
Cannot add a "contact" in Exchange Online to an Office 365 Group as a Guest


Looks like this is an issue - I have successfully been able to add external recipients as guests in an Office 365 Group if they are not listed in the GAL, however when I come to add a contact listed in the GAL as a guest, I receive the below warning;

 

"You are trying to add a contact created by your admin. Contact your admin to add the user as a guest to this group"

 

Help please.

 

Thanks

best response confirmed by George Khalil (Copper Contributor)
Solution

Thanks @George Khalil for reaching out! Currently adding mail contacts as guests is not supported, however there is a way you can add mail contacts, for which you would need the administrator to remove the other mail-enabled object, after which the guest user object can be added by the group owner or by an administrator running a cmdlet with the mSExchHideFromAddressLists property as $false; this property would ensure that the contact is visible in the GAL.

You can refer to the tenant admin documentation https://support.office.com/en-us/article/Guest-access-to-Office-365-groups-Admin-Help-7c713d74-a144-...

 

Alternatively there is a very good and informative article written by @Tony Redmond https://www.petri.com/external-access-office-365-groups about guests in Groups, which includes details about Guests in Groups.

By the way, if you remove a mail-enabled contact so that you can add a new guest user for the same SMTP address, you might wonder whether that guest user object can be used in Exchange distribution lists. The official answer might be no, because the picker control used in EAC to select objects to add to DLs won't include guest users. However, PowerShell comes to the rescue (once again) as you can use the Add-DistributionGroupMember to add a guest user to a DL.
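
The two posts above describe one procedure: remove the mail contact, let the guest be added, make the guest visible in the GAL, and put it back into distribution lists with Add-DistributionGroupMember. The script below is an added example, not code from the original posts or from Microsoft. It assumes a connected Exchange Online PowerShell session and cloud-managed DLs, uses the `HiddenFromAddressListsEnabled` parameter of `Set-MailUser` for the hide-from-address-lists property, and its address and CSV path are placeholders.

```powershell
# Added example. Assumes Connect-ExchangeOnline has already been run and that
# the distribution lists are managed in Exchange Online (not on-premises).
param(
    [string]$Address = 'partner@example.com',      # placeholder SMTP address
    [string]$Backup  = '.\contact-dl-backup.csv',  # placeholder path for the membership record
    [ValidateSet('RemoveContact', 'RestoreGuest')]
    [string]$Phase   = 'RemoveContact'
)

if ($Phase -eq 'RemoveContact') {
    $contact = Get-MailContact -Identity $Address -ErrorAction Stop

    # Deleting the contact also deletes its DL memberships, so record them first.
    Get-DistributionGroup -ResultSize Unlimited -Filter "Members -eq '$($contact.DistinguishedName)'" |
        Select-Object Name, PrimarySmtpAddress |
        Export-Csv -Path $Backup -NoTypeInformation

    Remove-MailContact -Identity $contact.Identity -Confirm:$false
    # The group owner (or an administrator) can now add $Address as a guest.
    return
}

# Phase 'RestoreGuest': run once the guest object exists in the tenant.
$guest = Get-MailUser -ResultSize Unlimited |
    Where-Object { $_.RecipientTypeDetails -eq 'GuestMailUser' -and
                   "$($_.ExternalEmailAddress)" -ieq "SMTP:$Address" }
if (-not $guest) { throw "No guest mail user found for $Address yet." }

# Guests are hidden from address lists by default; make this one visible in the GAL.
Set-MailUser -Identity $guest.Identity -HiddenFromAddressListsEnabled $false

# Re-add the guest to every DL the removed contact belonged to.
foreach ($dl in Import-Csv -Path $Backup) {
    Add-DistributionGroupMember -Identity $dl.PrimarySmtpAddress -Member $guest.Identity
}
```

Run it once with `-Phase RemoveContact`, have the guest added to the group, then run it again with `-Phase RestoreGuest`; the CSV doubles as a record of which memberships were changed.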


@Tony Redmond wrote:

By the way, if you remove a mail-enabled contact so that you can add a new guest user for the same SMTP address, you might wonder whether that guest user object can be used in Exchange distribution lists. The official answer might be no, because the picker control used in EAC to select objects to add to DLs won't include guest users. However, PowerShell comes to the rescue (once again) as you can use the Add-DistributionGroupMember to add a guest user to a DL.


This information has been very helpful to me.  So has Tony's article.  The question I have is...Can a guest user be added to a dynamic distribution list?

 

Thanks

 

Conceptually I don't see a problem as AAD will simply select the objects that you identify through the query. But I have not tried it and I do not have AAD premium enabled on a tenant right now so I can't test. Try it and let us know.

Thanks for your response.  I really appreciate it!

 

I usually set up dynamic groups by querying the custom attributes of mail recipients.  I don't know where to set up the custom attributes on a guest user.  However, I hadn't considered the idea of changing the query to just include certain users.  If you have any ideas about the custom attributes let me know.  Otherwise I'll try a different query.

 

Thanks again.

A guest user is an AAD object and can be edited as such. I found that the AAD console didn't support editing because it didn't like the form of address used (#EXT#), but the Office 365 Admin Console absolutely allows you to edit guest user details.

We are set up in a Hybrid environment. We have a ton of mail-contacts on our on-prem Exchange environment as they are members of distribution groups. Because of that, group owners are running into the error stated in this thread.

 

Removing the mail-contact will allow the group owner to add the user as a guest but removing the contact removes DL membership. Our distribution groups are on-prem and don't see the guest users that are in-cloud as expected. Running an Add-DistributionGroupMember in the Office 365 PowerShell fails as the DLs are on-prem.

 

Seems to me that we need to re-create the distribution groups in the cloud in order for guests to be added?

 

The problem with that is we integrate our ERP system with Exchange via PowerShell scripts to build/update these lists nightly based on roles. The PowerShell is expecting to see the lists on-prem which won't work because of the guest in-cloud accounts.

 

The only workaround I've come up with is to delete the on-prem mail-contact, have the group owner add the user as a guest (in-cloud), then re-create the mail-contact (on-prem). This all works but we get dirsync errors about a dupe.

 

 Any cleaner way of doing this?

Thanks Todd for reaching out! I have sent you a private message. I will follow-up with you there.

Why don't you exclude the on-premises from being synchronized with AAD? That way you can have on-prem mail contacts that don't interfere with the creation of guest user accounts. It might be messy, but it would avoid the duplicate errors you are seeing now.

That's actually what we have been discussing internally but as you said, may get really messy.

 

 

I'm at a conference with Michael Van Hybrid today and asked him what he would do... He's contemplating the issue right now and might come up with a better solution. I shall let you know what he says.

I work at a large university and we sync all contacts campus wide (multiple email tenants). Simply hiding these external contacts just isn't an option for my organization. We really want to roll out groups, but without this functionality we simply can't move forward. Any ideas on when this feature may be available?

We have the same issue in our organization.  I hope they come up with a better solution.

We have a similar issue. 

 

My customer's organisation wants contacts in the GAL and distribution lists loaded from our CRM nightly. 

 

Yet we need to give people at those email addresses access to SharePoint / OneDrive etc. using Guest accounts. 

 

Currently we are still maintaining an on-prem instance of SharePoint for these external users to access. We are under pressure to decommission this farm due to a datacenter move. 

 

The only other option we have is to license our external users and sync their existing extranet AD accounts to Azure AD. We already tried that once and failed due to the contacts being duplicates and accounts taking precedence, which then removed the contacts from the distribution lists!

 

The guest accounts and mail-enabled contacts need to either co-exist or be merged as a single object which retains the DL membership. 

I couldn't agree more!  The guest access to groups is basically useless for my organization until it can coexist with Exchange contacts.  We have a ton of distribution lists and forwarding accounts.  

 

This push that Microsoft has to move distribution groups to Office 365 groups isn't going to work for us.  It's kind of annoying to tell the truth.  I don't see distribution groups or forwarding accounts going away anytime soon so this needs to be supported.  

Thanks folks for the feedback! This is something that we are actively working on for first half of 2017. We will keep you posted with updates.

Thanks for the update Sahil most appreciated. 

 

 

Wow this is a really big limitation. This afternoon I put aside time to move a bunch of our groups from Linux MailMan to 365 Groups and fell at the first hurdle. It is very probable that the sort of "guest" users you will want to add to such a group would already reside in the GAL as a contact. Especially an organisation that is membership based like we are.

 

Shame.

 

Be good when this is fixed.

 
