Yes, Microsoft 365 Groups can receive emails. Every Microsoft 365 Group automatically gets a shared mailbox with its own SMTP address, and messages sent to that address land in the group’s inbox where every member can read, reply, and follow the conversation. By default, the group only accepts mail from people inside your tenant, and an administrator or group owner must flip a single setting to let outside senders email the group as explained in the Microsoft NDR 550 5.7.193 guidance.
The rule that creates most of the confusion is the Exchange Online attribute RequireSenderAuthenticationEnabled, which is set to true the moment a group is born. When that flag is true, Exchange Online Protection silently bounces any message from an unauthenticated (external) sender, and the consequence is lost client emails, missed vendor invoices, and support tickets that never reach the team as documented in the Set-UnifiedGroup PowerShell reference. This single default has triggered years of “why can’t customers email our group?” tickets on Microsoft Q&A.
According to the 2024 CodeTwo comparison of Groups vs distribution lists, Microsoft 365 Groups now power the collaboration backbone for millions of tenants, and Microsoft’s own telemetry shows Groups are the fastest-growing recipient object in Exchange Online. Getting the inbound mail flow right is no longer optional.
Here is what you will learn in this guide:
- ๐ฌ How Microsoft 365 Groups actually receive, store, and route incoming email
- ๐ How to turn external senders on or off without breaking compliance rules
- โ๏ธ How U.S. federal laws like HIPAA, SOX, GLBA, and the FRCP shape group mail retention
- ๐งญ How Groups compare to Distribution Lists, Shared Mailboxes, and Teams channel emails
- ๐ ๏ธ Which PowerShell cmdlets, admin center toggles, and mistakes to avoid during setup
How a Microsoft 365 Group Receives Email
A Microsoft 365 Group is a directory object that ties together a shared mailbox, a shared calendar, a SharePoint site, a Planner board, a OneNote notebook, and (optionally) a Microsoft Teams team. When the group is created, Exchange Online provisions a mailbox of type GroupMailbox and assigns it a primary SMTP address such as [email protected]. That mailbox is a real mailbox in Exchange Online, not a forwarding alias, which is why members can see every reply in the shared Conversations folder rather than scattered across personal inboxes as described in the CodeTwo feature breakdown.
When a sender hits that SMTP address, Exchange Online Protection runs the message through connection filtering, anti-malware, anti-spam, and transport rules in the same order it uses for user mailboxes. The message is then evaluated against the group’s delivery restrictions, and only after every check passes does the message land in the group mailbox. The consequence of failing any check is a non-delivery report (NDR) returned to the sender, and the most common NDR code is 550 5.7.193 which means “the group does not accept messages from external senders” per the Microsoft troubleshooting article on 550 5.7.193.
A common misconception is that Microsoft 365 Groups work like old-school distribution lists that forward email to each member. They do not. The group mailbox is the primary destination, and each member’s subscription setting decides whether a copy also drops into their personal inbox. If a member unsubscribes, the message still exists in the group mailbox forever, which is why eDiscovery and legal holds behave differently for Groups than for distribution lists.
The Role of the Group Mailbox
The group mailbox behaves like a hybrid between a user mailbox and a shared mailbox. It has its own 50 GB quota on most plans, its own folder structure (limited, as explained below), and its own retention policies. Members access it through Outlook on the web, new Outlook for Windows, Outlook mobile, or Microsoft Teams. Unlike a shared mailbox, a Microsoft 365 Group mailbox does not allow custom sub-folders inside the Inbox, and that limitation catches many teams by surprise as flagged in the Microsoft Q&A on shared mailbox vs Groups.
The real-world consequence of the no-subfolders rule is that teams who rely on folder-based triage (think law firms filing by matter number) often keep a shared mailbox alongside a Microsoft 365 Group. A common misconception is that Outlook’s categories can replace folders, but categories are per-user flags and do not persist the same way across every member’s view.
The group mailbox is also where compliance officers point their eDiscovery searches. Under the Federal Rules of Civil Procedure (FRCP) Rule 26, every message in that mailbox is a potentially discoverable electronically stored record. If a litigation hold is placed on the group, Exchange Online preserves every inbound and outbound message even after a member deletes it.
