An Original Cmdlet
New-DistributionGroup is one of the original cmdlets introduced with Exchange Server 2007, the first major Microsoft product to embrace PowerShell. The cmdlet is still very useful, but it gets less respect inside Exchange Online because of the focus on Microsoft 365 Groups. Microsoft has tried to convince customers of the wonders of Microsoft 365 Groups since the introduction of Office 365 Groups in 2014. These became Outlook Groups (or even Groups in Outlook) and positioned as a replacement for distribution lists.
Of course, distribution lists (DLs) are the old name for these objects. Microsoft calls them distribution groups and sometimes distribution lists. I use the old name to make it clear that we’re not discussing one of the other types of groups found within Microsoft 365.
No Migration Tools
Almost seven years after the debut of Microsoft 365 Groups, Microsoft has not delivered good migration tools to:
- Move distribution lists created on-premises to Exchange Online.
- Convert cloud-based distribution lists to Microsoft 365 Groups. The conversion tool to migrate distribution lists to Microsoft 365 groups in the old EAC is quite limited.
The complexities of migration involve include enumerating nested list members and dealing with the situation where some list members are hosted on-premises and some are online. The result is that organizations need to hand-craft migration tools to move them online, often based on utilities like Tim McMichael’s DL migration script.
Although Microsoft 365 Groups have received some useful upgrades over the period, like support for the Send As and Send on Behalf of permissions, there’s no doubt that the focus on Microsoft 365 Groups is firmly on membership and identity services for apps like Teams.
Creating New DLs Despite Warnings
Today, the new and improved Exchange admin center (EAC) gently chides those who go to create a new distribution list (Figure 1).
The same is done in the old EAC. And if you have the temerity to run the New-DistributionGroup cmdlet (after connecting to the Exchange Online management PowerShell module), you’re told:
New! Microsoft 365 Groups are the next generation of distribution lists. Groups give teams shared tools for collaborating using email, files, a calendar, and more. You can start right away using the New-UnifiedGroup cmdlet.
Despite the nagging, people still create distribution lists. They’re great for sending email to large audiences (up to 100,000 addressees), and the membership of the lists can include many types of mail-enabled objects, including:
- User mailboxes.
- Shared mailboxes.
- Mail-enabled Public folders.
- Other distribution lists, including dynamic distribution lists.
- Mail contacts.
- Mail users.
- Teams channels (using the special email address created for a channel).
You can even add a Microsoft 365 group to the membership of a distribution group (but only with PowerShell). By comparison, Microsoft 365 Groups support only user mailboxes and guest accounts as members.
The continued usefulness of distribution lists is seen in features like Teams group policy assignments and to select users for compliance policies, like DLP. In short, distribution lists aren’t going away anytime soon.
Running New-DistributionGroup
All of which brings me to the New-DistributionGroup cmdlet. Although it’s natural to create new distribution lists through an admin center (even with the nagging), this cmdlet is easy and straightforward to use, so it’s my preferred way of creating new DLs. In fact, the old EAC calls the cmdlet when it creates new DLs while the new EAC uses the Microsoft Graph APIs. Here’s how to create a simple distribution list:
New-DistributionGroup -Name "Practical 365 Authors" -Alias P365.Authors -PrimarySmtpAddress Practical.365.Authors@office365itpros.com -DisplayName "Practical 365 Authors (DL)" -RequireSenderAuthenticationEnabled:$False -IgnoreNamingPolicy
This code creates a new distribution list and:
- Sets an alias, primary SMTP address, and display name.
- Allows external users to send messages to the list (RequireSenderAuthenticationEnabled is False).
- Bypasses the naming policy for distribution lists so that the new list gets the assigned display name.
You can add members when you set up a new distribution group by passing a comma-separated list of email addresses in the Members parameter and the manager of the list in the ManagedBy parameter. Failing this, the Set-DistributionGroup cmdlet adds an owner:
Set-DistributionGroup -Identity P365.Authors -ManagedBy Tony.Redmond
Several other settings control how the DL is used. For example, you can set a group to be moderated, meaning that any message sent to the DL is checked first by a moderator before it is delivered. For sensitive DLs, you can set it so that only certain individuals can send messages to the DL. For example, this command turns on moderation and sets Tony Redmond as the moderator. It also sets a restriction on the DL so that Exchange only accepts messages from DL members.
Set-DistributionGroup -Identity P365.Authors -ModerationEnabled:$true -ModeratedBy Tony.Redmond -AcceptMessagesOnlyFromDLMembers:$True
A recent change allows organizations to block people sending to DLs as a BCC addressee. This is especially useful with large DLs used for company-wide discussions and people use Inbox rules to filter messages sent to the DL. The rules won’t work if the DL is a BCC addressee because rules can’t filter on BCCs.
