Manage dynamic distribution groups in Exchange Online

Note

A new version of this feature is currently being rolled out to customers. Modern Dynamic Distribution Groups will be fully released by April 2022, replacing the earlier method.

Dynamic distribution groups (DDGs) are mail-enabled Active Directory group objects that are created to expedite the mass sending of email messages and other information within a Microsoft Exchange organization.

DDGs in Exchange Online have been modernized to bring a more reliable, predictable, and better performing experience. This change will reduce mail delivery latency, improve service reliability, and allow you to see the members of a DDG before sending a message.

The membership list is now stored for each DDG and is updated once every 24 hours. You'll know exactly to whom the message is being sent, and it also addresses potential compliance issues. By storing the calculated list of members on the DDG object, messages can be delivered more quickly and our service will have greater reliability.

Important

Government cloud: If your tenant resides in a government cloud, including GCC, GCC High, or DoD, Dynamic Distribution Groups function differently.

To learn more, see Using Dynamic Distribution groups in a government cloud

Important changes in DDGs

As of April 2022, DDGs now perform differently than before. Review the changes in the table below:

Area Old behavior New behavior
Mail delivery latency Unpredictable. The time it takes to deliver mail to a DDG depends on how complex the filters are on that DDG. Faster and more predictable overall. You should see delivery times more in line with those for regular distribution groups.
Creation DDGs could be used immediately after being created. It takes 2 hours for the initial membership list to be calculated and be available for use.
Modification DDGs could be used immediately after any changes were made Users have to wait up to 2 hours for the membership list to be recalculated and links updated.
Membership list "freshness" The list of members was up to date in real time. The list of members for each DDG is refreshed every 24 hours.

Important

The list of DDG members might become stale. For example, if a user has left a department that was used as a filter for the DDG, they might continue to receive mail that's sent to the DDG for the next 24 hours util the membership list is refreshed.

Mail flow rules (also known as transport rules) are also affected by this behavior, because the membership list that the mail flow rules use is also refreshed once every 24 hours.

Important

  • A dynamic distribution group includes any recipient in Active Directory with attribute values that match its filter. If a recipient's properties are modified to match the filter, the recipient could inadvertently become a group member and start receiving messages that are sent to the group. Well-defined, consistent account provisioning processes will reduce the chances of this issue occurring.
  • Dynamic distribution groups are not synced from Exchange Online to Azure Active Directory or to your on-premises Active Directory. Therefore, features such as Azure Conditional Access do not support being scoped to an Exchange Online dynamic distribution group.

Before you begin

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.

Create a dynamic distribution group

Use the new EAC to create a dynamic distribution group.

Important

It can take up to 2 hours for the initial membership list to be calculated and be available for use.

  1. In the new EAC, navigate to Recipients > Groups.

  2. Select Add a group and follow the instructions in the details pane.

    • Under Choose a group type section, select Dynamic distribution group and select Next.

    • Under Set up the basics section, enter the details and select Next.

  3. In Assign Users section, select the group owner from the drop-down list.

  4. Use the Members section to specify the types of recipients for the group and set up rules that will determine membership. Select one of the following boxes:

    • All recipient types: Choose this option to send messages that meet the criteria defined for this group to all recipient types.

    • Only the following recipient types: Messages that meet the criteria defined for this group will be sent to one or more of the following recipient types:

      • Users with Exchange mailboxes: Select this check box if you want to include users that have Exchange mailboxes. Users that have Exchange mailboxes are those that have a user domain account and a mailbox in the Exchange organization. Resource mailboxes are also included.

      • Mail users with external email addresses: Select this check box if you want to include users that have external email addresses. Users that have external email accounts have user domain accounts in Active Directory, but use email accounts that are external to the organization. This enables them to be included in the global address list (GAL) and added to distribution lists.

      • Resource mailboxes: Select this check box if you want to include Exchange resource mailboxes. Resource mailboxes allow you to administer company resources through a mailbox, such as a conference room or a company vehicle.

