Important
Check out the new Exchange admin center! The experience is modern, smart, accessible and better. Personalize your dashboard, manage cross-tenant migration, experience the enhanced groups feature, and more. Try it now!
A mail-enabled security group can be used to distribute messages and grant access permissions to resources in Active Directory. For more information, see Recipients in Exchange Online.
What do you need to know before starting?
Estimated processing time: 2 to 5 minutes.
You need permissions before performing this procedure or procedures. To see what permissions you need, see the "Recipients" entry in the Feature permissions in Exchange Online article.
For information about keyboard shortcuts that can be applied to the procedures in this article, see Exchange admin center keyboard shortcuts.
Tip
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Online or Exchange Online Protection.
Use the Exchange admin center to manage a mail-enabled security group
Use the new EAC to create a mail-enabled security group
In the new EAC, navigate to Recipients > Groups > Mail-enabled security.
Click Add a group and follow the instructions in the details pane.
In the Choose a group type section, select Mail-enabled security and click Next.
In the Set up the basics section, enter the details and click Next.
In the Assign owners section, click + Assign owners, select the group owner from the list, and click Next.
In the Add members section, click + Add members, select the group members from the list, and click Next.
In the Edit settings section, enter the group email address, configure the following, and click Next:
Privacy: Set to public or private.
Add Microsoft Teams to your group: Select to create a team for your group.
In the Review and finish adding group section, check all the details, click Create group, and then click Close.
Use the new EAC to change the properties of mail-enabled security groups
In the new EAC, go to Recipients > Groups > Mail-enabled security.
In the list of groups, click the mail-enabled security group you want to view or change.
On the group properties page, click one of the following sections to view or change the properties.
When you're done, click Save.
General
Use this section to view or change basic information about the group.
Name: This name appears in the address book, on the To line when email is sent to this group, and in the group list. The display name is required and should be user-friendly so people recognize what it is. It must also be unique within your domain.
Description: Use this field to describe the group so that people know what the purpose of the group is. This description will appear in the address book and in the details pane of the new EAC.
Email options
Use this section to view or change the email addresses associated with the group. This includes the group's primary SMTP address and any associated proxy addresses. On the Edit email addresses page, change/edit the Primary email address, add/remove an alias, and then click Save changes.
You can also select the group and click Edit email address in the toolbar to change/edit the Primary email address, add/remove an alias, and then click Save changes.
Members
Use this section to change/edit the following:
In the Owners section, click See all and manage owners to add/remove group owners from the dropdown list, and click Save changes. The mail-enabled security group must have at least one owner.
In the Members section, click See all and manage members to add/remove group members from the dropdown list, and click Save changes. The mail-enabled security group must have at least one member.
Settings
In the General settings section, select the Allow external senders to send emails to this group check box if you want to allow external users to send email to this group.
Delivery management
Use this section to manage who can send email to this group.
Sender options
By default, only people in your organization can post to this group. You can also allow people outside your organization to post messages to this group.
Only allow messages from people within my organization: Select this option to allow only senders in your organization to send messages to the group. This means that if someone outside of your organization sends an email to this group, it will be rejected. This is the default value.
Allow messages from people inside and outside my organization: Select this option to allow anyone to send messages to the group.
Specified senders
You can further restrict who can send messages to the group by only allowing specific senders to send messages to that group. Select/remove one or more recipients/groups from the dropdown list. When you add senders to this list, they are the only ones who can send email to the group. Emails sent by people who are not on the list will be rejected.
Important
If you've configured the group so that only senders within your organization can send messages to the group, emails sent from an email contact will be rejected even if they're added to this list.
Manage delegates
Use this section to assign permissions to a user (known as a delegate) to send messages as a group or on behalf of the group. You can assign the following permissions:
Send As: This permission allows the delegate to send messages as the group. Once this permission is assigned, the delegate can add the group to the From line to indicate that the message was sent by the group.
Send on Behalf: This permission also allows a delegate to send messages on behalf of the group. Once this permission is assigned, the delegate can add the group to the From line. The message appears to have been sent by the group and indicates that it was sent by the delegate on behalf of the group.
To assign permissions to delegates in the new EAC, add the delegates on the Edit delegates page, choose the Permission type in the dropdown list, and click Save changes.
Message approval
Use this section to set options for moderating the group. Moderators approve or reject messages sent to the group before they reach group members.
Require moderator approval for messages sent to this group: This check box is not selected by default. If you select this check box, group moderators will review incoming messages before delivery. Group moderators can approve or reject incoming messages.
Group moderators: To add/remove group moderators, find/add users from the dropdown list. If you select Require moderator approval for messages sent to this group and you don't select a moderator, messages to the group are sent to group owners for approval.
Add senders who do not require message approval: To add/remove users who can bypass moderation for this group, find/add users from the dropdown list.
Notify a sender when their message is not approved: Use this section to specify how users are notified when messages are approved.
Sender only: This is the default setting. Notify all senders inside and outside your organization when their messages are not approved.
Only senders in your organization: If you select this option, only users or groups in your organization will receive a notification if a moderator doesn't approve a message they send to the group.
Without notice: If you select this option, notifications will not be sent to senders whose messages have not been approved by group moderators.
Membership permissions
Use this section to indicate whether group owner approval is required for users to join this group.
Use the classic EAC to create a mail-enabled security group
In the classic EAC, go to Recipients > Groups.
Click New > Security group.
On the New security group page, complete the following fields:
* Display name: Use this field to enter the display name. This name appears in the shared address book, on the To: line when email is sent to this group, and in the Groups list in the classic EAC. The display name is required and should be user-friendly so people recognize what it is. It must also be unique in the forest.
Note
If a group naming policy applies, you must follow the naming restrictions imposed for your organization. For more information, see Create a naming policy for distribution groups. If you want to override your organization's group naming policy, see Override naming policy for distribution groups.
* Alias: Use this field to enter the alias of the security group. The alias cannot exceed 64 characters and must be unique within the forest. When a user enters the alias in the To: line of an email message, it resolves to the display name of the group.
Description: Use this field to describe the security group so that people know what the purpose of the group is.
Organizational unit: You can choose an organizational unit (OU) other than the default (which is the recipient scope). If the recipient scope is set to the forest, the default value is set to the Users container in the Active Directory domain that contains the computer running the classic EAC. When the recipient scope is set to a specific domain, the Users container in that domain is selected by default. If the recipient scope is set to a specific OU, that OU will be selected by default.
To select a different organizational unit, click Browse. The dialog box displays all OUs in the forest that are within the specified scope. Select the desired organizational unit and click OK.
* Owner: By default, the person who creates a group is the owner. All groups must have at least one owner. You can add owners by clicking Add.
Members: Use this section to add members and specify whether approval is required for people to join or leave the group.
Group owners do not have to be members of the group. Use Add group owners as members to add or remove owners as members.
To add members to the group, click Add. When you are finished adding members, click OK to return to the New security group page.
Select the Owner approval required check box if you want group owners to receive requests from users to join the group. If you select this option, only group owners can remove members.
When you're done, click Save to create the security group.
Note
By default, all new mail-enabled security groups require all senders to be authenticated. This prevents external senders from sending messages to mail-enabled security groups. To configure a mail-enabled security group to accept messages from all senders, you must change the message delivery restriction settings for that group.
Use the classic EAC to change the properties of mail-enabled security groups
In the classic EAC, go to Recipients > Groups.
In the list of groups, click the security group you want to view or change, and then click Edit.
On the group properties page, click one of the following sections to view or change the properties.
When you're done, click Save.
General
Use this section to view or change basic information about the group.
* Display name: This name appears in the address book, on the To: line when an email is sent to this group, and in the group list. The display name is required and should be user-friendly so people recognize what it is. It must also be unique within your domain.
* Alias: This is the part of the email address that appears to the left of the @ symbol. If you change the alias, the group's primary SMTP address will also change to include the new alias. Also, the email address with the old alias is kept as the proxy address for the group.
Description: Use this field to describe the group so that people know what the purpose of the group is. This description is displayed in the address book and in the details panel of the EAC.
Hide this group from address lists: Select this check box if you do not want users to see this group in the address book. If this box is checked, the sender must enter the group's email address or alias on the To: or Cc: lines to send an email to the group.
Tip
Consider hiding security groups, as they are typically used to assign permissions to group members and not to send email.
Organizational unit: This read-only field displays the organizational unit (OU) that contains the security group. You must use Active Directory Users and Computers to move the group to a different organizational unit.
Ownership
Use this section to assign group owners. The group owner can add members to the group and approve or deny join requests. By default, the person who creates a group is the owner. All groups must have at least one owner.
You can add owners by clicking Add. You can remove an owner by selecting it and clicking Remove.
Membership
Use this section to add or remove members. Group owners do not have to be members of the group. Under Members, you can add members by clicking Add. You can remove a member by selecting a user in the member list and clicking Remove.
Membership approval
Use this section to indicate whether owner approval is required for users to join the group. If you select the Owner approval required check box, group owners will receive an email requesting approval to join the group. As mentioned above, only owners can remove group members.
Note
This option does not work with mail-enabled security groups due to security-related limitations.
Delivery management
Use this section to manage who can send email to this group.
Only senders within my organization: Select this option to allow only senders in your organization to send messages to the group. This means that if someone outside of your organization sends an email to this group, it will be rejected. This is the default value.
Senders inside and outside my organization: Select this option to allow anyone to send messages to the group.
You can further restrict who can send messages to the group by only allowing specific senders to send messages to that group. Click Add and select one or more recipients. When you add senders to this list, they are the only ones who can send email to the group. Emails sent by people who are not on the list will be rejected.
To remove a person or group from the list, select them from the list and click Remove.
Important
If you've configured the group so that only senders within your organization can send messages to the group, emails sent from an email contact will be rejected even if they're added to this list.
Message approval
Use this section to set options for moderating the group. Moderators approve or reject messages sent to the group before they reach group members.
Messages sent to this group must be approved by a moderator: This check box is not selected by default. If you select this check box, group moderators will review incoming messages before delivery. Group moderators can approve or reject incoming messages.
Group moderators: To add group moderators, click Add. To remove a moderator, select the moderator and click Remove. If you selected "Messages sent to this group must be approved by a moderator" and you don't select a moderator, the group's messages will be sent to the group owners for approval.
Senders that do not require message approval: To add people or groups who can bypass moderation for this group, click Add. To remove a person or group, select the item and click Remove.
Select moderation notifications: Use this section to specify how users are notified when messages are approved.
Notify all senders when their messages are not approved: This is the default setting. Senders inside and outside of your organization are notified when their messages aren't approved.
Notify senders in your organization when their messages aren't approved: If you select this option, only people or groups in your organization will be notified if a moderator doesn't approve a message they send to the group.
Do not notify anyone if a message is not approved: If you select this option, notifications will not be sent to message senders whose messages have not been approved by the group moderators.
Email options
Use this section to view or change the email addresses associated with the group. This includes the group's primary SMTP address and any associated proxy addresses. The primary SMTP address (also called the reply-to address) appears in bold in the address list, with the uppercase SMTP value in the Type column.
Add: Click Add to add a new email address to this mailbox. Select one of the following address types:
SMTP: This is the default address type. Click this button and enter the new SMTP address in the * Email address box.
Note
To make the new address the primary SMTP address for the group, select the Make this the reply address check box. This check box only appears if the Automatically update email addresses based on the email address policy applied to this recipient check box is not selected.
Custom address type: Click this button and enter one of the supported non-SMTP email address types in the * Email address box.
Note
With the exception of X.400 addresses, Exchange doesn't validate custom addresses for the correct format. You must ensure that the custom address you provide meets the format requirements for this type of address.
Edit: To change an email address associated with the group, select it from the list and click Edit.
Note
To make an existing address the primary SMTP address for the group, select the Make this the reply address check box. As mentioned above, this check box only appears if the Automatically update email addresses based on the email address policy applied to this recipient check box is not selected.
Remove: To remove an email address associated with the group, select it from the list and click Remove.
Automatically update email addresses based on the email address policy applied to this recipient: Select this check box to have recipient email addresses automatically update based on changes to your organization's email address policies. By default, this check box is selected.
MailTip
Use this section to add a MailTip to alert users to potential problems before sending a message to this group. A MailTip is the text that appears in the information bar when this group is added to the To, Cc, or Bcc lines of a new email message. For example, you can add a large group MailTip to warn potential senders that your message is going to a lot of people.
Note
MailTips can contain HTML tags, but scripts are not allowed. The length of a custom MailTip cannot exceed 175 displayed characters. HTML tags do not count toward the limit.
Group delegation
Use this section to assign permissions to a user (known as a delegate) to send messages as a group or on behalf of the group. You can assign the following permissions:
Send As: This permission allows the delegate to send messages as the group. Once this permission is assigned, the delegate can add the group to the From line to indicate that the message was sent by the group.
Send on Behalf: This permission also allows a delegate to send messages on behalf of the group. Once this permission is assigned, the delegate can add the group to the From line. The message appears to have been sent by the group and indicates that it was sent by the delegate on behalf of the group.
To assign permissions to delegates, click Add under the appropriate permission to display the Select recipient page, which displays a list of all recipients in your Exchange organization who can receive the permission. Select the desired recipients, add them to the list, and click OK. You can also search for a specific recipient by typing the recipient's name in the search box and clicking Search.
Use PowerShell to manage mail-enabled security groups
Use Exchange Online PowerShell to create a mail-enabled security group
This example creates a security group with an alias of fsadmin and the name File Server Administrators. The security group is created in the default OU and anyone can join this group with the consent of the group owners.
New-DistributionGroup -Name "File Server Administrators" -Alias fsadmin -Type Security
For more information about using Exchange Online PowerShell to create mail-enabled security groups, see New-DistributionGroup.
How do you know it worked?
To verify that you successfully created a mail-enabled security group, do one of the following:
In the new EAC, go to Recipients > Groups > Mail-enabled security. The new mail-enabled security group appears in the list of groups.
In the classic EAC, go to Recipients > Groups. The new mail-enabled security group appears in the list of groups. Under Group type, the value is Security group.
In Exchange Online PowerShell, run the following command to display information about the new mail-enabled security group.
Get-DistributionGroup <name> | Format-List Name,RecipientTypeDetails,PrimarySmtpAddress
Use Exchange Online PowerShell to change the properties of mail-enabled security groups
Use the Get-DistributionGroup and Set-DistributionGroup cmdlets to view and modify security group properties. The benefits of using Exchange Online PowerShell include the ability to change properties that aren't available in the EAC and to change the properties of multiple security groups. For information about which parameters correspond to which distribution group properties, see the following articles:
Get-DistributionGroup
Set-DistributionGroup
Here are some examples of how to use Exchange Online PowerShell to change security group properties.
This example displays a list of all security groups in the organization.
Get-DistributionGroup -ResultSize unlimited -Filter "RecipientTypeDetails -eq 'MailUniversalSecurityGroup'"
This example changes the primary SMTP address (also known as the reply-to address) for the Seattle Administrators security group from admins@contoso.com to seattle.admins@contoso.com. The old reply-to address is retained as a proxy address.
Set-DistributionGroup "Seattle Administrators" -EmailAddresses SMTP:seattle.admins@contoso.com,smtp:admins@contoso.com
This example hides all security groups in the organization from the address book.
Get-DistributionGroup -ResultSize unlimited -Filter "RecipientTypeDetails -eq 'MailUniversalSecurityGroup'" | Set-DistributionGroup -HiddenFromAddressListsEnabled $true
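The delivery management, message approval and address-list options described in the EAC sections can also be set with Set-DistributionGroup. The following is an added example, not part of the original article; it assumes a connected Exchange Online PowerShell session, and every address in it is a constructed placeholder.

```powershell
# Added example (not from the original article). Assumes Connect-ExchangeOnline has
# already been run. All addresses below are constructed placeholders.
$group = 'File Server Administrators'

$settings = @{
    Identity                               = $group
    # "Only allow messages from people within my organization" (the default).
    # With this set, mail contacts are rejected even if they are on the sender list.
    RequireSenderAuthenticationEnabled     = $true
    # "Specified senders": only these recipients may send to the group.
    AcceptMessagesOnlyFromSendersOrMembers = 'helpdesk@contoso.com', 'itops@contoso.com'
    # "Require moderator approval for messages sent to this group".
    ModerationEnabled                      = $true
    ModeratedBy                            = 'moderator1@contoso.com'
    # "Add senders who do not require message approval".
    BypassModerationFromSendersOrMembers   = 'itops@contoso.com'
    # Notify only senders inside the organization when a message is not approved.
    SendModerationNotifications            = 'Internal'
    # "Hide this group from address lists".
    HiddenFromAddressListsEnabled          = $true
}

# Preview the change first; remove -WhatIf to apply it. An administrator who is not
# an owner of the group may also need the -BypassSecurityGroupManagerCheck switch.
Set-DistributionGroup @settings -WhatIf

# Confirm the stored values afterwards.
Get-DistributionGroup -Identity $group |
    Format-List Name, RequireSenderAuthenticationEnabled,
        AcceptMessagesOnlyFromSendersOrMembers, ModerationEnabled, ModeratedBy,
        BypassModerationFromSendersOrMembers, SendModerationNotifications,
        HiddenFromAddressListsEnabled

# Review who can send as, or on behalf of, the group.
Get-RecipientPermission -Identity $group |
    Where-Object { $_.AccessRights -contains 'SendAs' } |
    Format-Table Trustee, AccessControlType, AccessRights
(Get-DistributionGroup -Identity $group).GrantSendOnBehalfTo
```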
How do you know it worked?
To verify that you have successfully modified the properties of a security group, do the following:
In the new EAC, select the group to see the changed property or feature. Depending on the modified property, it may appear in the details pane of the selected group.
In the classic EAC, select the group and click Edit to view the changed property or feature. Depending on the modified property, it may appear in the details pane of the selected group.
In Exchange Online PowerShell, use the Get-DistributionGroup cmdlet to review the changes. One benefit of using Exchange Online PowerShell is that you can view multiple properties for multiple groups. In the example above, where all security groups have been hidden from the address book, run the following command to verify the new value.
Get-DistributionGroup -ResultSize unlimited -Filter "RecipientTypeDetails -eq 'MailUniversalSecurityGroup'" | Format-List Name,HiddenFromAddressListsEnabled
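The same multi-group review can be extended from the address-book flag to the sender, moderation and delegation settings this article covers. The following is an added example, not part of the original article: Get-GroupMailExposure is a hypothetical helper, the sample groups are constructed, and the property names are those returned by Get-DistributionGroup.

```powershell
# Added example, not from the original article. Get-GroupMailExposure is a hypothetical
# helper; property names match Get-DistributionGroup output; sample groups are constructed.
function Get-GroupMailExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Group
    )
    begin {
        # @($null).Count is 1 in PowerShell, so drop empty entries before counting.
        function Get-EntryCount($Value) { @($Value | Where-Object { $_ }).Count }
    }
    process {
        $findings = [System.Collections.Generic.List[string]]::new()
        $allowList = Get-EntryCount $Group.AcceptMessagesOnlyFromSendersOrMembers

        # RequireSenderAuthenticationEnabled = $false: external senders are accepted.
        if (-not $Group.RequireSenderAuthenticationEnabled) {
            $findings.Add('accepts external senders')
            if (-not $Group.ModerationEnabled -and $allowList -eq 0) {
                $findings.Add('external mail is neither moderated nor limited to specified senders')
            }
        }
        # The article suggests hiding security groups, since they mainly grant permissions.
        if (-not $Group.HiddenFromAddressListsEnabled) {
            $findings.Add('visible in address lists')
        }
        # Senders on the bypass list skip moderator review.
        $bypass = Get-EntryCount $Group.BypassModerationFromSendersOrMembers
        if ($Group.ModerationEnabled -and $bypass -gt 0) {
            $findings.Add("$bypass sender(s) bypass moderation")
        }
        # Send on Behalf delegates can send mail attributed to the group.
        $delegates = Get-EntryCount $Group.GrantSendOnBehalfTo
        if ($delegates -gt 0) {
            $findings.Add("$delegates Send on Behalf delegate(s) to review")
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Name               = $Group.Name
                PrimarySmtpAddress = $Group.PrimarySmtpAddress
                Findings           = $findings -join '; '
            }
        }
    }
}

# Constructed sample input using the same property names as Get-DistributionGroup output.
$sample = @(
    [pscustomobject]@{
        Name = 'File Server Administrators'; PrimarySmtpAddress = 'fsadmin@contoso.com'
        RequireSenderAuthenticationEnabled = $true; HiddenFromAddressListsEnabled = $true
        ModerationEnabled = $false; AcceptMessagesOnlyFromSendersOrMembers = @()
        BypassModerationFromSendersOrMembers = @(); GrantSendOnBehalfTo = @()
    }
    [pscustomobject]@{
        Name = 'Seattle Administrators'; PrimarySmtpAddress = 'seattle.admins@contoso.com'
        RequireSenderAuthenticationEnabled = $false; HiddenFromAddressListsEnabled = $false
        ModerationEnabled = $false; AcceptMessagesOnlyFromSendersOrMembers = @()
        BypassModerationFromSendersOrMembers = @(); GrantSendOnBehalfTo = @('delegate1')
    }
)
$sample | Get-GroupMailExposure | Format-List

# Against a tenant, in a connected Exchange Online PowerShell session:
# Get-DistributionGroup -ResultSize unlimited -Filter "RecipientTypeDetails -eq 'MailUniversalSecurityGroup'" |
#     Get-GroupMailExposure
```

Only groups with at least one finding are emitted, so the first sample group produces no output.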