How to block send / receive emails using dynamic distribution group and ETR?

 Office 365, Exchange Online, Perumal
Oct 31 2015

There are requirements across the industry to block external message flow (both send and receive) for a particular set of users only.

Some of the scenarios are
  1. Members of the Research and Development department are restricted from sending mail to and receiving mail from external domains.
  2. In educational institutions, only students above 13 years of age can send and receive external mail. If a student's age is less than 13, they can send and receive mail only within the domain.

In this blog we shall discuss the solution for this requirement.

Solution:
The solution involves a dynamic distribution group and an Exchange Transport Rule (ETR).

  1. Create a dynamic distribution group based on an attribute or a custom attribute. For example: Department is Research, or CustomAttribute1 holding the student's age.
  2. In the Exchange Transport Rule (ETR), add rules so that if the sender or recipient is a member of the new dynamic distribution group, the message is blocked.

For simplicity, consider that the Research department's members can't send messages to or receive messages from external users. In this case we shall use the 'department' attribute, which contains 'Research'.


In the PowerShell below, we create a new dynamic distribution group based on the department attribute whose value is 'Research'.

    New-DynamicDistributionGroup -Name "ResearchGrp" -RecipientFilter {(RecipientType -eq 'UserMailbox') -and (Department -like 'Research') }


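We need to create two Exchange Transport Rules: one deletes the message if the sender is a member of the ResearchGrp dynamic distribution group and the recipient is outside the organization, and the other deletes the message if the recipient is a member of the group and the sender is outside the organization. The scope conditions keep internal mail flowing, and -DeleteMessage takes a Boolean value.

    # Outbound: sender is in ResearchGrp and the recipient is outside the organization
    New-TransportRule "BlockExternalMessagesFromResearchTeam" -FromMemberOf "ResearchGrp" -SentToScope NotInOrganization -DeleteMessage $true
    # Inbound: recipient is in ResearchGrp and the sender is outside the organization
    New-TransportRule "BlockExternalMessagesToResearchTeam" -SentToMemberOf "ResearchGrp" -FromScope NotInOrganization -DeleteMessage $true

Now all external messages sent from and to the research group are deleted. Instead of deleting the message, you can reject it with a reason; to do that you need to use the 'RejectReason' action.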
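
The reject variant as an added example (not code from the original post): it previews who the dynamic group's filter currently matches, then creates both rules scoped to external mail with the cmdlet's -RejectMessageReasonText parameter, starting in audit mode so nothing is blocked until the matches have been reviewed. It assumes a connected Exchange Online PowerShell session and the ResearchGrp group from above; the rule names, rejection text and status code are illustrative.

```powershell
# Added example. Assumptions: an Exchange Online PowerShell session is already
# connected and "ResearchGrp" exists. Rule names, rejection text and status
# code are illustrative values, not from the original post.
$groupName  = 'ResearchGrp'
$rejectText = 'External mail is not permitted for this mailbox.'

# 1. Preview the recipients the group's filter matches before any rule exists.
$ddg     = Get-DynamicDistributionGroup -Identity $groupName
$members = Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter -ResultSize Unlimited
if (-not $members) {
    throw "The filter for '$groupName' matches no recipients; the rules would never fire."
}
$members | Sort-Object DisplayName |
    Format-Table DisplayName, PrimarySmtpAddress, RecipientTypeDetails

# 2. One rule per direction, each limited to mail crossing the org boundary.
$rules = @(
    @{  # Outbound: group member -> external recipient
        Name         = 'RejectExternalMailFromResearch'
        FromMemberOf = $groupName
        SentToScope  = 'NotInOrganization'
    },
    @{  # Inbound: external sender -> group member
        Name           = 'RejectExternalMailToResearch'
        SentToMemberOf = $groupName
        FromScope      = 'NotInOrganization'
    }
)

# 3. Create the rules in Audit mode: matches are logged, mail is still delivered.
foreach ($rule in $rules) {
    New-TransportRule @rule `
        -RejectMessageReasonText $rejectText `
        -RejectMessageEnhancedStatusCode '5.7.1' `
        -Mode Audit `
        -Comments 'Blocks external mail flow for members of ResearchGrp'
}

# 4. Confirm what was created and where it sits in the rule order.
Get-TransportRule | Where-Object { $_.Name -like 'RejectExternalMail*Research' } |
    Format-List Name, State, Mode, Priority, FromMemberOf, SentToMemberOf, FromScope, SentToScope

# 5. After reviewing the audit matches in message trace, enforce the rules:
# $rules | ForEach-Object { Set-TransportRule -Identity $_.Name -Mode Enforce }
```

With a rejection the sender receives a non-delivery report containing the reason text, whereas the delete action drops the message silently.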