Bulk Create Mail-Enabled Security Groups Using Exchange Online PowerShell

Automating the creation of mail-enabled security groups is a powerful way for Microsoft 365 administrators to streamline onboarding processes, enforce security policies, and improve manageability at scale. While Microsoft Graph PowerShell is often used for M365 group operations, it cannot be used to create mail-enabled security groups or distribution lists. If attempted, the following error will be thrown:

New-MgGroup : Cannot create a mail-enabled security groups and or distribution list

To work around this limitation, we use Exchange Online PowerShell for such tasks. The script below demonstrates how to bulk create mail-enabled security groups using a simple CSV input.

The Script

# Connect to Exchange Online
Connect-ExchangeOnline
                                
# Import the CSV file
$groups = Import-Csv -Path "MailEnabledSecurityGroups.csv"
                                
# Create each mail-enabled security group
foreach ($group in $groups) {
    try {
        New-DistributionGroup -Name $group.Name `
        -Alias $group.Alias `
        -PrimarySmtpAddress "$($group.Alias)@7xh7fj.onmicrosoft.com" `
        -Type Security
                                
        Write-Host "✅ Created: $($group.Name)" -ForegroundColor Green
    } catch {
        Write-Host "❌ Failed: $($group.Name)" -ForegroundColor Red
        Write-Host $_.Exception.Message
    }
}
                            

📌 How the Script Works

1. Connection:

It initiates a session with Exchange Online using Connect-ExchangeOnline. Make sure you have the Exchange Online PowerShell V2 module installed.

2. CSV Import:

The script reads a CSV file named MailEnabledSecurityGroups.csv which contains the names and aliases of the groups you wish to create.

3. Group Creation Loop:

For each entry in the CSV, it:

• Assigns the Name and Alias
• Builds the PrimarySmtpAddress using the alias
• Creates a mail-enabled security group using New-DistributionGroup -Type Security
4. Error Handling:

If any group creation fails, the script catches the error and outputs a helpful message without stopping execution.

CSV File Reference

Name,Alias
MailSecGroup 401,mailsgroup401
MailSecGroup 402,mailsgroup402
MailSecGroup 403,mailsgroup403
MailSecGroup 404,mailsgroup404
MailSecGroup 405,mailsgroup405

Further Enhancements

Here are a few improvements you can add to the base script:

• Dynamic domain assignment: Pull the domain name dynamically from your tenant.
• Validation: Check if the group already exists before attempting creation.
• Logging: Export the results (success/failure) to a log file or CSV for auditing.
• Emailing summary: Send a summary email upon completion of the batch operation.

Possible Errors & Solutions

Error	Cause	Solution
New-DistributionGroup : The term is not recognized	Exchange Online PowerShell module is missing	Install the module using Install-Module ExchangeOnlineManagement
You must call Connect-ExchangeOnline before calling any other cmdlets	Session not initialized	Run Connect-ExchangeOnline before executing the script
The proxy address is already being used	Duplicate alias/email address	Ensure aliases and SMTP addresses are unique
Access Denied	Insufficient permissions	Use an account with Exchange Admin or Global Admin role

Conclusion

If you're tasked with provisioning multiple mail-enabled security groups, this script can save hours of manual work. Remember, Graph PowerShell is not suitable for this use case. Instead, rely on Exchange Online PowerShell for handling mail-enabled security groups and distribution lists efficiently and reliably.