
Restricting Distribution List Creation in Exchange Online


I got an email from a user today, "Hey Rob, I made this distribution list and I can't seem to allow external emails to it."

So my immediate thought was, How did they do that? Users are not supposed to be able to do that...

Well, in Microsoft's infinite wisdom they appear to have given users the ability to create distribution lists by default. But oh, it's worse than that. If you want to turn it off, you also disable the ability for users who own a distribution list to manage the members of that list, because the only switch is the management role 'MyDistributionGroups'.

And that is stupid.

Luckily, it is actually possible to fix this, but not through the GUI. In my case I wanted to edit the Default Role Assignment Policy, but you could just as easily create a new policy if you want to keep things a bit more locked down; however, the role assignments would then need to be built into your user creation scripts, as I wasn't able to find a way to set them from the front end.

In essence, the PowerShell script to do this will:

  • Connect to Exchange Online

  • Create a new Management Role

  • Remove the ability to add and remove(!) distribution lists

  • Put the new management role into a policy.

There are a couple more steps if you want a separate policy: creating the new policy, and then assigning it to users.

This script will add the new role to the default role assignment policy:

Connect-ExchangeOnline
# Clone the built-in MyDistributionGroups role so the original stays untouched
New-ManagementRole -Name "ManageExistingGroupsOnly" -Parent MyDistributionGroups

# Strip the two entries that let users create or delete groups; the membership cmdlets remain
Remove-ManagementRoleEntry ManageExistingGroupsOnly\New-DistributionGroup -Confirm:$false
Remove-ManagementRoleEntry ManageExistingGroupsOnly\Remove-DistributionGroup -Confirm:$false
# Attach the trimmed role to the policy every user gets by default
New-ManagementRoleAssignment -Policy "Default Role Assignment Policy" -Role "ManageExistingGroupsOnly"

And this will make a new policy called Manage-Only-DistributionGroups and assign it to a single mailbox:

Connect-ExchangeOnline
# Create an empty policy; it gets no roles until one is assigned below
New-RoleAssignmentPolicy -Name "Manage-Only-DistributionGroups"
# Clone the built-in MyDistributionGroups role so the original stays untouched
New-ManagementRole -Name "ManageExistingGroupsOnly" -Parent MyDistributionGroups

# Strip the two entries that let users create or delete groups; the membership cmdlets remain
Remove-ManagementRoleEntry ManageExistingGroupsOnly\New-DistributionGroup -Confirm:$false
Remove-ManagementRoleEntry ManageExistingGroupsOnly\Remove-DistributionGroup -Confirm:$false
# Attach the trimmed role to the new policy, then put a mailbox on that policy
New-ManagementRoleAssignment -Policy "Manage-Only-DistributionGroups" -Role "ManageExistingGroupsOnly"
Set-Mailbox -Identity "<UserAlias>" -RoleAssignmentPolicy "Manage-Only-DistributionGroups"

After it is run, you should see this entry in the GUI:

Users will no longer be able to create new groups, but will still be able to manage the groups they are the owner of.
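To confirm that either of the two scripts above actually closed the gap, here is an added verification script (my own addition, not part of the original post). It assumes the role and policy names used above; the $Policy parameter is the policy you assigned the role to, and the third check flags any other role assigned to that policy that still carries New-DistributionGroup, since a role entry removed from the clone is still granted if the parent MyDistributionGroups role remains assigned alongside it.

```powershell
# Verification for the distribution-list restriction (added example, not the post's own code).
# Assumes the names from the post; change $Policy to "Manage-Only-DistributionGroups" if you used the second script.
param(
    [string]$Policy = "Default Role Assignment Policy",
    [string]$Role   = "ManageExistingGroupsOnly"
)

Connect-ExchangeOnline

# 1. The trimmed role must no longer contain the create/delete cmdlets.
$blocked = @("New-DistributionGroup", "Remove-DistributionGroup")
$entries = Get-ManagementRoleEntry "$Role\*" | Select-Object -ExpandProperty Name
foreach ($cmdlet in $blocked) {
    if ($entries -contains $cmdlet) {
        Write-Warning "$Role still grants $cmdlet"
    }
}

# 2. Owners must still be able to manage membership, so this entry should survive.
if ($entries -notcontains "Add-DistributionGroupMember") {
    Write-Warning "$Role lost Add-DistributionGroupMember; owners cannot manage members"
}

# 3. Every role assigned to the policy is checked, not just the trimmed one:
#    if the parent MyDistributionGroups is still assigned here, users keep New-DistributionGroup.
$assignments = Get-ManagementRoleAssignment -RoleAssignmentPolicy $Policy
foreach ($a in $assignments) {
    $grant = Get-ManagementRoleEntry "$($a.Role)\New-DistributionGroup" -ErrorAction SilentlyContinue
    if ($grant) {
        Write-Warning "Policy '$Policy' still allows New-DistributionGroup via role '$($a.Role)'"
    }
}

# 4. List mailboxes that are not on the intended policy (relevant when you created a separate one).
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.RoleAssignmentPolicy -ne $Policy } |
    Select-Object DisplayName, RoleAssignmentPolicy
```

If check 3 warns about MyDistributionGroups, remove that assignment from the policy with Remove-ManagementRoleAssignment; otherwise the trimmed role changes nothing.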