The Role of Azure AD and Exchange Online
A Microsoft 365 Group is a dual-identity object. In Entra ID (formerly Azure AD), it appears as a Group with a groupTypes value of Unified. In Exchange Online, the same object is exposed as a UnifiedGroup that you manage with the Set-UnifiedGroup cmdlet per the Microsoft Q&A cmdlet guidance. Any change you make to the Exchange side (for example, flipping the external-sender flag) is written to the same directory object the Entra admin center shows.
This matters because two different admin roles can touch the same group. An Exchange admin can change mail-flow settings, while an Entra admin can change membership. A common mistake is assigning the wrong role and then wondering why the “Allow external senders” toggle is greyed out, a scenario documented in the Microsoft Q&A on role permissions.
The consequence of role misalignment is slow incident response. When a customer complains that emails are bouncing, the help-desk technician needs the Distribution Groups role in Exchange Online, not just the Groups admin role in Entra, to flip the setting live.
Default Behavior: Internal vs. External Senders
By default, a brand-new Microsoft 365 Group rejects every message from outside your tenant. The exact attribute is RequireSenderAuthenticationEnabled = $true, and Exchange Online treats an “authenticated” sender as anyone who signed in with a user account in your tenant. Every other sender, even a trusted partner with a verified SPF record, gets a 550 5.7.193 bounce unless you change the setting as explained in the C# Corner guide to restricting external senders.
The governing logic sits inside Exchange Online Protection’s recipient filtering stage. Microsoft built the default this way to reduce phishing and spoofing risk, because an open group alias is a favorite target for business email compromise (BEC) attacks. The immediate negative consequence of ignoring the default (turning it off for every group) is a wider attack surface and a higher chance that a spoofed vendor invoice reaches your accounts-payable team.
A common misconception is that the “Allow external senders to email this group” checkbox in the admin center also controls whether guests inside the group can receive replies. It does not. Guest replies are governed by a separate tenant-level setting called AllowToAddGuests and by the anti-spoofing protections inside Defender for Office 365, as noted in a 2025 Reddit thread on external guest reply failures.
Turning External Senders On (Admin Center)
The simplest path is the new Exchange admin center. An administrator signs into admin.exchange.microsoft.com, opens Recipients โ Groups, clicks the group, selects the Settings tab, and ticks Allow external senders to email this group as described in the Microsoft NDR 550 5.7.193 admin steps. Save, and wait up to one hour for the change to replicate across Exchange Online.
The consequence of rushing this change is confusion: a sender tests the address five minutes after you save, still gets a bounce, and reports that “the fix did not work.” In reality, the directory change has not yet reached every server. The one-hour replication window is documented by Microsoft and should be built into every change-management ticket.
A common mistake is flipping the setting in the old Exchange admin center and assuming it applies to every group. Some tenants still run the classic EAC, and a 2022 Microsoft Q&A thread shows the checkbox occasionally fails to persist in the legacy UI, requiring a PowerShell fallback.
Turning External Senders On (PowerShell)
For bulk changes, PowerShell is faster and auditable. Connect with Connect-ExchangeOnline, then run Set-UnifiedGroup -Identity "Marketing" -RequireSenderAuthenticationEnabled $false to open a single group to external senders, using the syntax in the MorganTechSpace PowerShell walkthrough. To open every group at once, pipe Get-UnifiedGroup into the same cmdlet.
The consequence of running the “open everything” command without a filter is catastrophic: every internal-only group suddenly accepts mail from anyone on the internet, including spammers. A safer pattern is to filter first, for example Get-UnifiedGroup | Where-Object {$_.AccessType -eq 'Public'}, and confirm the count before piping to Set-UnifiedGroup.
To audit which groups are currently open, run Get-UnifiedGroup | Select Alias, AccessType, RequireSenderAuthenticationEnabled as shown in the TechCommunity audit thread. The output becomes a defensible artifact for SOX and HIPAA audits because it proves exactly which aliases were reachable from the public internet on a given date.
Three Real-World Scenarios
Scenarios bring the rules to life. Below are the three most common mail-flow situations we see in mid-market and enterprise tenants.
