Create an Office 365 Dynamic Distribution List from members of an Azure AD Security Group

Occasional Contributor

Greetings.  We are trying to create a DDL from an on premise AD security group that is replicating to our Azure AD.  I have checked the Azure group, and it has all 3050 users in it that the OnPrem group has.  It is not mail enabled.


The syntax we are trying to use is:

"((RecipientType -eq 'UserMailbox') -and (MemberOfGroup -eq 'CN=[OnPremAD_Groupname],OU=[OU for groups in location],OU=[OU for location],DC=[AD Domain],DC=com'))"



"((RecipientType -eq 'UserMailbox') -and (MemberOfGroup -eq 'CN=ActualGroupName,OU=Groups,OU=Memphis,DC=Contoso,DC=com'))"


When I successfully created a DDL before from members of an Office 365 Group, I needed to include the Object ID.  For that I used the syntax:

"((RecipientType -eq 'UserMailbox') -and (MemberOfGroup -eq 'CN=[groupaliasname]_[group Object ID],OU=[company],OU=Microsoft Exchange Hosted Organizations,DC=NAMPR01A004,DC=prod,DC=outlook,DC=com'))"


Question #1, does the CN change for the AD group as it exists in the Azure AD? (I assume so)

Question #2, how do I list and see the CN of a group in the Azure AD?  It is not listed in the attributes when I do a "Get-AzureADGroup -ObjectID (group) | fl"

Question #3, do I need to attache the Object ID of the group to the group name once I have the correct CN for the Azure AD group? (I assume so)


Thanks for any help you can provide.




3 Replies
best response confirmed by DougTraylor (Occasional Contributor)

What you need to provide for the MemberOfGroup filter is the DistinguishedName of the group, which you can get from Get-Group/Get-DistributionGroup/etc. And yes, it does differ between on-premises and the cloud.


If your group is not mail-enabled though, chances are you will not be able to "see" it with any of the Exchange cmdlets, so that method will not work. 

Get-Group worked.  That was the tip I needed! Thanks. 

I'll try again with the AzureAD DistinguishedName, and if it still fails, I can make it mail-enabled.


Thanks again.



In my opinion the answers to the above question are,
1) Yes the CN value changes for the Active Directory Groups after migration to the cloud (Azure AD).

2) Microsoft has restricted the exposure of CN in Azure Schema. In my opinion, Azure Objects lack OU structure.

Moreover, It's simply not exposed anywhere. But as CN is practically a part of the DistinguishedName attribute, you can get it from the value of the attribute onPremisesDistinguishedName, which is available via the Graph or Azure AD (Get-AzureADUserExtension, or group extension property).

3) Yes attaching the Object ID of the group to the group name once you have the correct CN for the Azure AD group, would work.