Microsoft 365 Dynamic Group handling with User Sync


Microsoft 365 provides Dynamic Group options to manage users and addresses flexibly. However, Dynamic Groups do not push information to Microsoft Graph; the API used to pull email address information into Mailprotector.

A workaround is available to implement Dynamic Groups while still getting an email address to Mailprotector by using a mail-enabled Security or Distribution Group.

Applies to:

Office 365, O365, Exchange Online, User Sync, User Source


Understand the concepts and differences between Dynamic and Distribution Groups in Microsoft 365 and Exchange Online.

Successfully configured an Office 365 user source in the Mailprotector Console. Please read Configure User Sync with O365 for details.

We will use an example of creating a group that will include all company employees and ensures that email is enabled and the email address is synced to Mailprotector through the Office 365 User Source.

Configuration Steps

Use Case

All steps will be performed in the Exchange Online Admin Center. We will assume an existing Dynamic and Distribution Group does not exist. Steps will be for the configuration of two new groups to provide the desired outcome.

Example Scenario:

Widgets Inc. wants an email address that will allow a user to send a message to all company employees. A Dynamic Group will be used to ensure all employees are included without manual admin intervention to reduce administrative overhead.

Email address:

Implementation with a Distribution Group address

NOTE: These instructions do not work with the new Exchange Admin Center. If you are using the new interface, you will need to switch back to the classic interface. Dynamic distribution groups are not managed in the new interface yet.

  1. Begin by logging into the Microsoft 365 Admin Center and navigate to the Exchange Admin Center.

  2. From the Exchange Admin Center, select groups.

  3. On group management, click the dropdown arrow and select Dynamic distribution list to create a new dynamic group.

  4. In the dialog box that opens, enter a Display name, Alias, and optional Notes. It is recommended to name and alias this group to delineate the dynamic function. The example below uses "DDG" to denote it as a Dynamic Distribution Group.

  5. Scroll down the Dynamic Distribution List dialog box and set the appropriate membership criteria for your use case. In this example, only users with an Exchange mailbox will be members of the group. Click the Save button when complete.

  6. Now you need to create the distribution list that will sync to Mailprotector. Again, click the dropdown arrow, but this time select the Distribution list.

  7. In the dialog box that opens, enter a Display name, Alias, Email address, and optional Notes. This time, the Name and Email address are what we expect the users to send messages to.

  8. Scroll down the dialog box to set the Owners and Members. A single Owner is required, and the existing account you are logged in to should already be the owner. Scroll past Owners, and click the + icon under Members. The Select Members dialog box will open. Choose the Dynamic group created in earlier steps to be a Member of this group.

  9. With the dynamic group added as a member, ensure the Add group owners as members is unchecked. And, set both permission controls to Closed to ensure the members are not mistakenly altered. In this example, all employees will receive emails from this group. Additional members would be redundant. Click the Save button to complete the configuration.

  10. On the Group management screen, you should now have two group types. One a Dynamic distribution list and the other a Distribution list. The dynamic group will contain the members based on the criteria configured. The dynamic group is a member of the distribution list, which will accept and distribute emails to the dynamic group members. The "regular" distribution group will be added to the Mailprotector Console as a Mailing List type user so that email can be accepted and filtered.
Have more questions? Submit a request