Conditional Access
2 Topics

CA using nested DDL
- I started off by creating a new DDL using the below command:

    PS C:\WINDOWS\system32> New-DynamicDistributionGroup -Name "NewDG" -RecipientFilter "(RecipientTypeDetails -eq 'UserMailbox') -and (CustomAttribute1 -like 'DGTEST*')"

    Name  ManagedBy
    ----  ---------
    NewDG

- Checking the recipient filter the below is returned:

    PS C:\WINDOWS\system32> Get-DynamicDistributionGroup -Identity "NewDG"|FL RecipientFilter

    RecipientFilter : ((((RecipientTypeDetails -eq 'UserMailbox') -and (CustomAttribute1 -like 'DGTEST*'))) -and (-not(Name -like 'SystemMailbox{*')) -and (-not(Name -like 'CAS_{*')) -and (-not(RecipientTypeDetailsValue -eq 'MailboxPlan')) -and (-not(RecipientTypeDetailsValue -eq 'DiscoveryMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'PublicFolderMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'ArbitrationMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'AuditLogMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'AuxAuditLogMailbox')) -and (-not(RecipientTypeDetailsValue -eq 'SupervisoryReviewPolicyMailbox')))

- Members for the DDL show empty:

    PS C:\WINDOWS\system32> Get-DynamicDistributionGroupMember -Identity NewDG

- Custom attribute for the user showing populated as below:

    PS C:\WINDOWS\system32> Get-Mailbox User1 |FL CustomAttribute1

    CustomAttribute1 : DGTEST

- Forced Refresh using PS as below:

    PS C:\WINDOWS\system32> Set-DynamicDistributionGroup -Identity NewDG -ForceMembershipRefresh

- Now showing members:

    PS C:\WINDOWS\system32> Get-DynamicDistributionGroupMember -Identity "NewDG"

    Name  RecipientType
    ----  -------------
    User1 UserMailbox

- When trying to check recipient filter/membership using the command:

    PS C:\WINDOWS\system32> $FTE = Get-DynamicDistributionGroup -Identity "NewDG"
    PS C:\WINDOWS\system32> Get-Recipient -RecipientPreviewFilter ($FTE.RecipientFilter)

- DDG was added as a member of DL, DL is added in a Conditional Access policy to enforce MFA. However, only direct members of the Group are enforced to use MFA, not nested DDL group members, despite MS documentation stating that both DDL and nested memberships are supported.

- In Azure Sign in portal, MFA CA policy says not applied.

- Details show user assignment not matched i.e. not included in scope.

221 Views, 0 likes, 0 Comments

Protecting Exchange 2016 with Azure Active Directory
I've recently had multiple customers who can't move some/all of their mailboxes to Exchange Online and are instead moving to Exchange 2016/2019 on-premises, but would still like to make use of the identity/security features provided by the Microsoft cloud, so I wrote a series of blogs showing how Hybrid Modern Authentication, along with Azure AD Conditional Access and Azure Application Proxy could be used to secure an on-premises Exchange 2016 organisation.

https://mikeparker365.wordpress.com/2018/09/17/how-to-secure-exchange-2016-with-azure-ad-part-1-authenticating-owa-with-kerberos/
https://mikeparker365.wordpress.com/2018/09/19/how-to-secure-exchange-2016-with-azure-ad-part-2-hybrid-modern-authentication/
https://mikeparker365.wordpress.com/2018/09/25/how-to-secure-exchange-2016-with-azure-ad-part-3-azure-application-proxy/

Hope this is an interesting read, let me know if you have any questions, comments or corrections!

Mike

8K Views, 2 likes, 2 Comments