Scenario 1: External Client Emails a Marketing Group
| Sender Action | Exchange Result |
|---|---|
Client emails [email protected] with default group settings | Message bounces with NDR 550 5.7.193 |
Admin runs Set-UnifiedGroup -RequireSenderAuthenticationEnabled $false | Message delivers to the shared Conversations folder |
| Marketing manager Priya Patel replies from the group address | Client sees the reply from [email protected] |
| Client replies to Priya’s reply | New message lands in the same conversation thread |
Scenario 2: Teams Channel Email From a Vendor
| Sender Action | Exchange Result |
|---|---|
Vendor emails the channel’s auto-generated address ending in @amer.teams.ms | Message posts as a channel conversation, not an Outlook email |
| Vendor attaches a 30 MB invoice PDF | Attachment uploads to the channel’s SharePoint Files tab |
| Owner Marcus Lee enables “Only members” restriction | Future vendor emails bounce until the vendor is added |
| Vendor emails the underlying Microsoft 365 Group alias instead | Message lands in the group mailbox if external senders are allowed |
Scenario 3: Compliance Hold on a Legal Group
| Custodian Action | Compliance Outcome |
|---|---|
| Legal assistant Dana Nguyen deletes an email from the group inbox | Message stays recoverable in Recoverable Items for 14 days |
| Microsoft Purview places a litigation hold on the group | Message is preserved indefinitely, even after hard-delete |
| Opposing counsel issues an FRCP Rule 34 request | eDiscovery search surfaces every message in the group mailbox |
| Dana tries to “PST export” the group to bypass the hold | Export is blocked and the action is logged in the unified audit log |
Named Examples of Groups Receiving Email
Abstract rules matter less than concrete stories. Here are three named examples that illustrate how real organizations use Microsoft 365 Groups to receive email.
Example 1 โ Priya Patel, Marketing Manager at a SaaS startup. Priya creates a Microsoft 365 Group called Campaigns so her five-person team can triage partner replies. For two weeks, no one receives anything, and Priya blames the agency for not responding. After opening a ticket, she learns about RequireSenderAuthenticationEnabled, flips the setting in the Exchange admin center, and the backlog of 37 missed partner emails never arrives because bounced mail is not resent automatically. The lesson is to configure external-sender access before you publish the address.
Example 2 โ Marcus Lee, IT director at a 400-person accounting firm. Marcus inherits 120 Microsoft 365 Groups from a prior admin and has no idea which ones accept outside mail. He runs Get-UnifiedGroup | Select Alias, RequireSenderAuthenticationEnabled per the TechCommunity audit script, exports to CSV, and discovers 14 groups are wide open to the internet. He closes 11 and documents the remaining three as approved intake aliases, satisfying the firm’s SOX Section 404 internal-controls review.
Example 3 โ Dana Nguyen, paralegal at a mid-sized law firm. Dana manages a Client-Intake group mailbox that receives referrals from external attorneys. When a malpractice suit is filed against the firm, opposing counsel serves an FRCP Rule 26 preservation demand. The firm’s compliance officer places the group on litigation hold in Microsoft Purview, freezing every inbound message. Dana learns she cannot delete, move, or export any item, and the hold survives even after she leaves the firm.
Microsoft 365 Groups vs. Related Recipient Objects
Choosing the wrong recipient object is one of the top three migration mistakes Microsoft consultants see. The table below lines up the four most common options.
| Feature | Microsoft 365 Group | Distribution List |
|—|—|
| Shared mailbox with Conversations | Yes | No โ emails only relay to members |
| PowerShell cmdlet | Set-UnifiedGroup | Set-DistributionGroup |
| External senders by default | Blocked | Blocked |
| Integrates with Teams and SharePoint | Yes | No |
| Supports litigation hold | Yes, via Purview | Limited โ holds go on individual mailboxes |
| Sub-folders inside inbox | No | N/A |
| License required for the mailbox | No | No |
The practical takeaway from the CodeTwo comparison is that distribution lists are a pure relay object. A message dies the moment it is delivered to each member, which is wonderful for privacy but terrible for eDiscovery. Microsoft 365 Groups keep a central copy forever unless a retention policy removes it.
