How to Hide Individual Distribution List Members

Posted on by Tony Redmond

Hide Individual Distribution List Members to Keep Their Identity Secret

A question in the Office 365 Technical Discussions Facebook group asked whether it is possible to hide individual distribution list members. This necessity might arise when you want to use a single distribution list to communicate information and you don’t want people to know the full set of recipients. Perhaps some recipients are external advisors or maybe you want to hide the fact that information is being shared with certain people within the organization.

The simple answer is no. Exchange Online supports the hiding of complete membership, but not an individual member of a distribution list. The same applies to hidden membership for Microsoft 365 groups. One workaround is to hide the distribution list from Exchange address lists. This stops users browsing the Global Address List (GAL), Offline Address List (OAB), or All Distribution Lists address list to find the list. Even if some discovers the SMTP address of the distribution list and sends a message, they can’t see the membership.

To hide a distribution list, edit its properties using the Exchange admin center (Figure 1). Hiding the list from the GAL is shorthand for hiding it from all address lists, including the OAB.

Hiding a distribution list from the Exchange address lists
Figure 1: Hiding a distribution list from the Exchange address lists

Alternatively, you can hide membership for a distribution list with PowerShell:

Set-DistributionList -Identity "Accounting Department" -HiddenFromAddressListsEnabled $True

Using a Nested Distribution List to Hide Members

However, hiding a distribution list that people might want to use removes a lot of its value. A better workaround exists dating back to Exchange 2000 or thereabouts, which is when I think the hidden membership feature first arrived (or maybe Exchange 2003).

The idea is simple. A distribution list can include nested distribution lists in its membership list. What we do is create a distribution list with hidden membership and include it in the membership of the public list. Here are the steps:

  • Create a distribution list that includes all the users that you are happy for other users to know about.
  • Create a second distribution list and set it to have hidden membership.
  • Add the people you want to hide to the membership list of the second list.
  • Add the second list to the membership of the first list.

You end up with a situation like that shown in Figure 2. The Public People List includes a distribution list called Secret People List in its membership.

A distribution list with a nested list in its membership.
Figure 2: A distribution list with a nested list in its membership

If someone clicks on the Secret People List entry, they see the properties of the distribution list but not its membership (Figure 3). The members of the nested distribution list are invisible.

The nested distribution list has hidden membership.
Figure 2: The nested distribution list has hidden membership

PowerShell Commands to Create the Public and Secret Lists

Here are the steps to use PowerShell to create what’s shown above. First, create the public list:

New-DistributionGroup -Name 'Public People List' -Alias Public.People.DL -Description 'People who want to be in a DL and be seen' -DisplayName 'Public People List' -IgnoreNamingPolicy

Now add the members that should be visible to the distribution list:

Add-DistributionGroupMember -Identity Public.People.DL -Member Hans.Geering
Add-DistributionGroupMember -Identity Public.People.DL -Member Otto.Flick
Add-DistributionGroupMember -Identity Public.People.DL -Member Michelle.duBois
Add-DistributionGroupMember -Identity Public.People.DL -Member James.Ryan
Add-DistributionGroupMember -Identity Public.People.DL -Member Ken.Bowers

The next step is to create the secret list. In this case, the HiddenGroupMembershipEnabled property is set to $True.

New-DistributionGroup -Name 'Secret People List' -Alias Secret.People.DL -Description 'People who want to be in a DL but not be seen' -DisplayName 'Secret People List' -HiddenGroupMembershipEnabled:$True -IgnoreNamingPolicy

Add the members of the secret list:

Add-DistributionGroupMember -Identity Secret.People.DL -Member Ann.Conroy
Add-DistributionGroupMember -Identity Secret.People.DL -Member Lotte.Vetler

Finally, add the secret list to the membership of the public list:

Add-DistributionGroupMember -Identity Public.People.DL -Member Secret.People.DL@office365itpros.com

To validate that the membership is as expected, run the Get-DistributionGroupMember cmdlet to check the membership of the public list:

Get-DistributionGroupMember -Identity Public.People.DL | Format-Table DisplayName, RecipientType

DisplayName                       RecipientType
-----------                       -------------
James Ryan                        UserMailbox
Ken Bowers                        UserMailbox
Otto Flick                        UserMailbox
Hans Geering (Project Management) UserMailbox
Michelle Dubois                   UserMailbox
Secret People List                MailUniversalDistributionGroup

When users send a message to the public list, the Exchange Online transport service resolves the membership, including the nested secret list. Figure 4 shows the recipients for a message sent to the public list as viewed through OWA. The secret list is in the recipients, and we know that this copy was delivered to Ann Conroy, a member of the secret list, because her name is in the window title bar.

The recipients of a message include the secret distribution list. Hide individual distribution list members
Figure 4: The recipients of a message include the secret distribution list

You can run a message trace to confirm that the Exchange transport service expanded the message recipients to include members of the list:

Get-MessageTrace -MessageId DB7PR04MB441021BCEDA43033408C417C8B7B2@DB7PR04MB4410.eurprd04.prod.outlook.com | ft received, 'recipientaddress', subject

Received            RecipientAddress                     Subject
--------            ----------------                     -------
24/01/2024 22:37:16 ken.bowers@office365itpros.com       Interesting Information to Read
24/01/2024 22:37:16 public.people.dl@office365itpros.com Interesting Information to Read
24/01/2024 22:37:16 hans.flick@office365itpros.com       Interesting Information to Read
24/01/2024 22:37:16 secret.people.dl@office365itpros.com Interesting Information to Read
24/01/2024 22:37:16 michelle.dubois@office365itpros.com  Interesting Information to Read
24/01/2024 22:37:16 lotte.vetler@office365itpros.com     Interesting Information to Read
24/01/2024 22:37:16 james.ryan@office365itpros.com       Interesting Information to Read
24/01/2024 22:37:16 ann.conroy@office365itpros.com       Interesting Information to Read
24/01/2024 22:37:16 hans.geering@office365itpros.com     Interesting Information to Read

Note that the name of the secret list does not feature in the set of recipients reported by the message trace, but the public list does. This is because the event reported by the message trace for the list is the expansion of the recipient list while the other events are deliveries.

Old Secrets Can Be the Best

Sometimes the old tricks are the best. In this instance, using a nested distribution list to cloak the identities of some recipients is a nice workaround and solves the question asked in the group.

Learn about maximizing your usage of Exchange Online and the rest of Office 365 by subscribing to the Office 365 for IT Pros eBook. Use our experience to understand what’s important and how best to protect your tenant.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.