Create and manage dynamic distribution groups in Exchange Online

Dynamic distribution groups (DDGs) are mail-enabled Active Directory group objects that are created to expedite the mass sending of email messages and other information within your Microsoft Exchange organization.

The DDGs in Exchange Online behave differently when compared to DDGs in the on-premises version of Exchange Server. Unlike regular distribution groups that contain a defined set of members, the membership list for DDGs is based on filters and conditions that you define. This membership list is initially calculated and stored for each DDG upon creation or when its membership rules are modified, and then refreshed once every 24 hours. When an email message is sent to a DDG, it's delivered to all the recipients present in the membership list at that time.

Since 24 hours is the time interval for every refresh of the membership list of DDGs, here are some challenges you might face in between every refresh:

  1. The list of DDG members might become stale: In between every refresh, the list of DDG members might become stale. For example, if a user has left a department that was used as a filter for the DDG, they might continue to receive emails that are sent to the DDG for the next 24 hours until the membership list is refreshed.
  2. Impact on Mail flow rules (also known as transport rules): Mail flow rules are also affected by this behavior because the membership list that the mail flow rules use is also refreshed once every 24 hours.

A DDG includes any recipient in Active Directory with attribute values that match its filter. If a recipient's properties are modified to match the filter, the recipient could inadvertently become a group member and start receiving messages that are sent to the group. Well-defined, consistent account-provisioning processes reduce the chances of this issue occurring.

DDGs aren't synced from Exchange Online to Microsoft Entra ID or to your on-premises Active Directory. Therefore, features such as Azure Conditional Access don't support being scoped to an Exchange Online DDG.

Types of filters

DDGs are built either with a pre-canned filter or with a custom recipient filter.

Pre-canned filters in dynamic distribution groups

Pre-canned filters are convenient if you want to construct a DDG with simple rules based on the supported attributes that are described in the following table:

Attribute Send message to a recipient if...
State or province The specified value matches the recipient's State or Province property.
Company The specified value matches the recipient's Company property.
Department The specified value matches the recipient's Department property.
Custom attribute N (where N is a number from 1 to 15) The specified value matches the recipient's CustomAttributeN property.

You can combine multiple rules to define membership with pre-canned filters, but only the logical operator AND is supported. You can create DDGs with pre-canned filters using either the Exchange Admin Center (EAC) or the Exchange Online PowerShell.

Custom recipient filters

If you want to specify rules for attributes other than the ones mentioned in the preceding table (in Pre-canned filters in Dynamic Distribution Groups), or you want to combine multiple rules using logical operators other than AND, you must use a custom recipient filter. You can create DDGs with custom recipient filters by using only Exchange Online PowerShell, and by using the RecipientFilter parameter.

For more information about the filterable properties that you can use with the RecipientFilter parameter, see Filterable properties for the RecipientFilter parameter.

For more information about the supported operators that you can use in a custom recipient filter, see Filters in the Exchange Online PowerShell module.

Important

Using a wildcard as a prefix (for example, "Property -like '*abc'") isn't supported in custom recipient filters for DDGs in Exchange Online due to low performance and degraded experience.

Before you begin

Create a dynamic distribution group

Note

It can take up to 2 hours for the initial membership list to be calculated and to be made available for use after you create a DDG.

In the EAC, you can create DDGs with only pre-canned filters.

To create a DDG in EAC, perform the following steps:

  1. In the EAC, select Recipients > Groups.

  2. Select Add a group and follow the instructions in the Details pane.

    • Under Choose a group type section, select Dynamic distribution and select Next.

    • Under Set up the basics section, enter the details and select Next.

  3. Under Assign Users section, select the group owner from the Owner drop-down list.

  4. Use the Members section to specify the types of recipients for the group and to set up rules that determine membership. Select one of the following boxes:

    • All recipient types: Select this checkbox to send messages that meet the criteria defined for this group to all recipient types.

    • Only the following recipient types: Select this checkbox to send messages that meet the criteria defined for this group to one or more of the following recipient types:

      • Users with Exchange mailboxes: Select this checkbox if you want to include users that have Exchange mailboxes. Users that have Exchange mailboxes are those users that have a user domain account and a mailbox in the Exchange organization. Resource mailboxes are also included.

