One of the common limitations that organizations discover when deploying Exchange Online is the inability of users to “self-manage” distribution groups that are synchronized.
I’ve written about this in the past, including putting together a workaround for environments that have Exchange 2013 on-premises. However, if you want users to be able to do what they’ve always done and manage Distribution Groups via Outlook, those groups will need to be moved to the cloud.
Below is a script that helps automate the process of moving the groups.
The limitation is essentially that objects that are synced from on-premises can only be modified in the on-premises AD. When a user tries to modify a Distribution Group via Outlook, it is trying to modify the object in the cloud Global Address List (GAL) and not the on-premises one. As a result, the operation fails.
Moving the Distribution Group involves recreating the group in the cloud GAL; however, some attributes, such as the email addresses, cannot be duplicated. This means you need to export the existing group’s configuration, remove the old group and then create the new group.
The assumption is that you have no on-premises mailboxes at this point, or that people in the on-premises environment do not need the Distribution Group in their GAL. If users still need to see the object, you could create a mail contact on-premises that points to the Distribution Group in the cloud and exclude that mail contact from the sync scope so there is no conflict on the address.
There are a number of ways this can be done. This process has worked for me and provides some ability to validate your changes before removing the old group completely.
At a high level, the process is as follows:
- Create a “placeholder group” in the cloud with all attributes populated except the email addresses
- Export out the current email addresses to a CSV
- Remove the on-premises group by filtering it from the sync scope
- Finalize the placeholder group by changing its name to the proper name and importing the email addresses
- Permanently remove the on-premises group by deleting it
Running the Script
To create the placeholder group and export the CSV, you’re going to run the following command:
.\Recreate-DistributionGroup.ps1 -Group "DL-Marketing" -CreatePlaceHolder
This will create a group in the cloud with the name “Cloud-PreviousDisplayName” and hide it from the GAL.
After the placeholder group is created, you will want to validate the new group. You can then delete the old group from the cloud by removing it from the sync scope. For current versions of AAD Connect, this can be done by populating the “adminDescription” attribute with the value “Group_NoSync”. See “Office 365 – The (Previously) Undocumented AAD Connect Filter” for more information on this attribute.
Once your sync cycle completes, you can run the following command to make the final cutover:
.\Recreate-DistributionGroup.ps1 -Group "DL-Marketing" -Finalize
Assuming everything looks good with the new cloud group, you can delete the on-premises one and set up a mail contact if desired.
The script for this post can be found in the Microsoft Script Center at the following link: Recreate-DistributionGroup.ps1
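The validation step above, checking the placeholder before the old group is filtered out of the sync scope, can be scripted. The following is an added example, not part of Recreate-DistributionGroup.ps1: the function name `Compare-GroupSettings`, the list of properties compared, the sample objects and the placeholder name "Cloud-DL-Marketing" are assumptions made for illustration.

```powershell
# Added example: report differences between the synced group and its placeholder.
function Compare-GroupSettings {
    param(
        [Parameter(Mandatory)] $Source,        # synced group (object from Get-DistributionGroup)
        [Parameter(Mandatory)] $Placeholder,   # "Cloud-..." placeholder group
        [string[]] $SourceMembers = @(),       # primary SMTP addresses of members
        [string[]] $PlaceholderMembers = @()
    )
    # Settings that decide who may send to, join, leave or manage the group.
    $props = 'RequireSenderAuthenticationEnabled', 'AcceptMessagesOnlyFromSendersOrMembers',
             'MemberJoinRestriction', 'MemberDepartRestriction', 'ManagedBy', 'GrantSendOnBehalfTo'
    foreach ($p in $props) {
        # Normalise single values and collections to one sorted string.
        $old = @($Source.$p | Sort-Object) -join ';'
        $new = @($Placeholder.$p | Sort-Object) -join ';'
        if ($old -ne $new) {
            [pscustomobject]@{ Check = $p; Source = $old; Placeholder = $new }
        }
    }
    # Membership drift in either direction (-notin is case-insensitive).
    foreach ($m in $SourceMembers) {
        if ($m -notin $PlaceholderMembers) {
            [pscustomobject]@{ Check = 'Member'; Source = $m; Placeholder = '(missing)' }
        }
    }
    foreach ($m in $PlaceholderMembers) {
        if ($m -notin $SourceMembers) {
            [pscustomobject]@{ Check = 'Member'; Source = '(missing)'; Placeholder = $m }
        }
    }
}

# Constructed sample objects standing in for Get-DistributionGroup output.
$old = [pscustomobject]@{ RequireSenderAuthenticationEnabled = $true
                          MemberJoinRestriction = 'Closed'; ManagedBy = @('Alice', 'Bob') }
$new = [pscustomobject]@{ RequireSenderAuthenticationEnabled = $false
                          MemberJoinRestriction = 'Closed'; ManagedBy = @('Bob', 'Alice') }
Compare-GroupSettings -Source $old -Placeholder $new `
    -SourceMembers 'a@contoso.com', 'b@contoso.com' -PlaceholderMembers 'a@contoso.com' |
    Format-Table -AutoSize

# Against a live tenant (assumes a connected Exchange Online session and that the
# placeholder is named "Cloud-DL-Marketing"):
#   $old = Get-DistributionGroup 'DL-Marketing'
#   $new = Get-DistributionGroup 'Cloud-DL-Marketing'
#   $om  = (Get-DistributionGroupMember 'DL-Marketing' -ResultSize Unlimited).PrimarySmtpAddress
#   $nm  = (Get-DistributionGroupMember 'Cloud-DL-Marketing' -ResultSize Unlimited).PrimarySmtpAddress
```

Any row it returns is worth resolving before the cutover. A placeholder that no longer requires sender authentication, or that has a different owner list, changes who can send to or manage the group once it replaces the original.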
Leave a comment below or follow me on Twitter (@JoePalarchio) for additional posts and information on Office 365.