Forum Discussion

WhamboMPS
Copper Contributor
Nov 19, 2023

Enable Guests to be able to send email to Group

The goal of this post is to find a way to allow specific external users to send an email message to a Group. I wish to do this via whitelist: I do not want to allow all external users to message the group. I also do not want to require the external user to be a member of the Group they wish to message (e.g. via a Guest User account). With this framework in mind, let me lay out how I think the permissions operate natively on the system...

By design, both internal User Accounts and external parties can send email to other User Accounts on an MS 365 tenant. However, also by design, while internal User Accounts can send a message to a Group, external parties cannot send an email to a Group:

Sender | Can send email to User | Can send email to Group that sender is not a Member of
User Accounts on the tenant | Yes | Yes
External users not registered on the tenant | Yes | No

[If I have any of the above wrong, I would welcome your corrections!]

The red "No" permission above can be altered by enabling the "Let people outside the organization email this team" setting for the Group. Flipping this bit to enabled, however, is a global setting which allows all external parties to send emails to the Group's email address; that creates a spam risk. I am looking for a way to create a whitelist of allowed email address(es) and/or domain(s) that are able to message a specific Group and/or all Groups.

I had presumed that creating a Guest User would address the issue. But to my understanding Guest Users cannot send an email to a Group unless they are Member of that Group. Effectively Guest Users are treated like external senders in this respect:

Sender | Can send email to User | Can send email to Group that sender is not a Member of
User Accounts on the tenant | Yes | Yes
Guest Accounts on the tenant | Yes | No
External users not registered on the tenant | Yes | No

I have crawled all over the Admin Centers for MS 365, Exchange, Entra, and Teams and I am just not finding a setting that allows me to create a whitelist of authorized external users (or domains) that can message a specific Group (or all Groups). I have also searched the Internet widely to no avail. Does anyone know how to do this? I suspect that PowerShell is the way to go, a tool I am barely competent in. But I am willing to try! If PowerShell can be used to grant the proper permissions I would appreciate it if you could recommend the specific version of PowerShell I should use on Windows (e.g. Windows PowerShell) and the specific Microsoft Graph cmdlet(s) I should access.

Thank you for your time and wisdom!

  • LainRobertson
    Silver Contributor

    WhamboMPS

    Hi, Ted.

    If you're talking about Exchange Online, then the first thing you need to do is enable the guest user as a "mail user" within Exchange Online.

    Once they are enabled as an object within Exchange Online, you are then free to use them in a whitelist on the group you wish to secure.

    I'm not a GUI person, so I'm not sure where you would look in the Exchange Online portal, but purely to give you some context, here's the PowerShell commandlet that achieves the mail enabling of guest users:

    With respect to whitelisting on distribution lists, there are two settings you can work with. Using PowerShell again for illustrative purposes only, you have:

    1. AcceptMessagesOnlyFrom: Which takes only "people" objects, not groups;
    2. AcceptMessagesOnlyFromDLMembers: Which takes only "group" objects, not people.

    The two settings work together - i.e. one does not take priority over the other. So, if you specify a group and a person, then both the group and the person can send to the distribution group.

    Combined, it's actually a very powerful whitelisting mechanic (I use the group approach wherever I can, but for external addressing, you might find the person approach more suitable).

    Depending on how many external users you're talking about, I'd be inclined to set up a new Exchange group into which the newly-enabled mail users can be added, and then use that as the control group for the AcceptMessagesOnlyFromDLMembers parameter, as that makes ongoing administration very easy (as you're simply adding and removing people from the control group).

    Cheers,

    Lain
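The static control-group approach Lain describes, written out end to end as an added example (this is not Lain's code and not from the thread). It assumes the Exchange Online PowerShell module, that the whitelisted external senders already exist as mail users in Exchange Online (the mail-enabling step Lain mentions), an existing internal group called "All Staff", and made-up group names and addresses. The -RequireSenderAuthenticationEnabled line is my assumption about which property the "Let people outside the organization email this team" toggle in the original post changes; the thread itself does not name it.

```powershell
# Added example, not from the thread: whitelist a few external senders on one
# distribution group by making them members of a control group.
# Assumes: Exchange Online PowerShell module installed; the external addresses
# already exist as MailUser recipients; "All Staff" exists. Names are made up.

Connect-ExchangeOnline

$controlGroup  = "Allowed External Senders"   # assumed name for the whitelist group
$internalGroup = "All Staff"                  # assumed existing group of internal users
$targetGroup   = "Project Updates"            # assumed distribution group being protected
$allowed       = @("partner.one@example.com", "partner.two@example.org")  # constructed

# 1. Only Exchange recipients can sit in an AcceptMessagesOnlyFrom* list, so
#    fail early if an address was never mail-enabled.
foreach ($addr in $allowed) {
    $r = Get-Recipient -Identity $addr -ErrorAction SilentlyContinue
    if (-not $r) { throw "$addr is not an Exchange Online recipient; mail-enable it first." }
    "{0} -> {1}" -f $addr, $r.RecipientTypeDetails
}

# 2. Create the control group once and hide it from the address lists so it
#    is never used as a mail destination by mistake.
if (-not (Get-DistributionGroup -Identity $controlGroup -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $controlGroup -Type Distribution | Out-Null
    Set-DistributionGroup -Identity $controlGroup -HiddenFromAddressListsEnabled $true
}

# 3. The control group's membership is the whitelist; adding or removing a
#    member later is the whole administrative task.
foreach ($addr in $allowed) {
    Add-DistributionGroupMember -Identity $controlGroup -Member $addr -ErrorAction SilentlyContinue
}

# 4. Apply the restriction. Mail from outside arrives unauthenticated, so the
#    authentication requirement is dropped for this one group (assumed to be
#    what the portal toggle changes) and the accept list becomes the gate.
#    The internal group is listed too: with AcceptMessagesOnlyFromDLMembers set,
#    anyone not in a listed group, internal users included, is rejected.
Set-DistributionGroup -Identity $targetGroup `
    -RequireSenderAuthenticationEnabled $false `
    -AcceptMessagesOnlyFromDLMembers @{ add = $controlGroup, $internalGroup }

# 5. Read the effective settings back rather than trusting the call succeeded.
Get-DistributionGroup -Identity $targetGroup |
    Select-Object Name, RequireSenderAuthenticationEnabled, AcceptMessagesOnlyFromDLMembers
```

For a Microsoft 365 Group (the kind behind a team) the same idea applies through Set-UnifiedGroup, which exposes -AcceptMessagesOnlyFromSendersOrMembers and -RequireSenderAuthenticationEnabled rather than the two separate AcceptMessagesOnlyFrom parameters of Set-DistributionGroup.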

    • WhamboMPS
      Copper Contributor

      LainRobertson,

      Thank you so much for your detailed reply. What you are describing makes sense and I liked your idea of bucketing all users to be whitelisted into their own purpose-built Group and then using the AcceptMessagesOnlyFromDLMembers parameter to enable the members of that Group to message other Groups. I tried to find the appropriate settings in the EAC but had no luck. But that's OK: I'm game to try to do it in PowerShell (I have successfully executed other commands in PS, I'm just verrrryyyyy slow!)

      So, riddle me this. Assume that I want all enabled accounts, both Member and Guest, to be able to send messages to a specific Group. I think I could achieve this by doing the following:

      (user.accountEnabled -eq TRUE)

      • Execute the following PowerShell command:

      Set-DistributionGroup -Identity "GroupNameToModify" -AcceptMessagesOnlyFromDLMembers "All Active Users"

      • Lather, rinse, and repeat the second step for each Group I wish to do this for by modifying the -Identity value.

      Does this smell right to you? If so, give me two hours and I'm sure I can pull it off! 😉

      Thanks,

      Ted (the world's least efficient PowerShell user)

      • LainRobertson
        Silver Contributor

        WhamboMPS

        Hey, Ted.

        I'd suggest tackling the control group at the Exchange Online layer, not the Azure AD layer, for a few reasons:

        • Exchange Online can contain additional objects not found in Azure AD;
        • Exchange Online can contain more dynamic distribution lists than Azure AD can contain dynamic groups (the limit in Azure AD is 5,000);
        • You'll likely find that when using PowerShell, the Exchange Online dynamic rules are easier to read and more flexible than the Azure AD dynamic group rules.

        Getting to the meat of your question, you could create an Exchange Online dynamic distribution list for use as the control group like this:

        New-DynamicDistributionGroup -Name "All Mailboxes and Mailusers" -RecipientFilter "((RecipientTypeDetails -eq 'UserMailbox') -and (IsMailboxEnabled -eq $true)) -or ((RecipientType -eq 'MailUser') -and (AccountDisabled -eq $false))"

        Then using this control group on a distribution list you wish to secure:

        Set-DistributionGroup -Identity "My sensitive group" -AcceptMessagesOnlyFromDLMembers @{ add="All Mailboxes and Mailusers" }

        Cheers,

        Lain
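A dynamic control group is only as safe as the filter behind it, so the check a practitioner wants before pointing a sensitive group at one is to see who the filter resolves to. The following is an added example (not Lain's commands and not from the thread) that previews the membership, creates the control group, applies it, and then confirms a single address is covered. It assumes an already-connected Exchange Online PowerShell session, reuses the group names from the reply above, and the guest address is constructed. Inside the double-quoted filter, `$true` and `$false` are backtick-escaped so PowerShell passes them to Exchange literally instead of expanding them first.

```powershell
# Added example, not from the thread: preview, create, apply and verify a
# dynamic control group. Assumes a connected Exchange Online session.

$controlGroup = "All Mailboxes and Mailusers"   # name from the reply above
$targetGroup  = "My sensitive group"            # name from the reply above

# Backtick-escaped booleans reach Exchange as the literal $true / $false tokens.
$filter = "((RecipientTypeDetails -eq 'UserMailbox') -and (IsMailboxEnabled -eq `$true)) " +
          "-or ((RecipientType -eq 'MailUser') -and (AccountDisabled -eq `$false))"

# 1. Dry run: list what the filter matches today, summarised by recipient type,
#    so an over-broad filter is noticed before it becomes a whitelist.
$preview = Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited
$preview | Group-Object RecipientTypeDetails | Select-Object Name, Count

# 2. Create the control group only once.
if (-not (Get-DynamicDistributionGroup -Identity $controlGroup -ErrorAction SilentlyContinue)) {
    New-DynamicDistributionGroup -Name $controlGroup -RecipientFilter $filter | Out-Null
}

# 3. Restrict the protected group to members of the control group. The
#    authentication requirement is relaxed here on the assumption that this is
#    the property behind the portal's external-sender toggle; leave it alone
#    if only tenant senders should ever reach the group.
Set-DistributionGroup -Identity $targetGroup `
    -RequireSenderAuthenticationEnabled $false `
    -AcceptMessagesOnlyFromDLMembers @{ add = $controlGroup }

# 4. Check that one specific address resolves into the control group. The
#    stored RecipientFilter is evaluated live, the same way Exchange does it.
function Test-InControlGroup {
    param([string]$Address)
    $ddg = Get-DynamicDistributionGroup -Identity $controlGroup
    $members = Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter -ResultSize Unlimited
    [bool]($members | Where-Object { [string]$_.PrimarySmtpAddress -eq $Address })
}

Test-InControlGroup -Address "guest.user@example.com"   # constructed guest address

# 5. Read the restriction back from the protected group.
Get-DistributionGroup -Identity $targetGroup |
    Select-Object Name, RequireSenderAuthenticationEnabled, AcceptMessagesOnlyFromDLMembers
```

Re-running the preview after adding or disabling a guest is the quickest way to confirm the whitelist moved with the directory, since a dynamic group has no member list to inspect.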
