Distribution Groups and Exchange Migration to M365
   By: Jerryn Bunnell

CompuNet has migrated thousands of mailboxes to Microsoft 365 across the western United States in many industries. Out of this widespread experience, one question from our clients keeps coming up:

"How do I migrate our distribution Groups to Microsoft 365?"


We'll discuss this below.

Scenario
Prior to migrating to Exchange Online, Distribution Group managers (users) can manage distribution Group membership via their Outlook client. After the Distribution Group manager's mailbox is migrated to Exchange Online, they are no longer allowed to manage distribution Group membership via their Outlook client.

Symptoms
When the user attempts to add/remove members to the distribution Group via Outlook they are presented with an error that says they are unable to add/remove members.

Why is this happening?
This constraint is called a “source of authority” restriction (call it a feature), and it is by design. It is intended to protect your on-premises Active Directory environment from being changed by 'external' entities.

The technical reason why
The distribution Group is an object that exists within the security boundary of your on-premises Active Directory. The user mailbox (after migration to Exchange Online) has become a cloud-based object. The Exchange Online mailbox lives within the Microsoft 365 security boundary and is still considered 'external' to your on-premises Active Directory environment, even though it is tied to an on-premises/synchronized user account. (See below for links to related information.)

Where to go from here...?
"Can I migrate my Distribution Groups to Microsoft 365/Azure AD?"

Option 1

Recreating Groups in Microsoft 365

Today, Microsoft has not provided a tool that 'migrates' distribution Groups to Microsoft 365. You can synchronize them, or you can recreate them in Microsoft 365.
The process of recreating distribution Groups at a high level would follow these steps:

  • If the Distribution Groups are currently synchronized with Azure Active Directory Connect:
    • Remove them from the DirSync or move them into a non-syncing OU
    • Ensure that Azure AD has fully removed them, and propagated changes (look at the admin center and verify that the last sync time has occurred)
  • Create an export of the current Groups and their settings (PowerShell is your friend)
  • Recreate the Distribution Groups in Microsoft 365 using the settings you exported on-premises.
  • Add the necessary owners, managers, members
  • When you are satisfied that your Groups are configured correctly you can remove your on-premises Distribution Groups
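The export and recreate steps above, sketched as an added example (not CompuNet's or Microsoft's own script). The function names and file path are hypothetical; the cmdlets are the standard Exchange ones, and the snapshot keeps the settings that decide who owns each Group and who may send to it.

```powershell
# Added example; function names and the default path are hypothetical.
# Export-DGSnapshot runs in the on-premises Exchange Management Shell.
function Export-DGSnapshot {
    param([string]$Path = '.\dg-export.json')
    $groups = foreach ($g in Get-DistributionGroup -ResultSize Unlimited) {
        $members = @(Get-DistributionGroupMember -Identity $g.DistinguishedName -ResultSize Unlimited)
        $owners  = @($g.ManagedBy | Where-Object { $_ } | ForEach-Object {
            Get-Recipient -Identity "$_" -ErrorAction SilentlyContinue })
        [pscustomobject]@{
            Name               = $g.Name
            DisplayName        = $g.DisplayName
            Alias              = $g.Alias
            PrimarySmtpAddress = [string]$g.PrimarySmtpAddress
            # Mail-enabled security groups must be recreated with -Type Security.
            Type               = if ($g.RecipientTypeDetails -like '*Security*') { 'Security' } else { 'Distribution' }
            ManagedBy          = @($owners | ForEach-Object { [string]$_.PrimarySmtpAddress })
            # Cast enums to strings; ConvertTo-Json would otherwise write numbers.
            JoinRestriction    = [string]$g.MemberJoinRestriction
            DepartRestriction  = [string]$g.MemberDepartRestriction
            # $true means only authenticated (internal) senders may mail the group.
            RequireSenderAuth  = [bool]$g.RequireSenderAuthenticationEnabled
            Members            = @($members | ForEach-Object { [string]$_.PrimarySmtpAddress } | Where-Object { $_ })
            # Listed separately so nested groups can be reviewed before import.
            NestedGroups       = @($members | Where-Object { $_.RecipientType -like '*Group' } | ForEach-Object { $_.Name })
        }
    }
    ConvertTo-Json -InputObject @($groups) -Depth 4 | Set-Content -Path $Path -Encoding UTF8
}

# Import-DGSnapshot runs in Exchange Online PowerShell, after the synced copies are gone.
function Import-DGSnapshot {
    param([string]$Path = '.\dg-export.json')
    $snapshot = Get-Content -Path $Path -Raw | ConvertFrom-Json
    foreach ($g in $snapshot) {
        $new = @{
            Name = $g.Name; DisplayName = $g.DisplayName; Alias = $g.Alias
            PrimarySmtpAddress = $g.PrimarySmtpAddress; Type = $g.Type
            MemberJoinRestriction = $g.JoinRestriction; MemberDepartRestriction = $g.DepartRestriction
            RequireSenderAuthenticationEnabled = $g.RequireSenderAuth
        }
        # Without -ManagedBy the account running the import becomes the owner.
        if ($g.ManagedBy) { $new.ManagedBy = $g.ManagedBy }
        New-DistributionGroup @new | Out-Null
    }
    # Second pass: add members only after every group exists, so nested groups resolve.
    foreach ($g in $snapshot) {
        foreach ($m in $g.Members) { Add-DistributionGroupMember -Identity $g.PrimarySmtpAddress -Member $m }
    }
}
```

Before importing, compare the ManagedBy and RequireSenderAuth values in the JSON file with what you expect, since a Group recreated with the wrong owner or opened to external senders is harder to spot afterwards.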

 

Pros

  • Your users will be able to continue managing Distribution Groups via Outlook like they had prior to migrating to Exchange Online.

Cons (or potential cons)

  • Migrating distribution Groups is possible, but the scale and complexity of this solution vary with the number of distribution Groups and the complexity of your organization’s Group structure (if you have a lot of nested Groups it gets more interesting).
  • If you migrate your Distribution Group objects to the cloud, you will then manage those objects in the cloud. Sometimes there are automation integrations that either require configuration to continue functioning or, in worst-case scenarios, do not work when the Group lives in the cloud. This can be overcome with proper consideration.

 

Option 2

The "Keeping Your Groups On-premises" Method

There is a workaround that allows users to continue managing Distribution Groups, although not from Outlook as they have done previously. This process gives the users permission to access an on-premises Exchange Admin Center (EAC) and use the Add/Remove membership functions for the Groups where they are the ‘Manager.’ This access does not allow the users to make configuration changes to anything except Group membership for the Distribution Groups they are listed as 'Manager' on.

Typically, the follow-up task for this is to push out a shortcut to an internal URL (for your Exchange Admin Center) and educate your users on the new method of accessing the EAC and adding/removing members of their Distribution Groups.
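One way to check that the role behind this workaround really is limited to Group membership, as an added example that is not part of the original article. The function name, the role name you pass in, and the allow-list of write cmdlets are assumptions; Get-ManagementRoleEntry and Get-ManagementRoleAssignment are the on-premises Exchange cmdlets.

```powershell
# Added example; Test-MembershipOnlyRole and the allow-list are hypothetical.
# Run in the on-premises Exchange Management Shell.
function Test-MembershipOnlyRole {
    param(
        # Name of the custom role you created for Group managers.
        [Parameter(Mandatory)][string]$RoleName,
        # Assumption: these are the only write cmdlets a Group manager needs.
        [string[]]$AllowedWrites = @('Add-DistributionGroupMember',
                                     'Remove-DistributionGroupMember',
                                     'Update-DistributionGroupMember')
    )
    $entries = @(Get-ManagementRoleEntry -Identity "$RoleName\*")
    # Read-only Get-* entries are expected; any other cmdlet must be on the allow-list.
    $excess = @($entries | Where-Object {
        $_.Name -notlike 'Get-*' -and $_.Name -notin $AllowedWrites })

    $assignments = @(Get-ManagementRoleAssignment -Role $RoleName)
    # An organization-wide write scope lets the assignee change any Group,
    # not only the Groups they manage.
    $orgWide = @($assignments | Where-Object { "$($_.RecipientWriteScope)" -eq 'Organization' })

    [pscustomobject]@{
        Role                = $RoleName
        ExcessCmdlets       = @($excess | ForEach-Object { $_.Name })
        Assignees           = @($assignments | ForEach-Object { $_.RoleAssigneeName })
        OrgWideAssignments  = @($orgWide | ForEach-Object { $_.Name })
        Compliant           = ($excess.Count -eq 0 -and $orgWide.Count -eq 0)
    }
}
```

A result with Compliant set to False lists the cmdlets or assignments to remove or re-scope before the EAC shortcut is handed to users.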

Pros

  • Users may manage the Group membership of the Distribution Groups (and IT does not have to move this process to the support desk).
  • Your organization does not need to 'migrate' Distribution Groups to Microsoft 365.
  • Any automation tasks that interact with Distribution Groups can continue without alteration.

Cons (or potential cons)

  • Users still aren't able to manage Group membership via Outlook.
  • Users are required to learn a new method of making changes to Group membership.

Creating the Exchange Server (on-premises) Role Assignment

Another Option

Your organization can choose to instruct users to submit a support ticket requesting any changes to Group membership for Distribution Groups.

For more information...

Set-ManagementRoleAssignment
https://docs.microsoft.com/en-us/powershell/module/exchange/set-managementroleassignment?view=exchange-ps

New-RoleGroup
https://docs.microsoft.com/en-us/powershell/module/exchange/new-roleGroup?view=exchange-ps

Get-ManagementRole
https://docs.microsoft.com/en-us/powershell/module/exchange/get-managementrole?view=exchange-ps

Get-ManagementRoleEntry
https://docs.microsoft.com/en-us/powershell/module/exchange/get-managementroleentry?view=exchange-ps

Determining your Exchange Admin Center URL
https://docs.microsoft.com/en-us/exchange/clients/outlook-on-the-web/virtual-directories?view=exchserver-2019

Azure AD Connect Group Writeback
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-Group-writeback

What Attributes are Synchronized with Azure AD Connect
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-sync-attributes-synchronized
