Automatically Manage Blocked Users with Dynamic Distribution Groups and Transport Rules

Introduction

In Microsoft 365 environments, properly managing disabled user accounts is crucial for security and communication management. When employees leave an organization or accounts become compromised, you need to ensure these accounts can't receive sensitive information while maintaining professional communication with external senders.

This guide will show you how to automatically identify blocked users, add them to a dynamic distribution group, and configure transport rules to manage email delivery with auto-replies.

Prerequisites

  • Microsoft 365 Administrator privileges

  • Exchange Online PowerShell module

  • Appropriate licensing for dynamic distribution groups and transport rules

Create a Dynamic Distribution Group for Blocked Users

Dynamic distribution groups automatically include users based on specified criteria, making them perfect for managing disabled accounts.

PowerShell Command

New-DynamicDistributionGroup -Name "Blocked Active User Group" -RecipientFilter {
    (RecipientType -eq 'UserMailbox') -and (AccountDisabled -eq $true)
}

Note: When a user is blocked, the account shows as Account Disabled on the Entra side.

Create Transport Rule for Auto-Reply

Once the dynamic group is created, configure a transport rule to handle incoming emails.

  1. Navigate to Exchange Admin Center > Mail flow > Rules

  2. Click + Add a rule and select Create a new rule

  3. Configure the rule with:

    • Apply this rule if: The recipient is a member of "Blocked Active User Group"

    • Do the following: Reject the message with an explanation.

After the configuration, senders receive a non-delivery report (NDR) containing the explanation.

Best Practices

  1. Regular Auditing: Periodically review the dynamic group membership.

  2. Message Customization: Tailor auto-reply messages to your organization's needs.

  3. Security Considerations: Ensure the rule doesn't interfere with other critical mail flow rules.
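
The transport rule steps and the auditing practice above can also be scripted. The following is an added example, not part of the original guide: it previews who the group's filter currently matches, then creates the reject rule in audit mode so its effect can be checked before it is enforced. It assumes an existing Connect-ExchangeOnline session; the rule name, rejection text and size threshold are placeholders chosen for illustration.

```powershell
# Added example. Assumes an active Exchange Online PowerShell session.
$groupName   = 'Blocked Active User Group'     # group created earlier in this guide
$ruleName    = 'Reject mail to blocked users'  # assumed rule name
$maxExpected = 50                              # assumed sanity threshold for your tenant

# 1. Audit: list the recipients the group's filter matches right now.
$group   = Get-DynamicDistributionGroup -Identity $groupName -ErrorAction Stop
$members = @(Get-Recipient -RecipientPreviewFilter $group.RecipientFilter -ResultSize Unlimited)

$members | Sort-Object PrimarySmtpAddress |
    Select-Object DisplayName, PrimarySmtpAddress, RecipientTypeDetails |
    Format-Table -AutoSize

# Guard: a filter that matches nobody, or far too many mailboxes, is
# probably wrong, and a reject rule built on it would drop legitimate mail.
if ($members.Count -eq 0) {
    Write-Warning "Filter matches no recipients; the rule would have no effect yet."
}
if ($members.Count -gt $maxExpected) {
    throw "Filter matches $($members.Count) recipients (limit $maxExpected). Review it first."
}

# 2. Create the rule only if it does not exist yet.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $ruleName }
if (-not $existing) {
    $ruleParams = @{
        Name                            = $ruleName
        SentToMemberOf                  = $group.PrimarySmtpAddress
        RejectMessageReasonText         = 'This mailbox is no longer active.'  # placeholder text
        RejectMessageEnhancedStatusCode = '5.7.1'
        Mode                            = 'Audit'  # log matches only; nothing is rejected yet
        Comments                        = 'Rejects mail sent to members of the blocked users group'
    }
    New-TransportRule @ruleParams
}
else {
    Write-Output "Rule '$ruleName' already exists (Mode: $($existing.Mode))."
}
```

Once the audit results show that only blocked accounts are matched, switch the rule on with Set-TransportRule -Identity 'Reject mail to blocked users' -Mode Enforce. Exchange Online refreshes stored dynamic group membership on a schedule (every 24 hours), so a newly blocked account may not be covered by the rule immediately.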