A second comparison worth keeping on your desk involves shared mailboxes. Shared mailboxes also keep a central copy, but they lack the Teams/SharePoint integration and they accept external senders by default, as summarized in the CloudSwitched 2026 guide. A common misconception is that a shared mailbox “is free” while a Microsoft 365 Group “costs money.” Both are free from a licensing standpoint, though a shared mailbox over 50 GB does require a license, a nuance that Peritos Solutions covers in its O365 recipient-object comparison.
U.S. Legal and Compliance Angles
Federal law reaches deep into how Microsoft 365 Groups store and surface email. Three statutes matter most: HIPAA, SOX, and GLBA. Each rule has a plain-English meaning, a consequence for violators, and a common misconception.
HIPAA’s Security Rule at 45 CFR ยง 164.312 requires covered entities to implement access controls and audit logs for electronic protected health information (ePHI). If a Microsoft 365 Group named Patient-Referrals accepts external email, the practice must enable transport encryption, apply a DLP policy, and log access. The consequence of ignoring the rule is a tiered civil penalty that can exceed $2 million per violation category per year under the HHS enforcement schedule.
Sarbanes-Oxley (SOX) Section 802 makes it a crime to destroy corporate records relevant to a federal investigation, and Section 404 forces public companies to prove their internal controls work. A Microsoft 365 Group that receives vendor invoices is a financial record within the meaning of SOX, and a retention policy under 7 years is a red flag during an audit. The consequence of a SOX violation is personal: fines and up to 20 years in prison for officers who certify misleading controls.
The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, enforced by the FTC at 16 CFR Part 314, requires financial institutions to restrict customer nonpublic personal information to authorized users. A wide-open Microsoft 365 Group that catches customer emails is a textbook GLBA gap. The consequence is FTC enforcement plus state-level action under laws such as the New York DFS Part 500 cybersecurity rule.
State Nuances Worth Knowing
California’s CCPA/CPRA treats any personal information inside a group mailbox as a “consumer record,” and failure to honor a deletion request within 45 days triggers a $7,500 statutory penalty per intentional violation. Texas HB 4 (2023) expands breach-notification timing to 30 days and applies to any mailbox holding Texas-resident data. New York’s SHIELD Act imposes reasonable-safeguard duties on any entity handling New York residents’ private information, and courts have read “reasonable” to include mailbox-level access reviews.
The consequence of ignoring state overlay rules is that a single misconfigured group can trigger notification duties in every state where an affected resident lives. A common misconception is that a California-only policy is enough; multi-state exposure is the norm, not the exception.
FRCP and eDiscovery
Federal Rules of Civil Procedure 26 and 34 make every message in a Microsoft 365 Group mailbox potentially discoverable. Once a party reasonably anticipates litigation, the duty to preserve attaches, and a litigation hold in Microsoft Purview is the standard response. The consequence of letting a retention policy delete group messages after the duty attaches is spoliation, which courts have sanctioned with adverse-inference instructions and, in extreme cases, default judgments such as in Zubulake v. UBS Warburg.
A common misconception is that turning on a litigation hold stops ingestion of new mail. It does not. New messages continue to arrive and are preserved along with existing ones, which is exactly the behavior courts expect.
Mistakes to Avoid
Even experienced admins trip over the same potholes. Below are the mistakes we see most often, each paired with its real consequence.
- Leaving
RequireSenderAuthenticationEnabledat default for a customer-facing alias, which silently bounces every client email. - Flipping the external-sender toggle on every group with a blind
Get-UnifiedGroup | Set-UnifiedGroup, which exposes HR, legal, and finance aliases to inbound spam. - Creating a Microsoft 365 Group when a distribution list would do, which wastes storage and complicates eDiscovery.
- Forgetting that a Microsoft 365 Group mailbox cannot host custom sub-folders, so teams expecting folder-based triage stall out.
- Assigning only the Groups admin role in Entra when the technician also needs the Distribution Groups role in Exchange Online.
- Testing a settings change within minutes of saving, instead of waiting the documented one-hour replication window before retesting.
- Placing a retention policy shorter than 7 years on groups that receive financial records, which violates SOX Section 802.
