Distribution Groups and Exchange Migration to M365
By: Jerryn Bunnell
CompuNet has migrated thousands of mailboxes to Microsoft 365 across the western United States in many industries. Out of this widespread experience, a common question from our clients continues to surface.
"How do I migrate our Distribution Groups to Microsoft 365?"
We'll discuss this below.
Prior to migrating to Exchange Online, Distribution Group managers (users) can manage Distribution Group membership via their Outlook client. After the Distribution Group manager's mailbox is migrated to Exchange Online, they are no longer allowed to manage Distribution Group membership via their Outlook client.
When the user attempts to add or remove members of the Distribution Group via Outlook, they are presented with an error that says they are unable to add/remove members.
Why is this happening?
This constraint is called a “source of authority” restriction (call it a feature), and it is by design. It is intended to protect your on-premises Active Directory environment from being changed by 'external' entities.
The technical reason why
The Distribution Group is an object that exists within the security boundary of your on-premises Active Directory. The user mailbox (after migration to Exchange Online) has become a cloud-based object. The Exchange Online mailbox lives within the Microsoft 365 security boundary and is still considered 'external' to your on-premises Active Directory environment, even though it is tied to an on-premises/synchronized user account. (See below for links to related information.)
Where to go from here...?
"Can I migrate my Distribution Groups to Microsoft 365/Azure AD?"
Recreating Groups in Microsoft 365
Today, Microsoft has not provided a tool that 'migrates' distribution Groups to Microsoft 365. You can synchronize them, or you can recreate them in Microsoft 365.
The process of recreating distribution Groups at a high level would follow these steps:
- If the Distribution Groups are currently synchronized with Azure Active Directory Connect:
  - Remove them from the DirSync or move them into a non-syncing OU
  - Ensure that Azure AD has fully removed them and propagated the changes (look at the admin center and verify that the last sync time has occurred)
- Create an export of the current Groups and their settings (PowerShell is your friend)
- Recreate the Distribution Groups in Microsoft 365 using the settings you exported on-premises
- Add the necessary owners, managers, and members
- When you are satisfied that your Groups are configured correctly, you can remove your on-premises Distribution Groups
- Your users will be able to continue managing Distribution Groups via Outlook like they had prior to migrating to Exchange Online.
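The export and recreate steps above, as an added example (not CompuNet's own script). It carries over the settings that control who can join, leave, and send to each group, so the recreated groups are not looser than the originals. The file path is hypothetical, and it assumes every owner and member already exists as a recipient in Exchange Online.

```powershell
# --- Phase 1: on-premises Exchange Management Shell ---
$exportPath = '.\dg-export.json'   # hypothetical path (assumption)
$export = foreach ($dg in Get-DistributionGroup -ResultSize Unlimited) {
    $members = @(Get-DistributionGroupMember -Identity $dg.DistinguishedName -ResultSize Unlimited)
    # Owners that are not mail-enabled do not resolve here and are left out
    $owners = @($dg.ManagedBy | ForEach-Object {
        Get-Recipient -Identity "$_" -ErrorAction SilentlyContinue })
    [pscustomobject]@{
        Name               = $dg.Name
        DisplayName        = $dg.DisplayName
        Alias              = $dg.Alias
        PrimarySmtpAddress = [string]$dg.PrimarySmtpAddress
        ManagedBy = @($owners  | ForEach-Object { [string]$_.PrimarySmtpAddress } | Where-Object { $_ })
        Members   = @($members | ForEach-Object { [string]$_.PrimarySmtpAddress } | Where-Object { $_ })
        # Settings that decide who may join, leave, and send to the group
        MemberJoinRestriction              = [string]$dg.MemberJoinRestriction
        MemberDepartRestriction            = [string]$dg.MemberDepartRestriction
        RequireSenderAuthenticationEnabled = $dg.RequireSenderAuthenticationEnabled
        HiddenFromAddressListsEnabled      = $dg.HiddenFromAddressListsEnabled
    }
}
$export | ConvertTo-Json -Depth 4 | Set-Content -Path $exportPath -Encoding UTF8

# --- Phase 2: Exchange Online PowerShell, after the synced copies are gone ---
$groups = Get-Content -Path $exportPath -Raw | ConvertFrom-Json

# Pass 1: create every group empty, so nested groups exist before they are referenced
foreach ($g in $groups) {
    $params = @{
        Name                               = $g.Name
        DisplayName                        = $g.DisplayName
        Alias                              = $g.Alias
        PrimarySmtpAddress                 = $g.PrimarySmtpAddress
        MemberJoinRestriction              = $g.MemberJoinRestriction
        MemberDepartRestriction            = $g.MemberDepartRestriction
        RequireSenderAuthenticationEnabled = $g.RequireSenderAuthenticationEnabled
    }
    if ($g.ManagedBy) { $params.ManagedBy = $g.ManagedBy }
    New-DistributionGroup @params | Out-Null
    Set-DistributionGroup -Identity $g.PrimarySmtpAddress `
        -HiddenFromAddressListsEnabled $g.HiddenFromAddressListsEnabled
}
# Pass 2: set membership, including groups that are members of other groups
foreach ($g in $groups | Where-Object { $_.Members }) {
    Update-DistributionGroupMember -Identity $g.PrimarySmtpAddress -Members $g.Members -Confirm:$false
}
```

Review the JSON before Phase 2: a group exported with an empty ManagedBy list gets the account running the script as its owner.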
Cons (or potential cons)
- Migrating Distribution Groups is possible, but the effort varies with the number of Distribution Groups and the complexity of your organization's Group structure (if you have a lot of nested Groups, it gets more interesting).
- If you migrate your Distribution Group objects to the cloud, you will then manage those objects in the cloud. Sometimes there are automation integrations that either require configuration to continue functioning or, in worst-case scenarios, do not work when the Group lives in the cloud. This can be overcome with proper consideration.
The "Keeping Your Groups On-premises" Method
There is a workaround that allows users to continue managing Distribution Groups, although not from Outlook as they have done previously. This process gives users permission to access an on-premises Exchange Admin Center and use the add/remove membership functions for the Groups where they are the 'Manager.' This access does not allow the users to make any configuration changes to anything except Group membership for the Distribution Groups they are listed as 'Manager' on.
Typically, the follow-up task is to push out a shortcut to an internal URL (for your Exchange Admin Center) and educate your users on the new method to access the EAC and add/remove members in their Distribution Groups.
Users may manage the Group membership of the Distribution Groups (and IT does not have to move this process to the support desk).
Your organization does not need to 'migrate' Distribution Groups to Microsoft 365.
Any automation tasks that interact with Distribution Groups can continue without alteration.
Cons (or potential cons)
Users still aren't able to manage Group membership via Outlook.
Users are required to learn a new method of making changes to Group membership.
Creating the Exchange Server (on-premises) Role Assignment
Your organization can choose to instruct users to submit a support ticket requesting any changes to Group membership for Distribution Groups.
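One way to build the on-premises role assignment for the "Keeping Your Groups On-premises" method, as an added example (not CompuNet's own procedure). It assumes the built-in MyDistributionGroups end-user role as the parent and that users are on the default role assignment policy; the custom role name is hypothetical.

```powershell
# Run in the on-premises Exchange Management Shell with Organization Management rights.
$parentRole = 'MyDistributionGroups'             # built-in end-user role
$customRole = 'DG-Owners-EditOnly'               # hypothetical name (assumption)
$policy     = 'Default Role Assignment Policy'   # assumption: users are on the default policy

# Child role that starts with the parent's entries
if (-not (Get-ManagementRole -Identity $customRole -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $customRole -Parent $parentRole | Out-Null
}

# Least privilege: owners edit groups they already manage, but cannot create or delete groups
foreach ($cmdlet in 'New-DistributionGroup', 'Remove-DistributionGroup') {
    if (Get-ManagementRoleEntry -Identity "$customRole\$cmdlet" -ErrorAction SilentlyContinue) {
        Remove-ManagementRoleEntry -Identity "$customRole\$cmdlet" -Confirm:$false
    }
}

# Make sure the policy carries the trimmed role rather than the unrestricted parent
Get-ManagementRoleAssignment -Role $parentRole -RoleAssignee $policy |
    Remove-ManagementRoleAssignment -Confirm:$false
if (-not (Get-ManagementRoleAssignment -Role $customRole -RoleAssignee $policy)) {
    New-ManagementRoleAssignment -Name "$customRole-Default" -Role $customRole -Policy $policy |
        Out-Null
}

# Review what the role can still change before rolling out the EAC shortcut
Get-ManagementRoleEntry -Identity "$customRole\*" |
    Where-Object { $_.Name -notlike 'Get-*' } |
    Sort-Object Name |
    Select-Object Name
```

The final listing is the check that matters: every non-Get cmdlet it prints is something a Group manager can run against the Groups they own.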
For more information...
Determining your Exchange Admin Center URL
Azure AD Connect Group Writeback
What Attributes are Synchronized with Azure AD Connect