Distribution Group Restrictions

%3CLINGO-SUB%20id%3D%22lingo-sub-1306412%22%20slang%3D%22en-US%22%3EDistribution%20Group%20Restrictions%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1306412%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20an%20all%20staff%20account%20DDG%20that%20was%20created%20for%20sending%20to%20all%20users%20in%20my%20organization.%20It%20was%20restricted%20to%20certain%20users%20and%20has%20worked%20flawless%20for%20years.%20Recently%20I%20noticed%20that%20the%20DDG%20is%20no%20longer%20restricted.%20Anyone%20can%20send%20to%20the%20group%20despite%20being%20locked%20down.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnyone%20else%20experiencing%20this%20issue%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1306412%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1306516%22%20slang%3D%22en-US%22%3ERe%3A%20Distribution%20Group%20Restrictions%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1306516%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F621270%22%20target%3D%22_blank%22%3E%40Shivam_balroop%3C%2FA%3E%26nbsp%3BIt%20would%20seem%20unlikely%20that%20this%20could%20occur%20without%20an%20admin%20specifically%20changing%20the%20setting.%26nbsp%3B%20Do%20you%20have%20access%20to%20Audit%20logs%20in%20the%20Security%20and%20Compliance%20Center%3F%26nbsp%3B%20Try%20running%20an%20audit%20log%20search%20to%20see%20if%20anyone%20has%20updated%20the%20group.%26nbsp%3B%20If%20you%20have%20Azure%20AD%20Premium%20P2%2C%20you%20can%20also%20check%20audit%20activity%20under%20Identity%20Governance.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHope%20this%20helps.%3C%2FP%3E%3CP%3EPeter%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1306529%22%20slang%3D%22en-US%22%3ERe%3A%20Distribution%20Group%20Restrictions%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1306529%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F616707%22%20target%3D%22_blank%22%3E%40PeterRising%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20your%20input.%20However%2C%20no%20changes%20were%20made%20on%20the%20settings.%20I%20checked%20the%20logs%20myself.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1306535%22%20slang%3D%22en-US%22%3ERe%3A%20Distribution%20Group%20Restrictions%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1306535%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F621270%22%20target%3D%22_blank%22%3E%40Shivam_balroop%3C%2FA%3E%26nbsp%3BHmm%2C%20interesting.%26nbsp%3B%20Hard%20to%20see%20how%20that%20could%20happen.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1306610%22%20slang%3D%22en-US%22%3ERe%3A%20Distribution%20Group%20Restrictions%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1306610%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F621270%22%20target%3D%22_blank%22%3E%40Shivam_balroop%3C%2FA%3E%26nbsp%3BSo%20just%20to%20be%20clear%2C%20does%20the%20group%20still%20show%20as%20restricted%20when%20you%20check%20the%20settings%2C%20but%20is%20acting%20as%20not%20restricted%20when%20in%20use%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1306617%22%20slang%3D%22en-US%22%3ERe%3A%20Distribution%20Group%20Restrictions%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1306617%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F616707%22%20target%3D%22_blank%22%3E%40PeterRising%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThat%20is%20correct%20in%20the%20ECP%20the%20DDG%20is%20locked%20to%20specific%20user%20who%20are%20authorized%20to%20send%20to%20it.%20However%2C%20when%20tested%20outside%20of%20those%20authorized%20users%2C%20apparently%20anyone%20can%20send.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1306642%22%20slang%3D%22en-US%22%3ERe%3A%20Distribution%20Group%20Restrictions%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1306642%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F621270%22%20target%3D%22_blank%22%3E%40Shivam_balroop%3C%2FA%3E%26nbsp%3BGuessing%20that%20you%20have%20Azure%20AD%20Premium%20P1%20licensing%3F%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlso%2C%20have%20you%20checked%20the%20settings%20via%20PowerShell%20by%20using%26nbsp%3B%3CSTRONG%3EGet-UnifiedGroup%20-Identity%20%22Groupname%22%20%7C%20Format-List%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EShould%20show%20who%20messages%20are%20accepted%20from%20in%20the%20output%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

I have an all staff account DDG that was created for sending to all users in my organization. It was restricted to certain users and has worked flawless for years. Recently I noticed that the DDG is no longer restricted. Anyone can send to the group despite being locked down.

 

Anyone else experiencing this issue?

6 Replies
Highlighted

@Shivam_balroop It would seem unlikely that this could occur without an admin specifically changing the setting.  Do you have access to Audit logs in the Security and Compliance Center?  Try running an audit log search to see if anyone has updated the group.  If you have Azure AD Premium P2, you can also check audit activity under Identity Governance.

 

Hope this helps.

Peter

Highlighted

@PeterRising 

 

Thanks for your input. However, no changes were made on the settings. I checked the logs myself.

Highlighted

@Shivam_balroop Hmm, interesting.  Hard to see how that could happen.

Highlighted

@Shivam_balroop So just to be clear, does the group still show as restricted when you check the settings, but is acting as not restricted when in use?

Highlighted

@PeterRising 

 

That is correct in the ECP the DDG is locked to specific user who are authorized to send to it. However, when tested outside of those authorized users, apparently anyone can send. 

Highlighted

@Shivam_balroop Guessing that you have Azure AD Premium P1 licensing?  

 

Also, have you checked the settings via PowerShell by using Get-UnifiedGroup -Identity "Groupname" | Format-List

 

Should show who messages are accepted from in the output