Hybrid environment. Created a Mail-Enabled Security Group (MESG) on-prem. No issues with sync. Can receive mail to the group both externally and internally.
Purpose of the group was to create an email address to use as a SendAs for a DoNotReply mailbox (i.e. we want the email to arrive from 'backup' vs DoNotReply. As is probably known, if one creates an alias for backup on DoNotReply (DNR being default), the email will be shown as received from DNR). Wanted to avoid a user mailbox.
It appears this is feasible/supported. Within 365, can assign the MESG as a Trustee to the DoNotReply (unlike a contact, for example). However, mail does not flow as anticipated (mail will return with 554 5.2.0 Exception:SendAsDeniedException.MapiExceptionSendAsDenied;).
Validated without issue by adding/subtracting an individual mailbox for the same functionality.
Additionally, in this deployment the DoNotReply account is used with an SMTP mail relay.
Again, the mail flow, etc. is functional, other than wanting to use a SendAs trustee of a MESG. The only interesting observation is that if a user is added as Trustee, the full email address is reflected as Trustee (email@example.com). The MESG is added, but it reflects the DisplayName only (not @domain.com). Used PS to remove and re-add the trustee specifically by MESG Primary SMTP Address with success, yet the output reflects the name only.