Working with hybrid- AND cloud only users

In our environment we have one batch of users who are cloud only, in Azure AD, and one batch who are connected to our on-prem AD and migrated to the cloud. These two batches of users have different domains, but belong to the same organization.

We have the default setting for calendar sharing set to reviewer. Now I would like to change this so that the AAD users have "Availability only" access to AD users and vice versa.

The only way I can think of to do this is to make a dynamic distribution group with all AD users and set AD users default sharing to "Availability only". Then give that ddl "Reviewer" rights. And on the AAD users default would have to be "Reviewer" and then give that ddl "availability only" rights. Possibly?
I feel like there should be a better way? I find it difficult to work with the AAD users and Exchange Online sometimes. I must be missing something. Anyone have any thoughts or ideas?

4 Replies

You cannot use Dynamic DGs for that, they are not valid security principals and cannot be used for anything permission related. You'll have to create mail-enabled security groups and maintain their membership accordingly.

@Vasil Michev 

Thank you for your answer. 

So there is no way to automate this without using 3rd party software? 

Not sure how third-party software will help here...

Sorry - I meant adding to the script creating new users to make them a member of the mail-enabled security group.
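
Added example, not posted by anyone in this thread: one way to script the approach discussed above, with one mail-enabled security group per user population, membership kept in sync by primary SMTP domain, and calendar permissions set so that Default gets "Availability only" and the mailbox's own population gets Reviewer. The group addresses and domains are placeholders, and an existing Connect-ExchangeOnline session is assumed.

```powershell
# Added example. Group addresses and domains below are placeholders (assumptions).
# Assumes the ExchangeOnlineManagement module and an active Connect-ExchangeOnline session.
$populations = @(
    @{ Group = 'cal-hybrid@onprem.example'; Domain = 'onprem.example' }
    @{ Group = 'cal-cloud@cloud.example';   Domain = 'cloud.example' }
)
$allMailboxes = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited

foreach ($p in $populations) {
    # A mail-enabled security group is a valid security principal; a dynamic DG is not.
    if (-not (Get-DistributionGroup -Identity $p.Group -ErrorAction SilentlyContinue)) {
        $name = $p.Group.Split('@')[0]
        New-DistributionGroup -Name $name -PrimarySmtpAddress $p.Group -Type Security | Out-Null
    }
    $members = @(Get-DistributionGroupMember -Identity $p.Group -ResultSize Unlimited |
        ForEach-Object { [string]$_.PrimarySmtpAddress })

    # The two populations are told apart by their primary SMTP domain.
    $mailboxes = $allMailboxes |
        Where-Object { [string]$_.PrimarySmtpAddress -like "*@$($p.Domain)" }

    foreach ($mbx in $mailboxes) {
        $smtp = [string]$mbx.PrimarySmtpAddress
        if ($members -notcontains $smtp) {
            Add-DistributionGroupMember -Identity $p.Group -Member $smtp
        }

        # The calendar folder name is localized, so resolve it instead of assuming "Calendar".
        $cal = Get-MailboxFolderStatistics -Identity $smtp -FolderScope Calendar |
            Where-Object { $_.FolderType -eq 'Calendar' } | Select-Object -First 1
        $folder = "${smtp}:\$($cal.Name)"

        # Everyone outside the mailbox's own population sees free/busy only.
        Set-MailboxFolderPermission -Identity $folder -User Default -AccessRights AvailabilityOnly

        # The mailbox's own population keeps Reviewer through the security group.
        $existing = Get-MailboxFolderPermission -Identity $folder -User $p.Group -ErrorAction SilentlyContinue
        if ($existing) {
            Set-MailboxFolderPermission -Identity $folder -User $p.Group -AccessRights Reviewer
        } else {
            Add-MailboxFolderPermission -Identity $folder -User $p.Group -AccessRights Reviewer
        }
    }
}
```

The script only adds missing members and permissions, so it can be rerun from the user-creation script or on a schedule; removing users who leave a population is not handled here.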