Block BCC Messages to Distribution Groups in Exchange Online
Published Mar 25 2021 07:20 AM 16.2K Views

We all know that email distribution groups (DGs) are great for easily sharing information or engaging in discussions with a large group of people. Whether it is a DG for business-related discussions or a DG about upcoming yard sales this weekend, DGs have been a helpful part of email life since the beginning of... well... email. Yet, the amount of traffic for some DGs can overload your inbox and become a distraction from all the other important tasks of your job. How do you handle this torrent of enticingly distracting DG messages?

One way is to create an Inbox rule to move messages sent to the DG to a specific folder, so instead of a flood of messages in your inbox, you can automatically store them in a folder for later review. However, sender behavior can break this process. To reduce the noise generated by Reply All’s to a DG message, some senders add the DG to the BCC line. This stops Reply All’s to the DG but is also considered bad email etiquette. And for privacy reasons, Inbox rules don't evaluate anything on the BCC line, so the message ends up as noise in your inbox instead of going to special folder you created.

Twice a year at Microsoft we let our developers go wild and come up with innovative features or new tech outside of their normal work. A few Exchange Transport engineers who were dedicated members of an internal "for sale / want to buy" DG had this exact problem: people would BCC the DG so these emails would bypass Inbox rules and land in inboxes as unwanted noise during the business day. So, these devs-gone-wild came up with a solution to block messages when the DG is on the BCC line.

Admins can now thwart people from adding a DG to the BCC line with a new "-BccBlocked" switch on the Set-DistributionGroup cmdlet:

Set-DistributionGroup -Identity BuySellDG -BccBlocked $true

When -BccBlocked is set to true and senders add the DG to the BCC line and click send, they'll receive an NDR telling them they can't do that:

BlockBCCDG.jpg

To send the message to the DG they'll have to put it on the To or CC lines.

Blocking DG BCC is optional and set to False by default on all DGs. Getting the current state of BccBlocked for a DG is as simple as:

Get-DistributionGroup -identity BuySellDG | fl BccBlocked
BccBlocked : True

The feature has been deployed worldwide. Note that this feature only applies to members within the same organization - external senders will not be blocked. It for nested DGs it will only block members of the top-level DG.

While we intend to expose the management of this setting in the Exchange admin center later this year, for now it's only available via Remote PowerShell. "What about Microsoft 365 Groups?" you might ask. While there are a lot of large DGs out there that can likely benefit most from this, we're also looking to expand this to Microsoft 365 Groups at some time in the future. We'd love to hear your feedback in the comments below about how useful you think this might be for Microsoft 365 Groups, or about anything else about this feature!

Transport Team

8 Comments
Brass Contributor

How can I get this attribute in my on-premise system?

 

The action 'Set-DistributionGroup', 'BccBlocked', can't be performed on the object 'XXXXX' because the object is being
synchronized from your on-premises organization. This action should be performed on the object in your on-premises
organization.

Copper Contributor

I don't think On-Premises will work as the title of this blog post is "Exchange Online."

Also, premise is an idea -- the correct word is premises.  :)

Copper Contributor

Command is also NOT available in Hybrid exchange 2016 onprem:

Get-DistributionGroup -Identity xxxxxxx | Set-DistributionGroup -BccBlocked $true
A parameter cannot be found that matches parameter name 'BccBlocked'.
+ CategoryInfo : InvalidArgument: (:) [Set-DistributionGroup], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Set-DistributionGroup

Maybe only Hybrid exchange 2019 ?

Most all our investments are in Exchange Online and we have no plans to make this available in Exchange on-prem, sorry. 

 

Kevin Shaughnessy

Sr. Program Manager

Exchange Online Transport

Brass Contributor

@KevinShaughnessy: I think this is only half an answer in this case. I suppose many customers, including @fx1333X (and our org as well) mainly use Exchange Online, but in connection with an OnPrem AD, and therefore the synchronization of users and groups via AADC, because as you certainly are aware of, we need an OnPrem Exchange server to manage certain Exchange Online attributes in a supported way. Like certain properties of distribution groups.

I guess we might use synchronized users, but Cloud-only groups, but that does not really make sense.

 

I don't know how far the product group is in making the OnPrem Exchange server obsolete for managing Exchange Online, but until that is done, I think you cannot just ignore Exchange OnPrem.

Copper Contributor

What about for the inverse of this? Is there a rule that can be created to force users to only use DGs in the BCC line? 

Copper Contributor

If you are going to facilitate blocking BCC usage (which, while it is considered "bad etiquette" is still very necessary to block email storms in many user bases), then please provide similar switches for the TO and CC lines.  Those two switches would be much more useful to many domains than blocking the use of BCC.

Copper Contributor

When is this functionality going to be enabled for receiving external messages.  Scammers bypass any "TO/CC" email filters that you have setup by using BCC - Totally pointless making this an internal message thing only :sad:

Co-Authors
Version history
Last update:
‎Jun 17 2021 08:40 AM
Updated by: