O365: Dynamic Distribution Group Allow Senders Outside Organisation

We needed to setup an email Distribution Group for a client that was able to accept emails from outside of the organisation rather than just limited to internal sources.

So, how do you do this? We have done this on numerous occasions for clients over the years with on-premise Exchange and is was simple enough to do, but now with online Exchange, it is vastly different and I thought I'd document this so you don't have to have the heartache we did.

I'll go through what we initially tried unsuccessfully so you're aware. The standard method of setting up a Dynamic Distribution Group is done via the Exchange Admin Center, by clicking through Recipients > Groups.

Once you're in the Group admin section, we did the following to set up our Dynamic Distribution Group:

Now you've created your list, we can now edit it and apply settings to it. Follow the screenshot below:

Now if we wanted to to enable the option for external sources to be able to email out newly created group we would select the options in the screenshot below:

Like I said at the start of this tutorial, this would normally work out of the box with an on-premises Exchange setup. What we found is that with an Online Exchange O365 setup, this doesn't work.

We tried various settings and even tried to limit the senders allowed to send to the group, but neither worked. Exasperated, we decided to contact Microsoft and lodged a ticket with them to get them to explain the correct method to setup this type of distribution group.

It took 2 weeks of closely working with the "back-end" Microsoft support team to come up with a solution. Apparently, what we were trying to achieve can't be done with the standard setup. To get this to work, you need to contact Microsoft and submit a support ticket to disable the following:


DBEB stands for Directory Based Edge Blocking, and apparently it's part of some anti-spam solution that they apply to all tenants. This setting is not something you can change yourself. You have to make a specific request to Microsoft to disable this feature for Dynamic Distribution Groups. The explanation from Microsoft regarding DBED and Dynamic Distribution groups is:

"Dynamic distribution groups do not sync to AAD and are therefore blocked by DBEB."

Before we got them to apply this setting I checked with them, that disabling this feature would not affect the following:

  • The on-premise AD Connect replication
  • All other anti-spam settings
  • Any other "gotchas"

They assured me that this affects no other features. We have had this successfully implemented for the past 3 weeks, and all seems to be working as expected. I hope this saves you some time and frustration...

If you've found this useful, you may want to sign up to our newsletter where you'll receive notices on when we post new articles and helpful "how tos". Just fill out your details below and we'll do the rest...

No Comments Yet.

Leave a comment

Sign up to our newsletter where you’ll receive notices on when we post new articles and helpful “how tos” to make your IT life easier.