Forum Discussion

EPdata's avatar
EPdata
Copper Contributor
Dec 16, 2025

Looking for a way to set up mail moderation using Entra dynamic group

Our organization is working on shifting from a hybrid AD-Entra environment to Entra only. We currently use mail-moderated dynamic distribution lists using Extension Attributes to set the rules for ma...
microsoft 365
microsoft entra
devjelly's avatar
devjelly
MCT
Dec 22, 2025

Hi EPdata​, Before suggesting a direction, can I check a few details so the answer fits your setup?

  1. Are you still running Exchange on‑prem in hybrid, or are all mailboxes and distribution lists already in Exchange Online?
  2. ​In the target “Entra only” state, will Exchange Online remain your mail platform, or is mail also moving elsewhere?
  3. Which HR / identity system and connector are you using, and is it truly unable to write any Exchange‑visible attributes (department, company, customAttribute1–15, directory extensions), or is that just not configured today?
  4. ​Do you specifically need “moderated dynamic DLs”, or would moderated mail‑enabled security groups or Microsoft 365 Groups also satisfy the governance requirement?

Assuming you’re moving to Exchange Online as the sole mail platform, and decommissioning on‑prem Exchange, the usual pattern looks like this:

  • Rebuild the dynamic logic in Exchange Online: Create dynamic distribution groups in Exchange Online (EAC or PowerShell) using attributes your new connector can populate: department, location, company or chosen customAttributes. ​These become your new “broadcast targets”, replacing the old on‑prem DDLs.
  • Align provisioning with those rules: Configure the HR / Entra provisioning so it stamps the right attributes on users that Exchange can filter on. This might be standard attributes or directory extensions that sync through.
  • Turn on moderation in Exchange Online: On those dynamic groups (or on mail‑enabled security / M365 groups), enable message approval using the Moderated recipients in Exchange Online feature in EAC or via Set-DistributionGroup / Set-DynamicDistributionGroup.

That way, Entra and your HR system drive who is in scope, and Exchange Online continues to handle moderation in a fully supported way.

Here are some references,
https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership
https://learn.microsoft.com/en-us/exchange/recipients-in-exchange-online/moderated-recipients-exo/moderated-recipients-exo
https://learn.microsoft.com/en-us/exchange/recipients-in-exchange-online/moderated-recipients-exo/configure-moderated-recipients-exo

Resources