The first step in this method is to create a distribution group. The members of this group will be the users who are restricted from sending external emails. It does not need to be a security group, but it does need to be universal in scope.
Next, create a new Transport Rule with the following configuration.
- From a member of a distribution list (and choose the distribution group you created above)
- Sent to users that are inside or outside of the organization, or partners (and choose “Outside”)
- Send rejection message to sender with enhanced status code (I set the status code to 5.7.1 and configured a message such as “You are not authorized to send email to recipients outside of this organization”)
- Except when a recipient’s address matches text patterns (and add any domain names or email addresses they should still be allowed to send to)
After the new rule has taken effect, the members of that distribution group will not be able to send to external recipients, whether they use the To, CC, or BCC fields to do so. They will still be able to send to the domains or email addresses you configured as exceptions to the rule; even if the message also includes other recipients that get blocked, the permitted ones will still receive the email.
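The same two steps can be scripted from the Exchange Management Shell or Exchange Online PowerShell. This is an added example, not part of the original post; the group name, member addresses and exception patterns are placeholders, and the exception patterns are regular expressions, so dots are escaped.

```powershell
# Added example (not from the original post): the distribution group and the
# transport rule described above, built with the Exchange cmdlets.
# All names, addresses and domains below are placeholders for your own tenant.

$groupName = "Internal-Only Senders"                           # placeholder
$members   = "alice@contoso.example", "bob@contoso.example"     # placeholder users
# Recipients these users may still mail. The predicate is regex-based,
# so escape the dots and anchor on the domain part of the address.
$allowed   = "@contoso\.example$", "@partner\.example$"         # placeholder

# Step 1: the distribution group. New-DistributionGroup creates a universal
# group by default, which is the scope the rule requires.
New-DistributionGroup -Name $groupName -Type Distribution -Members $members

# Step 2: the transport rule.
#   -FromMemberOf                            -> "From a member of a distribution list"
#   -SentToScope NotInOrganization           -> "Sent to ... Outside the organization"
#   -RejectMessage*                          -> "Send rejection message ... enhanced status code"
#   -ExceptIfRecipientAddressMatchesPatterns -> "Except when a recipient's address matches text patterns"
New-TransportRule -Name "Block external mail for $groupName" `
    -FromMemberOf $groupName `
    -SentToScope NotInOrganization `
    -ExceptIfRecipientAddressMatchesPatterns $allowed `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -RejectMessageReasonText "You are not authorized to send email to recipients outside of this organization"

# Step 3: confirm the rule exists, is enabled, and carries the intended exceptions
# before telling users the restriction is in place.
Get-TransportRule -Identity "Block external mail for $groupName" |
    Format-List Name, State, Priority, FromMemberOf, SentToScope, ExceptIfRecipientAddressMatchesPatterns
```

Rule changes can take some time to replicate across transport servers, so test with a group member after the `State` shows `Enabled` rather than immediately after creation.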