Forum Discussion
Cannot add a "contact" in Exchange Online to an Office 365 Group as a Guest
- Sep 19, 2016
Thanks George Khalil for reaching out! Currently, adding mail contacts as guests is not supported; however, there is a way you can add mail contacts, for which you would need the administrator to remove the other mail-enabled object, after which the guest user object can be added by the group owner or by an administrator running a cmdlet with the mSExchHideFromAddressLists property as $false; this property would ensure that the contact is visible in the GAL.
You can refer to the tenant admin documentation: https://support.office.com/en-us/article/Guest-access-to-Office-365-groups-Admin-Help-7c713d74-a144-4eab-92e7-d50df526ff96?ui=en-US&rs=en-US&ad=US
Alternatively there is a very good and informative article written by TonyRedmond https://www.petri.com/external-access-office-365-groups about guests in Groups, which includes details about Guests in Groups.
By the way, if you remove a mail-enabled contact so that you can add a new guest user for the same SMTP address, you might wonder whether that guest user object can be used in Exchange distribution lists. The official answer might be no, because the picker control used in EAC to select objects to add to DLs won't include guest users. However, PowerShell comes to the rescue (once again) as you can use the Add-DistributionGroupMember to add a guest user to a DL.
We are set up in a Hybrid environment. We have a ton of mail-contacts on our on-prem Exchange environment as they are members of distribution groups. Because of that, group owners are running into the error stated in this thread.
Removing the mail-contact will allow the group owner to add the user as a guest, but removing the contact removes DL membership. Our distribution groups are on-prem and don't see the guest users that are in-cloud, as expected. Running an Add-DistributionGroupMember in the Office 365 PowerShell fails as the DLs are on-prem.
Seems to me that we need to re-create the distribution groups in the cloud in order for guests to be added?
The problem with that is we integrate our ERP system with Exchange via PowerShell scripts to build/update these lists nightly based on roles. The PowerShell is expecting to see the lists on-prem which won't work because of the guest in-cloud accounts.
The only workaround I've come up with is to delete the on-prem mail-contact, have the group owner add the user as a guest (in-cloud), then re-create the mail-contact (on-prem). This all works but we get dirsync errors about a dupe.
Any cleaner way of doing this?
- TonyRedmond, Nov 18, 2016, MVP
Why don't you exclude the on-premises from being synchronized with AAD? That way you can have on-prem mail contacts that don't interfere with the creation of guest user accounts. It might be messy, but it would avoid the duplicate errors you are seeing now.
- Todd Felmly, Nov 18, 2016, Copper Contributor
That's actually what we have been discussing internally but as you said, may get really messy.
- TonyRedmond, Nov 18, 2016, MVP
I'm at a conference with Michael Van Hybrid today and asked him what he would do... He's contemplating the issue right now and might come up with a better solution. I shall let you know what he says.
- Sahil Arora, Nov 17, 2016, Iron Contributor
Thanks Todd for reaching out! I have sent you a private message. I will follow-up with you there.