Hello everyone,
We have been encountering an issue with on-prem managed Mail-Enabled Security Groups: no matter how we try to convert them back to being Security Groups, Exchange Online sees them as being Mail-Enabled Security Groups, and ends up creating a new email address for them with the @XXXX.onmicrosoft.com domain. This behaviour seems to happen for all groups as far as we can tell.
We have tried:
- To run Disable-DistributionGroup from on-prem Exchange, but the group is not seen by Exchange:
[PS] C:\Windows\system32>Disable-DistributionGroup -Identity "XXXX"
The operation couldn't be performed because object 'XXXX' couldn't be found on 'XXXX'.
+ CategoryInfo : NotSpecified: (:) [Disable-DistributionGroup], ManagementObjectNotFoundException
+ FullyQualifiedErrorId : [Server=GXXXX,RequestId=XXXX,TimeStamp=XXXX]
[FailureCategory=Cmdlet-ManagementObjectNotFoundException] A93254E5,Microsoft.Exchange.Management.R
ecipientTasks.DisableDistributionGroup
+ PSComputerName : XXXX.local
- Strip the group of all mail-related attributes on AD:
On-prem AD: the proxyAddresses attribute gets a new X500 address (x500:/o=ExchangeLabs/ou=Exchange Administrative Group (XXXX)/cn=Recipients/cn=XXXX) after the sync cycle finishes
Exchange Online: a new email address is created for the group with the domain @XXXX.onmicrosoft.com
- Convert the group via the PowerShell cmdlet Set-ADGroup -Identity "GroupName" -GroupCategory Security: this does not seem to have any sort of impact
- Use Exchange on-prem to convert the group to Mail-Enabled, then disable it again:
[PS] C:\Windows\system32>Enable-DistributionGroup -Identity "XXXX"
Creating a new session for implicit remoting of "Enable-DistributionGroup" command...
Name DisplayName GroupType                  PrimarySmtpAddress
---- ----------- ---------                  ------------------
XXXX XXXX        Universal, SecurityEnabled XXXX
[PS] C:\Windows\system32>Disable-DistributionGroup -Identity "XXXX"
Confirm
Are you sure you want to perform this action?
Disabling distribution group "XXXX" will remove the Exchange properties from the Windows group object.
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): a
[PS] C:\Windows\system32>Disable-DistributionGroup -Identity "XXXX"
The operation couldn't be performed because object 'XXXX' couldn't be found on 'XXXX.local'.
+ CategoryInfo : NotSpecified: (:) [Disable-DistributionGroup], ManagementObjectNotFoundException
+ FullyQualifiedErrorId : [Server=XXXX,RequestId=XXXX,TimeStamp=XXXX]
[FailureCategory=Cmdlet-ManagementObjectNotFoundException] A93254E5,Microsoft.Exchange.Management.R
ecipientTasks.DisableDistributionGroup
+ PSComputerName : XXXX.local
--> All these tests are telling me on-prem Exchange does not consider these groups as being Mail-Enabled, and yet Exchange Online sees them as being Mail-Enabled. Then Exchange Online gives them an email address if there's not one provided by Active Directory. I'm not sure why or how to fix this.
Would you please have any idea why this is happening and how to fix it? Thanks a lot!