Set-DistributionGroup -Identity "Message Board Posting" -BccBlocked $True
Finally, you can grant Send As permission for a DL to allow a user to send messages from the DL:
Add-RecipientPermission -Identity P365.Authors -Trustee Tony.Redmond -AccessRights SendAs
Adding Members to the New-DistributionGroup
A distribution list is no good without members. You can add individual DL members with Add-DistributionGroupMember or update the complete membership in one operation using Update-DistributionGroupMember. Note that the members referenced must be mail-enabled recipients in the Exchange directory. In other words, if you plan to add an external user to a DL, create a mail contact or Azure AD guest account for them first.
Add-DistributionGroupMember -Identity P365.Authors -Member Jeff.Guillet $Members = "Jeff.Guillet", "Tony.Redmond", "Paul.Robichaux" Update-DistributionGroupMember -Identity P365.Authors -Members $Members -Confirm:$False
Equipped with its membership, our new DL is fully operational and can be used immediately by addressing email to its SMTP address. Within a day, Exchange will add the new DL to the Offline Address Book (OAB) and it will appear in the Outlook GAL.
Dynamic Distribution Lists
A dynamic DL is one whose membership is calculated by resolving a query against the directory. The big advantage of dynamic DLs is that they can be used with any Exchange Online license. Dynamic Microsoft 365 Groups require an Azure AD Premium P1 license.
Dynamic DLs rely on a recipient filter to locate members in the directory. Custom recipient filters can be quite complex (but do great things), so to make it easier to build dynamic DLs, Microsoft uses precanned filters. These are prebuilt filters based on common criteria, like everyone who works in a certain country or city, or everyone with a mailbox. If you create a dynamic distribution list through the EAC, it uses a precanned filter. Only dynamic distribution lists created with PowerShell can use custom filters.
Here’s an example. This code creates a dynamic distribution list using a filter which checks the directory for mailboxes with the value of CustomAttribute9 set to Editor.
New-DynamicDistributionGroup -Name P365Editors -DisplayName "Practical 365 Editors DL" -ConditionalCustomAttribute9 Editor -IncludedRecipients MailboxUsers -PrimarySmtpAddress P365.Editors@office365itpros.com -Alias P365.Editors
I’m not saying that creating complex filters for dynamic distribution lists is easy, but it’s no harder than creating the equivalent filters used with dynamic Microsoft 365 Groups. And because DDLs are free, they are a great tool to have available.
Maybe Time to Consider DLs Again
Microsoft 365 Groups are an important part of the Microsoft 365 ecosystem. However, distribution lists have been part of email since the earliest days of email. They are more useful now than ever before. By all means, go ahead and create Microsoft 365 Groups when you need a basis for collaboration across SharePoint, Teams, email, and Planner, but if your needs are email-focused, distribution lists do the job.
Hi Tony,
Note that you can indeed specify the owners and members in the New-DistributionGroup cmdlet – see the -Members and -ManagedBy parameters
Yep. You absolutely can. I am not sure when this changed, but maybe that’s age playing tricks on me (again).
Hi ,
I am using powershell to send automatic mails to users group DL along with individual users .
Individual users are getting the mail but DLs are not getting the sent mail .
how to enable it in powershell for windows 10 . Please suggest me some solution.
Thanks
Ishwarya S
Did you check the message trace for messages to see why the members of the DL are not receiving email? Is it just one DL or every DL?
Can we automate the mailbox migration from onprem to O365 using ps script?
You mean migrate distribution lists? If so, this is possible using PowerShell. It takes some planning and coding to cover all the bases, but it’s feasible and has been done before.
Olá!
Agradeço a ajuda, mas o que procuro é:
– uma conta compartilhada ter como membro uma lista de distribuição DL;
É possível?
Obrigado
I don’t believe you can add a distribution list as a member of a shared mailbox.
Good article Tony and having just had to perform the arduous task of “migrating” 9,000 DL’s from on-prem AD to become Cloud managed groups in AAD, I can honestly say Microsoft *really* need to invest in this area.
Not to mention that AAD Groups of Type Distribution cannot be changed to become Mail Enabled Security Groups, they have to be removed and recreated!
And of course Update-DistributionGroupMember is great to bulk add members *As long as they all exist*! Even if one of the members you are adding is missing the whole CMDLET fails leading to complex pre-validation routines to build the members lists which, in itself, slows the process.
Lastly, if you do want to perform this process en-mass and some of the groups in AD on-prem are mail enabled security groups, without major investigation into where they are permitting access, you need to use Disable-DistributionGroup and leave them there, leading to disconnect between the DL in the AAD and the Security Group in AD!
Definitely Time to Consider DLs Again!