How can I convert a Mail-Enabled Security Group back to being a Security Group?

Vincent L 60 Reputation points
2023-09-11T12:51:24.98+00:00

Hello everyone,

We have been encountering an issue with on-prem managed Mail-Enabled Security Groups: no matter how we try to convert them back to being Security Groups, Exchange Online sees them as being Mail-Enabled Security Groups, and ends up creating a new email address for them with the @XXXX.onmicrosoft.com domain. This behaviour seems to happen for all groups as far as we can tell.

We have tried:

  • To run Disable-DistributionGroup from on-prem Exchange, but the group is not seen by Exchange:
[PS] C:\Windows\system32>Disable-DistributionGroup -Identity "XXXX"
The operation couldn't be performed because object 'XXXX' couldn't be found on 'XXXX'.
    + CategoryInfo          : NotSpecified: (:) [Disable-DistributionGroup], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : [Server=GXXXX,RequestId=XXXX,TimeStamp=XXXX]
    [FailureCategory=Cmdlet-ManagementObjectNotFoundException] A93254E5,Microsoft.Exchange.Management.R
  ecipientTasks.DisableDistributionGroup
    + PSComputerName        : XXXX.local

  • Strip the group of all mail-related attributes on AD:

On Prem AD: proxyAddresses attribute gets a new X500 address (x500:/o=ExchangeLabs/ou=Exchange Administrative Group (XXXX)/cn=Recipients/cn=XXXX) after sync cycle finishes

Exchange Online: a new email address is created for the group with the domain @XXXX.onmicrosoft.com


  • Convert the group via the PowerShell Set-ADGroup -Identity "GroupName" -GroupCategory Security cmdlet: this does not seem to have any sort of impact

  • Use Exchange on-prem to mail-enable the group, then disable it again:
[PS] C:\Windows\system32>Enable-DistributionGroup -Identity "XXXX"
Creating a new session for implicit remoting of "Enable-DistributionGroup" command...
Name                   DisplayName            GroupType                  PrimarySmtpAddress
----                   -----------            ---------                  ------------------
XXXX                   XXXX                   Universal, SecurityEnabled XXXX

[PS] C:\Windows\system32>Disable-DistributionGroup -Identity "XXXX"
Confirm
Are you sure you want to perform this action?
Disabling distribution group "XXXX" will remove the Exchange properties from the Windows group object.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): a

[PS] C:\Windows\system32>Disable-DistributionGroup -Identity "XXXX"
The operation couldn't be performed because object 'XXXX' couldn't be found on 'XXXX.local'.
    + CategoryInfo          : NotSpecified: (:) [Disable-DistributionGroup], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : [Server=XXXX,RequestId=XXXX,TimeStamp=XXXX]
      [FailureCategory=Cmdlet-ManagementObjectNotFoundException] A93254E5,Microsoft.Exchange.Management.R
  ecipientTasks.DisableDistributionGroup
    + PSComputerName        : XXXX.local

--> All these tests are telling me on-prem Exchange does not consider these groups as being Mail-Enabled, and yet Exchange Online sees them as being Mail-Enabled. Then Exchange Online gives them an email address if there's not one provided by Active Directory. I'm not sure why or how to fix this.

Would you please have any idea why this is happening and how to fix it? Thanks a lot!


Accepted answer
  1. Andy David - MVP 147.6K Reputation points MVP
    2023-09-11T12:59:24.1333333+00:00

    Disable them on-prem with Disable-DistributionGroup

    If they are on-prem and syncing with ExO then that should work assuming they are mail-enabled.

    If not, then enable them again, then disable on-prem

    After that, Delete the group in Azure and let it sync.

    https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.groups/remove-mggroup?view=graph-powershell-1.0&preserve-view=true

    Remove-MgGroup -GroupId 'f6b9791b-dfc1-40d6-9ab6-7b29126c534a'
    

    That will remove the mail enabled group in Azure and sync just the security group

    1 person found this answer helpful.
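The accepted answer's sequence as a re-runnable PowerShell function, added here as an example and not code from the thread. It assumes an Exchange on-prem management session and a Microsoft Graph PowerShell session (Connect-MgGraph with Group.ReadWrite.All) are already open, that the ADSync module is installed on the machine it runs on, and that "CONTOSO-Finance" is a placeholder group name. The checks before Remove-MgGroup are there so the function never deletes a cloud-only group or the wrong object with a matching display name.

```powershell
# Added example (not from the thread): the accepted answer's steps in order.
# Assumptions: Exchange on-prem cmdlets, Graph PowerShell (Group.ReadWrite.All) and
# the ADSync module are all available in this session; 'CONTOSO-Finance' is a placeholder.

function Reset-MailEnabledSecurityGroup {
    param(
        [Parameter(Mandatory)] [string] $Name
    )

    # 1. Is on-prem Exchange aware of the group at all? Disable-DistributionGroup
    #    fails with ManagementObjectNotFoundException when it is not, which is the
    #    error the question shows.
    $dg = Get-DistributionGroup -Identity $Name -ErrorAction SilentlyContinue
    if (-not $dg) {
        Write-Host "On-prem Exchange does not see '$Name' as mail-enabled; mail-enabling it first so it can be cleanly disabled"
        Enable-DistributionGroup -Identity $Name -ErrorAction Stop | Out-Null
    }

    # 2. Remove the Exchange properties from the AD group object (no prompt).
    Disable-DistributionGroup -Identity $Name -Confirm:$false -ErrorAction Stop

    # 3. Delete the stale cloud object so the next sync recreates it from the
    #    now mail-disabled on-prem object. Match on displayName, then make sure
    #    it is the single, directory-synced copy before deleting anything.
    $cloud = @(Get-MgGroup -Filter "displayName eq '$Name'" -ErrorAction Stop)
    if ($cloud.Count -ne 1) {
        throw "Expected exactly one cloud group named '$Name', found $($cloud.Count)"
    }
    if (-not $cloud[0].OnPremisesSyncEnabled) {
        throw "'$Name' is not a directory-synced group; refusing to delete it"
    }
    Remove-MgGroup -GroupId $cloud[0].Id -ErrorAction Stop

    # 4. Trigger a delta sync instead of waiting for the scheduler.
    Start-ADSyncSyncCycle -PolicyType Delta
}

Reset-MailEnabledSecurityGroup -Name 'CONTOSO-Finance'
```

Step 3 is the one that removes the address Exchange Online minted; if the function stops there with the "not a directory-synced group" error, the object found by display name is not the synced copy and should be looked at by hand rather than deleted.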

2 additional answers

  1. Vincent L 60 Reputation points
    2023-09-12T06:44:15.3033333+00:00

    Hello @Andy David - MVP

    Many thanks for the reply, this is very much appreciated! :)

    I have tried what you suggested, but to no avail: the group is still seen as Mail-Enabled by Azure/Exchange Online. The only part I could not try so far was the MgGroup as MS Graph does not have the correct permissions configured for it on our tenant yet, I am working on that to test and provide feedback as soon as I can.

    I am wondering though, does that Remove-MgGroup command allow bypassing the fact that this is an on-prem group, as the "Delete" option for that group is greyed out in Entra?


  2. Vincent L 60 Reputation points
    2023-09-12T09:50:00.6933333+00:00

    UPDATE:

    After considering the issue with MS Graph described in my last post, I decided to attempt it with other commands, namely Remove-AzureADGroup:

    Remove-AzureADGroup -ObjectId "f6b9791b-dfc1-40d6-9ab6-7b29126c534a"

    So I deleted the X500 address from the on-prem object, then ran the command quoted above, started a sync cycle and finally the Azure AD object gets synchronized correctly as a Security object! :)

    Many thanks again @Andy David - MVP , that MVP tag is well-deserved
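The sequence that resolved the question (remove the X500 entry from proxyAddresses on-prem, delete the cloud object with Remove-AzureADGroup, run a sync cycle), with an audit of the mail-related AD attributes before and after so it is visible what Exchange has written back. This is an added example, not code from the thread; it assumes the ActiveDirectory, AzureAD (Connect-AzureAD already run) and ADSync modules are available, and "CONTOSO-Finance" is a placeholder group name.

```powershell
# Added example (not from the thread): the update's working sequence, plus an
# attribute audit. Assumptions: ActiveDirectory, AzureAD and ADSync modules loaded;
# 'CONTOSO-Finance' is a placeholder group name.

$MailAttributes = 'mail', 'mailNickname', 'legacyExchangeDN', 'proxyAddresses',
                  'msExchRecipientTypeDetails', 'msExchRecipientDisplayType'

function Get-GroupMailAttributes {
    param([Parameter(Mandatory)] [string] $Name)
    # Return only the mail-related attributes that are actually populated, so
    # anything Exchange (on-prem or Online) has stamped on the object stands out.
    $g = Get-ADGroup -Identity $Name -Properties $MailAttributes
    $populated = @{}
    foreach ($a in $MailAttributes) {
        if ($null -ne $g.$a -and @($g.$a).Count -gt 0) { $populated[$a] = @($g.$a) }
    }
    return $populated
}

function Remove-X500Addresses {
    param([Parameter(Mandatory)] [string] $Name)
    # The question reports an X500 address appearing in proxyAddresses after each
    # sync cycle; remove only those entries and leave any SMTP entries untouched.
    $g = Get-ADGroup -Identity $Name -Properties proxyAddresses
    $x500 = @($g.proxyAddresses | Where-Object { $_ -like 'x500:*' })   # -like is case-insensitive
    if ($x500.Count -gt 0) {
        Set-ADGroup -Identity $Name -Remove @{ proxyAddresses = $x500 }
    }
    return $x500
}

Write-Host 'Before:'
Get-GroupMailAttributes -Name 'CONTOSO-Finance' | Format-Table -AutoSize

# 1. Strip the X500 address from the on-prem object.
Remove-X500Addresses -Name 'CONTOSO-Finance' | ForEach-Object { "Removed $_" }

# 2. Delete the cloud copy (Delete is greyed out in the portal for synced
#    objects; the cmdlet is what the update reports working). Match the display
#    name exactly rather than trusting the search string's prefix match.
$cloud = @(Get-AzureADGroup -SearchString 'CONTOSO-Finance' |
           Where-Object { $_.DisplayName -eq 'CONTOSO-Finance' })
if ($cloud.Count -ne 1) { throw "Expected one cloud group, found $($cloud.Count)" }
Remove-AzureADGroup -ObjectId $cloud[0].ObjectId

# 3. Push a delta sync so the group is recreated from the cleaned AD object.
Start-ADSyncSyncCycle -PolicyType Delta

# 4. Once the cycle has finished, confirm the result: a plain security group has
#    MailEnabled False, SecurityEnabled True, and no Mail or onmicrosoft.com address.
Start-Sleep -Seconds 120
Get-AzureADGroup -SearchString 'CONTOSO-Finance' |
    Select-Object DisplayName, MailEnabled, SecurityEnabled, Mail, ProxyAddresses

Write-Host 'After:'
Get-GroupMailAttributes -Name 'CONTOSO-Finance' | Format-Table -AutoSize
```

The two audit calls are the useful part for a defender: if the "After" output still lists an SMTP entry in proxyAddresses or a value in mail, the group is still addressable and the cloud object will be recreated as mail-enabled on the next cycle, so the on-prem attributes need clearing before repeating the delete and sync.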

