Office 365 certainly has its plusses and minuses, and one of the areas that clearly falls in the latter category is how O365 handles mail-enabled security groups.
Consider the following scenario:
- You have an on-premise Active Directory sync’d to O365/Azure via ADSync.
- You have an on-premise security group that you mail-enable, creating an e-mail address @yourdomain.com.
- This mail-enabled group syncs to O365, and then exists in Exchange Online.
- You then mail-disable the group on-premise and wait for the change to sync to Exchange Online.
Logic would dictate that once the mail-enabled attribute was removed from the group, it would disappear from Exchange Online. Of course it’s not that simple.
What you will instead find is that the security group still shows in Exchange Online; however, it now has a proxy address @yourdomain.onmicrosoft.com. It will also continue to be visible in both the online and offline address books. If you are trying to move groups to the cloud and/or clean up your distribution lists, this can cause confusion.
The fix fortunately is easy, but it’s an extra step that shouldn’t be necessary IMO. Credit to Tim McMichael’s TechNet post for the details.
The process to properly remove a mail-enabled security group from Exchange Online is as follows:
- On-Premise, remove the mail-enabled attribute from the group using the Disable-DistributionGroup PowerShell command.
- On Exchange Online, find the group via Get-MsolGroup -SearchString "Group Name".
- Once you’ve confirmed you have the right group, remove it via Get-MsolGroup -SearchString "Group Name" | Remove-MsolGroup
This will finally remove it from Exchange Online and your address books.
EDIT: There is a major caveat here to be aware of. If you are using mail-enabled security groups to grant permissions to shared calendars, you CANNOT remove the mail attributes or you will break access permissions. In that situation I would advise simply hiding the list from the address book.
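The removal steps above, written as an added example (not from the original post or from Tim McMichael's) that refuses to delete anything unless the search resolves to exactly one group. It assumes a session already connected with Connect-MsolService; "Group Name" is a placeholder, and the onmicrosoft.com check is based on the behaviour described earlier on this page.

```powershell
# Added example. $GroupName is a placeholder; replace it with the group's display name.
$GroupName = 'Group Name'

# Step 1 is run separately in the on-premises Exchange Management Shell,
# followed by a directory sync:
#   Disable-DistributionGroup -Identity $GroupName

# Step 2: -SearchString can return several groups, so collect every hit
# and keep only an exact display-name match.
$found = @(Get-MsolGroup -SearchString $GroupName)
$exact = @($found | Where-Object { $_.DisplayName -eq $GroupName })

if ($exact.Count -ne 1) {
    # Show what the search returned so the right ObjectId can be picked by hand.
    $found | Format-Table DisplayName, ObjectId, GroupType, EmailAddress | Out-Host
    throw "Expected exactly one group named '$GroupName', found $($exact.Count). Nothing was removed."
}

$group = $exact[0]
$group | Format-List DisplayName, ObjectId, GroupType, EmailAddress, ProxyAddresses | Out-Host

# Assumption taken from the article: after the on-premises mail-disable has synced,
# the leftover address is @yourdomain.onmicrosoft.com. Any other address suggests
# the change has not synced yet, or that this is a different group.
if ($group.EmailAddress -and $group.EmailAddress -notlike '*.onmicrosoft.com') {
    Write-Warning "Address '$($group.EmailAddress)' is not an onmicrosoft.com address; check sync status before removing."
}

# Reminder of the caveat above: do not continue if this group is used to grant
# permissions on shared calendars.

# Step 3: remove by ObjectId rather than by piping the search results.
# -Force is deliberately omitted so the cmdlet asks for confirmation.
Remove-MsolGroup -ObjectId $group.ObjectId
```

Piping the raw search straight into Remove-MsolGroup deletes every group the search returns, which is why this version pins the deletion to a single ObjectId.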