      • Mail contacts with external email addresses: Select this check box if you want to include contacts that have external email addresses. Contacts that have external email addresses don't have user domain accounts in Active Directory, but the external email address is available in the GAL.

      • Mail-enabled groups: Select this check box if you want to include security groups or distribution groups that have been mail-enabled. Mail-enabled groups are similar to distribution groups. Email messages that are sent to a mail-enabled group account will be delivered to several recipients.

  5. Select one of the following attributes from the drop-down list and provide a value to define the criteria for membership in this group.

    Attribute Send message to a recipient if...
    State or province The specified value matches the recipient's State or province property.
    Company The specified value matches the recipient's Company property.
    Department The specified value matches the recipient's Department property.
    Custom attribute N (where N is a number from 1 to 15) The specified value matches the recipient's CustomAttributeN property.

    Important

    The values that you enter for the selected attribute must exactly match those that appear in the recipient's properties. For example, if you enter Washington for State or province, but the value for the recipient's property is WA, the condition will not be met. Also, text-based values that you specify aren't case-sensitive. For example, if you specify Contoso for the Company attribute, messages will be sent to a recipient if this value is contoso.

  6. To add another rule to define the criteria for membership, select Add another rule, when you've finished, select Next.

    Important

    If you add multiple rules to define membership, a recipient must meet the criteria of each rule to receive a message sent to the group. In other words, each rule is connected with the Boolean operator AND.

  7. In Edit settings section, enter the group email address and select Next.

  8. In Review and finish adding group section, verify all the details, select Create group and then select Close.

Note

If you want to specify rules for attributes other than the ones available in the new EAC, you must use Exchange Online PowerShell to create a dynamic distribution group. Keep in mind that the filter and condition settings for dynamic distribution groups that have custom recipient filters can be managed only by using Exchange Online PowerShell. For an example of how to create a dynamic distribution group with a custom query, see the next section on using Exchange Online PowerShell to create a dynamic distribution group.

Change dynamic distribution group properties

You can change the group properties, here's how.

  1. In the new EAC, navigate to Recipients > Groups > Dynamic distribution list.

  2. In the list of groups, select the dynamic distribution group that you want to view or change.

  3. On the group's properties page, select one of the following sections to view or change properties.

General

Use this section to view or change basic information about the group.

  • Name: This name appears in the address book, on the To: line when email is sent to this group, and in the Groups list. The display name is required and should be user-friendly so people recognize what it is. It also has to be unique in your domain.

  • Description: Use this box to describe the group so people know what the purpose of the group is. This description appears in the address book and in the Details pane in the new EAC.

Email options in new EAC

Use this section to view or change the email addresses associated with the group. This includes the group's primary SMTP addresses and any associated proxy addresses. Under Edit email addresses page, change/edit the Primary email address, add/delete Aliases and then select Save changes.

You can also select the group and then select Edit email addresses from the toolbar to change/edit the Primary email address, add/delete Aliases and then select Save changes.

Members

Use this section to change/edit the following:

  • Under Owners section, select View all and manage owners to add/remove group owners from the drop-down list and then select Save changes. The dynamic distribution group must have at least one owner.

  • Use Members section to change the criteria used to determine membership of the group. You can delete or change existing membership rules and add new rules. For procedures that tell you how to do this, see Create a dynamic distribution group

Important

It can take up to 2 hours for the membership list to be recalculated and links updated.

Settings

Under General settings section, select the checkbox Hide from my organization's global address list if you want to hide the group from the list.

Delivery management

Use this section to manage who can send email to this group.

  • Sender options

    By default, only people inside your organization can send message to this group. You can also allow people outside the organization to send to this group.

    • Only allow messages from people inside my organization: Select this option to allow only senders in your organization to send messages to the group. This means that if someone outside your organization sends an email message to this group, it is rejected. This is the default setting.