      • Mail users with external email addresses: Select this checkbox if you want to include users that have external email addresses. Users that have external email accounts have user domain accounts in Active Directory, but use email accounts that are external to the organization. This enables them to be included in the global address list (GAL) and to be added to distribution lists.

      • Resource mailboxes: Select this checkbox if you want to include Exchange resource mailboxes. Resource mailboxes allow you to administer company resources through a mailbox, such as a conference room or a company vehicle.

      • Mail contacts with external email addresses: Select this checkbox if you want to include contacts that have external email addresses. Contacts that have external email addresses don't have user domain accounts in Active Directory, but the external email address is available in the GAL.

      • Mail-enabled groups: Select this checkbox if you want to include security groups or distribution groups that have been mail-enabled. Mail-enabled groups are similar to distribution groups. Email messages that are sent to a mail-enabled group account will be delivered to several recipients.

  5. Select one of the attributes specified in the table under Pre-canned filters in dynamic distribution groups from the Select condition drop-down list and provide a value to define the criteria for membership in this group.

    Screenshot that shows the Select condition drop-down list.

    Important

    The values that you enter for the selected attribute must exactly match those that appear in the recipient's properties. For example, if you enter Washington for State or province, but the value for the recipient's property is WA, the condition won't be met. Also, text-based values that you specify aren't case-sensitive. For example, if you specify Contoso for the Company attribute, messages will be sent to a recipient if this value is contoso.

  6. To add another rule to define the criteria for membership, select Add another rule. When you've finished, select Next.

    Important

    If you add multiple rules to define membership, a recipient must meet the criteria of each rule to be added as a member to the DDG. In other words, each rule is connected with the Boolean operator AND.

  7. Under Edit settings section, enter the group email address and select Next.

  8. Under Review and finish adding group section, verify all the details, select Create group and then select Close.

How do you know this worked?

To verify that you've successfully created a DDG, perform one of the following steps:

  • In the EAC, select Recipients > Groups > Dynamic distribution list. The new DDG is displayed in the group list.

  • In Exchange Online PowerShell, run the following command to display information about the new DDG, replacing DDGIdentity with the name, alias, or email address of the DDG.

    Get-DynamicDistributionGroup -Identity <DDGIdentity>
    

After successful creation of DDG, you need to wait up to 2 hours for the initial membership list to be calculated, before you can use the DDG. To verify that the desired membership list was calculated correctly, after 2 hours, see View members of a DDG.

Change dynamic distribution group properties

You can change the group properties, including the filters and criteria used to calculate the group's membership list, by performing the following steps:

  1. In the EAC, select Recipients > Groups > Dynamic distribution list.

  2. In the list of groups, select the DDG that you want to view or change.

  3. On the group's properties page, select one of the following sections to view or change properties:

General

Use this section to view or change:

  • The following properties of the group under Basic information section:

    • Name: This name appears in the address book, on the To: line when an email is sent to this group, and in the Groups list. The display name is required and should be user-friendly so that people recognize what it is. It also has to be unique in your domain.

    • Description: Use this option to describe the group so that people know what the purpose of the group is. This description appears in the address book and in the Details pane in the EAC.

  • Under Email addresses section, you can view or change the email addresses associated with the group. These addresses include the group's primary SMTP addresses and any associated proxy addresses. Select Edit to change/edit the Primary email address and to add/delete Aliases, and then select Save changes.

    • You can also select the group and then select Edit email addresses from the toolbar to change/edit the Primary email address and to add/delete Aliases, and then select Save changes.

Members

Use this section to change/edit the following:

  • Under Owners section, select View all and manage owners to add/remove group owners from the drop-down list and then select Save changes.

Note

The DDG must have at least one owner.

  • Use Members section to change the criteria used to determine membership of the group. You can delete or change existing membership rules and add new rules. For procedures that tell you how to manage membership rules, see Create a dynamic distribution group.

Important

Once the new membership rules are applied, the old membership list is cleared out. It can take up to 2 hours for the membership list to be recalculated with the new membership rules. During this time, the DDG may not be available for use.

Settings

Under General settings section, select the checkbox Hide from my organization's global address list if you want to hide the group from the list.

Delivery management

Use this section to manage who can send emails to this group.

