Distribution groups are meant to be distributing messages to their members. But for whatever reason, if you don’t want anyone but only certain people to be able to send emails to those groups, here is something to try.
For regular Microsoft 365 groups, you can go to the Exchange dashboard, open the group, switch to the Settings tab and click the Edit delivery management link under the Delivery Management section.
Then select any senders who are granted to send emails to the group.
Pretty straightforward, until you want to change a group that is managed by your on-premise Active Directory.
Now what to do? You do that from Active Directory users & groups, obviously.
First, make sure you have Advanced Features checked under the View menu. Then, open up the distribution group’s properties, and go to the Attribute Editor tab.
And here is the list of attributes you can update to meet your needs.
- authOrig – only these users can send to the distribution group
- unauthOrig – anyone but these users can send to the distribution group
- dLMemRejctPerms – anyone but members of these distribution groups can send to this distribution group
- dLmemSubmitPerms – no one but members of these distribution groups can send to this distribution group
Sounds awesome, but the trick is, these are Exchange-specific attributes, meaning that if you don’t or never had an Exchange server installed in the same Active Directory domain, you most likely will get an error message like this when you try to update one of these attributes.
The solution is, according to this Microsoft post, to install the Exchange schema extension on the on-premise AD server. And you will need to obtain a copy of the Exchange Server 2010 DVD to do so.
Well, that’s a bit too much. At this point, I’d take a different route, changing these distribution groups from AD-synced to Microsoft 365 native. Easier to handle without worrying about the other side effects.