    • Allow messages from people inside and outside my organization: Select this option to allow anyone to send messages to the group.

  • Specified senders

    You can further limit who can send messages to the group by allowing only specific senders to send messages to this group. Select/remove one or more recipients/group from the drop-down list. If you add senders to this list, they're the only ones who can send mail to the group. Mail sent by anyone not in the list will be rejected.

    Important

    If you've configured the group to allow only senders inside your organization to send messages to the group, email sent from a mail contact is rejected, even if they're added to this list.

Manage delegates

Use this section to assign permissions to a user (called a delegate) to allow them to send messages as the group or send messages on behalf of the group. You can assign the following permissions:

  • Send As: This permission allows the delegate to send messages as the group. After this permission is assigned, the delegate has the option to add the group to the From line to indicate that the message was sent by the group.

  • Send on Behalf: This permission also allows a delegate to send messages on behalf of the group. After this permission is assigned, the delegate has the option to add the group on the From line. The message will appear to be sent by the group and will say that it was sent by the delegate on behalf of the group.

To assign permissions to delegates in new EAC, add the delegates under the Edit delegates page, select the Permission type from the drop-down list and select Save changes.

Message approval

Use this section to set options for moderating the group. Moderators approve or reject messages sent to the group before they reach the group members.

  • Require moderator approval for messages sent to this group: This check box isn't selected by default. If you select this check box, incoming messages are reviewed by the group moderators before delivery. Group moderators can approve or reject incoming messages.

  • Group moderators: To add/remove group moderators, search/add users from the drop-down list. If you've selected Require moderator approval for messages sent to this group and you don't select a moderator, messages to the group are sent to the group owners for approval.

  • Add senders who don't require message approval: To add/remove users that can bypass moderation for this group, search/add users from the drop-down list.

  • Notify a sender if their message isn't approved:: Use this section to set how users are notified about message approval.

    • Only sender: This is the default setting. Notify all senders, inside and outside your organization, when their message isn't approved.

    • Only senders in your organization: When you select this option, only users or groups in your organization are notified when a message that they sent to the group isn't approved by a moderator.

    • No notifications: When you select this option, notifications aren't sent to senders whose messages aren't approved by the group moderators.

How do you know this worked?

To verify that you've successfully changed properties for a dynamic distribution group:

  • Select the group to view the property or feature that you changed. Depending on the property that you changed, it might be displayed in the details pane for the selected group.

Using DDGs in a government cloud

If your tenant resides in a government cloud, including GCC, GCC High, or DoD, the Dynamic Distribution Groups, DDGs function differently.

For government clouds, the membership list for dynamic distribution groups is calculated each time a message is sent to the group, based on the filters and conditions that you define. When an email message is sent to a dynamic distribution group, it's delivered to all recipients in the organization that match the criteria defined for that group.

View group members (Government cloud only)

Use Exchange Online PowerShell to preview the list of members of a dynamic distribution group

This example returns the list of members for the dynamic distribution group named Full Time Employees.

$FTE = Get-DynamicDistributionGroup "Full Time Employees"
Get-Recipient -RecipientPreviewFilter $FTE.RecipientFilter -OrganizationalUnit $FTE.RecipientContainer
This example displays the list of users and email addresses for the same group if it has more than 1,000 members.
$FTE = Get-DynamicDistributionGroup "Full Time Employees"
Get-Recipient -ResultSize Unlimited -RecipientPreviewFilter $FTE.RecipientFilter -OrganizationalUnit $FTE.RecipientContainer | Format-Table Name,Primary*

For detailed syntax and parameter information, see Get-DynamicDistributionGroupMember.

How do you know this worked? To verify that you've successfully viewed the members of a dynamic distribution group, run Get-DynamicDistributionGroupMember to view the list of group members. For example, if you created a new user mailbox with properties that match the recipient filter for the dynamic distribution group, this new mailbox should be displayed in the list of group members.