Users can't manage groups synced from on-premises to Microsoft 365 in a hybrid environment

Original KB number:   4041533

Symptoms

Consider the following scenario:

In this scenario, users can't manage the groups.

Cause

This is default behavior because the local AD DS reads the permissions that are set on the local AD group. Because these users are not listed in the local AD permissions, they are unable to edit group membership.

Resolution

To resolve this issue, you may have to assign owner permissions to more than one user. Although groups that exist only in Microsoft 365 can have multiple owners set, a hybrid setup requires an additional action:

In Exchange Management Shell, add permissions for the users who have to manage the groups:

Add-ADPermission -Identity "All Staff" -User UserName -AccessRights WriteProperty -Properties "Member"

For more information about this cmdlet, see Add-ADPermission.

You can use the following cmdlet to check permissions:

Get-ADPermission Contoso.com -User UserName

Note

If you receive an Access Denied error message when you run the Add-ADPermission cmdlet, see Access denied when you try to give user "send-as" or "receive as" permission for a Distribution Group in Exchange Server.
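
The resolution above, applied to several users and followed by a review of who holds write access on the group object itself, as an added example that is not part of the original article. It assumes an on-premises Exchange Management Shell session; "All Staff" is the article's group name, the account names are placeholders, and the function name is hypothetical.

```powershell
# Added example (not from the original article). Run in Exchange Management Shell.
$Group    = 'All Staff'                   # group name used in the article
$Managers = @('UserName1', 'UserName2')   # placeholder accounts

foreach ($user in $Managers) {
    # Limit the grant to the Member attribute, as the article does, so the
    # delegate can edit membership but no other attribute of the group.
    Add-ADPermission -Identity $Group -User $user `
        -AccessRights WriteProperty -Properties 'Member' | Out-Null
}

# Hypothetical helper: list explicit allow entries that carry write access
# on the group, and show whether each one is scoped to specific attributes.
function Get-GroupWriteDelegation {
    param([Parameter(Mandatory)][string]$Identity)

    Get-ADPermission -Identity $Identity |
        Where-Object {
            -not $_.IsInherited -and -not $_.Deny -and
            "$($_.AccessRights)" -match 'WriteProperty|GenericWrite|GenericAll'
        } |
        Select-Object User, AccessRights, @{
            Name       = 'Scope'
            Expression = {
                # An entry with no property list applies to every attribute.
                $props = "$($_.Properties)"
                if ($props) { $props } else { 'ALL properties' }
            }
        }
}

Get-GroupWriteDelegation -Identity $Group |
    Sort-Object User |
    Format-Table -AutoSize
```

Entries whose Scope reads "ALL properties", or that belong to accounts outside the intended list of group managers, are the ones to review.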
