Forum Discussion
Looking for a way to set up mail moderation using Entra dynamic group
In Entra-only environments, you need to separate two things: group membership logic and mail flow moderation.
First, dynamic membership.
Entra dynamic groups do not rely on traditional on-prem Extension Attributes unless those attributes are synchronized and available in Entra. However, you are not limited to extensionAttribute fields. You can build dynamic membership rules using any supported Entra user property, such as department, jobTitle, companyName, userType, accountEnabled, or custom security attributes.
If your API integration cannot populate extension attributes, consider these alternatives:
Use native Entra attributes that your API can populate, such as department or jobTitle.
Use Custom Security Attributes in Entra, which are cloud-native and designed for structured classification scenarios.
Redesign the logic so that dynamic membership is based on standardized fields instead of extension attributes.
Second, mail moderation.
Dynamic Microsoft 365 Groups do not support mail moderation the same way dynamic distribution groups in Exchange do. If you need true mail moderation, you may need to:
Use a dynamic distribution group in Exchange Online (cloud-based)
Configure message moderation at the Exchange layer
In Exchange Online you can configure moderation using transport settings. For example, you can enable moderation on a group and define moderators without relying on extension attributes.
The key question is whether you need:
A) Dynamic membership with moderated mail flow
or
B) Controlled mail flow with rule-based transport restrictions
If the primary goal is to control mass internal emails, you may also consider using Exchange Online mail flow rules instead of group-based moderation. For example, you can create a transport rule that:
Detects large recipient counts
Detects specific sender attributes
Requires approval before delivery
This approach removes the dependency on extension attributes entirely.
Architecturally, in Entra-only environments, the recommended direction is:
Use Entra dynamic groups for identity-based grouping
Use Exchange Online transport rules or group moderation for mail governance
Avoid legacy extensionAttribute dependency when possible
One additional option, if your API is flexible, is to map your business classification into a standard Entra attribute instead of relying on extensionAttribute fields.
Before redesigning everything, I would clarify:
Are you using the dynamic distribution list primarily for recipient targeting, or primarily for mail control and approval?
The solution may differ depending on that answer.
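The two options from the reply above, sketched in Exchange Online PowerShell as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module and an Exchange administrator session; the group name, rule name, department values and moderator address are constructed placeholders.

```powershell
# Added example; every name, address and department value below is a constructed placeholder.
Connect-ExchangeOnline

$groupName = 'All-Sales-Moderated'          # hypothetical group name
$moderator = 'moderator1@contoso.example'   # hypothetical moderator mailbox

# Option A: dynamic membership with moderated mail flow.
# Membership is computed from the standard Department attribute,
# so no extensionAttribute / CustomAttribute field is involved.
$newGroup = @{
    Name            = $groupName
    RecipientFilter = "(RecipientTypeDetails -eq 'UserMailbox') -and (Department -eq 'Sales')"
}
New-DynamicDistributionGroup @newGroup

$moderation = @{
    Identity                           = $groupName
    ModerationEnabled                  = $true
    ModeratedBy                        = $moderator
    SendModerationNotifications        = 'Internal'  # notify internal senders only
    RequireSenderAuthenticationEnabled = $true       # reject unauthenticated (external) senders
}
Set-DynamicDistributionGroup @moderation

# Check: confirm the settings and preview who the filter currently resolves to.
$ddg = Get-DynamicDistributionGroup -Identity $groupName
$ddg | Format-List Name, ModerationEnabled, ModeratedBy, RequireSenderAuthenticationEnabled
Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter -ResultSize 20 |
    Select-Object DisplayName, PrimarySmtpAddress

# Option B: rule-based control with no group moderation.
# Internal senders whose Department attribute matches are held for approval.
$rule = @{
    Name                           = 'Hold Marketing broadcasts for approval'
    FromScope                      = 'InOrganization'
    SenderADAttributeContainsWords = 'Department:Marketing'
    ModerateMessageByUser          = $moderator
}
New-TransportRule @rule
```

Previewing the filter before announcing the address shows whether the attribute your API populates actually selects the intended recipients, and an empty `ModeratedBy` or `ModerationEnabled : False` in the check output means mail to the group is not being held.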