This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 21%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
I'm unable to create groups with aliases such as abuse@keyman or postmaster@keyman . According to this document, "Groups with the following highly privileged email aliases can only be created by an Azure AD global administrator." However, I still get an error message "Email address is not available" when I try with a global admin account. Is there a way to disable this restriction completely?
I seem to be able to repro this when using the Exchange cmdlets to create mail-enabled security group. Ignoring naming policy switch doesn't seem to help, so let me ask around.
Hello @MCob ,
Thanks for reaching out.
Unfortunately, no we can't disable default Reserved aliases however these highly privileged email aliases can only be created by an Azure AD global administrator.
Are you facing issue with Azure as well on Office 365 admin portal ? also wondering are you getting unauthorize error when you try form Azure AD module New-UnifiedGroup and O365 module New-UnifiedGroup ? try sharing ReguestID and TimeStamp as shown below which would help me getting more insight on this issue. Thanks.
------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
So, when running the command above exactly as you typed (to create a security group with name/alias "abuse"), as a global AD admin, I don't get an error. It works fine.
But if I try to create an O365 group, or try to create a distribution group by running an Exchange PowerShell command, then it fails:
The value specified for property Alias is incorrect.
Reason: ContainsBlockedWord DualWrite (Graph)
RequestId: f1ece4b6-551f-46d8-9db7-1c0dc0af45da
I get this same error from the Office 365 Admin Portal and from the Exchange Admin Center.
Thanks for the update.
I verified with our product team and understand that Distribution Group (NOT M365 group) creation having block policy inplace even for Global administrator role which block to create alias with reserved names and team working to fix the issue unfortunately no ETA for now.
However, I would request you to contact Microsoft support for M365 group creation issue since this would require further investigation and live troubleshooting. If you don't have support plan then I can help you with one-time free support.
Hope this helps. Thanks
Thanks for the reply, @sikumars-msft. I had already contacted Office 365 support, and they escalated the ticket internally a few times over almost 3 weeks now. In the end, the answer was (paraphrasing) "Sorry, that's how it is now." I asked why the change was made, or even when, and why there's no documentation anywhere (atypical for a system-wide modification like this) -- they said there is internal documentation on the change, but not released to the public.
They also informed me of a workaround: create the group with a different name/alias/email. Then use PowerShell to add the email with the blocked word as an additional SMTP handler to the group. It's more work, but it completely bypasses the restriction. Then why have this obscure restriction at all?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 81%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
Sorry but this kind of indifference in the product doesn't make any sense.
We can create the alias on one object class but not another?
We don't need to create M365 Groups for everything.
We don't need to create Security Groups just to have an email address that isn't going to be used anywhere.
It's a rather ridiculous enforcement policy to be honest - and as stated above , the errors and lack of documentation aren't just frustrating, it's unnecessary.
Is the only complete list I can find and for Microsoft to introduce what is effective a breaking change without communicating with the community - at least, nothing I've seen - is also short sighted.
https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/configure-external-postmaster-address
This is the only documentation that I can find on configuring a postmaster address and to be frank, it's only use is for sending NDRs.
The default behavior of adding an EMAIL DOMAIN should be to configure this option and allow it to be overwritten by other methods.
By putting in this breaking change, I now cannot modify distribution lists that were created with postmaster/abuse@keyman .
It should also be noted that executing:
Get-AzureADDirectorySetting | Select -ExpandProperty Values
Returns the following:
PS C:\Windows\system32> Get-AzureADDirectorySetting | Select -ExpandProperty Values
Name Value
---- -----
EnableMIPLabels false
CustomBlockedWordsList
EnableMSStandardBlockedWords false
ClassificationDescriptions
DefaultClassification
PrefixSuffixNamingRequirement
AllowGuestsToBeGroupOwner false
AllowGuestsToAccessGroups true
GuestUsageGuidelinesUrl
GroupCreationAllowedGroupId
AllowToAddGuests true
UsageGuidelinesUrl
ClassificationList
EnableGroupCreation false
Notice that EnableMSStandardBlockedWords is set to False and you still can't use abuse/postmaster etc?
Notice that EnableMSStandardBlockedWords is set to False and you still can't use abuse/postmaster etc?
I pointed this out to multiple layers of tech support too. They didn't seem to think this was a problem.
It's a rather ridiculous enforcement policy to be honest
Agreed, it is a ridiculous rule, enforced only during object creation but then allowing ways to edit the object and bypass the policy. Imagine NTFS security enforced the same way: you can't create files on this folder, but if you created them in another folder then we'll allow you to copy them here. Stupid.