This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
My company is purely cloud-based with AzureAD and Exchange Online. Dynamic Distribution Lists are not as easy to manage in AAD/ExchangeOnline as they were in the traditional on-prem versions, AD/Exchange. The cloud-based versions do not enjoy the same level of interconnectivity as their on-prem cousins, and we cannot create/manage a DDL directly based on AAD Dynamic Group membership.
I wrote a small PowerShell script that queries Dynamic Group membership, then adds a specific label into one of the CustomAttribute fields in Exchange Online. The DDL's are then populated based on the contents of the CustomAttribute field. I manually run this script once a week. Obviously, this solution is not efficient or scalable.
I want to automate DDL management and understand there are a couple of methods. I could use Power Automate or Azure Automation. Ideally, I would like DDL membership to update in real-time as users are added to or removed from a Dynamic Group. I'm here today to ask the community which is the best method? Are there other methods that I'm missing?
Thank you for your time.
Edit: Adding this script excerpt:
Write-Output "Compiling list of employees"
Write-Output "Resetting Exchange customattribute fields 1 thru 3 for all users"
$all = Get-AzureADGroupMember -ObjectId "<all_employee_dynamic_group>" -all $true #Group name is "<all_emp>"
$all | Foreach-Object {
set-mailbox -identity $_.UserPrincipalName -customattribute1 $null -customattribute2 $null -customattribute3 $null
}
Write-Output "Reset complete"
...
# Set customattribute 1 to 'US' for US-based employees
Write-Output "Compiling list of US-based employees"
$us = Get-AzureADGroupMember -ObjectId "<all_us_employee_dynamic_group>" -all $true #Group name is "<all_us_emp>"
Write-Output "Setting Exchange customattribute1 to 'US' for US-based employees"
$us | foreach-object {
set-mailbox -identity $_.UserPrincipalName -customattribute1 "US"
}
Hi @Shawn Goodwin
As your issue is not related to OOS, I would remove its tag.
Thanks for your understandings.
If you cannot use the Azure Dynamic Distribution Group filter for Exchange online. Use the CustomAttribute field as a staging will be the most suitable workaround for your tenant. (The best one is finding whether there exist suitable filer field for Exchange online: -RecipientFilter, there exist may fields for using)
If there doesn't exist suitable filter for "-RecipientFilter", you may need to run your script to modify CustomAttribute for copy relationship between Azure AD and Exchange online. The command below may could improve some efficiency (Force Exchange online Dynamic Distribution Group update members based on the filter that you created):
Set-DynamicDistributionGroup -Identity <DDGIdentity> -ForceMembershipRefresh
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@KyleXu-MSFT Thank you for your taking the time to respond.
I already use a script that populates the CustomAttribute fields in Exchange, based on Azure AD properties. I added a script excerpt to my post.
The longest part of this script is wiping and resetting the customattributes. The Set-DynamicDistributionGroup -Identity <DDGIdentity> -ForceMembershipRefresh wouldn't help much because the customattributes were already set in the script. I can see where this would be useful if my script only added/removed newly changed users. I haven't gotten that far yet.
Unfortunately, a suitable -RecipeintFilter does not exist which will allow me to update an Exchange DDL based on AzureAD group membership. I was hopeful the filterable property "memberof" would work, but it will not, per the documentation; "This property only works with groups recognized by Exchange; therefore, Azure AD security groups do not work.".
As I'm looking to automate this process (rather than manually run this script weekly), do you think the best solution is Azure Automation to run the script on a regular cadence, or Microsoft Flow/Power Automate to manage the DDLs based on events?
Which filter that you used to create the AAD group? Why not use the "extensionAttribute1" to create Azure AD group directly?
The "extensionAttribute1" call the "CustomAttribute1" on Exchange online side. In this way, Exchange online and Azure AD group will keep same. If you want modify group member, you could modify this value directly.
@KyleXu-MSFT - I tried posting this as a reply to your last. For some reason, the page would not take it. I'm making it another "answer."
The AAD dynamic groups were setup prior to the DDLs. Those AAD dynamic groups are built using AAD user profile data (department, city, country, manager, etc). That data is managed from our HR dept through the WorkDay service.
When I started developing the DDLs, I did NOT know the -recipient filter memberof would NOT work between AAD and Exchange Online like it does between regular AD and Exchange on-prem. Hence the script I built. I also did not know the AAD ExtensionAttribute# would sync with Exchange Online CustomAttribute#.
Obviously, we're trying to keep this as automated as possible. I don't know if WorkDay has any fields that would map to AAD ExtensionAttribute fields. Even if they did, trying to explain to HR folks what should go in those fields and why would be challenging. Additionally, manually updating the ExtensionAttribute fields defeats the purpose of the automation.
Given all that, I think I see a light at the end of the tunnel. I can write a script to update each user's ExtensionAttribute# based on their profile data. Then use the ExtensionAttribute to CustomAttribute sync to manage the DDLs. Of course, this still requires the script to run periodically, which brings me back to my original question. Which automation tool do you think is better suited for this task, Azure Automation or Flow or some other tool I'm missing?
BTW, I understand you're showing automation options WITHIN AAD and Exchange. I just don't see a way forward to manage DDLs WITHOUT using some sort of script or 3rd-party tool.
Thank you for your help!
In this scenario, there doesn't exist a build-in tool could complete this one. For me, I will choose task schedule to run script to copy data to ExtensionAttribute daily.
Thank you for your help!!