Time to Check Recipient Filters for Dynamic Distribution Groups
Update (December 13, 2024): Microsoft has pushed the change out to early January 2025.
On October 16, Microsoft published message center notification MC912176 to explain a change to the way that Exchange Online processes the recipient filters for dynamic distribution groups (DDGs). Essentially, Microsoft says that recipient filters that use wildcard prefixes with the equal operator should never have worked because this functionality was not designed into how the server evaluates recipient filters. Microsoft will roll out an Exchange Online update on November 30 “to ensure the -eq operator in recipient filters is correctly honored.”
Microsoft also noted that they’ve already deployed a fix to prevent new DDGs from being created with invalid wildcard filters. In addition, if an administrator updates a DDG, the fix changes its recipient filter and stops it working. Microsoft didn’t say anything before they introduced the fix into production. Based on the comments for this article, the problem seems to have surfaced in August 2024.
Poor Communications Marred DDG Fix
It’s obviously a bad situation when a service provider rolls out a fix into production that stops customer functionality from working. The issue is compounded when the service provider leaves it to customers to discover the effect of their code change. In this case, the problem usually surfaced with recipient filters designed to find mail-enabled objects based on their email address, such as all mailboxes for an SMTP domain. Over the years, people have figured out that it’s possible to create a recipient filter against the WindowsLiveID mailbox property and use it with a wildcard prefix. For instance, here’s how it was possible to create a DDG with a recipient filter to find everyone with an office365itpros.com address:
$Filter = 'WindowsLiveID -eq "*office365itpros.com"' New-DynamicDistributionGroup -Name "Office365ITPros users" -DisplayName "People with Office365itpros.com email address" -Alias O365.WindowsLiveID -PrimarySmtpAddress O365.WindowsLiveID@Office365itpros.com -RecipientFilter $Filter
Exchange Online no longer accepts this syntax and rejects it with:
New-DynamicDistributionGroup: Cannot process argument transformation on parameter 'RecipientFilter'. Cannot convert value "WindowsLiveID -eq "*office365itpros.com"" to type "System.String". Error: "The value "*office365itpros.com" could not be converted to type Microsoft.Exchange.Data.SmtpAddress. "WindowsLiveID -eq "*office365itpros.com"" at position 41."
When writing the original Practical365.com article on this topic last January, I discovered the inconsistent behavior of recipient filters with wildcard prefixes and reported the problem to Microsoft, who debugged the issue, found the root cause, and fixed it in August. Wildcard prefixes are not supported for any filterable property, but wildcard suffixes are.
Impact on DDGs after November 30
Although poor communication caused heartburn for customers affected by DDGs that suddenly stopped working after the August patch, Microsoft believed that a full-blown fix was needed to make sure that DDGs work as designed. That’s what will come on November 30.
After Microsoft deploys the update, any DDG that has a recipient filter which uses a prefix wildcard with the -eq operator like the example cited above will stop working. Tenants with DDGs that use this kind of recipient filter should have received a message center notification like MC912176 (because of all the testing I did to track down the problem, I had many instances).
Microsoft notes that the sudden non-functional nature of DDGs “may impact any processes that rely on this behavior.” They urge affected customers to explore “alternative methods” such as using a custom attribute to hold the domain name and creating a recipient filter that matches against the custom attribute. Full details about how to do this, including an example script, are described in the Practical365.com article referenced above.
Another alternative is to use a dynamic Microsoft 365 group. The membership rules for dynamic groups support a wide range of filtering options against account properties including wildcard prefix matches. However, unlike DDGs, dynamic groups require Entra ID P1 licenses for any account matched by the filter. This isn’t usually a problem in enterprise tenants that might have these licenses already. A more fundamental issue is that dynamic Microsoft 365 groups don’t support the same range of mail-enabled objects that DDGs do (like mail contacts, public folders, distribution lists, etc.).
Performance is the Likely Root Cause
You might ask the question if Entra ID can support the -eq operator against prefix wildcards, why can’t Exchange Online? I don’t know the precise details, but I suspect that the reason comes down to performance. DDGs don’t exist in Entra ID. They are Exchange objects and Exchange is responsible for evaluating recipient filters.
