Adding Exclusions to a Dynamic Distribution Group in Office 365 and Exchange

It does not currently seem possible to add exclusions via the Office 365 portal however straight forward to do via powershell. The Office 365 already has a filter in place and this would need modifying.  Examples for Office 365 shown below. To exclude a specific user Steven from a custom Everyone distribution group (

You will need to connect to O365 via PowerShell first (

set-dynamicdistributiongroup -identity Everyone -RecipientFilter {((RecipientType -eq ‘UserMailbox’) -and (-not(Name -like ‘SystemMailbox{*’)) -and (-not(Name -like ‘CAS_{*’)) -and (-not(RecipientTypeDetailsValue -eq ‘MailboxPlan’)) -and (-not(RecipientTypeDetailsValue -eq ‘DiscoveryMailbox’)) -and (-not(RecipientTypeDetailsValue -eq ‘PublicFolderMailbox’)) -and (-not(RecipientTypeDetailsValue -eq ‘ArbitrationMailbox’)) -and (-not(RecipientTypeDetailsValue -eq ‘AuditLogMailbox’)) -and (-not(name -like ‘steven’)))}

To make it easer for administrators to manage via Office 365 portal filter on an attribute that can be easily updated.  Example below filters on the customattribute1 field if set to ‘exclude’

set-dynamicdistributiongroup -identity Everyone -RecipientFilter {((RecipientType -eq ‘UserMailbox’) -and (-not(Name -like ‘SystemMailbox{*’)) -and (-not(Name -like ‘CAS_{*’)) -and (-not(RecipientTypeDetailsValue -eq ‘MailboxPlan’)) -and (-not(RecipientTypeDetailsValue -eq ‘DiscoveryMailbox’)) -and (-not(RecipientTypeDetailsValue -eq ‘PublicFolderMailbox’)) -and (-not(RecipientTypeDetailsValue -eq ‘ArbitrationMailbox’)) -and (-not(RecipientTypeDetailsValue -eq ‘AuditLogMailbox’)) -and (-not(CustomAttribute1 -like ‘exclude’)))}

11/5/16 UPDATE

It now appears that the behaviour has changed of the set-dynamicdistributiongroup has changed therefore only the following is required as the other filters are automatically appended to this

set-DynamicDistributionGroup -Identity everyone -RecipientFilter {(-not(CustomAttribute1 -like ‘exclude’))}

Any further exclusions can then be added using the 365 portal by setting the customattribute1 field to the value exclude.



4 thoughts on “Adding Exclusions to a Dynamic Distribution Group in Office 365 and Exchange

  1. As of a recent update, Microsoft has completely screwed this up by adding External Users to your “users” in Office 365. Unless you further restrict your dymamic distribution groups, they will now receive a copy of messages that you intent to go to employees only. That “usermailbox” parm no longer means “My Exchange Online User Mailboxes In My Tenancy” like anyone would expect…

  2. Unfortunately setting custom attributes is not possible if you are using Azure Sync and never had a local Exchange server installed to extend the AD schema.

    Im having to find other methods, or begrudgingly installing the Exchange schema

    1. I am in this camp, but I did extend the AD schema with Exchange attributes… just download an eval copy of Exchange Server and run Setup /PrepareSchema. I use Exchange custom attributes flawlessly. NOTE: you DO have to update the Azure AD Connect schema afterwards by running the configuration again and choosing the update schema option or it won’t work. I also use 365 Command AD extensions to add O365 specific tabs in Active Directory Users and Computers (

  3. When I am excluding a user from the everyone DDG, do I type the exclusion as their displayed name or actual account name? For example, “-and (-not(name -like ‘steven’” is ‘steve’ the display name of the user to be excluded or would it need to be the actual full account, for example,

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s