Option 1: No Directory Sync

1. In the Microsoft Online Administration Center (MOAC), create the DL that you want to restrict.
2. Open a Service Request to have this DL restricted to only specific senders (users).
3. Optional: In the DL properties in MOAC, you can set whether the DL accepts senders from outside BPOS.
4. Optional: If you want to manage this setting dynamically, you can create another DL for that purpose. This requires submitting a request to convert the DL to a Security Group (SG).

Option 2: Directory Sync Enabled

Requirement: You must have either Exchange installed, or the Exchange schema extension installed on-premises.

1. Create the DL in the local Active Directory.
2. If you have Exchange installed, assign the permissions to the DL.
3. If you do not have Exchange installed, but do have the schema extensions, you will need the following attributes configured (all visible via ADSIEdit):

  • authOrig: List of senders that are allowed to send to the DL
  • unAuthOrig: List of senders to BLOCK from sending to the DL
  • dlMemRejectPerms: Used in place of unAuthOrig when using SGs to indicate senders to reject
  • dlMemSubmitPerms: Used in place of authOrig when using SGs to indicate senders to approve
  • msExchRequireAuthToSendTo: Restricts sending to this DL to authenticated (internal) users only

NOTE: You will need to specify the DN of the objects added to these fields.

4. You should be able to use Contacts to allow external senders to send to the DL, but they will be blocked if msExchRequireAuthToSendTo is set to True.

If you have a large number of groups to modify, you can use this sample script, which sets the authOrig attribute on a group for the users you specify. To run the script, open a command prompt and run cscript AddAuthOrig.vbs followed by the group email address and then a comma-separated list of the user email addresses you'd like to give permissions to. Note that the following command should be a single line.

cscript AddAuthOrig.vbs [email protected] [email protected], [email protected], [email protected]
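
The attribute edit described above, as an added PowerShell example: it is not the AddAuthOrig.vbs script this article refers to and is not Microsoft's code. It assumes the RSAT ActiveDirectory module is available; the function name Set-DlAllowedSenders and the example.com addresses are hypothetical.

```powershell
# Added example: restrict who may send to a synced DL by writing authOrig.
# Assumes the RSAT ActiveDirectory module and the Exchange schema extension.
# Set-DlAllowedSenders is a hypothetical helper name, not part of any product.
#Requires -Modules ActiveDirectory

function Set-DlAllowedSenders {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $GroupMail,
        [Parameter(Mandatory)] [string[]] $SenderMail,
        [switch] $RequireAuthenticatedSenders
    )

    # Resolve a mail address to exactly one object (user or contact); refuse ambiguous matches.
    function Resolve-ByMail([string] $Mail) {
        $escaped = $Mail.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
        $found = @(Get-ADObject -LDAPFilter "(mail=$escaped)" -Properties mail)
        if ($found.Count -ne 1) {
            throw "Expected 1 object with mail '$Mail', found $($found.Count)"
        }
        $found[0]
    }

    $group = Resolve-ByMail $GroupMail
    if ($group.ObjectClass -ne 'group') { throw "'$GroupMail' is not a group" }

    # authOrig stores distinguished names, so convert each sender address to a DN first.
    $senderDns = foreach ($m in $SenderMail) { (Resolve-ByMail $m.Trim()).DistinguishedName }

    $current = (Get-ADObject $group -Properties authOrig).authOrig
    $toAdd   = @($senderDns | Where-Object { $current -notcontains $_ })

    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($group.DistinguishedName, "Add $($toAdd.Count) DN(s) to authOrig")) {
        Set-ADObject -Identity $group -Add @{ authOrig = $toAdd }
    }
    if ($RequireAuthenticatedSenders -and $PSCmdlet.ShouldProcess($group.DistinguishedName, 'Set msExchRequireAuthToSendTo')) {
        Set-ADObject -Identity $group -Replace @{ msExchRequireAuthToSendTo = $true }
    }

    # Return the resulting values so the change can be reviewed.
    Get-ADObject $group -Properties authOrig, msExchRequireAuthToSendTo |
        Select-Object DistinguishedName, authOrig, msExchRequireAuthToSendTo
}

# Constructed sample addresses; -WhatIf previews the change without writing it.
Set-DlAllowedSenders -GroupMail 'dl@example.com' -SenderMail 'user1@example.com', 'user2@example.com' -WhatIf
```

Run it with -WhatIf first and compare the returned authOrig list against the intended senders before removing the switch.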
