more.
Furthermore, AdminDroid’s Exchange Online reports contain detailed information about all mailboxes, including usage, permissions, security, and Exchange settings. These reports facilitate enhanced analysis through its advanced filtering and customization capabilities, allowing users to focus on specific details.
In addition, AdminDroid’s Exchange Online auditing enables you to monitor mailbox activities and access permissions, providing a means to track configuration modifications in your M365 tenant. This proactive approach helps you mitigate threats and prevent data loss by staying updated on mailbox settings changes.
AdminDroid goes beyond Exchange Online management, offering distinct reports across all M365 services, including Teams, SharePoint, Power BI, Viva Engage, and more. As an added advantage, AdminDroid offers 120+ free Microsoft 365 reports, providing metrics on user details, group activities, manager info, license changes, and more.
Experience the full potential of AdminDroid with a 15-day free premium feature and access to all the 1800+ reports and 30+ dashboards with abilities like exporting, scheduling, and alerting.
Download AdminDroid – the Microsoft 365 reporting tool and explore it to redefine the landscape of your administrative control!
We hope that the above cmdlets empower you to efficiently manage Microsoft dynamic distribution groups, facilitating email collaboration among users with some defined rules. If you want to go beyond email collaboration and enable user collaboration across all Microsoft 365 services, you can create dynamic group membership using rules. Feel free to ask your doubts or queries in the comments section for any further assistance.