- Ignoring the unified audit log after opening a group to external senders, missing the compliance artifact that proves the change was authorized.
- Using the classic Exchange admin center when the new EAC is the supported surface for group settings in 2026.
- Relying on Teams channel email without realizing the channel address is a different mailbox than the underlying group mailbox.
- Skipping DLP and Safe Attachments policies on groups that accept outside mail, which invites BEC and ransomware payloads.
Do’s and Don’ts
Follow these guardrails to keep group mail flow clean and defensible.
Do’s
- Do name your group with a clear department prefix so owners know what it is, because sprawl is the number-one complaint from enterprise admins.
- Do document who owns each group in the directory itself, since ownerless groups become compliance ghosts.
- Do turn on litigation hold through Microsoft Purview before deleting any group, because deletion without a hold is spoliation under FRCP Rule 37(e).
- Do test external mail flow from a personal Gmail account after flipping the setting, since internal-only tests give a false pass.
- Do review
Get-UnifiedGroup | Select Alias, RequireSenderAuthenticationEnabledat least quarterly, because silent configuration drift is common. - Do apply DLP policies tuned for the group’s business purpose, because a generic tenant-wide policy rarely matches finance or HR risk.
Don’ts
- Do not open every group to external senders “for simplicity,” since the attack surface grows linearly with the number of open aliases.
- Do not rely on user-level Outlook rules to triage group mail, because those rules only apply to the member’s personal mailbox copy.
- Do not store sensitive customer data in a group named generically like Team, because eDiscovery reviewers will miss it.
- Do not skip the admin role assignment step, because the UI silently greys out when the role is missing.
- Do not ignore NDR 550 5.7.193 as “spam filtering,” because it is almost always a configuration problem you can fix in one click.
- Do not delete a group to “clean up,” since the underlying SharePoint site, Planner board, and Teams team vanish with it.
Pros and Cons
Every recipient choice is a tradeoff. Below are the five strongest arguments on each side for Microsoft 365 Groups as an email-receiving object.
Pros
- Built-in shared mailbox means every member sees the same conversation, because the message is stored centrally.
- Tight Teams and SharePoint integration keeps files, chat, and email aligned, which cuts context-switching time.
- Native support for Microsoft Purview retention and litigation hold simplifies compliance, because one policy covers the whole group.
- No extra license for the group mailbox itself, because the shared mailbox capacity is included with any Exchange Online plan.
- Flexible access โ public or private โ lets teams decide who can join without bothering an admin, because self-service is baked in.
Cons
- No sub-folders inside the group inbox, which frustrates matter- or ticket-based workflows because triage relies on folders.
- External senders blocked by default, which delays legitimate client mail because admins forget to flip the flag.
- Group sprawl is easy to create and hard to clean up, because anyone can create a group unless you restrict it.
- Deleting a group destroys its SharePoint site and Planner board, which turns cleanup into a high-stakes operation.
- Mixed admin model across Entra and Exchange confuses newer technicians, because the right role for the right task is not obvious.
Step-by-Step Process to Enable External Email
Follow this nine-step process to switch a Microsoft 365 Group from internal-only to externally reachable without breaking compliance.
- Confirm the business need in writing, because SOX and HIPAA audits expect a documented justification for every open alias.
- Assign yourself the Distribution Groups Exchange role, because the UI requires it as noted in the Microsoft Q&A on roles.
- Open the new Exchange admin center at
admin.exchange.microsoft.com, because the classic EAC is deprecated. - Navigate to Recipients โ Groups, select the target group, and click Settings.
- Tick Allow external senders to email this group and click Save.
- Wait up to 60 minutes for replication, because the Microsoft KB explicitly calls out this delay.
- Test from an outside address such as a personal Gmail account, because internal tests will pass regardless of the setting.
- Apply or confirm a DLP policy, Safe Attachments, and Safe Links, because opening the group widens your BEC exposure.
- Record the change in your unified audit log export, because that artifact is the one your auditor will ask for first.
Key Entities to Know
Several Microsoft and external entities shape how Groups receive email. Exchange Online is the mail server; Entra ID is the directory; Microsoft Purview handles retention and eDiscovery; Microsoft Defender for Office 365 handles advanced threat protection; and the Federal Trade Commission and Department of Health and Human Services enforce GLBA and HIPAA respectively. Courts apply the FRCP, and state attorneys general enforce CCPA, SHIELD, and similar laws.
