
Query on Active Directory Groups

Glenn Maxwell 13,761 Reputation points
2026-06-20T17:51:51.27+00:00

Hi All,

I am using an Exchange Server Subscription Edition (SE) hybrid environment. User accounts are created on-premises and then migrated to Exchange Online.

We have several Active Directory security groups that were created directly in Active Directory. These groups were not created using the on-premises Exchange Admin Center or Exchange Management Shell.

During the creation of these groups, the administrators populated the email-related attributes directly in Active Directory. I don't see these groups in the Exchange on-prem Admin Center under the Groups tab.

For example:

  • Group Name: SomeGroup
  • Email Address: somegroup(at)mydomain.com

These groups are synchronized to Microsoft Entra ID. In the Exchange Online Admin Center, I can see these groups listed as Mail-Enabled Security Groups, but the only email address displayed is: somegroup(at)mydomain.onmicrosoft.com

I have the following questions:

  1. If a user sends an email to somegroup(at)mydomain.onmicrosoft.com, will the message be delivered to all members of the group?
  2. Some of these groups appear in the Global Address List (GAL)/Address Book, while others do not. I am not sure why there is a difference in visibility, as all of these groups were created in the same way. Could someone please help me understand what might be causing this behavior?

Answer accepted by question author

Teddie-D 18,135 Reputation points Microsoft External Staff Moderator
2026-06-21T01:48:03.0533333+00:00

Hi @Glenn Maxwell

In a hybrid Exchange environment, this behavior is expected when mail-enabled security groups are created directly in Active Directory without using Exchange management tools.

If the group is synchronized to Microsoft Entra ID and appears in Exchange Online as a Mail-Enabled Security Group, email delivery is primarily determined by the proxyAddresses attribute.

  • If somegroup(at)mydomain.com exists in proxyAddresses and is correctly synchronized, mail sent to this address will be delivered to all group members.
  • If only somegroup(at)mydomain.onmicrosoft.com appears in Exchange Online, this typically indicates that the on-premises primary SMTP address was not properly stamped, not correctly synchronized, or not fully recognized during Exchange Online recipient provisioning.

Mail sent to any valid and correctly synchronized SMTP address in proxyAddresses will be delivered, provided the object is recognized as a valid Exchange recipient.

The difference in Global Address List (GAL) visibility is most likely due to incomplete or inconsistent Exchange provisioning of the groups.

Since these groups were created directly in Active Directory and not created or managed using Exchange Admin Center or Exchange Management Shell, they may be missing or inconsistently populated Exchange-related attributes such as:

  • proxyAddresses
  • mailNickname
  • msExchHideFromAddressLists
  • Exchange recipient metadata (including recipient type and address list visibility attributes)

The most common causes of GAL inconsistency are:

  • msExchHideFromAddressLists being set to True (object hidden from address lists)
  • Or Exchange Online not fully recognizing the object as a properly provisioned mail-enabled security group

As a result, some groups are fully recognized Exchange recipients and appear in the GAL, while others are only partially provisioned, leading to inconsistent visibility.

This is a common scenario in hybrid environments where groups are mail-enabled directly in Active Directory without Exchange provisioning. Exchange relies on a consistent and complete set of recipient attributes.

To ensure consistent behavior across all groups, it is recommended to:

  • Manage mail-enabled security groups using Exchange tools (Exchange Management Shell or Exchange Admin Center)
  • Ensure correct population of proxyAddresses, mailNickname, and related Exchange attributes
  • Verify synchronization using Microsoft Entra Connect after updates

I hope this information is helpful.



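An added example, not part of the accepted answer or of Microsoft's documentation: a read-only PowerShell audit that lists every AD group carrying mail attributes and flags the gaps the answer names (proxyAddresses, mailNickname, msExchHideFromAddressLists, recipient type). It assumes the ActiveDirectory RSAT module and an Exchange-extended schema; the issue labels are prompts for review, not confirmed causes.

```powershell
# Added example: audit mail attributes on AD groups that were mail-enabled by hand.
# Read-only; requires the ActiveDirectory module (RSAT) and the Exchange schema extensions.
Import-Module ActiveDirectory

$props = 'mail', 'mailNickname', 'proxyAddresses',
         'msExchHideFromAddressLists', 'msExchRecipientDisplayType'

# Assumption: a group counts as "mail attributes populated" if mail or proxyAddresses is set.
$filter = '(&(objectCategory=group)(|(mail=*)(proxyAddresses=*)))'
$groups = Get-ADGroup -LDAPFilter $filter -Properties $props

$report = foreach ($g in $groups) {
    # The primary address is the proxyAddresses entry with an upper-case "SMTP:" prefix;
    # lower-case "smtp:" entries are secondary addresses. -clike is case-sensitive.
    $primary = @($g.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
    $aliases = @($g.proxyAddresses | Where-Object { $_ -clike 'smtp:*' })

    $issues = @()
    if ($primary.Count -eq 0) { $issues += 'no primary SMTP: entry in proxyAddresses' }
    if ($primary.Count -gt 1) { $issues += 'more than one primary SMTP: entry' }
    if ($primary.Count -eq 1 -and $g.mail -and ($primary[0].Substring(5) -ne $g.mail)) {
        $issues += 'mail does not match the primary SMTP address'
    }
    if (-not $g.mailNickname) { $issues += 'mailNickname is empty' }
    if ($g.msExchHideFromAddressLists -eq $true) { $issues += 'hidden from address lists' }
    if ($null -eq $g.msExchRecipientDisplayType) {
        $issues += 'no Exchange recipient type stamped'
    }

    [pscustomobject]@{
        Name                 = $g.Name
        Mail                 = $g.mail
        PrimarySmtp          = ($primary -join ';')
        AliasCount           = $aliases.Count
        MailNickname         = $g.mailNickname
        Hidden               = $g.msExchHideFromAddressLists
        RecipientDisplayType = $g.msExchRecipientDisplayType
        Issues               = ($issues -join '; ')
    }
}

# Groups with the most findings first, so the inconsistent ones stand out.
$report | Sort-Object { $_.Issues.Length } -Descending |
    Format-Table Name, PrimarySmtp, Hidden, Issues -AutoSize -Wrap
```

Comparing the rows for a group that appears in the GAL with one that does not shows which attribute differs between them.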
1 additional answer

  1. AI answer

    2026-06-20T17:52:14.2033333+00:00
    1. For ******@mydomain.onmicrosoft.com

    Mail-enabled security groups are Active Directory security groups that are mail-enabled and can be used to distribute messages to all members of the group.

    From the provided information:

    • The groups are synchronized and appear in Exchange Online as Mail-Enabled Security Groups.
    • The primary SMTP address shown in Exchange Online is ******@mydomain.onmicrosoft.com.

    In Exchange/Exchange Online, the primary SMTP address is what is used for delivery. When a message is sent to that primary address, it is delivered to the group and then distributed to all group members.

    Therefore, if a user sends an email to ******@mydomain.onmicrosoft.com, it will be delivered to the mail-enabled security group and then to all members of that group, assuming:

    • The group is correctly mail-enabled.
    • The group is a supported type (universal mail-enabled security group or a mail-enabled non-universal group that is still managed).

    Mail-enabled security groups are explicitly described as being usable to distribute messages to recipients:

    • “Mail-enabled security groups… can be used to assign access permissions to resources in Active Directory and can also be used to distribute messages.”
    2. Why some groups appear in the GAL and others do not

    For mail-enabled security groups and distribution groups, visibility in the Global Address List (GAL) is controlled by properties on the group object. The documentation highlights:

    • Groups have a Display name that appears in the global address list and on the To: line when email is sent to the group.
    • There is a Hide this group from address lists option. If this is selected, the group does not appear in the GAL, and senders must know the alias or email address to send messages.

    Relevant points from the context:

    • “Display name: This value should help users immediately recognize what the group is used for. This name appears in the global address list…”
    • “Hide this group from address lists: Select this check box if you don't want users to see the group in the global address list. If this check box is selected, a sender has to know and type the group's alias or email address to send messages to the group.”

    Given that some of the groups appear in the GAL and others do not, likely causes include:

    • Hide-from-address-lists setting differs: Some groups may have the “Hide this group from address lists” (or equivalent attribute) enabled, while others do not.
    • Display name / mail-enabled completeness: A group must be properly mail-enabled and have a display name for it to appear in the GAL. The context notes that missing display names can cause synchronization issues for mail-enabled groups.

    To summarize:

    • Groups that are not hidden from address lists and are properly mail-enabled with a display name will appear in the GAL.
    • Groups configured to be hidden from address lists (or missing required mail-enabled attributes such as display name) will not appear in the GAL, even though they can still receive mail if addressed directly by SMTP address.
