Mail-Enabled Security Groups explained: how to create and use them in Microsoft 365
When we work with Azure products such as Power BI or Fabric, we occasionally come into contact with different types of access within Azure. Usually access is managed with Entra Security Groups or M365 Groups.
But did you know, that there are also other types of groups within Entra?
There are multiple other type of groups, but one type of group that I often stumble across and that are not so commonly used are Mail-Enabled Security Groups. In this article you will learn what they are, how they are used and how you can create them!
What are Mail-Enabled Security Groups in Office 365?
Like common Entra Security Groups (formerly known as Active Directory Security Groups), you can use Mail-Enabled Security Groups for access control. This means, that you can add different users or additional Entra Security Groups to this group. You can then give permission on a specific item to the group and all members will autoamtically gain access to the item you granted access.
So far there is no difference to common Entra Security Groups. The change comes now, as the Mail-Enabled Security Group have in addition an e-mail adress. E-mails sent to this address will be forwarded to each member of the group.
However, it is not possible to use this common e-mail address to send e-mails. If you also want to send from the common mail address, you have to use a classic M365 Group.
How can I create a Mail-Enabled Security Group?
In order to create it, go to the Exchange admin center and click on Recipients and then Groups:
Then you navigate to the Mail-enabled security tab and click on Add a group:
In the upcoming dialogue select Mail-enabled security:
Then give a name and if you want add a description to the security group:
Assign an owner of the group:
Then the important step of the whole process starts. You can add now the members of the security group. Members can be natural persons, but for example also M365 Groups and other mail-enabled security groups:
In the next step, we can define the email address that we are going to use for that Mail-Enabled Security Group:
And after a last summary I can finish the group:
The new Mail-Enabled Security Group is now created:
How to use the new group to send and receive e-mails
After creating the group, you most likely ask youself, how to use the newly created security group.
Receiving e-mails
Receiving is pretty straight forward. You can just send e-mails to the group e-mail address. The e-mail will then be distributed to everyones mail account.
As you can see here, I sent an e-mail to the recently created security group. The e-mail just appeared in my inbox:
In the Edit Settings step described above, you can decide if it’s possible to send mails to the security group from external e-mail providers or if you’re only able to receive mails from within your tenant.
Sending e-mails
As already mentioned earlier, it’s not possible to send e-mails from the common group address. If you also want a commonly used e-mail account, then you need to use a classic M365 Group.
Prerequisites for the creation
In general there are a prerequisite for the Mail-Enabled Security Groups.
In the Exchange Online permissions, you need at least the Recipients role to use the feature.
You can also create the groups via PowerShell. For further instructions see the official training page.
Summary
Mail-enables security groups are a great feature as you combine access control and email communication in a single group. Unlike regular security groups, these groups have an email address, making them useful for both collaboration and security management. And as you’ve seen they are very easy to set up!
