Microsoft has expanded Directory-Based Edge Blocking (DBEB) to now support mail-enabled public folders and dynamic distribution groups in Exchange Online. This enhancement allows organizations to reject external emails to non-existent recipients at the Exchange Online Protection level, improving email security and management. Unique :
Directory-Based Edge Blocking Now Supports Public Folders & Dynamic Distribution Groups
Microsoft just rolled out a big update for Exchange Online Protection (EOP). The Directory-Based Edge Blocking (DBEB) feature now works with mail-enabled public folders (MEPF) and dynamic distribution groups (DDG). This means better email filtering and security for these recipient types, which were previously excluded.
What’s New with DBEB?
DBEB is an EOP feature that blocks emails sent to recipients not listed in your organization’s directory. Until now, it didn’t apply to MEPFs or DDGs. This caused issues for customers who wanted to receive external emails on those groups but had to disable DBEB to make it work.
Now, DBEB can be enabled for these recipient types, improving security without sacrificing email delivery. Microsoft says,
“You can now reject external emails for MEPF and DDGs not present in the organization, at the Exchange Online Protection (EOP) level.”
Major Updates for Different Deployment Scenarios
Pure Exchange Online Deployment
If you run Exchange Online only, you can finally enable DBEB for MEPFs and DDGs without blocking legitimate external emails. Previously, disabling DBEB was the only option to allow external senders. Now, you can turn DBEB back on by setting your accepted domain to “Authoritative.”
Exchange On-Premises Deployment
For hybrid setups, customers syncing MEPFs to Entra (Azure AD) can stop syncing them there and instead sync to Exchange Online using the new Sync-ModernMailPublicFolder script. This change lets you keep DBEB enabled while ensuring email delivery to public folders.
Microsoft advises,
“Exchange on-premises customers who are synchronizing MEPFs to Entra can change their Entra Connect configuration to stop synchronizing MEPFs to Entra.”
Important Tips and Workarounds
One tricky spot remains: on-premises dynamic distribution groups don’t sync to Exchange Online and can get blocked by DBEB. Microsoft suggests two workarounds:
- Create a mail contact in Exchange Online matching the DDG’s external email address.
- Or disable DBEB for the domain by switching the accepted domain type to “Internal Relay.”
These options help maintain mail flow without compromising security.
Why This Matters for Tech Pros
Enabling DBEB for public folders and DDGs means fewer spoofing and phishing risks. It also simplifies mail flow management by enforcing directory-based filtering consistently. If you manage Exchange environments, this update is a welcome relief.
To check your current DBEB status or configure these settings, Microsoft provides PowerShell commands and GUI instructions in the Exchange Admin Center.
Final Thoughts
This update closes a long-standing gap in Exchange Online Protection. It’s a smart move by Microsoft to tighten email security without disrupting common collaboration tools like public folders and distribution groups.
Stay ahead by reviewing your DBEB settings and syncing configurations. This change could save your organization from unwanted external emails and improve overall mail hygiene.
From the New blog articles in Microsoft Community Hub
Windows Server Devices Now Recognized as a New OS in Intune Microsoft has announced that Windows Server devices are Read more
Microsoft Power Platform is leading the way in AI-generated low-code app development. With the help of AI, users can quickly Read more
Microsoft Intune is an enterprise mobility management platform that helps organizations manage mobile devices, applications, and data. The October edition Read more
Microsoft Intune has released its November edition, featuring new updates to help IT admins better manage their organization’s mobile devices. Read more
