This is actually not terribly simple - that is to say, it's more complicated than one might think. In a non-AD-sync scenario, you simply edit the DL properties and specify which group should have permission to send to the selected DL (or use PowerShell to accomplish the same). However, in an AD-sync scenario you can't modify DL properties in Exchange Online because they are copied from the local AD.
The security group (to which you are restricting permission to send to the given distribution list) must:
- Have an email address
- Be a universal security group
- Have its displayName attribute set
...otherwise the group won't be available to Exchange Online. If these properties weren't set, you need to set them and then either wait for the changes to sync up to Exchange Online or force the sync. You also need to look up the distinguished name (distinguishedName attribute) of the security group, which will be used in a later step.
In the local AD you have to modify the dlMemSubmitPerms attribute on the object to which you wish to restrict access. Trouble is, the dlMemSubmitPerms attribute is of type DN-binary, which can't be edited by ADSI Edit or ADUC if it's not already populated, which means you have to use LDP.EXE, which is as user-friendly as command-line DNS management in Linux (hint: not very).
When using LDP.exe, you first connect to your domain controller, then you bind to the connection, then you show the AD tree. Once you navigate to the object you wish to modify, you right-click on it, select Modify, and now you chain commands together to execute on the object, which you then execute by clicking the Run button.
The Operation you need to execute is to Add to dlMemSubmitPerms, and the value that you add is the distinguishedName of the group which you wish to have permissions to send to the DL. Once you specify the Add operation, the attribute name (dlMemSubmitPerms), the value (CN=[security group],CN=... etc.) that you recorded in Pre-requisites and click on the Run button, LDP.exe will do what you've asked. Hopefully, there won't be any error messages. Now you can switch to ADUC or ADSIE and verify that the dlMemSubmitPerms attribute contains the distinguished name of the group which you wish to have access to send to the group.
Once verified, the properties need to be propagated to Exchange Online via an automated or manual directory synchronization, after which you can sign in to the portal and view DL properties to make sure your changes synced up.
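The same procedure scripted end to end, as an added example that is not part of the original post: it checks the security group prerequisites, adds the group's distinguishedName to the DL's dlMemSubmitPerms through the ActiveDirectory module instead of LDP.exe, and verifies the result before sync. It assumes the RSAT ActiveDirectory module on a domain-joined admin workstation; the group names are placeholders.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module on a domain-joined admin workstation. Names below are placeholders.
Import-Module ActiveDirectory

$DlName = 'DL-Finance'            # placeholder: the distribution list to restrict
$SgName = 'SG-Finance-Senders'    # placeholder: the security group allowed to send

# Pre-requisites: the security group must be universal, security-enabled,
# mail-enabled and have displayName set, or Exchange Online will not see it.
$sg = Get-ADGroup -Identity $SgName -Properties mail, displayName
$problems = @()
if ($sg.GroupScope    -ne 'Universal') { $problems += 'GroupScope is not Universal' }
if ($sg.GroupCategory -ne 'Security')  { $problems += 'GroupCategory is not Security' }
if (-not $sg.mail)                     { $problems += 'mail attribute is empty' }
if (-not $sg.displayName)              { $problems += 'displayName attribute is empty' }
if ($problems) {
    throw "Security group '$SgName' is not ready for Exchange Online: $($problems -join '; ')"
}

# The value written to dLMemSubmitPerms is the group's distinguishedName.
$groupDn = $sg.DistinguishedName
Write-Host "Granting submit permission to: $groupDn"

# Add (not replace) the DN so any existing entries on the DL are preserved.
# This is the PowerShell route; if the write is rejected in your environment,
# perform the same Add operation with LDP.exe as described above.
$dl = Get-ADGroup -Identity $DlName -Properties dLMemSubmitPerms
if ($dl.dLMemSubmitPerms -contains $groupDn) {
    Write-Host 'Already present, nothing to do.'
} else {
    Set-ADObject -Identity $dl.DistinguishedName -Add @{ dLMemSubmitPerms = $groupDn }
}

# Verify on-premises before waiting for directory synchronization.
$dl = Get-ADGroup -Identity $DlName -Properties dLMemSubmitPerms
if ($dl.dLMemSubmitPerms -notcontains $groupDn) {
    throw "dLMemSubmitPerms on '$DlName' does not contain $groupDn"
}
Write-Host "Verified: $DlName now lists $groupDn in dLMemSubmitPerms"

# Optional: force a delta sync from the Azure AD Connect server (ADSync module);
# otherwise wait for the next scheduled cycle before checking the portal.
# Start-ADSyncSyncCycle -PolicyType Delta
```

After the sync completes, confirm in the portal that the DL's delivery restrictions show the security group, as the post describes.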