What to do when emails sent to a Dynamic Distribution Group are received by unwanted external recipients.

A DDG (Dynamic Distribution Group) is a mail-enabled Active Directory group, object that is created to expedite the mass sending of email messages within an organization.
Unlike regular distribution groups that contain a defined set of members, the membership list for DDG is calculated each time a message is sent to the group, based on the filters and conditions defined by you. When an email message is sent to a dynamic distribution group, it’s delivered to all recipients in the organization that match the criteria defined for that group.

The members of a DDG can be defined in the following in the following way: Selecting one / more / all of the following recipient types:
- all recipient types OR:
- users with Exchange mailboxes
- users with external email addresses
- resource mailboxes
- mail contacts with external email addresses
- mail-enabled groups
You can also click Add a rule (one or more) to define the criteria for membership in this group. The selectable attributes for creating one or more rules are: State or province, Company, Department, Custom attributeN (where N is a number from 1 to 15).

In some rare cases, it is possible that, even if you didn't select users with external email addresses OR mail contacts with external email addresses,  emails sent to the DDG to be received by an external recipient.

Look in Office 365 Admin Center. If you have SharePoint Online you will notice users like: user1_fabrikam.com#EXT#@contoso.com. These users are external users of your organization. When internal users share internal contents with external users, such as documents from the SharePoint libraries, Office 365 will automatically create accounts for these external users. These external users can be managed via Office 365 admin center and SharePoint admin center.

For example: vanity and default domain: @contoso.com, Office 365 initial domain: @contoso.onmicrosoft.com. You shared a document with external user: bill@fabrikam.com. The following user will appear in Office 365 Admin Center: bill_fabricam.com#EXT#@contoso.com.

If you will run in PowerShell:
get-msoluser -UserPrincipalName bill_fabricam.com#EXT#@contoso.com |fl
AlternateEmailAddresses : {bill@fabrikam.com}
CloudExchangeRecipientDisplayType : 6
ImmutableId :
IsLicensed : False
OverallProvisioningStatus : None
ProxyAddresses : {SMTP:bill@fabrikam.com} ### OR {SMTP:bill@fabrikam.com, smtp:bill_fabricam.com#EXT#@contoso.com} OR {}
UserPrincipalName : bill_fabricam.com#EXT#@contoso.com
UserType : Guest
ValidationStatus : Healthy

If you will create a DDG (DDG_All) selecting All users with Exchange mailboxes, you can run the following PowerShell command to see how the recipients were filtered:

Get-DynamicDistributionGroup DDG_All |fl RecipientFilter, LdapRecipientFilter
RecipientFilter: ((RecipientType -eq 'UserMailbox') -and (-not(Name -like 'SystemMailbox{*')) -and (-not(Name -like 'CAS_{*')) -and (-not(RecipientTypeDetailsValue -eq 'MailboxPlan')) -and (-not(RecipientTypeDetailsValue -eq 'DiscoveryMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'PublicFolderMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'ArbitrationMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'AuditLogMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'AuxAuditLogMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'SupervisoryReviewPolicyMailbox')))
LdapRecipientFilter: (&(!(!(objectClass=user)))(objectCategory=person)(mailNickname=*)(msExchHomeServerName=*)(!(name=SystemMailbox{*))(!(name=CAS_{*))(!(msExchRecipientTypeDetails=16777216))(!(msExchRecipientTypeDetails=536870912))(!(msExchRecipientTypeDetails=68719476736))(!(msExchRecipientTypeDetails=8388608))(!(msExchRecipientTypeDetails=4398046511104))(!(msExchRecipientTypeDetails=70368744177664))(!(msExchRecipientTypeDetails=140737488355328)))

In PowerShell we can edit the RecipientFilter. LdapRecipientFilter is automatically generated from the Recipient filter.
The *#EXT#* users created by SharePoint have RecipientTypeDetails.value: 35184372088832. If these type of users are included in the DDG filter (and they receive emails sent to the group), they have to be excluded.
If trying to edit LdapRecipientFilter: adding !(msExchRecipientTypeDetails=35184372088832) I discovered that LdapRecipientFilter cannot be modified as needed. The solution is to modify the RecipientFilter.

In order to do that, please follow the steps:

Extract the RecipientFilter from your group:
Get-DynamicDistributionGroup -Identity "Your_DDG” | FL RecipientFilter

You will have something like:
RecipientFilter: ((RecipientType -eq 'UserMailbox') -and (-not(Name -like 'SystemMailbox{*')) -and (-not(Name -like 'CAS_{*')) -and (-not(RecipientTypeDetailsValue -eq 'MailboxPlan')) -and (-not(RecipientTypeDetailsValue -eq 'DiscoveryMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'PublicFolderMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'ArbitrationMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'AuditLogMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'AuxAuditLogMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'SupervisoryReviewPolicyMailbox')))

Add to the recipient filter (obtained with above command): -and (-not(RecipientTypeDetailsValue -eq 'GuestMailUser')) , and write it back with following command:
Set-DynamicDistributionGroup -Identity "Your_DDG" -RecipientFilter {((RecipientType -eq 'UserMailbox') -and (-not(Name -like 'SystemMailbox{*')) -and (-not(Name -like 'CAS_{*')) -and (-not(RecipientTypeDetailsValue -eq 'MailboxPlan')) -and (-not(RecipientTypeDetailsValue -eq 'DiscoveryMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'PublicFolderMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'ArbitrationMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'AuditLogMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'AuxAuditLogMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'SupervisoryReviewPolicyMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'GuestMailUser')) )}

Check if the command modified the LdapRecipientFilter and !(msExchRecipientTypeDetails=35184372088832) was added:
Get-DynamicDistributionGroup -Identity "Your_DDG” | FL RecipientFilter, LdapRecipientFilter

Now the issue is SOLVED. Thank you for reading my article.


You can find more detailed information about the Office 365 DDG, if you follow the links:
Manage dynamic distribution groups - https://technet.microsoft.com/en-us/library/bb123722%28v=exchg.160%29.aspx?f=255&MSPPError=-2147217396
Get-DynamicDistributionGroup - https://technet.microsoft.com/en-us/library/bb124762(v=exchg.160).aspx
Set-DynamicDistributionGroup - https://technet.microsoft.com/en-us/library/bb123796(v=exchg.160).aspx