  • Sender options

    By default, only people inside your organization can send messages to this group. You can also allow people outside the organization to send messages to this group.

    • Only allow messages from people inside my organization: Select this option to allow only senders in your organization to send messages to the group. This option's activation means that if someone outside your organization sends an email message to this group, it's rejected. This setting is the default setting.

    • Allow messages from people inside and outside my organization: Select this option to allow anyone to send messages to the group.

  • Specified senders

    You can further limit who can send messages to the group by allowing only specific senders to send messages to this group. Select/remove one or more recipients/groups from the drop-down list. If you add senders to this list, they're the only ones who can send emails to the group. Emails sent by anyone not in the list are rejected.

    Important

    If you've configured the group to allow only senders inside your organization to send messages to the group, emails sent from a mail contact are rejected, even if they're added to this list.

Manage delegates

Use this section to assign permissions to a user (called a delegate) to allow them to send messages as the group or send messages on behalf of the group. You can assign the following permissions:

  • Send as: This permission allows the delegate to send messages as the group. After this permission is assigned, the delegate has the option to add the group to the From line to indicate that the message was sent by the group.

  • Send on behalf: This permission also allows a delegate to send messages on behalf of the group. After this permission is assigned, the delegate has the option to add the group on the From line. The message will appear to be sent by the group and will say that it was sent by the delegate on behalf of the group.

To assign permissions to delegates in EAC, select Edit manage delegates, add the delegates, select the Permission type from the drop-down list, and select Save changes.

Message approval

Use this section to set options for moderating the group. Moderators approve or reject messages sent to the group before the messages reach the group members.

  • Require moderator approval for messages sent to this group: This option is a checkbox and it's not selected by default. If you select this checkbox, incoming messages are reviewed by the group moderators before delivery. Group moderators can approve or reject incoming messages.

  • Group moderators: To add/remove group moderators, search/add users from the drop-down list. If you've selected Require moderator approval for messages sent to this group and you don't select a moderator, messages to the group are sent to the group owners for approval.

Note

This option is valid only if you have checked the Require moderator approval for messages sent to this group checkbox.

  • Add senders who don't require message approval: To add/remove users that can bypass moderation for this group, search/add users from the drop-down list.

  • Notify a sender if their message isn't approved:: This option contains three sub-options, each of which has a radio button for you to select. These sub-options enable you to set how users are notified about message approval.

    • Only sender: This setting is the default setting. When this setting is enabled, a notification is sent to all senders, inside and outside your organization, when their message isn't approved.

    • Only senders in your organization: When you select this option, only users or groups in your organization are notified when a message that they sent to the group isn't approved by a moderator.

    • No notifications: When you select this option, notifications aren't sent to senders whose messages aren't approved by the group moderators.

How do you know this worked?

To verify that you've successfully changed properties for a DDG:

  • In EAC, select the group to view the property or feature that you changed. Depending on the property or feature that you changed, it might be displayed in the Details pane for the selected group.
  • With Exchange Online PowerShell, use the Get-DynamicDistributionGroup cmdlet to verify the changes. One advantage of using Exchange Online PowerShell is that you can view multiple properties for multiple groups. Run the following command to verify the new values:
   Get-DynamicDistributionGroup -ResultSize unlimited | Format-List Name,HiddenFromAddressListsEnabled,MaxReceiveSize,ModerationEnabled,ModeratedBy

If you modified the membership rules, you'll need to wait up to 2 hours for the membership list to be recalculated with the new membership rules. To verify that the new membership list was calculated correctly, after 2 hours, see View members of a dynamic distribution group.

View members of a dynamic distribution group

You can view the members of a dynamic distribution group (DDG) by using EAC or Exchange Online PowerShell.

To view the members of a DDG in EAC, perform the following steps after signing in to EAC:

  1. Select Recipients > Groups > Dynamic distribution list.
  2. Select the desired group from the group list.
  3. Navigate to the Members tab.
  4. Under the Members section, select View all members. On the resultant page, you can also search for members using the Search members list field.

Screenshot that shows the page on which you can view the members of a DDG.

Troubleshoot membership issues

For information on the remedies related to troubleshooting DDG membership issues, see Troubleshoot dynamic distribution group membership issues.