Distribution Groups cannot be disabled in Office 365
Unlike an on-premise installation of Exchange, there is no mechanism to disable a distribution group (DG) in Office 365. In the cloud, the DG exists, therefore it is mail-enabled.
Many administrators would like to retain membership in DGs for a period of time before they are deleted. Whatever the reason, you can accomplish the same with a fairly straightforward workaround -- set the DG to only accept email from a single recipient, and hide the DG from the GAL. You can use a hidden user for this purpose, or simply set it to an admin, etc.
Configuring a Group
Hide the DG and configure the allowed sender. Here I set a custom attribute so we can find this DG with a simply query later.
Set-DistributionGroup ContosoDistributionGroupToDisable@contoso.com -HiddenFromAddressListsEnabled $True -AcceptMessagesOnlyFrom groupAdminEmail@contoso.onmicrosoft.com -RequireSenderAuthenticationEnabled $True -ExtensionCustomAttribute1 DeleteMeLater
Finding the Group Later
To easily find the DG later, we filter on that attribute:
Get-DistributionGroup -ResultSize Unlimited | Where-Object {$_.ExtensionCustomAttribute1 -eq "DeleteMeLater"}
Results:
Name: ContosoDistributionGroupToDisable
DisplayName: ContosoDistributionGroupToDisable
GroupType: Universal
PrimarySmtpAddress: ContosoDistributionGroupToDisable@contoso.com
Reactivating the Group
If you later decide to reactivate the group, simply null out the settings we set earlier:
Set-DistributionGroup ContosoDistributionGroupToDisable@contoso.com -HiddenFromAddressListsEnabled $False -AcceptMessagesOnlyFrom $null -RequireSenderAuthenticationEnabled $False -ExtensionCustomAttribute1 $null
Users who try to send email to the DG will get an NDR indicating they'll need to email the admin to get access. In this scenario, that's exactly what you want. In general we're keeping these around to see how much they're being used before deleting them, so this is perfect!
Exchange in the cloud is flexible, but sometimes there are some concessions to be made due to the difference in architecture. This workaround isn't quite as straightforward as Disable-DistributionGroup, but it comes pretty close.
Comments
- Anonymous
October 22, 2015
thanks