cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Mail-enabled security groups

DiVojich
Brass Contributor

‎May 27 2020 06:12 AM

‎May 27 2020 06:12 AM

Mail-enabled security groups

Hi all,

I have several questions regarding mail-enabled security groups.

1.) can I use local AD groups & cloud-only groups for granting access
to SPO or I have to use cloud-only?
2.) are there any reasons not to use local sec groups?

Are local sec groups, not mail-enabled & can or can't you use them as DL's?
3.) if I buy EMS E3 licenses, could I do "dynamic-attribute based sec
group assignment? Would that only work for Azure cloud-only, or could it work
local sec groups synced to azure?

 

Kind regards,

Labels:
4,166 Views
0 Likes
2 Replies
Reply
2 Replies
Vasil Michev

‎May 27 2020 08:58 AM

‎May 27 2020 08:58 AM

Re: Mail-enabled security groups

You should be able to use synced ones just fine, but only mail-enabled ones. Dynamic membership is only for cloud-created ones.

0 Likes
Reply
aliat_IMANAMI

‎Jul 08 2021 08:29 AM - edited ‎Jul 08 2021 09:53 AM

‎Jul 08 2021 08:29 AM - edited ‎Jul 08 2021 09:53 AM

Re: Mail-enabled security groups

@DiVojich 

 
PFA answer to your questions and a recommended solution:
 
1.) Can I use local AD groups & cloud-only groups for granting access to SPO or I have to use cloud-only?
 
Sharepoint Online only links to cloud groups (exchange online).
 
2.) Are there any reasons not to use local sec groups?
You can certainly use local security groups to manage access for all on-premise resources.
 
2)Are local sec groups, not mail-enabled & can or can't you use them as DL's?
 
Local security groups can be mail-enabled via Power Shell, Provisioning new security groups can be mail-enabled upon creation. These groups can be used for emails like a Distribution List. In Fact Microsoft started to promote the use of mail-enabled security groups but the adaption rate did not turn that well.
 
3.) if I buy EMS E3 licenses, could I do "dynamic-attribute based sec group assignment? Would that only work for Azure cloud-only, or could it work local sec groups synced to azure?
 
Microsoft will only allow dynamic group memberships for a certain group type and it's available only for Cloud Groups (Exchange Online), With on-premise Exchange there is the option of QBDL (Query-Based Distribution List) that provides similar features, however, its limited in functionality as opposed to a regular DL or Security Group.
 
I have used multiple third-party platforms, which offers the capabilities to automate building dynamic-attribute based Security Groups (Mail-Enabled) / Distribution List or cloud-only Microsoft 365 Groups and Azure AD Security Groups.
 
Moreover,  their automate features can convert existing Groups into Smart Groups where memberships can be based on an LDAP filter. It can also plug two sources to feed the LDAP filter for accurate memberships. Let me know if you have any further questions.
 
 
0 Likes
Reply