03-24-2020 01:53 PM
Greetings. We are trying to create a DDL from an on-premises AD security group that is replicating to our Azure AD. I have checked the Azure group, and it has all 3050 users in it that the on-prem group has. It is not mail-enabled.
The syntax we are trying to use is:
"((RecipientType -eq 'UserMailbox') -and (MemberOfGroup -eq 'CN=[OnPremAD_Groupname],OU=[OU for groups in location],OU=[OU for location],DC=[AD Domain],DC=com'))"
"((RecipientType -eq 'UserMailbox') -and (MemberOfGroup -eq 'CN=ActualGroupName,OU=Groups,OU=Memphis,DC=Contoso,DC=com'))"
When I successfully created a DDL before from members of an Office 365 Group, I needed to include the Object ID. For that I used the syntax:
"((RecipientType -eq 'UserMailbox') -and (MemberOfGroup -eq 'CN=[groupaliasname]_[group Object ID],OU=[company].onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR01A004,DC=prod,DC=outlook,DC=com'))"
Question #1, does the CN change for the AD group as it exists in the Azure AD? (I assume so)
Question #2, how do I list and see the CN of a group in the Azure AD? It is not listed in the attributes when I do a "Get-AzureADGroup -ObjectID (group) | fl"
Question #3, do I need to attach the Object ID of the group to the group name once I have the correct CN for the Azure AD group? (I assume so)
Thanks for any help you can provide.
03-25-2020 12:18 AM [Solution]
What you need to provide for the MemberOfGroup filter is the DistinguishedName of the group, which you can get from Get-Group/Get-DistributionGroup/etc. And yes, it does differ between on-premises and the cloud.
If your group is not mail-enabled though, chances are you will not be able to "see" it with any of the Exchange cmdlets, so that method will not work.
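The procedure the accepted answer describes, worked through end to end as an added example (this is not code from the thread or from Microsoft). It assumes an Exchange Online PowerShell session is already open, that the synced group is mail-enabled so Get-Group can see it, and that the group name, DDL name and OU placeholders below are stand-ins for real values:

```powershell
# Added example, not from the original thread. Assumes Connect-ExchangeOnline has
# already been run and that the synced group is visible to Exchange cmdlets.
$groupName = 'ActualGroupName'   # assumption: placeholder for the synced AD group
$ddlName   = 'DDL-Memphis'       # assumption: placeholder name for the new DDL

# 1. Resolve the cloud-side DistinguishedName. This is the value MemberOfGroup
#    needs; it is not the on-premises DN and is not shown by Get-AzureADGroup.
$grp = Get-Group -Identity $groupName -ErrorAction Stop
$dn  = $grp.DistinguishedName
Write-Host "Cloud DistinguishedName: $dn"

# 2. Build the recipient filter. The DN is embedded in a single-quoted OPATH
#    string, so any single quote inside it must be doubled.
$dnEscaped = $dn -replace "'", "''"
$filter = "((RecipientType -eq 'UserMailbox') -and (MemberOfGroup -eq '$dnEscaped'))"

# 3. Preview the filter before creating anything, and compare the hit count with
#    the group's actual mailbox members so a wrong DN (zero matches) is caught early.
$preview  = Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited
$expected = Get-DistributionGroupMember -Identity $groupName -ResultSize Unlimited |
            Where-Object { $_.RecipientType -eq 'UserMailbox' }
Write-Host ("Filter matches {0} recipients; group has {1} UserMailbox members" -f
            @($preview).Count, @($expected).Count)

$diff = Compare-Object -ReferenceObject @($expected | Select-Object -ExpandProperty PrimarySmtpAddress) `
                       -DifferenceObject @($preview  | Select-Object -ExpandProperty PrimarySmtpAddress)
if ($diff) {
    Write-Warning 'Preview does not match group membership; review before creating the DDL:'
    $diff | Format-Table -AutoSize
}

# 4. Create the DDL only once the preview looks right.
if (-not $diff -and @($preview).Count -gt 0) {
    New-DynamicDistributionGroup -Name $ddlName -Alias $ddlName -RecipientFilter $filter
    # Exchange stores the filter with extra exclusions appended; confirm what was saved.
    (Get-DynamicDistributionGroup -Identity $ddlName).RecipientFilter
}
```

The preview step is the check worth keeping: Get-Recipient -RecipientPreviewFilter evaluates the same OPATH string the DDL will use, so an empty result means the DistinguishedName is wrong (typically because the on-premises DN was pasted instead of the cloud one) rather than that the group is empty.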
03-25-2020 06:11 AM
Get-Group worked. That was the tip I needed! Thanks.
I'll try again with the AzureAD DistinguishedName, and if it still fails, I can make it mail-enabled.