Microsoft

Office 365 – Dynamic Distribution Groups in Exchange Hybrid

When running in an Exchange Hybrid configuration, DirSync/AADSync takes care of maintaining a consistent Global Address List (GAL) for both on-premises and cloud users. The one exception is with regards to Dynamic Distribution Groups; these objects need special care to ensure that the recipient filters produce the desired results and for the objects to show up in the cloud GAL.

Recipient Filters

There are endless ways that filters can be used with a Dynamic Distribution Group. Before you start moving mailboxes to Office 365, it’s important to evaluate these groups and their associated filters to make sure that users still fall into scope properly. The two areas you need to look at are the objects types and attributes being used by the filters.
For the object type, you may have a filter that basically states “all mailboxes with attribute X”. Well once you move a user to Exchange Online, that user is no longer a “UserMailbox” object in the on-premises Exchange organization and the user has now fallen out of scope of the group. The filter will need to be updated to now include “UserMailbox” objects as well as either “MailUser” or “Remote Mailbox” objects.
With attributes, many common attributes such as “company” or “department” will remain valid as these are still populated in your on-premises Active Directory. However, I’ve run across organizations using Exchange attributes such as “msExchHomeServerName”; depending on your intent, you may or may not need to modify these. If you want the dynamic group to represent users on a particular mail server (to send maintenance alerts, etc), then the group is doing exactly what you wanted as your Exchange Online user will not receive the message. If the assumption is that “users on server X are in office Y” and the group is used for a more general office purpose, you will need to modify this filter.

Exchange Online GAL

Neither DirSync nor AADSync will synchronize Dynamic Distribution Groups to Windows Azure Active Directory; as a result, Dynamic Distribution Groups located on-premises will not appear in the GAL for Exchange Online users. To make these groups appear, Microsoft recommends creation of a contact object directly in Exchange Online with the SMTP address of the on-premises dynamic group. Since the contact is created on the cloud side and the dynamic group does not sync, there is no risk of an address conflict. The Exchange Online users can then see the “group” (really represented by a contact) in the GAL and sending a message to it will route on-premises where the group members will be evaluated.
The script below will handle creation of the contact objects in Exchange Online for all Dynamic Distribution Groups on-premises. It creates the contact using the original display name and email address, sets CustomAttribute1 to “On-Premises DDG” for easy sorting and configures the object to only allow messages from authenticated users.

Additional Notes

When creating the objects in Exchange Online, keep in mind the delays involved before the objects appear in the user’s Offline Address Book. If there’s ever a question, check the address book via Outlook Web App (OWA).

References

Configure Dynamic Distribution Groups in a Hybrid Deployment

Script

The script for this post can be found in the Microsoft Script Center at the following link: Recreate-DDGs.ps1
 
Did you find this article helpful?
Leave a comment below or follow me on Twitter (@JoePalarchio) for additional posts and information on Office 365.

About the Author

More from this Author

Thoughts on “Office 365 – Dynamic Distribution Groups in Exchange Hybrid”

  1. Joe, great article. What happens once the Hybrid is decommissioned? I assume this is a temporary work around to allow mail flow to DDG’s pre Hybrid decommission. Correct?

  2. Thanks for the feedback.
    For some organizations, hybrid is a long-term strategy in which case you need those contacts in the cloud GAL so the users there can see them. If the plan is to decommission the on-premises environment, then there will come a point where you’ll need to create those DDGs in the cloud with the appropriate filters.

  3. Assuming the criteria is valid (uses attributes synchronized from on-premises AD), then yes.
    However there is no “sync-back” of groups which means your on-premises users would not see that DDG in their copy of the Global Address List.

  4. Could they still reply back to the email since its a valid address or would the “Only authenticated Users” options prevent them since we don’t all just anyone email to all our users?

  5. “However there is no “sync-back” of groups which means your on-premises users would not see that DDG in their copy of the Global Address List.”
    On prem would just continue using the on prem DDG, while 365 users use the mail contact pointed at the on prem DDG. So shouldn’t be a problem right?

  6. Josh-
    That is correct; mail will flow fine like that.
    The only nuance there is that the contact will appear as a different icon in the GAL than a group so if a user pays close attention, there is a slight difference in the on-premises and cloud user experience.

  7. Hi, thank you for your article, but it doesn’t work for me – when I try to enter new Contact in Exchange online administration, I get the error message about conflict between Online and On-premise (name used twice). In another article I read about PowerShell script from Microsoft, but unfortunately the script requests PS3.0, which I cannot install on server. PS3.0 on my workstation doesn’t contain the AD modules – this is endless loop for me.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to the Weekly Blog Digest:

Sign Up
Categories