Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

Best way to setup a process for emailing a dynamic security group in Office 365

Copper Contributor

Question for the Hive Mind. As the title suggests, I am trying to setup a process for emailing a dynamic security group in Azure AD. The dynamic security group is for all active users, excluding users with specific job titles (Service Accounts, etc). As any organization, we have a lot of new and terminated users, so I need a security group that automatically updates based on my defined variables. I'd like to send out communications to this security group via email and I thought I would be able to create a Office 365 group and tie it to a security group - silly me for thinking that would be a logical thing to do.

I know mail-enabled security groups and dynamic distribution groups are a thing in EAC, but they seem convoluted in setting up and each are not a tenable solution. Mail-enabled sec groups do not allow adding other security groups or adding users dynamically via rule attributes. Dynamic distribution lists allow rule based attributes, but I don't understand their "Custom Attribute" defined words and how they relate to a user account.

Advice?

4 Replies
best response confirmed by Thomas Stensitzki (MVP)
Solution

Dynamic security groups are not mail enabled, so you cannot use them for that purpose. You can create an Office 365 Group with dynamic membership from the same place though, and that will do the trick.

 

And to correct your latter statement - you can add other security groups as a member of mail-enabled security group, however as those are not recognized as valid Exchange recipients, you will still not be able to use them for email purposes. 

@Vasil Michev I would prefer not to use an Office 365 Group, as its not meant to be collaborative or social based. This dynamic group is solely meant for communications. 

 

Looks like my only route here is creating a dynamic distribution group using rules. I don't understand what the custom attributes (1-15) point to in the attributes of the Azure AD user accounts? When I create a dynamic security group, I can point to attributes such as "jobTitle" and a value in that field. Can someone please explain that?

You can. The UI limits you to just a handful of attributes, user PowerShell and the New-DynamicDistributionGroup cmdlet instead.

@Vasil Michev the downside is that users cannot expand such lists to select individual members unfortunately.

1 best response

Accepted Solutions
best response confirmed by Thomas Stensitzki (MVP)
Solution

Dynamic security groups are not mail enabled, so you cannot use them for that purpose. You can create an Office 365 Group with dynamic membership from the same place though, and that will do the trick.

 

And to correct your latter statement - you can add other security groups as a member of mail-enabled security group, however as those are not recognized as valid Exchange recipients, you will still not be able to use them for email purposes. 

View solution in original post