Forum Discussion

EPdata
Copper Contributor
Dec 16, 2025

Looking for a way to set up mail moderation using Entra dynamic group

Our organization is working on shifting from a hybrid AD-Entra environment to Entra only. We currently use mail-moderated dynamic distribution lists using Extension Attributes to set the rules for mass internal company emails. In conjunction with us migrating to Entra only, we are also planning to use an API integration to manage our Entra account creation and updates. This integration does not have the ability to populate the Extension Attribute fields. Because of these changes we will no longer be able to use the existing dynamic distribution lists we have, and we have not had luck finding a solution for it yet. Has anyone else gone through this or have any experience solving for this same problem? 

3 Replies

  • In Entra-only environments, you need to separate two things: group membership logic and mail flow moderation.

    First, dynamic membership.

    Entra dynamic groups do not rely on traditional on-prem Extension Attributes unless those attributes are synchronized and available in Entra. However, you are not limited to extensionAttribute fields. You can build dynamic membership rules using any supported Entra user property, such as department, jobTitle, companyName, userType, accountEnabled, or custom security attributes.

    If your API integration cannot populate extension attributes, consider these alternatives:

    • Use native Entra attributes that your API can populate, such as department or jobTitle.
    • Use Custom Security Attributes in Entra, which are cloud-native and designed for structured classification scenarios.
    • Redesign the logic so that dynamic membership is based on standardized fields instead of extension attributes.

    Second, mail moderation.

    Dynamic Microsoft 365 Groups do not support mail moderation the same way dynamic distribution groups in Exchange do. If you need true mail moderation, you may need to:

    • Use a dynamic distribution group in Exchange Online (cloud-based)
    • Configure message moderation at the Exchange layer

    In Exchange Online you can configure moderation using transport settings. For example, you can enable moderation on a group and define moderators without relying on extension attributes.

    The key question is whether you need:

    A) Dynamic membership with moderated mail flow

    or

    B) Controlled mail flow with rule-based transport restrictions

    If the primary goal is to control mass internal emails, you may also consider using Exchange Online mail flow rules instead of group-based moderation. For example, you can create a transport rule that:

    • Detects large recipient counts
    • Detects specific sender attributes
    • Requires approval before delivery

    This approach removes the dependency on extension attributes entirely.

    Architecturally, in Entra-only environments, the recommended direction is:

    • Use Entra dynamic groups for identity-based grouping
    • Use Exchange Online transport rules or group moderation for mail governance
    • Avoid legacy extensionAttribute dependency when possible

    One additional option, if your API is flexible, is to map your business classification into a standard Entra attribute instead of relying on extensionAttribute fields.

    Before redesigning everything, I would clarify:

    Are you using the dynamic distribution list primarily for recipient targeting, or primarily for mail control and approval?

    The solution may differ depending on that answer.

  • Hi EPdata, before suggesting a direction, can I check a few details so the answer fits your setup?

    1. Are you still running Exchange on‑prem in hybrid, or are all mailboxes and distribution lists already in Exchange Online?
    2. In the target “Entra only” state, will Exchange Online remain your mail platform, or is mail also moving elsewhere?
    3. Which HR / identity system and connector are you using, and is it truly unable to write any Exchange‑visible attributes (department, company, customAttribute1–15, directory extensions), or is that just not configured today?
    4. Do you specifically need “moderated dynamic DLs”, or would moderated mail‑enabled security groups or Microsoft 365 Groups also satisfy the governance requirement?

    Assuming you’re moving to Exchange Online as the sole mail platform, and decommissioning on‑prem Exchange, the usual pattern looks like this:

    • Rebuild the dynamic logic in Exchange Online: Create dynamic distribution groups in Exchange Online (EAC or PowerShell) using attributes your new connector can populate: department, location, company or chosen customAttributes. These become your new “broadcast targets”, replacing the old on‑prem DDLs.
    • Align provisioning with those rules: Configure the HR / Entra provisioning so it stamps the right attributes on users that Exchange can filter on. This might be standard attributes or directory extensions that sync through.
    • Turn on moderation in Exchange Online: On those dynamic groups (or on mail‑enabled security / M365 groups), enable message approval using the Moderated recipients in Exchange Online feature in EAC or via Set-DistributionGroup / Set-DynamicDistributionGroup.

    That way, Entra and your HR system drive who is in scope, and Exchange Online continues to handle moderation in a fully supported way.

    Here are some references:
    https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership
    https://learn.microsoft.com/en-us/exchange/recipients-in-exchange-online/moderated-recipients-exo/moderated-recipients-exo
    https://learn.microsoft.com/en-us/exchange/recipients-in-exchange-online/moderated-recipients-exo/configure-moderated-recipients-exo

    • EPdata
      Copper Contributor

      Thanks for the response! Regarding your questions:
      1. We are currently still hybrid, I believe, but I assume we will be moving to online only. Another team is handling this portion of the change.
      2. Exchange will remain our mail platform.
      3. Unfortunately, our HR system is unable to specifically handle the custom attributes. We are able to use items like job title, department, location, etc., and will be using those as much as possible with our dynamic groups.
      4. The issue is that we need to have per-message moderation, so Microsoft 365 groups will not work, as they don't have that option that I have seen. We are currently testing using PowerShell to add a dynamic Entra group as a member to a distribution list with mail moderation enabled, but we were hoping to find an alternative to PowerShell if possible for this process, as our team is not largely familiar with it.
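The pattern outlined in the second reply (a dynamic distribution group in Exchange Online filtered on an attribute the connector can populate, with moderation enabled on it), shown as an added example that is not part of any reply in this thread. The admin UPN, group name, moderator address and the `Sales` department value are placeholders, and the ExchangeOnlineManagement module is assumed to be installed.

```powershell
# Added example: all names, addresses and the department value are placeholders.
# Requires the ExchangeOnlineManagement module and an Exchange administrator role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@example.com

$name      = 'All-Sales-Broadcast'        # hypothetical group name
$moderator = 'comms.lead@example.com'     # hypothetical moderator mailbox

# 1. Membership is driven by a standard attribute (Department) that the
#    provisioning integration can write, not by extensionAttribute fields.
$filter = "(RecipientTypeDetails -eq 'UserMailbox') -and (Department -eq 'Sales')"

# 2. Preview who the filter matches before anything is created, so an
#    over-broad filter is caught before it becomes a broadcast target.
$preview = @(Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited)
'{0} recipients match the filter' -f $preview.Count

# 3. Create the dynamic distribution group.
New-DynamicDistributionGroup -Name $name -RecipientFilter $filter | Out-Null

# 4. Require moderator approval for each message, notify only internal senders
#    of the decision, and reject unauthenticated (external) senders outright.
Set-DynamicDistributionGroup -Identity $name `
    -ModerationEnabled $true `
    -ModeratedBy $moderator `
    -SendModerationNotifications Internal `
    -RequireSenderAuthenticationEnabled $true

# 5. Verify what was actually applied, including any moderation bypass list.
Get-DynamicDistributionGroup -Identity $name |
    Format-List Name, RecipientFilter, ModerationEnabled, ModeratedBy,
                BypassModerationFromSendersOrMembers,
                RequireSenderAuthenticationEnabled

# 6. Audit check: list dynamic groups that anyone can still mail unmoderated.
Get-DynamicDistributionGroup -ResultSize Unlimited |
    Where-Object { -not $_.ModerationEnabled } |
    Select-Object Name, PrimarySmtpAddress, RecipientFilter
```

Step 6 can be re-run on a schedule to catch broadcast groups created later without moderation.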
