Forum Discussion

EPdata's avatar
EPdata
Copper Contributor
Dec 16, 2025

Looking for a way to set up mail moderation using Entra dynamic group

Our organization is working on shifting from a hybrid AD-Entra environment to Entra only. We currently use mail-moderated dynamic distribution lists using Extension Attributes to set the rules for mass internal company emails. In conjunction with us migrating to Entra only, we are also planning to use an API integration to manage our Entra account creation and updates. This integration does not have the ability to populate the Extension Attribute fields. Because of these changes we will no longer be able to use the existing dynamic distribution lists we have, and we have not had luck finding a solution for it yet. Has anyone else gone through this or have any experience solving for this same problem? 

microsoft 365
microsoft entra

1 Reply

  • devjelly's avatar
    devjelly
    MCT
    Dec 22, 2025

    Hi EPdata​, Before suggesting a direction, can I check a few details so the answer fits your setup?

    1. Are you still running Exchange on‑prem in hybrid, or are all mailboxes and distribution lists already in Exchange Online?
    2. ​In the target “Entra only” state, will Exchange Online remain your mail platform, or is mail also moving elsewhere?
    3. Which HR / identity system and connector are you using, and is it truly unable to write any Exchange‑visible attributes (department, company, customAttribute1–15, directory extensions), or is that just not configured today?
    4. ​Do you specifically need “moderated dynamic DLs”, or would moderated mail‑enabled security groups or Microsoft 365 Groups also satisfy the governance requirement?

    Assuming you’re moving to Exchange Online as the sole mail platform, and decommissioning on‑prem Exchange, the usual pattern looks like this:

    • Rebuild the dynamic logic in Exchange Online: Create dynamic distribution groups in Exchange Online (EAC or PowerShell) using attributes your new connector can populate: department, location, company or chosen customAttributes. ​These become your new “broadcast targets”, replacing the old on‑prem DDLs.
    • Align provisioning with those rules: Configure the HR / Entra provisioning so it stamps the right attributes on users that Exchange can filter on. This might be standard attributes or directory extensions that sync through.
    • Turn on moderation in Exchange Online: On those dynamic groups (or on mail‑enabled security / M365 groups), enable message approval using the Moderated recipients in Exchange Online feature in EAC or via Set-DistributionGroup / Set-DynamicDistributionGroup.

    That way, Entra and your HR system drive who is in scope, and Exchange Online continues to handle moderation in a fully supported way.

    Here are some references,
    https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership
    https://learn.microsoft.com/en-us/exchange/recipients-in-exchange-online/moderated-recipients-exo/moderated-recipients-exo
    https://learn.microsoft.com/en-us/exchange/recipients-in-exchange-online/moderated-recipients-exo/configure-moderated-recipients-exo

Resources