Whether a mail-enabled security group is large or has a restricted set of users, you may need to limit who can send to it. You may also want to enable moderation so that specific users approve or deny messages before they reach the members.
The good news is that all of this can be done with Active Directory and Exchange attributes alone.
Configuring moderation in an Exchange Online / Active Directory environment
These steps are geared towards environments which have their Active Directory schema extended with Exchange attributes and that sync to AAD with Azure AD Connect. In this scenario, Exchange is not in hybrid mode.
Getting to know your attributes
| Name | AD Attribute | Description | Values |
| --- | --- | --- | --- |
| Allow send from (user) | authOrig | List of senders (users) that are allowed to send to the group | List of user distinguished names (DN) |
| Block send from (user) | unAuthOrig | List of senders (users) that are blocked from sending to the group | List of user distinguished names (DN) |
| Allow send from (group) | dlMemSubmitPerms | List of senders (groups) that are allowed to send to the group. Used in place of authOrig if you need to specify groups* | List of group distinguished names (DN) |
| Block send from (group) | dlMemRejectPerms | List of senders (groups) that are blocked from sending to the group. Used in place of unAuthOrig if you need to specify groups* | List of group distinguished names (DN) |
| Require senders to be authenticated | msExchRequireAuthToSendTo | Limits senders to authenticated users (inside the organization) | Require sending from an authenticated source = True; allow sending from any source = False |
| Enable group moderation | msExchEnableModeration | Is moderation configured for this group? | Moderation enabled = True; moderation disabled = False |
| List of moderators | msExchModeratedByLink | List of users who receive and manage the approve/deny emails. The maximum number of moderators is 10. If you specify more than 10, Exchange throws an exception and moderation will not work as intended. | List of user distinguished names (DN) |
| Skip email approval | msExchBypassModerationLink | List of users who can send emails without requiring approval/moderation | List of user distinguished names (DN) |
| Sender notification | msExchModerationFlags | What notification (if any) the sender receives when their email is not approved | Notify all senders when their messages aren't approved = 6; notify senders in your organization when their messages aren't approved = 2; don't notify anyone when a message isn't approved = 0 |
| Hide from address book lists | msExchHideFromAddressLists | Is this group hidden from address books in Exchange? | Hidden from address books = True; visible in address books = False |
| Managed by | managedBy | Users who can manage the membership of the group | List of users |
| Members | member | List of users who are members of the group; they receive any approved emails sent to the group | List of users |
Notes about restricting send from
authOrig/unAuthOrig are used to store a list of DNs of specific users who have/do not have permission to send to the object.
dlMemSubmitPerms/dlMemRejectPerms are used to store a list of DNs of groups whose members are considered to have/not have permission to send to the object.
dlMemSubmitPerms/dlMemRejectPerms cannot be used to store DNs of specific users you want to allow/deny access to. The values in these attributes are always interpreted as groups. User objects aren't groups, and listing a user DN in one of these attributes would have the same effect as listing an empty group instead.
authOrig and dlMemSubmitPerms are used to grant access to specified users/groups. If either of these attributes is present, anyone not listed under authOrig or who is not a member of a group listed under dlMemSubmitPerms will be denied access.
unAuthOrig and dlMemRejectPerms are used to deny access to specified users/groups. If either of these attributes is present, anyone not listed under unAuthOrig and not a member of a group listed under dlMemRejectPerms will automatically be granted access.
Taken from https://groups.google.com/forum/#!topic/microsoft.public.exchange.development/clYIH052JXw
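The rules in the notes above, written out as a PowerShell function so the effect of the four attributes on one sender can be checked offline. This is an added example, not code from the original page; the DNs are constructed, and it assumes a deny entry wins over an allow entry when a sender matches both.

```powershell
# Added example: evaluate the send-restriction semantics described in the notes above.
# Assumption: deny attributes (unAuthOrig / dlMemRejectPerms) are checked before allow attributes.
function Test-SenderAllowed {
    param(
        [string]   $SenderDn,
        [string[]] $SenderGroupDns   = @(),   # DNs of groups the sender is a member of
        [string[]] $AuthOrig         = @(),   # authOrig: allowed user DNs
        [string[]] $UnAuthOrig       = @(),   # unAuthOrig: blocked user DNs
        [string[]] $DlMemSubmitPerms = @(),   # dlMemSubmitPerms: allowed group DNs (always read as groups)
        [string[]] $DlMemRejectPerms = @()    # dlMemRejectPerms: blocked group DNs (always read as groups)
    )
    # True when the sender belongs to at least one of the given group DNs
    $memberOfAny = { param([string[]] $dns) @($SenderGroupDns | Where-Object { $dns -contains $_ }).Count -gt 0 }

    # Deny lists: an explicit user entry or membership of a rejected group blocks the sender
    if ($UnAuthOrig -contains $SenderDn)   { return $false }
    if (& $memberOfAny $DlMemRejectPerms)  { return $false }

    # Allow lists: once either attribute is populated, only listed users / members of listed groups pass
    if ($AuthOrig.Count -gt 0 -or $DlMemSubmitPerms.Count -gt 0) {
        return ($AuthOrig -contains $SenderDn) -or (& $memberOfAny $DlMemSubmitPerms)
    }
    # No allow list at all: everyone not denied is permitted
    return $true
}

# Constructed sample configuration: one allowed group, one explicitly blocked user
$groupConfig = @{
    DlMemSubmitPerms = @('CN=Allowed Senders,OU=Groups,DC=example,DC=com')
    UnAuthOrig       = @('CN=Blocked User,OU=Users,DC=example,DC=com')
}
$allowedGroup = 'CN=Allowed Senders,OU=Groups,DC=example,DC=com'

# Member of the allowed group, not on the deny list
Test-SenderAllowed -SenderDn 'CN=Alice,OU=Users,DC=example,DC=com' -SenderGroupDns @($allowedGroup) @groupConfig
# Not in any allowed group, so the allow list excludes them
Test-SenderAllowed -SenderDn 'CN=Bob,OU=Users,DC=example,DC=com' @groupConfig
# In the allowed group but explicitly blocked; deny wins under the stated assumption
Test-SenderAllowed -SenderDn 'CN=Blocked User,OU=Users,DC=example,DC=com' -SenderGroupDns @($allowedGroup) @groupConfig
```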
Further reading
- How to limit senders to a distribution list in exchange online - https://messageops.com/how-to-limit-senders-to-a-distribution-list-in-exchange-online/
- Office 365 groups ad attributes - https://gist.github.com/gruberjl/1fb33997c8f60bd2d5d8e4ebcdffbd71
- msExchModerationFlags values - https://itgeekspeak.wordpress.com/2012/11/15/msexchmoderationflags-values/
Examples
Turn on moderation for a group
Enable moderation of the group, require authenticated senders, and specify a moderator
Set-ADObject -Identity [GROUP_IDENTIFIER] -Replace @{msExchEnableModeration = $true; msExchRequireAuthToSendTo = $true; msExchModeratedByLink = @("[DN_OF_A_USER]")}
Enable restricted sending for a group
Allow only users in a specific group to send to the group
Set-ADObject -Identity [GROUP_IDENTIFIER] -Replace @{dlMemSubmitPerms = @("[DN_OF_ALLOWED_GROUP]")}
Enable specific users to bypass moderation
Allow specific users to bypass moderation and send directly to members of the group
Set-ADObject -Identity [GROUP_IDENTIFIER] -Replace @{msExchBypassModerationLink = @("[DN_OF_ALLOWED_USER]")}
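To verify that the settings applied with the commands above actually work as intended, the following added audit function (not from the original page) reads the attributes from the table back from AD and flags the pitfalls described earlier: more than 10 moderators, non-group DNs in the dlMem* attributes, and unexpected msExchModerationFlags values. It assumes the ActiveDirectory module is available and uses the page's [GROUP_IDENTIFIER] placeholder.

```powershell
# Added audit example: report the moderation / restriction state of one mail-enabled group.
Import-Module ActiveDirectory

function Get-GroupModerationReport {
    param([Parameter(Mandatory)][string] $Identity)

    $props = 'authOrig', 'unAuthOrig', 'dlMemSubmitPerms', 'dlMemRejectPerms',
             'msExchRequireAuthToSendTo', 'msExchEnableModeration',
             'msExchModeratedByLink', 'msExchBypassModerationLink', 'msExchModerationFlags'
    $g = Get-ADObject -Identity $Identity -Properties $props
    $findings = [System.Collections.Generic.List[string]]::new()

    # Moderator checks: the table above states that more than 10 moderators breaks moderation
    $mods = @($g.msExchModeratedByLink)
    if ($g.msExchEnableModeration -and $mods.Count -eq 0) {
        $findings.Add('Moderation is enabled but msExchModeratedByLink is empty')
    }
    if ($mods.Count -gt 10) {
        $findings.Add("msExchModeratedByLink has $($mods.Count) entries; the limit is 10")
    }

    # dlMem* entries are always interpreted as groups; a user DN there behaves like an empty group
    foreach ($attr in 'dlMemSubmitPerms', 'dlMemRejectPerms') {
        foreach ($dn in @($g.$attr)) {
            $obj = Get-ADObject -Identity $dn
            if ($obj.ObjectClass -ne 'group') {
                $findings.Add("$attr entry '$dn' is a $($obj.ObjectClass), not a group, so it has no effect")
            }
        }
    }

    # Only 0, 2 and 6 are documented values for msExchModerationFlags
    if ($null -ne $g.msExchModerationFlags -and $g.msExchModerationFlags -notin 0, 2, 6) {
        $findings.Add("msExchModerationFlags=$($g.msExchModerationFlags) is not 0, 2 or 6")
    }

    # A moderated group that still accepts unauthenticated senders lets any source submit messages
    if ($g.msExchEnableModeration -and -not $g.msExchRequireAuthToSendTo) {
        $findings.Add('Moderation is enabled but msExchRequireAuthToSendTo is False; any source can submit')
    }

    [pscustomobject]@{
        Group             = $g.DistinguishedName
        ModerationEnabled = [bool]$g.msExchEnableModeration
        Moderators        = $mods
        Findings          = $findings
    }
}

Get-GroupModerationReport -Identity '[GROUP_IDENTIFIER]'
```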