Key people in a typical deployment include the Exchange admin, the compliance officer, the group owner, and the end user. Each has a distinct role: the Exchange admin configures mail flow, the compliance officer sets retention, the group owner curates membership, and the end user sends and receives the actual email. A common misconception is that the group owner can unilaterally change every setting, but the external-sender toggle is delegated through Exchange roles, not group ownership.
Court Rulings That Shaped Group Mail Compliance
Three precedents loom over every enterprise email system, including Microsoft 365 Groups.
Zubulake v. UBS Warburg (S.D.N.Y. 2003-2005) established that electronically stored information, including email, must be preserved once litigation is reasonably anticipated. The consequence of ignoring Zubulake is an adverse-inference instruction to the jury, which usually ends the case.
Victor Stanley, Inc. v. Creative Pipe, Inc. (D. Md. 2010) expanded sanctions for spoliation and listed 124 separate discovery abuses, many of which involved deleted email. The court imposed monetary sanctions and referred counsel for contempt, reminding every admin that mailbox hygiene is a legal, not just technical, duty.
Small v. Univ. Med. Ctr. (D. Nev. 2018) reinforced that a party’s litigation hold must reach every mailbox likely to hold relevant information, which includes Microsoft 365 Group mailboxes. The consequence of scoping the hold too narrowly is terminating sanctions.
FAQs
Can a Microsoft 365 Group receive emails from outside the organization?
Yes. After an admin or group owner enables Allow external senders to email this group in the Exchange admin center, or runs Set-UnifiedGroup -RequireSenderAuthenticationEnabled $false, outside senders can email the group.
Is a Microsoft 365 Group the same as a distribution list?
No. A distribution list only relays email to each member, while a Microsoft 365 Group stores messages in a shared mailbox and adds Teams, SharePoint, Planner, and OneNote integration.
Do I need a license for the group mailbox?
No. The group mailbox itself does not consume a license, though each member still needs an Exchange Online or Microsoft 365 license to access it.
Can I place a Microsoft 365 Group on litigation hold?
Yes. Microsoft Purview lets compliance administrators apply a hold to any Microsoft 365 Group mailbox, preserving every inbound and outbound message indefinitely.
Does the group mailbox support sub-folders?
No. The group inbox does not allow custom sub-folders, and teams needing folder-based triage usually pair the group with a shared mailbox.
Can a guest user send email to the group?
Yes. If the admin enables external senders, any address โ including a guest โ can email the group, though Defender for Office 365 still applies anti-spoofing checks.
Does external-sender mail flow differ for public vs. private groups?
No. Public and private refer to who can join the group, not who can email it; both obey the RequireSenderAuthenticationEnabled flag independently.
Do I need to wait after flipping the external-sender setting?
Yes. Microsoft documents up to a one-hour replication delay, so test with an outside account only after an hour has passed.
Can PowerShell open every group to external senders at once?
Yes. Get-UnifiedGroup | Set-UnifiedGroup -RequireSenderAuthenticationEnabled $false applies the change tenant-wide, though this is rarely a good idea.
Does eDiscovery search cover Microsoft 365 Group mailboxes?
Yes. Microsoft Purview eDiscovery indexes group mailboxes the same way it indexes user mailboxes, and searches return every preserved message.
Can I forward group email to an external address?
No. Microsoft blocks external-to-external auto-forwarding by default under its anti-spoofing rules, so a forwarding rule inside the group mailbox will fail silently.
Is NDR 550 5.7.193 always a configuration issue?
Yes. That specific code means the recipient group does not accept external senders, and the fix is the RequireSenderAuthenticationEnabled flag.
Do Microsoft 365 Groups support the Teams channel email address?
Yes. Each standard channel can generate its own @amer.teams.ms address, but the underlying group mailbox remains a separate SMTP endpoint.
Can I restrict who outside the organization can email the group?
Yes. Mail-flow (transport) rules in Exchange Online let you allow-list specific domains while keeping the group closed to everyone else.