Manage groups in EOP

In standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, you can create, modify, and remove the following types of groups:

  • Microsoft 365 Groups: A collection of shared resources.

  • Distribution groups: A collection of mail users or other distribution groups. For example, teams or other ad hoc groups who need to receive or send email in a common area of interest. Distribution groups are exclusively for distributing email messages, and are not security principals (they can't have permissions assigned to them).

  • Mail-enabled security groups: A collection of mail users and other security groups who need access permissions for admin roles. For example, you might want to give a specific group of users admin permissions so they can configure anti-spam and anti-malware settings.

    Note

    • By default, new mail-enabled security groups reject messages from external (unauthenticated) senders.
    • Don't add distribution groups to mail-enabled security groups.
  • Dynamic distribution groups: Uses recipient filters and conditions to periodically calculate the membership of the group.

You can manage groups in the Exchange admin center (EAC) and in standalone EOP PowerShell.

What do you need to know before you begin?

Tip

Having problems? Ask for help in the Exchange Online Protection forum.

Use the Exchange admin center to manage distribution groups

Use the EAC to create groups

  1. In the EAC at https://admin.exchange.microsoft.com, go to Recipients > Groups. Or to go directly to the Groups page, use https://admin.exchange.microsoft.com/#/groups.

  2. On any tab on the Groups page, click Add a group. The new group wizard opens.

  3. On the Group type page, select one of the following values:

    • Microsoft 365
    • Distribution
    • Mail-enabled security
    • Dynamic distribution

    When you're finished, click Next.

  4. On the Set up the basics page, configure the following settings:

    • Name
    • Description: Enter an optional description.

    When you're finished, click Next.

  5. The Assign users page is available only if you selected Dynamic distribution as the group type. All other group types go to the Assign owners page.

    On the Assign users page, configure the following settings for the dynamic distribution group:

    • Owner: Select one or more group owners.

    • Members section: Specify the types of recipients for the group and set up rules that will determine membership. Select one of the following boxes:

      • All recipient types
      • Only the following recipient types: Messages that meet the criteria defined for this group will be sent to one or more of the following recipient types:
        • Users with Exchange mailboxes
        • Mail users with external email addresses
        • Resource mailboxes
        • Mail contacts with external email addresses
        • Mail-enabled groups
    • Conditions: Select one of the following attributes from the drop-down list and provide a value to define the criteria for membership in this group:

      • State or province
      • Company
      • Department
      • Custom attribute 1 to Custom attribute 15

      Note

      The values that you enter for the selected attribute must exactly match those that appear in the recipient's properties. For example, if you enter Washington for State or province, but the value for the recipient's property is WA, the condition will not be met. Also, text-based values that you specify aren't case-sensitive. For example, if you specify Contoso for the Company attribute, messages will be sent to a recipient if this value is contoso.

      To add another rule to define the criteria for membership, select Add another rule. Each rule is connected with the Boolean operator AND.

      When you're finished, click Next to go to the Edit settings page (skip the Assign owners and Add members pages).

  6. On the Assign owners page, click Assign owners. In the Assign owners flyout that opens, find and select one or more owners, and then click Add.

    When you're finished, click Next.

  7. On the Add members page, click Add members. In the Add members flyout that opens, find and select one or more members, and then click Add.

    When you're finished, click Next.

    If you selected Dynamic distribution as the group type, this page is not available.

  8. On the Edit settings page, what you see depends on the group type you selected on the Group type page:

    • Microsoft 365 Groups:

      • Group email address
      • Privacy: Select Public or Private
    • Distribution groups:

      • Group email address
      • Communication: Allow people outside of my organization to send email to this distribution group.
      • Joining the group section: Select one of the following values:
        • Open
        • Closed
        • Owner approval
      • Leaving the group section: Select one of the following values:
        • Open
        • Closed
    • Mail-enabled security groups:

      • Group email address
      • Communication: Allow people outside of my organization to send email to this distribution group.
      • Approval: Require owner approval to join the group
    • Dynamic distribution groups:

      • Group email address

    When you're finished, click Next.

  9. On the Review and finish adding group page, review the settings. You can click Edit in each section or click Back to make changes.

    When you're finished, click Create group.

    After the group creation is complete, click Close.

Use the EAC to modify distribution groups

  1. In the EAC at https://admin.exchange.microsoft.com, go to Recipients > Groups. Or to go directly to the Groups page, use https://admin.exchange.microsoft.com/#/groups.

  2. On the Groups page, select the tab that corresponds to the group type:

    • Microsoft 365
    • Distribution
    • Dynamic distribution
    • Mail-enabled security
  3. Find the group that you want to modify, and then select it. The modifiable settings are available in the details flyout that opens.

Use the EAC to remove groups

  1. In the EAC at https://admin.exchange.microsoft.com, go to Recipients > Groups. Or to go directly to the Groups page, use https://admin.exchange.microsoft.com/#/groups.

  2. On the Groups page, select the tab that corresponds to the group type:

    • Microsoft 365
    • Distribution
    • Dynamic distribution
    • Mail-enabled security
  3. Find the group that you want to remove, and then select it. In the details flyout that opens, click Delete.

Use PowerShell to manage groups

Use standalone EOP PowerShell to view groups

View distribution groups and mail-enabled security groups in EOP PowerShell

To return a summary list of all distribution groups and mail-enabled security groups in standalone EOP PowerShell, run the following command:

Get-Recipient -RecipientType MailUniversalDistributionGroup,MailUniversalSecurityGroup -ResultSize unlimited

To return the list of group members, replace <GroupIdentity> with the name, alias, or email address of the group, and run the following command:

Get-DistributionGroupMember -Identity <GroupIdentity>

For detailed syntax and parameter information, see Get-Recipient and Get-DistributionGroupMember.
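
The note at the start of this article says not to add distribution groups to mail-enabled security groups. As an added example (not part of the original article), the following function uses the two cmdlets above to report every distribution group nested in a mail-enabled security group. The function name Find-NestedDistributionGroup is hypothetical, and a connected standalone EOP PowerShell session is assumed.

```powershell
# Added example, not from the original article.
# Assumes a connected standalone EOP PowerShell session.
# Find-NestedDistributionGroup is a hypothetical helper name, not a built-in cmdlet.
function Find-NestedDistributionGroup {
    [CmdletBinding()]
    param()

    # Mail-enabled security groups only: the group type used for access permissions.
    $securityGroups = Get-Recipient -RecipientType MailUniversalSecurityGroup -ResultSize unlimited

    foreach ($group in $securityGroups) {
        $groupId = "$($group.PrimarySmtpAddress)"
        try {
            # @() keeps the result an array for groups with zero or one member.
            $members = @(Get-DistributionGroupMember -Identity $groupId -ResultSize unlimited -ErrorAction Stop)
        }
        catch {
            Write-Warning "Could not read members of '$($group.Name)': $($_.Exception.Message)"
            continue
        }

        # A member whose RecipientType is MailUniversalDistributionGroup is a nested distribution group.
        foreach ($member in $members) {
            if ($member.RecipientType -eq 'MailUniversalDistributionGroup') {
                [pscustomobject]@{
                    SecurityGroup           = $group.Name
                    SecurityGroupAddress    = $groupId
                    NestedDistributionGroup = $member.Name
                    NestedGroupAddress      = "$($member.PrimarySmtpAddress)"
                }
            }
        }
    }
}

# Read-only report; each row is a nesting to review and remove.
Find-NestedDistributionGroup | Sort-Object SecurityGroup | Format-Table -AutoSize
```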

View Microsoft 365 Groups in EOP PowerShell

To return a summary list of all Microsoft 365 Groups, run the following command:

Get-UnifiedGroup

To return information about the members, owners, or subscribers of a Microsoft 365 Group, use the following syntax:

Get-UnifiedGroupLinks -Identity <Group name, alias or email address> -LinkType <Members | Owners | Subscribers>

For detailed syntax and parameter information, see Get-UnifiedGroup and Get-UnifiedGroupLinks.

View dynamic distribution groups in EOP PowerShell

To return a summary list of all dynamic distribution groups, run the following command:

Get-DynamicDistributionGroup

To return the membership of a dynamic distribution group, replace <Identity> with the name, alias, or email address of the group, and then run the following command:

Get-DynamicDistributionGroupMember -Identity <Identity>

For detailed syntax and parameter information, see Get-DynamicDistributionGroup and Get-DynamicDistributionGroupMember.
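
Because condition values must exactly match the recipient's properties (Washington versus WA in the earlier note), a dynamic distribution group can end up with no members or with recipient types you did not intend. As an added example (not part of the original article), the following function reports each group's filter, member count, and member breakdown by recipient type. The function name Get-DynamicGroupFilterReport is hypothetical, and a connected standalone EOP PowerShell session is assumed.

```powershell
# Added example, not from the original article.
# Assumes a connected standalone EOP PowerShell session.
# Get-DynamicGroupFilterReport is a hypothetical helper name, not a built-in cmdlet.
function Get-DynamicGroupFilterReport {
    [CmdletBinding()]
    param()

    $dynamicGroups = Get-DynamicDistributionGroup -ResultSize unlimited

    foreach ($ddg in $dynamicGroups) {
        $groupId = "$($ddg.PrimarySmtpAddress)"
        try {
            # @() keeps the result an array for groups with zero or one member.
            $members = @(Get-DynamicDistributionGroupMember -Identity $groupId -ResultSize unlimited -ErrorAction Stop)
        }
        catch {
            Write-Warning "Could not read members of '$($ddg.Name)': $($_.Exception.Message)"
            continue
        }

        # Summarize who the filter currently matches, for example "MailUser=12; MailContact=3".
        $byType = ($members | Group-Object RecipientType | Sort-Object Name |
            ForEach-Object { "$($_.Name)=$($_.Count)" }) -join '; '

        [pscustomobject]@{
            Group           = $ddg.Name
            RecipientFilter = $ddg.RecipientFilter
            MemberCount     = $members.Count
            MembersByType   = $byType
            # An empty group usually means a condition value does not match the recipients'
            # properties, or that membership has not been calculated yet.
            NeedsReview     = ($members.Count -eq 0)
        }
    }
}

# Read-only report; groups that need review are listed first.
Get-DynamicGroupFilterReport | Sort-Object NeedsReview -Descending | Format-List
```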

Use standalone EOP PowerShell to create groups

Create distribution groups and mail-enabled security groups in EOP PowerShell

To create distribution groups or mail-enabled security groups, use the following syntax:

New-DistributionGroup -Name "<Unique Name>" -ManagedBy @("UserOrGroup1","UserOrGroup2",..."UserOrGroupN") [-Alias <text>] [-DisplayName "<Descriptive Name>"] [-Members @("UserOrGroup1","UserOrGroup2",..."UserOrGroupN")] [-Notes "<Optional Text>"] [-PrimarySmtpAddress <SmtpAddress>] [-Type <Distribution | Security>]

Notes:

  • The Name parameter is required, has a maximum length of 64 characters, and must be unique. If you don't use the DisplayName parameter, the value of the Name parameter is used for the display name.
  • If you don't use the Alias parameter, the Name parameter is used for the alias value. Spaces are removed and unsupported characters are converted to question marks (?).
  • If you don't use the PrimarySmtpAddress parameter, the alias value is used in the PrimarySmtpAddress parameter.
  • If you don't use the Type parameter, the default value is Distribution.

This example creates a distribution group named IT Administrators with the specified properties.

New-DistributionGroup -Name "IT Administrators" -Alias itadmin -Members @("michelle@contoso.com","laura@contoso.com","julia@contoso.com") -ManagedBy "chris@contoso.com"

For detailed syntax and parameter information, see New-DistributionGroup.

Create Microsoft 365 Groups in EOP PowerShell

To create Microsoft 365 groups, use the following syntax:

New-UnifiedGroup -DisplayName "<Unique Name>" -Alias <Alias>

This example creates a new Microsoft 365 Group named Engineering Department.

New-UnifiedGroup -DisplayName "Engineering Department" -Alias "engineering"

For detailed syntax and parameter information, see New-UnifiedGroup.

Create dynamic distribution groups in EOP PowerShell

To create dynamic distribution groups, use the following syntax:

New-DynamicDistributionGroup -Name "<Unique Name>" [-Alias <text>] [-DisplayName "<Descriptive Name>"] <PrecannedFilters | CustomFilters>

This example creates a dynamic distribution group named Marketing Group using precanned filters: mail users who have a Department field that equals the strings "Marketing" or "Sales".

New-DynamicDistributionGroup -Name "Marketing Group" -IncludedRecipients "MailUsers" -ConditionalDepartment "Marketing","Sales"

This example creates a dynamic distribution group named Washington Management Team using custom filters: all users from Washington State whose titles start with "Director" or "Manager".

New-DynamicDistributionGroup -Name "Washington Management Team" -RecipientFilter "(Title -like 'Director*' -or Title -like 'Manager*') -and (StateOrProvince -eq 'WA')"

For detailed syntax and parameter information, see New-DynamicDistributionGroup.

Use standalone EOP PowerShell to modify groups

Modify distribution groups and mail-enabled security groups in EOP PowerShell

To modify distribution groups and mail-enabled security groups, use the following syntax:

Set-DistributionGroup -Identity <GroupIdentity> [-Alias <Text>] [-DisplayName <Text>] [-ManagedBy @("User1","User2",..."UserN")] [-PrimarySmtpAddress <SmtpAddress>]
Update-DistributionGroupMember -Identity <GroupIdentity> -Members @("User1","User2",..."UserN")

This example changes the primary SMTP address (also called the reply address) for the Seattle Employees group to sea.employees@contoso.com.

Set-DistributionGroup "Seattle Employees" -PrimarySmtpAddress "sea.employees@contoso.com"

This example replaces the current members of the Security Team group with Kitty Petersen and Tyson Fawcett.

Update-DistributionGroupMember -Identity "Security Team" -Members @("Kitty Petersen","Tyson Fawcett")

This example adds a new user named Tyson Fawcett to the group named Security Team while preserving the current members of the group.

# Wrap the names in @() so the result stays an array even when the group has only one member.
$CurrentMemberObjects = Get-DistributionGroupMember "Security Team"
$CurrentMemberNames = @($CurrentMemberObjects | ForEach-Object {$_.Name})
$CurrentMemberNames += "Tyson Fawcett"
Update-DistributionGroupMember -Identity "Security Team" -Members $CurrentMemberNames

For detailed syntax and parameter information, see Set-DistributionGroup and Update-DistributionGroupMember.
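
Update-DistributionGroupMember replaces the whole member list, so a mistake in building that list removes existing members from a group that might grant admin permissions. As an added example (not part of the original article), the following function builds the new list from the current members, refuses to continue if any current member cannot be carried over, and supports -WhatIf so the change can be previewed. The function name Add-GroupMemberSafely and the sample address are assumptions, and a connected standalone EOP PowerShell session is assumed.

```powershell
# Added example, not from the original article.
# Assumes a connected standalone EOP PowerShell session.
# Add-GroupMemberSafely is a hypothetical helper name, not a built-in cmdlet.
function Add-GroupMemberSafely {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $Identity,
        [Parameter(Mandatory)] [string[]] $NewMember    # email addresses of the recipients to add
    )

    # Update-DistributionGroupMember replaces the whole member list, so read it first.
    # @() keeps the result an array even when the group has zero or one member.
    $current = @(Get-DistributionGroupMember -Identity $Identity -ResultSize unlimited -ErrorAction Stop |
        ForEach-Object { "$($_.PrimarySmtpAddress)" })

    # A member without an address cannot be carried over into the new list; stop instead of dropping it.
    if ($current -contains '') {
        throw "Refusing to update '$Identity': at least one current member has no email address."
    }

    # Union of current and new members; Sort-Object -Unique compares case-insensitively.
    $desired = @(($current + $NewMember) | Sort-Object -Unique)
    $added   = @($desired | Where-Object { $current -notcontains $_ })

    if ($added.Count -eq 0) {
        Write-Verbose "Nothing to add; '$Identity' already contains every requested member."
        return
    }

    $action = "Replace $($current.Count) members with $($desired.Count) (adding: $($added -join ', '))"
    if ($PSCmdlet.ShouldProcess($Identity, $action)) {
        # The prompt was already handled by ShouldProcess above.
        Update-DistributionGroupMember -Identity $Identity -Members $desired -Confirm:$false
    }

    [pscustomobject]@{
        Group        = $Identity
        CurrentCount = $current.Count
        PlannedCount = $desired.Count
        Added        = $added
    }
}

# Preview the change first; the address is a constructed sample value.
Add-GroupMemberSafely -Identity "Security Team" -NewMember "tyson@contoso.com" -WhatIf
```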

Modify Microsoft 365 Groups in EOP PowerShell

To modify Microsoft 365 Groups, use the following syntax:

Set-UnifiedGroup -Identity <GroupIdentity> [-AccessType <Public | Private>] [-AlwaysSubscribeMembersToCalendarEvents] [-AutoSubscribeNewMembers] [-CalendarMemberReadOnly] [-Alias <Text>] [-DisplayName <Text>] [-ManagedBy @("User1","User2",..."UserN")] [-PrimarySmtpAddress <SmtpAddress>]
<Add-UnifiedGroupLinks | Remove-UnifiedGroupLinks> -Identity <GroupIdentity> [-LinkType <Members | Owners | Subscribers>] [-Links User1,User2,...UserN]

This example changes the Microsoft 365 Group named Legal Department from a public group to a private group.

Set-UnifiedGroup -Identity "Legal Department" -AccessType Private

This example adds members chris@contoso.com and michelle@contoso.com to the Microsoft 365 Group named Legal Department.

Add-UnifiedGroupLinks -Identity "Legal Department" -LinkType Members -Links chris@contoso.com,michelle@contoso.com

For detailed syntax and parameter information, see Set-UnifiedGroup, Add-UnifiedGroupLinks and Remove-UnifiedGroupLinks.

Modify dynamic distribution groups in EOP PowerShell

To modify dynamic distribution groups, use the following syntax:

Set-DynamicDistributionGroup -Identity <GroupIdentity> <Settings to change>

This example applies the following changes to the existing dynamic distribution group named Developers:

  • Change the ConditionalCompany query filter to Contoso.
  • Add the value Internal to the ConditionalCustomAttribute1 attribute.

Set-DynamicDistributionGroup -Identity Developers -ConditionalCompany "Contoso" -ConditionalCustomAttribute1 "Internal"

For detailed syntax and parameter information, see Set-DynamicDistributionGroup.

Use standalone EOP PowerShell to remove groups

Remove distribution groups and mail-enabled security groups in EOP PowerShell

To remove distribution groups or mail-enabled security groups, use the following syntax:

Remove-DistributionGroup -Identity <GroupIdentity>

This example removes the distribution group named IT Administrators.

Remove-DistributionGroup -Identity "IT Administrators"

For detailed syntax and parameter information, see Remove-DistributionGroup.

Remove Microsoft 365 Groups in EOP PowerShell

To remove Microsoft 365 Groups, use the following syntax:

Remove-UnifiedGroup -Identity <GroupIdentity>

This example removes the Microsoft 365 Group named Research Department.

Remove-UnifiedGroup -Identity "Research Department"

For detailed syntax and parameter information, see Remove-UnifiedGroup.

Remove dynamic distribution groups in EOP PowerShell

To remove dynamic distribution groups, use the following syntax:

Remove-DynamicDistributionGroup -Identity <GroupIdentity>

This example deletes the dynamic distribution group named Test Users.

Remove-DynamicDistributionGroup -Identity "Test Users"

For detailed syntax and parameter information, see Remove-DynamicDistributionGroup.

How do you know these procedures worked?

To verify that you've successfully created, modified, or removed a group, do any of the following steps:

  • EAC: In the EAC at https://admin.exchange.microsoft.com, go to Recipients > Groups. Or to go directly to the Groups page, use https://admin.exchange.microsoft.com/#/groups.

    On the Groups page, select the tab that corresponds to the group type:

    • Microsoft 365
    • Distribution
    • Dynamic distribution
    • Mail-enabled security

    Find the group, click on its name, and view the details in the flyout that opens.

  • Standalone EOP PowerShell:

    • Distribution groups or mail-enabled security groups:

      • Run the following command to verify the group is listed (or isn't listed):

        Get-Recipient -RecipientType MailUniversalDistributionGroup,MailUniversalSecurityGroup -ResultSize unlimited
        
      • Replace <GroupIdentity> with the name, alias, or email address of the group and run the following command to verify the settings:

        Get-Recipient -Identity <GroupIdentity> | Format-List
        
      • To view the group members, replace <GroupIdentity> with the name, alias, or email address of the group and run the following command:

        Get-DistributionGroupMember -Identity "<GroupIdentity>"
        
    • Microsoft 365 Groups:

      • Run the following command to verify the group is listed (or isn't listed):

        Get-UnifiedGroup -ResultSize unlimited
        
      • Replace <GroupIdentity> with the name, alias, or email address of the group and run the following command to verify the settings:

        Get-UnifiedGroup -Identity <GroupIdentity> | Format-List
        
      • To view the group members, owners, or subscribers, replace <GroupIdentity> with the name, alias, or email address of the group, choose the LinkType value, and then run the following command:

        Get-UnifiedGroupLinks -Identity "<GroupIdentity>" -LinkType <Members | Owners | Subscribers>
        
    • Dynamic distribution groups:

      • Run the following command to verify the group is listed (or isn't listed):

        Get-DynamicDistributionGroup -ResultSize unlimited
        
      • Replace <GroupIdentity> with the name, alias, or email address of the group and run the following command to verify the settings:

        Get-DynamicDistributionGroup -Identity <GroupIdentity> | Format-List
        
      • To view the group members, replace <GroupIdentity> with the name, alias, or email address of the group and run the following command:

        Get-DynamicDistributionGroupMember -Identity "<GroupIdentity>"