AhmedSHMK
Oct 01, 2024 (Brass Contributor)
CA using nested DDL
-I started off by creating a new DDL using the below command:
PS C:\WINDOWS\system32> New-DynamicDistributionGroup -Name "NewDG" -RecipientFilter "(RecipientTypeDetails -eq 'UserMailbox') -and (CustomAttribute1 -like 'DGTEST*')"
Name ManagedBy
---- ---------
NewDG
-Checking the recipient filter the below is returned:
PS C:\WINDOWS\system32> Get-DynamicDistributionGroup -Identity "NewDG"|FL RecipientFilter
RecipientFilter : ((((RecipientTypeDetails -eq 'UserMailbox') -and (CustomAttribute1 -like 'DGTEST*'))) -and (-not(Name -like 'SystemMailbox{*')) -and (-not(Name -like 'CAS_{*')) -and (-not(RecipientTypeDetailsValue -eq
'MailboxPlan')) -and (-not(RecipientTypeDetailsValue -eq 'DiscoveryMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'PublicFolderMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'ArbitrationMailbox'))
-and (-not(RecipientTypeDetailsValue -eq 'AuditLogMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'AuxAuditLogMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'SupervisoryReviewPolicyMailbox')))
-Members for the DDL show empty:
PS C:\WINDOWS\system32> Get-DynamicDistributionGroupMember -Identity NewDG
-Custom attribute for the user showing populated as below:
PS C:\WINDOWS\system32> Get-Mailbox User1 |FL CustomAttribute1
CustomAttribute1 : DGTEST
-Forced Refresh using PS as below
PS C:\WINDOWS\system32> Set-DynamicDistributionGroup -Identity NewDG -ForceMembershipRefresh
-Now showing members:
PS C:\WINDOWS\system32> Get-DynamicDistributionGroupMember -Identity "NewDG"
Name RecipientType
---- -------------
User1 UserMailbox
-When trying to check recipient filter/membership using the command:
PS C:\WINDOWS\system32> $FTE = Get-DynamicDistributionGroup -Identity "NewDG"
PS C:\WINDOWS\system32> Get-Recipient -RecipientPreviewFilter ($FTE.RecipientFilter)
PS C:\WINDOWS\system32> Get-Recipient -RecipientPreviewFilter ($FTE.RecipientFilter)
-The DDG was added as a member of a DL, and the DL is added in a Conditional Access policy to enforce MFA. However, only direct members of the group are enforced to use MFA, not nested DDL group members, despite MS documentation stating that both DDL and nested memberships are supported.
-In the Azure sign-in portal, the MFA CA policy says not applied.
-Details show user assignment not matched, i.e. not included in scope.
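The following is an added example, not code from the original post: it expands a DL's effective membership on the Exchange side, following nested DLs and DDGs, so the resulting list can be compared with the users the Conditional Access sign-in details actually report as in scope. It assumes an Exchange Online PowerShell session; the DL name "MFA-DL" and the helper function name are assumptions, and the DDG filter is evaluated with -OrganizationalUnit set to the group's RecipientContainer, since Get-Recipient -RecipientPreviewFilter otherwise runs from the default scope and can return nothing even when the filter is correct.

```powershell
# Added example (not from the original post). Assumes an Exchange Online
# PowerShell session. "MFA-DL" is an assumed DL name; "NewDG" (the DDG from
# the post) is expected to be nested inside it.

function Get-EffectiveDLMembers {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [hashtable]$Seen = @{}
    )
    # Guard against cycles and against expanding the same nested group twice
    if ($Seen.ContainsKey($Identity)) { return }
    $Seen[$Identity] = $true

    $group = Get-Recipient -Identity $Identity -ErrorAction Stop
    switch ($group.RecipientTypeDetails) {
        'DynamicDistributionGroup' {
            # Evaluate the DDG filter inside its own RecipientContainer;
            # without -OrganizationalUnit the preview can come back empty.
            $ddg = Get-DynamicDistributionGroup -Identity $Identity
            $members = Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter `
                -OrganizationalUnit $ddg.RecipientContainer -ResultSize Unlimited
        }
        default {
            # Static DL or mail-enabled security group: read its member list
            $members = Get-DistributionGroupMember -Identity $Identity -ResultSize Unlimited
        }
    }

    foreach ($m in $members) {
        if ($m.RecipientTypeDetails -in 'MailUniversalDistributionGroup',
                                        'MailUniversalSecurityGroup',
                                        'DynamicDistributionGroup') {
            # Nested group: recurse, sharing the $Seen table
            Get-EffectiveDLMembers -Identity $m.Identity -Seen $Seen
        } else {
            # Leaf recipient: record who it is and which group it arrived through
            [pscustomobject]@{ Member = $m.PrimarySmtpAddress; Via = $Identity }
        }
    }
}

# Usage: list everyone the DL resolves to, including users that only arrive
# through the nested DDG, then compare with the CA "user assignment" details.
Get-EffectiveDLMembers -Identity 'MFA-DL' | Sort-Object Member -Unique | Format-Table -AutoSize
```

Any user that appears in this list only with Via = 'NewDG' but shows "not matched" in the sign-in details is one whose membership the CA policy did not resolve through the nested DDG.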