Administrators may enable security groups on premises as distribution groups.
[PS] C:\>Get-DistributionGroup BlogSecurityGroup
Name              DisplayName       GroupType                  PrimarySmtpAddress
----              -----------       ---------                  ------------------
BlogSecurityGroup BlogSecurityGroup Universal, SecurityEnabled BlogSecurityGroup@domain.org
Azure Active Directory Connect will provision these groups and they will appear as mail enabled objects in Exchange Online.
PS C:\> Get-DistributionGroup BlogSecurityGroup
Name              DisplayName       GroupType                  PrimarySmtpAddress
----              -----------       ---------                  ------------------
BlogSecurityGroup BlogSecurityGroup Universal, SecurityEnabled BlogSecurityGroup@domain.org
There may be a requirement to remove the mail-enabled attributes of the group. This is done on premises with Disable-DistributionGroup.
[PS] C:\>Disable-DistributionGroup BlogSecurityGroup
Confirm
Are you sure you want to perform this action?
Disabling distribution group "BlogSecurityGroup" will remove the Exchange properties from the Windows group object.
After the distribution group has been disabled on premises, it still appears in Exchange Online as a mail-enabled group, in this instance with a proxy address that defaults to the default onmicrosoft.com domain.
PS C:\> Get-DistributionGroup BlogSecurityGroup
Name              DisplayName       GroupType                  PrimarySmtpAddress
----              -----------       ---------                  ------------------
BlogSecurityGroup BlogSecurityGroup Universal, SecurityEnabled BlogSecurityGroup@domain.onmicrosoft.com
If the group must be completely removed from Exchange Online, the associated MSOL object must be removed.
PS C:\> Get-MsolGroup -SearchString BlogSecurityGroup
ObjectId                             DisplayName       GroupType           Description
--------                             -----------       ---------           -----------
c2d0b7df-f0d5-4f0a-9470-edfa56e4910e BlogSecurityGroup MailEnabledSecurity
PS C:\> Get-MsolGroup -SearchString BlogSecurityGroup | Remove-MsolGroup
Confirm
Continue with this operation?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): y
Exchange Online will receive notification that the group has been removed and fully clean up the associated distribution group object.
PS C:\> Get-DistributionGroup BlogSecurityGroup
The operation couldn't be performed because object 'BlogSecurityGroup' couldn't be found on
'CO1PR06A002DC01.NAMPR06A002.prod.outlook.com'.
+ CategoryInfo : NotSpecified: (:) [Get-DistributionGroup], ManagementObjectNotFoundException
+ FullyQualifiedErrorId : [Server=DM6PR06MB4026,RequestId=62703e0c-3437-49b9-9b84-be6253159d2e,TimeStamp=4/29/2018
6:18:49 PM] [FailureCategory=Cmdlet-ManagementObjectNotFoundException] FC078746,Microsoft.Exchange.Management.RecipientTasks.GetDistributionGroup
+ PSComputerName : ps.outlook.com
If the group still exists on premises, Azure AD Connect will recreate it as a security-enabled group during the next synchronization cycle.
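A guarded version of the removal step, as an added example that is not part of the original post: Get-MsolGroup -SearchString can return more than one group, so this wrapper requires a single exact match, checks the group type, and saves the ObjectId and membership before calling Remove-MsolGroup. The function name Remove-SyncedMailGroup and the backup path are hypothetical, and an existing Connect-MsolService session is assumed.

```powershell
# Added example; Remove-SyncedMailGroup and $BackupPath are hypothetical names.
# Assumes the MSOnline module is loaded and Connect-MsolService has been run.
function Remove-SyncedMailGroup {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$DisplayName,
        [string]$BackupPath = ".\$DisplayName-backup.xml"
    )

    # -SearchString can return several groups; require one exact DisplayName
    # match so nothing unintended reaches Remove-MsolGroup.
    $found = @(Get-MsolGroup -SearchString $DisplayName |
        Where-Object { $_.DisplayName -eq $DisplayName })
    if ($found.Count -ne 1) {
        throw "Expected exactly one group named '$DisplayName', found $($found.Count)."
    }
    $group = $found[0]

    # Only act on the object type this procedure is about.
    if ($group.GroupType -ne 'MailEnabledSecurity') {
        throw "'$DisplayName' is $($group.GroupType), not MailEnabledSecurity."
    }

    # Record the ObjectId and membership first. The page notes that Azure AD
    # Connect recreates the group on the next cycle, so keep a record of the
    # removed object for auditing anything that referenced it.
    $members = @(Get-MsolGroupMember -GroupObjectId $group.ObjectId -All)
    [pscustomobject]@{
        ObjectId     = $group.ObjectId
        DisplayName  = $group.DisplayName
        EmailAddress = $group.EmailAddress
        LastDirSync  = $group.LastDirSyncTime
        Members      = $members | Select-Object ObjectId, DisplayName, EmailAddress
    } | Export-Clixml -Path $BackupPath -WhatIf:$false   # write backup even on a dry run

    if ($PSCmdlet.ShouldProcess("$DisplayName ($($group.ObjectId))", 'Remove-MsolGroup')) {
        Remove-MsolGroup -ObjectId $group.ObjectId -Force
    }
    $group.ObjectId   # returned so the caller can log which object was targeted
}

# Dry run first, then the real removal:
# Remove-SyncedMailGroup -DisplayName BlogSecurityGroup -WhatIf
# Remove-SyncedMailGroup -DisplayName BlogSecurityGroup
```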
Whoops. I didn’t think the security group itself would be removed; it was. Guess I’m doing this the long way after all 🙂
Nic – what exactly are you trying to do?
We had some mail-enabled security groups that were used for SPO permissions. Initially, after running this command, it appears the groups temporarily disappear, but after ADSync runs they reappear and are still allocated as they previously were.
Nic
If you followed everything in this article then I do not expect groups to return with any of their previous settings. Deleting the group through Azure should force AD Connect to reprovision an entirely new group.
Maybe things have changed…
TIMMCMIC