Manage groups in EOP

You can use Exchange Online Protection (EOP) to create mail-enabled groups for an Exchange organization. You can also use EOP to define or update group properties that specify membership, email addresses, and other aspects of groups. You can create distribution groups and security groups, depending on your needs. These groups can be created by using the Exchange admin center (EAC) or via remote Windows PowerShell.

Types of mail-enabled groups

You can create two types of groups for your Exchange organization:

  • Create a group in the EAC (also known as distribution groups) are collections of email users, such as a team or other ad hoc group, who need to receive or send email regarding a common area of interest. Distribution groups are exclusively for distributing email messages. In EOP, a distribution group refers to any mail-enabled group, whether or not it has a security context.

  • Edit or remove a group in the EAC (also known as security groups) are collections of email users who need access permissions for Admin roles. For example, you might want to give specific group of users admin role permissions so they can configure anti-spam and anti-malware settings.


    By default, all new mail-enabled security groups require that all senders be authenticated. This prevents external senders from sending messages to mail-enabled security groups.

Before you begin

  • You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Distribution Groups and Security Groups" entry in the Feature permissions in EOP topic.

  • Be aware that when creating and managing groups by using remote PowerShell cmdlets, you may encounter throttling.

  • This cmdlet uses a batch processing method that results in a propagation delay of a few minutes before the results of the cmdlet are visible.

  • To learn how to use Windows PowerShell to connect to Exchange Online Protection, see Connect to Exchange Online Protection Using Remote PowerShell.

  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.


Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Server,Exchange Online, or Exchange Online Protection.

Create a group in the EAC

  1. In the Exchange admin center (EAC), go to Recipients > Groups.

  2. Click NewAdd Icon, and then click Distribution group or Security group, depending on your needs. See Types of mail-enabled groups for the distinction.

  3. On the New distribution group or New security group page, complete the following fields:

  • Display name Type a display name that's unique to your organization and meaningful to EOP users. The display name is required.

  • Alias Type a group alias of up to 64 characters that's unique to your organization. EOP users type the alias in the To: line of email messages and the alias resolves to the group's display name. If you change the alias, the primary SMTP address for the group also changes and will contain the new alias. The alias is required.

  • Description Type a description of the group so that people will know the purpose of the group.

  • Owners By default, the person who creates the group is the owner. You can add an owner by choosing AddAdd Icon. All groups must have at least one owner.


    Owners don't have to be members of the group.

  • Members Use this section to add group members and to specify whether approval is required for people to join or leave the group. To add members to the group, click AddAdd Icon.

  1. Click OK to return to the original page.

  2. When you've finished, click Save to create the group. The new group should appear in the list of groups.

Edit or remove a group in the EAC

  1. In the EAC, navigate to Recipients > Groups.

  2. Do one of the following:

  • To edit a group: In the list of groups, click the distribution or security group that you want to view or change, and then click Edit Edit icon. You can update general settings, add or remove group owners, and add or remove group members, as needed.

  • To remove a group: Select the group and click RemoveRemove icon.

  1. When you're finished making your changes, click Save.

Create, edit, or remove a group using remote Windows PowerShell

This section provides information about creating groups and changing their properties by using remote Windows PowerShell. It also shows how to remove an existing group.

To create a group using remote Windows PowerShell

This example uses the New-EOPDistributionGroup cmdlet to create a distribution group with an alias of itadmin and the name IT Administrators. It also adds users as members of the group.

New-EOPDistributionGroup -Type "Distribution" -Name "IT Administrators" -Alias itadmin -Members @("Member1","Member2","Member3") -ManagedBy "Member1"

To create a security group instead of a distribution group, specify -Type "Security" instead.

To verify that you've successfully created the IT Administrators group, run the Get-Recipient cmdlet to display information about the new group:

Get-Recipient "IT Administrators" | Format-List

To get a list of members in the group, run the Get-DistributionGroupMember cmdlet as follows:

Get-DistributionGroupMember "IT Administrators"

To get a full list of all your groups, run the Get-Recipient cmdlet as follows:

Get-Recipient -RecipientType "MailUniversalDistributionGroup" | FT | more

To change the properties of a group using remote Windows PowerShell

Use the Get-Recipient and Set-EOPDistributionGroup cmdlets to view and change properties for groups. An advantage of using remote PowerShell instead of the EAC is the ability to change properties for multiple groups.

Here are some examples of using remote Windows PowerShell to change group properties.

This example uses the Set-EOPDistributionGroup cmdlet to change the primary SMTP address (also called the reply address) for the Seattle Employees group to

Set-EOPDistributionGroup "Seattle Employees" -PrimarysmptAddress ""

To verify that you've successfully changed the properties for a group, use the Get-Recipient cmdlet to verify the changes. One advantage of using remote PowerShell is that you can view multiple properties for multiple groups. In the previous example where the primary SMTP address group was changed, run the following command to verify the new value:

Get-Recipient "Seattle Employees" | FL "PrimarySmtpAddress"

This example uses the Update-EOPDistributionGroupMember cmdlet to update all the members of the Seattle Employees group. Use a comma to separate all members.

Update-EOPDistributionGroupMember -Identity "Seattle Employees" -Members @("Member1","Member2","Member3","Member4","Member5")

To get the list of all the members in the group Seattle Employees, use the Get-DistributionGroupMember cmdlet as follows:

Get-DistributionGroupMember "Seattle Employees"

To remove a group using remote Windows PowerShell

This example uses the Remove-EOPDistributionGroup cmdlet to remove a distribution group named IT Administrators.

Remove-EOPDistributionGroup -Identity "IT Administrators" 

To verify that the group was removed, run the Get-Recipient cmdlet as follows, and confirm that the group (in this case "It Administrators") was deleted.

Get-Recipient -RecipientType "MailUniversalDistributionGroup"