Forum Discussion
Enable Guests to be able to send email to Group
Hi, Ted.
If you're talking about Exchange Online, then the first thing you need to do is enable the guest user as a "mail user" within Exchange Online.
Once they are enabled as an object within Exchange Online, you are then free to use them in a whitelist on the group you wish to secure.
I'm not a GUI person, so I'm not sure where you would look in the Exchange Online portal, but purely to give you some context, here's the PowerShell commandlet that achieves the mail enabling of guest users:
With respect to whitelisting on distribution lists, there's two settings you can work with. Using PowerShell again for illustrative purposes only, you have:
- AcceptMessagesOnlyFrom: Which takes only "people" objects, not groups;
- AcceptMessagesOnlyFromDLMembers: Which takes only "group" objects, not people.
The two settings work together - i.e. one does not take priority over the other. So, if you specify a group and a person, then both the group and the person can send to the distribution group.
Combined, it's actually a very powerful whitelisting mechanic (I use the group approach wherever I can, but for external addressing, you might find the person approach more suitable).
Depending on how many external users you're talking about, I'd be inclined to set up a new Exchange group into which the newly-enabled mail users can be added, and then use that as the control group for the AcceptMessagesOnlyFromDLMembers parameter, as that makes ongoing administration very easy (as you're simply adding and removing people from the control group).
Cheers,
Lain
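As an added illustration of the control-group approach Lain describes (this is not code from the original post; group names, sender addresses and the helper function are hypothetical, and it assumes an existing Exchange Online PowerShell session with rights to manage recipients), here is the whole sequence end to end, including a read-back of the effective whitelist:

```powershell
# Added example, not from the original post. Builds a "control group", fills it
# with already mail-enabled recipients, attaches it to the distribution groups
# you want to restrict, and reads the result back.
# Assumes: Connect-ExchangeOnline has already been run. All names are hypothetical.

$ControlGroup    = 'Allowed Senders - Sensitive DLs'                 # hypothetical
$SensitiveGroups = @('Finance Team', 'HR Announcements')             # hypothetical DLs
$AllowedSenders  = @('alice@contoso.com', 'guest.user@partner.example')  # hypothetical

# 1. Create the control group if it does not exist yet.
if (-not (Get-DistributionGroup -Identity $ControlGroup -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $ControlGroup -Type Distribution | Out-Null
}

# 2. Populate it. Add-DistributionGroupMember accepts any Exchange Online
#    recipient (mailbox, mail user, mail contact) by address, alias or name.
foreach ($sender in $AllowedSenders) {
    # A guest that has not been mail-enabled is not a recipient object yet and
    # therefore cannot be whitelisted; flag it instead of failing silently.
    if (-not (Get-Recipient -Identity $sender -ErrorAction SilentlyContinue)) {
        Write-Warning "$sender is not an Exchange Online recipient; skipping."
        continue
    }
    # "Already a member" is the only error expected here, so it is suppressed.
    Add-DistributionGroupMember -Identity $ControlGroup -Member $sender -ErrorAction SilentlyContinue
}

# 3. Restrict each sensitive group to members of the control group.
#    The @{Add=...} form appends to the existing list; passing a plain string
#    instead would overwrite whatever is already configured on that group.
foreach ($dl in $SensitiveGroups) {
    Set-DistributionGroup -Identity $dl -AcceptMessagesOnlyFromDLMembers @{ Add = $ControlGroup }
}

# 4. Read back the effective restriction so the change can be checked.
#    Hypothetical helper; it only wraps Get-DistributionGroup.
function Get-DlSenderRestriction {
    param([Parameter(Mandatory)][string]$Identity)
    $g = Get-DistributionGroup -Identity $Identity
    [pscustomobject]@{
        Group                  = $g.Name
        AllowedPeople          = @($g.AcceptMessagesOnlyFrom)            # person objects
        AllowedGroups          = @($g.AcceptMessagesOnlyFromDLMembers)   # group objects
        ExternalSendersBlocked = $g.RequireSenderAuthenticationEnabled
    }
}

$SensitiveGroups | ForEach-Object { Get-DlSenderRestriction -Identity $_ } | Format-List
```

The read-back step is worth keeping: AcceptMessagesOnlyFrom and AcceptMessagesOnlyFromDLMembers are separate lists, so an entry that landed in the wrong one (a person passed to the group parameter, say) is easy to miss without looking at both, and RequireSenderAuthenticationEnabled decides whether external senders get as far as the whitelist at all.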
Thank you so much for your detailed reply. What you are describing makes sense and I liked your idea of bucketing all users to be whitelisted into their own purpose-built Group and then using the AcceptMessagesOnlyFromDLMembers parameter to enable the members of that Group to message other Groups. I tried to find the appropriate settings in the EAC but had no luck. But that's OK: I'm game to try to do it in PowerShell (I have successfully executed other commands in PS, I'm just verrrryyyyy slow!)
So, riddle me this. Assume that I want all enabled accounts, both Member and Guest, to be able to send messages to a specific Group. I think I could achieve this by doing the following:
- Create a group (https://entra.microsoft.com/#view/Microsoft_AAD_IAM/GroupsManagementMenuBlade/~/AllGroups/menuId/AllGroups) titled All Active Users. It would have a Dynamic Membership Rule of:
(user.accountEnabled -eq TRUE)
- Execute the following PowerShell command:
Set-DistributionGroup -Identity "GroupNameToModify" -AcceptMessagesOnlyFromDLMembers "All Active Users"
- Lather, rinse, and repeat the second step for each Group I wish to do this for by modifying the -Identity value.
Does this smell right to you? If so, give me two hours and I'm sure I can pull it off! 😉
Thanks,
Ted (the world's least efficient PowerShell user)
LainRobertson, Nov 20, 2023 (Silver Contributor)
With respect to the cell in your tables where "External users not registered on the tenant = No" for sending to groups, if you have a need for such external senders to be able to do so, you can.
If you create a new contact based on that external sender's e-mail address in Exchange Online, then you can use that contact object in the whitelist to allow the external sender to leverage your distribution list.
I use this approach when vendors need to be able to send directly to well-defined groups of users.
Contacts can also be included as members of Exchange distribution lists, meaning you can still leverage the control group, if you choose to do so.
Cheers,
Lain
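As an added example of the contact-based approach in the post above (not code from the original post; the vendor address, group names and contact display name are hypothetical, and it assumes an existing Exchange Online PowerShell session), including the one setting that an external sender trips over even when it is whitelisted:

```powershell
# Added example, not from the original post. Represents an external vendor
# address that has no account in the tenant as a mail contact, puts that
# contact in the control group, and makes the restricted list reachable from
# outside. Assumes Connect-ExchangeOnline has been run. Names are hypothetical.

$VendorAddress = 'alerts@vendor.example'            # hypothetical external sender
$ControlGroup  = 'Allowed Senders - Sensitive DLs'  # hypothetical control group
$TargetGroup   = 'Finance Team'                     # hypothetical restricted DL

# 1. Create the contact only if the address is not already some recipient
#    (it could already exist as a mail user, guest or contact).
$recipient = Get-Recipient -Identity $VendorAddress -ErrorAction SilentlyContinue
if (-not $recipient) {
    $recipient = New-MailContact -Name 'Vendor Alerts' -ExternalEmailAddress $VendorAddress
}

# 2. Contacts are valid distribution group members, so the control group
#    keeps working as the single place to administer allowed senders.
Add-DistributionGroupMember -Identity $ControlGroup -Member $recipient.Identity -ErrorAction SilentlyContinue

# 3. The whitelist alone is not enough for an external sender. Exchange Online
#    distribution groups default to RequireSenderAuthenticationEnabled = $true,
#    which rejects mail from unauthenticated (external) senders regardless of
#    the AcceptMessagesOnlyFrom* lists. Turn it off for the groups the vendor
#    must reach; the lists then decide who gets through.
Set-DistributionGroup -Identity $TargetGroup -RequireSenderAuthenticationEnabled $false

# 4. Confirm the resulting state.
Get-DistributionGroup -Identity $TargetGroup |
    Select-Object Name, RequireSenderAuthenticationEnabled, AcceptMessagesOnlyFromDLMembers
```

One caveat when step 3 is applied: the whitelist matches on the sender address, so once external mail is allowed in, the restriction is only as strong as the tenant's inbound spoofing controls (SPF, DKIM and DMARC enforcement on the vendor's domain). Keep RequireSenderAuthenticationEnabled set to $true on any list that only needs internal senders.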
LainRobertson, Nov 20, 2023 (Silver Contributor)
Hey, Ted.
I'd suggest tackling the control group at the Exchange Online layer, not the Azure AD layer, for a few reasons:
- Exchange Online can contain additional objects not found in Azure AD;
- Exchange Online can contain more dynamic distribution lists than Azure AD can contain dynamic groups (the limit in Azure AD is 5,000);
- You'll likely find that when using PowerShell, the Exchange Online dynamic rules are easier to read and more flexible than the Azure AD dynamic group rules.
Getting to the meat of your question, you could create an Exchange Online dynamic distribution list for use as the control group like this:
New-DynamicDistributionGroup -Name "All Mailboxes and Mailusers" -RecipientFilter '((RecipientTypeDetails -eq "UserMailbox") -and (IsMailboxEnabled -eq $true)) -or ((RecipientType -eq "MailUser") -and (AccountDisabled -eq $false))'
Then using this control group on a distribution list you wish to secure:
Set-DistributionGroup -Identity "My sensitive group" -AcceptMessagesOnlyFromDLMembers @{ add="All Mailboxes and Mailusers" }
References
- New-DynamicDistributionGroup (ExchangePowerShell) | Microsoft Learn
- Set-DistributionGroup (ExchangePowerShell) | Microsoft Learn
Cheers,
Lain
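As an added follow-up to the dynamic control group in the post above (not code from the original post; the second sensitive group name and the helper function are hypothetical, and it assumes an existing Exchange Online session in which the "All Mailboxes and Mailusers" dynamic group has already been created), here is how to see who the filter actually matches before trusting it, apply it to several lists, and find lists that are still open:

```powershell
# Added example, not from the original post. Previews the membership of a
# dynamic distribution group used as a sender whitelist, applies it to several
# lists, and audits for lists that still have no sender restriction.
# Assumes Connect-ExchangeOnline has been run and the dynamic group exists.

$ControlGroup    = 'All Mailboxes and Mailusers'                     # from the post
$SensitiveGroups = @('My sensitive group', 'Another restricted list')  # second one hypothetical

# 1. Preview membership. A dynamic group has no stored member list; it is
#    evaluated when mail is delivered. The filter is read from the group object
#    rather than retyped, so what is previewed is exactly what will run.
#    Hypothetical helper around Get-DynamicDistributionGroup / Get-Recipient.
function Get-DynamicGroupPreview {
    param([Parameter(Mandatory)][string]$Identity)
    $ddg = Get-DynamicDistributionGroup -Identity $Identity
    Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter -ResultSize Unlimited |
        Select-Object Name, PrimarySmtpAddress, RecipientTypeDetails
}

$preview = Get-DynamicGroupPreview -Identity $ControlGroup
'{0} recipients currently match the control group filter' -f @($preview).Count
# Eyeball the RecipientTypeDetails column: anything you did not intend to
# grant send rights (for example a guest that should stay excluded) shows here.
$preview | Group-Object RecipientTypeDetails | Select-Object Name, Count

# 2. Apply the control group to each sensitive list, appending rather than
#    overwriting whatever AcceptMessagesOnlyFromDLMembers already holds.
foreach ($dl in $SensitiveGroups) {
    Set-DistributionGroup -Identity $dl -AcceptMessagesOnlyFromDLMembers @{ Add = $ControlGroup }
}

# 3. Audit: every distribution group with neither list populated still accepts
#    mail from any sender the RequireSenderAuthenticationEnabled setting lets in.
Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { -not $_.AcceptMessagesOnlyFrom -and -not $_.AcceptMessagesOnlyFromDLMembers } |
    Select-Object Name, PrimarySmtpAddress, RequireSenderAuthenticationEnabled
```

The preview step matters more for a dynamic group than for a static one: a filter typo does not fail loudly, it just matches a different set of recipients, and that set is what Exchange consults at send time for every list the control group protects.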