As a mail server, Exchange doesn’t want to slow mail transport by having to evaluate complicated recipient filters. Speeding up evaluation is why Microsoft introduced a background mechanism to evaluate DDG membership some years ago. Exchange also supports precanned filters to further optimize lookups. It could be that allowing wildcard matches against email addresses incurs a performance penalty that Exchange doesn’t want to take. By comparison, Entra ID supports different ways to evaluate membership rules for dynamic Microsoft 365 groups, so the performance implications for matching against email addresses might not be as heavy.
Time to Evaluate Your DDG Recipient Filters
The customer perspective of what’s happened is likely very different to Microsoft’s. From the engineering viewpoint, an inconsistency was reported, they tracked down the problem and fixed it to make DDGs work as designed. All is well unless you depend on using a DDG with a now-prohibited recipient filter, in which case you have some work to do before the axe descends in early January 2025 (extended from the early November 30, 2024 date). Isn’t Information Technology a great area to work in?
Hi Tony, I’ve have tried to find this message MC912176 or anything related to this issue from M365 message center and health center, but I cannot find anything. Is that correct message center ID? Where did you find the “latest update”?
Update (December 13, 2024): Microsoft has pushed the change out to early January 2025.
MC912176
Published
16 Oct 2024
Last updated
13 Dec 2024
Updated December 13, 2024: We have updated the rollout timeline below. Thank you for your patience.
We recently fixed a bug for Dynamic Distribution Groups (DDGs) in Exchange Online that use wildcards as a prefix via the -eq operator in recipient filters. DDGs in Exchange Online do not support these expressions and never intended to. We are updating the behavior of existing DDGs to ensure the -eq operator in recipient filters is correctly honored.
The fixes we have already rolled out prevent newly created DDGs from being affected by the bug and fix any existing DDGs affected by the bug when an admin updates them.
When this will happen:
In late January 2025 (previously December 5), we’re introducing a fix that will prevent this unintended behavior altogether. This will change the behavior of any remaining DDGs that are affected by the bug but have not yet been updated by an admin.
How this will affect your organization:
You are receiving this message because our reporting indicates your tenant is using DDGs with wildcards as a prefix via the -eq operator in recipient filters.
When the update takes effect, the * character will be treated as a literal value and not a wildcard. Therefore, expressions using the -eq operator will only evaluate to true if the right-hand side value matches the property values exactly. For example, the expression (WindowsLiveID -eq ‘*@microsoft.com’) will only return true if the recipient’s WindowsLiveID property is exactly “*@microsoft.com”. The current behavior will no longer function after the fix, and this may impact any processes that rely on this behavior.
What you need to do to prepare:
To ensure that processes which rely on filtered DDGs continue to operate as expected, consider exploring alternative methods or implementing custom logic to achieve your desired behavior. For example, if you are using DDGs to filter recipients based on email domains, you can develop automations to sync email domains of each recipient to a custom attribute and create a DDG with filters based on that custom attribute.
Advanced filtering for group membership is possible by using Microsoft 365 Groups with dynamic membership rules. This feature is available in Microsoft Entra ID P1 and higher (as well as SKUs that include Entra ID P1, such as Microsoft 365 E3 and Microsoft 365 E5). Supported capabilities include the use of wildcards as a prefix, as well as the -contains and -match operators for more complex and flexible rules. More information on dynamic membership rules in Microsoft Entra ID can be found here, and more information on Microsoft 365 Groups can be found here.
Please review Custom recipient filters to learn more about the supported filters for Dynamic Distribution Groups in Exchange Online.
Really appreciate this thread and the one you wrote back in January covering DDG.
Is it even worth using DDG / a script to modify custom attributes for these types of Recipient Filters for DDGs? I’ve been debating implementing something similar, but the script used to add these custom attributes would then need to be automated to keep the list current.
At that point is it better to just use a regular distribution group and use an automated script to just add / remove users based on certain conditions?
Any advantage to still using a dynamic distribution group when you’re already having to supplement it with a script?
Been looking for a way to have a mail enabled group / distro list that contains licensed users belonging to a certain domain. Seems this is basically impossible at the moment.
Well, any form of dynamic group depends on accurate directory properties to work, so you’re going to have to do some work anyway to make sure that the directory is kept up to date. Whether you do that work manually or with a script is up to you, but I don’t think it’s a big deal.
When you say licensed users, I assume you mean that these are accounts with a specific license rather than any license.
That’s true, just would be nice if Microsoft would natively support these types of situations, hopefully they will in the future.
And yeah, specific licenses, mainly concerned with the ones that enable an exchange inbox.