Exchange Team Blog
Directory Based Edge Blocking Now Available for Public Folders & Dynamic Distribution Groups

The_Exchange_Team
Jun 05, 2025

We are very happy to announce the availability of the Directory-Based Edge Blocking feature for mail-enabled public folders (MEPF) and dynamic distribution groups (DDG). With Directory-Based Edge Blocking (DBEB) enabled, you can now reject external emails addressed to MEPFs and DDGs that are not present in the organization, at the Exchange Online Protection (EOP) level.

Background

Directory-Based Edge Blocking (DBEB), an EOP feature, rejects emails sent to recipients that are not present in the organization's directory. Until now, the feature did not work for certain recipient types, such as mail-enabled public folders and dynamic distribution groups.

Here is how this impacted customers using public folders or dynamic distribution groups:

  • Pure Exchange Online deployment - customers who expected to receive email delivery from external senders to MEPF or DDG had to disable the DBEB feature.
  • Exchange on-premises deployment - customers who were receiving emails through EOP could synchronize MEPFs to Entra using Entra Connect. This way, DBEB could remain enabled, and emails sent to on-premises MEPFs from external senders would still work.

What is changing now

The Directory-Based Edge Blocking (DBEB) feature is now available for MEPFs as well. What does the changed behavior mean for customers using public folders or DDGs?

Scenario 1: Pure Exchange Online deployment
  • Customers who expect to receive email delivery from external senders to MEPF or DDG can now have the DBEB feature enabled. If you previously disabled DBEB for MEPF or DDG, you can now enable it by following the steps here or follow the steps provided in the FAQ below. Please note DBEB is an optional feature and can be enabled only if required.

Action for customers in this deployment:

If you have public folders or dynamic distribution groups deployed in Exchange Online and had disabled DBEB to receive emails from external recipients, you can now enable it by following the steps here or the steps provided in the FAQ below.

The accepted domain type must be set to “Authoritative” to enable DBEB. If you have set the domain type to anything other than “Authoritative” for specific reasons, do not change the domain type before ensuring the change will not impact your other mail flow scenarios, for example like this.

Scenario 2: Exchange on-premises deployment
  • Exchange on-premises customers who are synchronizing MEPFs to Entra (using Entra Connect) and to Exchange Online (using the Sync-ModernMailPublicFolders script) can change their Entra Connect configuration to stop synchronizing MEPFs to Entra (steps provided in the following section).
  • Exchange on-premises customers who are synchronizing MEPFs only to Entra (using Entra Connect) will need to synchronize MEPFs to Exchange Online (using the Sync-ModernMailPublicFolders script) first. Once that is done, you can stop the Entra Connect MEPF sync to Entra.

Action for customers in this deployment

For customers that have public folders deployed on-premises and are receiving emails through Exchange Online Protection or Exchange Online:

If you have not synchronized MEPFs to Exchange Online, use the Sync-ModernMailPublicFolders script to sync MEPFs to Exchange Online. After that, you can disable the MEPF sync in Entra Connect.

FAQ

How can we check if public folders or dynamic distribution groups are deployed in Exchange Online?

Connect to Exchange Online PowerShell as tenant admin and run the following commands:

For public folders:

Get-OrganizationConfig | fl RootPublicFolderMailbox
Get-Mailbox -PublicFolder
Get-PublicFolder \ -Recurse

If public folders are not deployed, you will get the following message:

No active public folder mailboxes were found for organization (organization name). This happens when no public folder mailboxes are provisioned or they are provisioned in 'HoldForMigration' mode. If you're not currently performing a migration, create a public folder mailbox.

If you have public folders deployed you will see:

Next, use the Get-MailPublicFolder command to check whether mail-enabled public folders are present:

For dynamic distribution groups:

Get-DynamicDistributionGroup

Expected value if no dynamic distribution groups are deployed:

How can we check if DBEB is enabled or disabled?

To check DBEB status using PowerShell, connect to Exchange Online PowerShell and run the Get-AcceptedDomain command.

The DomainType InternalRelay indicates DBEB is disabled, whereas DomainType Authoritative indicates DBEB is enabled for the domain:

To check DBEB status from the EAC, log in to the EAC and select Accepted domains under Mail flow:

To enable DBEB for a specific domain, change the Domain type to Authoritative.

Note: Change your Accepted Domain to Authoritative only if you previously set it to Internal relay to disable DBEB for receiving emails for a mail-enabled public folder. If you configured the Accepted Domain as Internal Relay for any other reason, do not switch it to Authoritative.

Set-AcceptedDomain contoso.com -DomainType Authoritative

Or simply change the Domain type from EAC:
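
The checks above can be combined into one per-domain view. The following is an added example, not part of the original post or of any Microsoft script: the function name Get-DbebDomainReport and the sample objects are hypothetical, and it assumes the inputs expose the DomainName, DomainType and PrimarySmtpAddress properties returned by Get-AcceptedDomain, Get-MailPublicFolder and Get-DynamicDistributionGroup. It only reports; it cannot tell why a domain was set to Internal relay.

```powershell
# Added example: per-domain DBEB state alongside the MEPF/DDG recipients in that domain.
function Get-DbebDomainReport {
    param(
        [Parameter(Mandatory)] [object[]] $AcceptedDomain,  # output of Get-AcceptedDomain
        [object[]] $MailPublicFolder = @(),                  # output of Get-MailPublicFolder
        [object[]] $DynamicGroup = @()                       # output of Get-DynamicDistributionGroup
    )
    # Count recipients per SMTP domain (text after the last '@', lower-cased).
    $count = {
        param($recipients)
        $byDomain = @{}
        foreach ($r in $recipients) {
            $d = ("$($r.PrimarySmtpAddress)" -split '@')[-1].ToLowerInvariant()
            $byDomain[$d] = 1 + [int]$byDomain[$d]
        }
        $byDomain
    }
    $mepf = & $count $MailPublicFolder
    $ddg  = & $count $DynamicGroup

    foreach ($dom in $AcceptedDomain) {
        $name = "$($dom.DomainName)".ToLowerInvariant()
        [pscustomobject]@{
            Domain      = $name
            DomainType  = "$($dom.DomainType)"
            # Per the post: Authoritative = DBEB enabled, InternalRelay = DBEB disabled.
            DbebEnabled = ("$($dom.DomainType)" -eq 'Authoritative')
            MEPFCount   = [int]$mepf[$name]
            DDGCount    = [int]$ddg[$name]
        }
    }
}

# Constructed sample objects so the function runs without a tenant connection.
$domains = @(
    [pscustomobject]@{ DomainName = 'contoso.com';      DomainType = 'InternalRelay' }
    [pscustomobject]@{ DomainName = 'corp.contoso.com'; DomainType = 'Authoritative' }
)
$folders = @([pscustomobject]@{ PrimarySmtpAddress = 'helpdesk-pf@contoso.com' })
$groups  = @([pscustomobject]@{ PrimarySmtpAddress = 'all-staff@contoso.com' })

Get-DbebDomainReport -AcceptedDomain $domains -MailPublicFolder $folders -DynamicGroup $groups |
    Format-Table -AutoSize

# Against a live tenant (after Connect-ExchangeOnline):
# Get-DbebDomainReport -AcceptedDomain (Get-AcceptedDomain) `
#     -MailPublicFolder (Get-MailPublicFolder -ResultSize Unlimited) `
#     -DynamicGroup (Get-DynamicDistributionGroup -ResultSize Unlimited)
```

A domain that shows DbebEnabled as False with non-zero MEPF or DDG counts is one to review against the note above before running Set-AcceptedDomain.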

How can we check the MEPF sync status in the Entra connect tool?

To check whether the on-premises organization syncs mail-enabled public folders from Exchange on-premises to Entra (formerly Azure Active Directory):

  • Log in to the server that has “Microsoft Entra Connect Sync” (formerly known as AAD sync or AAD connect) installed.
  • Open “Microsoft Entra Connect Sync” and click Configure
  • Select View or export current configuration and click Next
  • Scroll down and check the “EXCHANGE MAIL PUBLIC FOLDERS” option.
  • You will see the following if it is enabled:

How can we sync on-premises MEPF objects to Exchange Online?

Download and use the Sync-ModernMailPublicFolders.ps1 script.

How can we stop syncing MEPFs to Entra (AAD) using Entra Connect?

  • Log in to the server that has “Microsoft Entra Connect Sync” (formerly known as AAD sync or AAD connect) installed.
  • Open “Microsoft Entra Connect Sync” and click Configure
  • Select Customize synchronization options and select Next
  • Fill in the necessary information on the next pages
  • On Optional Features, uncheck “Exchange Mail Public Folders” and click Next
  • Click Configure on the last screen.

Be aware: on-premises Dynamic Distribution Groups (DDGs) and DBEB

Problem:
Although DBEB is now supported for DDGs created in Exchange Online, DDGs created in Exchange on-premises do not sync to Exchange Online. As a result, they are blocked by Directory-Based Edge Blocking (DBEB), which prevents emails from being delivered to these groups.

Workaround options:
If DBEB is blocking emails to on-premises DDGs that are routed through Exchange Online, consider one of the following workarounds:

  1. Create a Mail Contact in Exchange Online:
    Add a mail contact in Exchange Online using the same external email address as the blocked DDGs. This allows Exchange Online to recognize and route the message appropriately. See: Manage mail contacts in Exchange Online | Microsoft Learn
  2. Disable DBEB for the Domain:
    Change the domain type from “Authoritative” to “Internal Relay” in Exchange Online. This disables DBEB for that domain, allowing messages to be relayed to on-premises servers.

Bhalchandra Atre, Arindam Thokder, Mithun Rathinam

Updated Jun 05, 2025
Version 3.0