
Azure AD Security Group - Can I mail enable the group?

Is there any way to mail-enable an Azure AD security group? This group is built in Azure AD to take advantage of the robust dynamic membership capabilities, and we would like to mail-enable it, but not make it an Office 365 group. We do not want it to have a SharePoint or Planner or any of the other stuff that comes with an Office 365 group. We just want the dynamic membership capabilities of the Azure security group, as well as mail delivery to the group members. When creating the group it only gave us a slider that said enable Office features yes/no and I chose no.

6 Replies
best response confirmed by VI_Migration (Silver Contributor)
Solution

Nope, you cannot have it all. If you want it to stay dynamic and use it as a security principal, it cannot be mail-enabled. If you scrap the dynamic part, you can create a mail-enabled security group in Exchange. If you can live without the security part, create a dynamic DG in Exchange.

Thanks @Vasil Michev. That is what I suspected. When going with the Dynamic DG in Exchange Admin Center I only have a couple of options, Company, State, Department to choose from. Any way for me to use the Office Location instead without copying it to a custom attribute?

Actually, I think I found the PowerShell commands.

New-DynamicDistributionGroup -Name "#Test2" -RecipientFilter {(RecipientType -eq 'UserMailbox') -and (OFFICE -eq 'TEST OFFICE')}

Yup, as usual the UI only exposes some options; if you want better granularity you have to use PowerShell. Office, department, even "domain" can all be used to create a DDG. The problem with those, however, is that you cannot use them to delegate permissions - they are not a security principal.

Yes, this will work. You can use an OPATH filter in -RecipientFilter.
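An added example, not part of the original thread: creating the Office-filtered dynamic distribution group discussed above, previewing who the stored filter actually resolves to, and limiting who may send to it. It assumes an open Exchange Online PowerShell session; the group name and office value are constructed placeholders.

```powershell
# Assumption: Connect-ExchangeOnline has already been run in this session.
# Constructed placeholder values; replace with your own.
$name   = 'DDG-TestOffice'
$office = 'TEST OFFICE'
$filter = "(RecipientType -eq 'UserMailbox') -and (Office -eq '$office')"

# Create the group only if it does not already exist.
$ddg = Get-DynamicDistributionGroup -Identity $name -ErrorAction SilentlyContinue
if (-not $ddg) {
    New-DynamicDistributionGroup -Name $name -RecipientFilter $filter | Out-Null
    $ddg = Get-DynamicDistributionGroup -Identity $name
}

# Exchange rewrites the filter when it stores it, so preview the stored
# filter, not the string typed above.
$members = Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter `
                         -OrganizationalUnit $ddg.RecipientContainer `
                         -ResultSize Unlimited

$members |
    Sort-Object DisplayName |
    Select-Object DisplayName, PrimarySmtpAddress, Office |
    Format-Table -AutoSize

# Membership follows whatever is in each user's Office attribute, so a
# mistyped or stale value silently adds or drops recipients. Flag results
# that do not match the intended office exactly.
$unexpected = $members | Where-Object { $_.Office -ne $office }
if ($unexpected) {
    Write-Warning "$(@($unexpected).Count) recipient(s) matched with an unexpected Office value"
    $unexpected | Select-Object DisplayName, Office
}

# A DDG is a mail target only (not a security principal), so the control
# that matters is who can send to it: require authenticated senders.
Set-DynamicDistributionGroup -Identity $name -RequireSenderAuthenticationEnabled $true

Get-DynamicDistributionGroup -Identity $name |
    Format-List Name, RecipientFilter, RequireSenderAuthenticationEnabled
```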

@Vasil Michev Have there been any changes on mail-enabling dynamic Azure security groups? In our use case, we need dynamic mail-enabled groups to assign sensitivity labels and Exchange Dynamic Groups don't work for that and I don't want to create a Microsoft 365 Group with all of its trimmings.
