
Azure AD Security Group - Can I mail enable the group?

Robert Woods
Super Contributor

Is there any way to mail enable an Azure AD security group? This group is built in Azure AD to take advantage of the robust Dynamic membership capabilities, and we would like to mail enable it, but not make it an Office 365 group. We do not want it to have a SharePoint or Planner or any of the other stuff that comes with an Office 365 group. We just want the dynamic membership capabilities of the Azure security group, as well as mail delivery to the group members. When creating the group it only gave us a slider that said enable office features yes/no and I chose no.

5 Replies
Solution

Nope, you cannot have it all. If you want it to stay dynamic and use it as a security principal, it cannot be mail-enabled. If you scrap the dynamic part, you can create a Mail-enabled security group in Exchange. If you can live without the security part, create a dynamic DG in Exchange.

Thanks @Vasil Michev. That is what I suspected. When going with the Dynamic DG in Exchange Admin Center I only have a couple of options, Company, State, Department to choose from. Any way for me to use the Office Location instead without copying it to a custom attribute?

Actually, I think I found the PowerShell commands.

New-DynamicDistributionGroup -Name "#Test2" -RecipientFilter {(RecipientType -eq 'UserMailbox') -and (OFFICE -eq 'TEST OFFICE')}

Yup, as usual the UI only exposes some options; if you want better granularity you have to use PowerShell. Office, department, even "domain" can all be used to create a DDG. The problem with those, however, is that you cannot use them to delegate permissions - they are not a security principal.


Yes, this will work. You can use an OPATH filter in the -RecipientFilter.
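
An added example, not posted by anyone in this thread: before mail is sent to a dynamic distribution group, preview which recipients its OPATH filter actually resolves to and restrict who may send to it. It assumes an already connected Exchange Online PowerShell session; the group name is a hypothetical sample value, and the filter is the one quoted above.

```powershell
# Added example. Assumes Connect-ExchangeOnline has already been run.
# $name is a constructed sample value; $filter is the filter from the thread.
$name   = 'DDG-Test-Office'
$filter = "(RecipientType -eq 'UserMailbox') -and (Office -eq 'TEST OFFICE')"

# 1. Preview who the filter matches before any group exists.
#    A typo in the Office value silently yields an empty or wrong audience.
$preview = @(Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited)
$preview | Sort-Object DisplayName |
    Format-Table DisplayName, PrimarySmtpAddress, Office -AutoSize

if ($preview.Count -eq 0) {
    throw "Filter matched no recipients; not creating '$name'."
}

# 2. Create the dynamic distribution group with the reviewed filter.
New-DynamicDistributionGroup -Name $name -RecipientFilter $filter | Out-Null

# 3. Re-check using the filter as Exchange stored it. Exchange Online appends
#    its own exclusions (system mailboxes and similar), so read it back
#    rather than trusting the string that was typed.
$ddg      = Get-DynamicDistributionGroup -Identity $name
$resolved = @(Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter -ResultSize Unlimited)

"Stored filter : $($ddg.RecipientFilter)"
"Previewed     : $($preview.Count) recipients"
"Resolved now  : $($resolved.Count) recipients"

# 4. Only accept mail from authenticated senders, so the address cannot be
#    used from outside the organization to reach every member.
Set-DynamicDistributionGroup -Identity $name -RequireSenderAuthenticationEnabled $true

Get-DynamicDistributionGroup -Identity $name |
    Format-List Name, PrimarySmtpAddress, RequireSenderAuthenticationEnabled
```

As the accepted answer says, the resulting group is not a security principal, so this check covers mail delivery only and the group cannot be used to grant permissions.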
