Exchange Online: Managing Distribution List Ownership

Delegate control and clean up orphaned groups in Exchange Online. This guide covers adding and removing Distribution List owners, the technical role of the ManagedBy attribute, and how to handle ownership in Hybrid AD environments.


The Ticket: The "Ghost" Administrator

A client's HR manager is trying to update a company-wide announcement list, but they keep getting "Access Denied" errors because the previous manager, who left the company six months ago, is still the only listed owner. This is a common bottleneck in growing organizations. We need to jump into the Exchange Admin Center (EAC) to clean up the stale ownership and delegate control to the current stakeholders so the helpdesk stops getting tickets for simple member additions.


Pre-Flight Check

  • Permissions: Exchange Administrator or Global Admin.
  • Tools: Exchange Admin Center (EAC).
  • Impact: Low - Updating owners does not affect mail flow or current group membership.

The Solution

  1. Access the EAC: Navigate to admin.exchange.microsoft.com and log in with your administrative credentials.
  2. Locate the Group: Go to Recipients > Groups in the left-hand sidebar.
  3. Filter for Distribution Lists: Click the Distribution List tab at the top of the groups page.
  4. Select the Group: Click the name of the specific list you need to modify. A side panel will slide out.
  5. Manage Owners:
    • Click the Members tab in the side panel.
    • Select View all and manage owners.
  6. Add a New Owner:
    • Click + Add owners.
    • Search for the user, select their name, and click Add.
  7. Remove an Old Owner:
    • Note: A list must have at least one owner. You cannot remove the last owner without adding a new one first.
    • Select the checkbox next to the user you want to remove.
    • Click the three dots (...) at the top and select Remove owners.
    • Confirm the change by clicking Yes.

The "Why" (Root Cause)

Why do we bother with "Owners" instead of just letting the IT team handle everything? In a managed environment, delegation is the goal. By assigning a department head as an "Owner," they gain the ability to manage group members directly through Outlook or the web portal without needing an IT ticket.

If a Distribution List (DL) is "orphaned" (meaning it has no active owner because the previous one was deleted or unlicensed), the group becomes a security liability. It continues to receive mail, but no one is auditing who is actually on the list. In some environments, if the owner's account is completely purged from Entra ID, the DL may even refuse to accept new members or changes until a new owner is forcefully injected by an administrator.


Under the Hood (Technical Deep Dive)

When you update an owner in the EAC, you are modifying the ManagedBy attribute of the Active Directory / Entra ID object. Unlike the Members attribute, which governs who receives the mail, the ManagedBy attribute governs who has write permissions for that object's membership list.

Exchange Online uses a hidden mechanism called Role Based Access Control (RBAC). When a user is added to the ManagedBy attribute, the MyDistributionGroups management role is assigned to them for that specific scope. This allows the user to use the Add-DistributionGroupMember and Remove-DistributionGroupMember cmdlets behind the scenes when they use the Outlook interface.

One critical technical detail: By default, adding someone to ManagedBy does not automatically make them a member of the list. They can manage the group, but they won't receive the emails unless they are also added to the Members tab.


RMM & Automation Tips

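  • Orphaned Group Audit: Use your RMM to run a monthly PowerShell audit to find groups where the owner is disabled or missing. This one-liner lists groups with no owner set:
      # ManagedBy is multi-valued, so test for an empty value instead of comparing to $null
      Get-DistributionGroup -ResultSize Unlimited | Where-Object { -not $_.ManagedBy }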
  • Bulk Owner Update: If you need to add a "Service Account" as an owner to every group in a tenant for management purposes:
      # <service-account-address> is a placeholder; substitute the service account's address
      $Groups = Get-DistributionGroup -ResultSize Unlimited
      $Groups | ForEach-Object { Set-DistributionGroup -Identity $_.Identity -ManagedBy @{Add="<service-account-address>"} }
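
The audit tip above names disabled or missing owners, while its one-liner only tests for an empty ManagedBy. The following PowerShell is an added example, not part of the original article: it flags lists that have no owner or no active owner. The function name, the -ResolveOwner parameter and the sample data are illustrative assumptions; owners that are groups, or that Get-User cannot resolve uniquely, are reported as Missing and need manual review.

```powershell
# Added example, not from the original article.
function Get-OrphanedDistributionList {
    param(
        [Parameter(Mandatory)] [object[]] $Group,
        # Looks up one owner; returns nothing when the owner cannot be found.
        # The default assumes a connected Exchange Online session and uses
        # Get-User's AccountDisabled property as the "disabled" signal.
        [scriptblock] $ResolveOwner = {
            param($Owner) Get-User -Identity $Owner -ErrorAction SilentlyContinue
        }
    )
    foreach ($g in $Group) {
        # ManagedBy is multi-valued and may be $null or empty.
        $owners = @($g.ManagedBy | Where-Object { $_ })
        $states = @(foreach ($o in $owners) {
            $found = @(& $ResolveOwner $o | Where-Object { $_ })
            if ($found.Count -eq 0) { "${o}: Missing" }
            elseif (@($found | Where-Object { -not $_.AccountDisabled }).Count -eq 0) { "${o}: Disabled" }
            else { "${o}: Active" }
        })
        # Report the group only when no owner is still an active account.
        if (-not ($states -like '*: Active')) {
            [pscustomobject]@{
                Group  = $g.DisplayName
                Reason = if ($owners.Count -eq 0) { 'NoOwner' } else { 'NoActiveOwner' }
                Owners = $states -join '; '
            }
        }
    }
}

# Constructed sample data so the function can be tried without a tenant.
$sampleUsers = @{
    'former.manager' = [pscustomobject]@{ AccountDisabled = $true }
    'hr.manager'     = [pscustomobject]@{ AccountDisabled = $false }
}
$sampleGroups = @(
    [pscustomobject]@{ DisplayName = 'All Staff';   ManagedBy = @('former.manager', 'purged.user') }
    [pscustomobject]@{ DisplayName = 'HR Updates';  ManagedBy = @('former.manager', 'hr.manager') }
    [pscustomobject]@{ DisplayName = 'Old Project'; ManagedBy = @() }
)
Get-OrphanedDistributionList -Group $sampleGroups -ResolveOwner { param($o) $sampleUsers[$o] }

# Live tenant, after Connect-ExchangeOnline:
# Get-OrphanedDistributionList -Group (Get-DistributionGroup -ResultSize Unlimited)
```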

Troubleshooting & Edge Cases

  • Edge Case 1: The "One Owner" Rule. If you try to remove the only owner, the EAC will throw a "Validation Error." You must follow the "Add before you Subtract" workflow.
  • Edge Case 2: On-Premises Sync (AD Connect). If the client has a hybrid setup (Local Active Directory syncing to M365), you cannot change the owner in the web portal. You will see an error stating "The object is being synchronized from your on-premises environment." You must perform the update in the local Active Directory Users and Computers (ADUC) on the ManagedBy tab of the group object.
  • Edge Case 3: Hidden Lists. If the list is hidden from the Global Address List (GAL), it will still show up in the EAC, but users (even owners) won't be able to find it in Outlook to manage it. You may need to temporarily unhide it or manage members manually.