Managing distribution lists (DLs) in Microsoft 365 is a key responsibility for admins, especially when external users are involved. Distribution Groups with external users simplify collaboration by enabling organizations to easily send emails and updates with clients and other external stakeholders. However, this transparency comes with the responsibility of ensuring sensitive information isn’t shared with unauthorized individuals. Therefore, it is essential to keep a close eye on distribution lists with external members to avoid potential security breaches.
How to Find Distribution Lists with External Users in Microsoft 365?
In Microsoft 365, identifying distribution lists with external users/contacts can be challenging, as there are no direct methods.
Identify Distribution Lists with External Users in the Microsoft 365 Admin Center
To find the distribution group members along with external contacts in the Microsoft 365 admin center, follow the below-mentioned steps.
- Sign in to the Microsoft 365 admin center.
- Navigate to Teams & groups –> Active teams & groups –> Distribution list.
- For each DL, go to Members tab and check the members list for external users/contacts.
Repeat the process for every distribution list in the organization. This process is inefficient and tedious, especially when dealing with numerous distribution lists.
View the Members of Distribution Groups Using PowerShell
In PowerShell, the Get-DistributionGroupMember cmdlet allows you to find the member list of distribution groups. However, you need to run the cmdlet for each group individually, which is time-consuming and impractical for large-scale environments.
To address this gap, we’ve created a PowerShell script that retrieves all distribution lists that contain people outside your organization, saving you time and effort.
Download Script: DLsWithExternalUsers.ps1
Script Highlights
- Generates a list of distribution groups with external users in Microsoft 365.
- Excludes external mail contacts by default, with an option to include them if required.
- The script automatically verifies and installs the Exchange PowerShell module (if not installed already) upon your confirmation.
- Exports report results to CSV.
- The script supports Certificate-based authentication (CBA).
- The script is schedular friendly.
Export Distribution Lists with External Users Report – Sample Output
The script analyzes and exports all distribution lists that have external users along with the following attributes:
- DL Name
- DL Email Address
- No of External Users in DL
- External Users’ Name
- External Users’ Display Name
- External Users’ Email Address
The exported ‘Distribution Lists with external users’ report looks like the screenshot below:
Distribution Lists with External Users – Script Execution Steps
- Download the script.
- Start the Windows PowerShell
- Select any of the methods provided to execute the script.
Export Distribution Lists with External Users into CSV
You can run the script with MFA and non-MFA accounts.
|
1 |
./DLsWithExteralUsers.ps1 |
Running this script will export a list of DLs with external users in Microsoft 365.
Pro Tip: With the external users’ details, you can use PowerShell to find all the distribution lists an external user is a member of.
Retrieve Distribution Groups with External Users by Explicitly Mentioning Credentials
You can execute the script by explicitly mentioning credentials like below:
|
1 |
./DLsWithExteralUsers.ps1 -Username admin@contoso.com -Password XXX |
The above method supports only non-MFA accounts. If the admin account has MFA, you need to disable MFA using CA policy to make this work.
Get Distribution Lists with External Users Using Certificate
To use certificate-based authentication, you must register the app in Entra ID which helps you to connect Exchange Online using certificate. This method is schedular friendly.
|
1 |
./DLsWithExteralUsers.ps1 -Organization <Domain> -ClientId <AppId> -CertificateThumbprint <CertThumbPrint> |
Note: Depending on the requirements, you can create a self-signed certificate.
Find Distribution Groups with External Contacts
By default, the script exports DLs with external users while excluding external contacts. To include external mail contacts in the report, run the script with –IncludeContacts switch as shown below.
|
1 |
./DLsWithExteralUsers.ps1 -IncludeContacts |
This generates a detailed report of distribution lists with external contacts as well as external users.
Note: If you find the external user/contact is a member of many inactive distribution groups, consider removing them from those groups.
I hope this blog is useful for identifying DLs with external users in your organization. If you have any queries, you can reach us through the comment section.
