Duplicating an on-prem mail-enabled security group as a cloud DL

Many Office 365 customers run into problems in a non-hybrid (simple coexistence) configuration where they used to have on-premises mail-enabled security groups, but allowed the group owners to update membership through the GAL in Outlook (with the Modify Members button).

Once these groups are synced to the cloud and the users are migrated along with them, the groups can only be managed from on-prem, and the Modify Members button in the Outlook GAL no longer works.

Typically I advise people to replicate the group in the cloud and remove it on-prem (or mail-disable it, if it truly was used as a security group) so that the users keep the same functionality in Outlook in the cloud.

This PowerShell script duplicates a group that was DirSynced to the cloud: it creates a new cloud distribution group with the same name but a trailing period (which you'll need to remove later) and copies the owner, restricted list, allow lists and members.

# Replicate-OnPremSecurityGroupAsCloudDistributionGroup.ps1
param(
    [Parameter(Position=0, Mandatory = $true, HelpMessage="Identify the source mail-enabled security group that you will be migrating")]
    [String] $Group
)

# Check to see if EXO PowerShell commands are already present; if so we don't need to connect to the tenant again.
if (!(Get-PSSession | Where-Object {$_.ConfigurationName -match "Microsoft.Exchange"}))
{
    # Connect to MSOnline
    $cred = Get-Credential -Message "Office 365 admin credentials"
    if(!(Get-Module -Name MSOnline)){Import-Module MSOnline}
    Connect-MsolService -Credential $cred

    # Connect to Exchange Online
    $msoExchangeURL = "https://ps.outlook.com/powershell/"
    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $msoExchangeURL -Credential $cred -Authentication Basic -AllowRedirection
    Import-PSSession $session
}

# get the on-prem mail-enabled security group as it appears in the tenant
# (-match is a regex/substring test, so check that exactly one group came back)
$from = @(Get-DistributionGroup | Where-Object {$_.DisplayName -match $Group})

# confirm the group exists (and that the name didn't match several groups)
if ($from.Count -eq 0) {Write-Host -ForegroundColor Red "Group Does not Exist!"; exit}
if ($from.Count -gt 1) {Write-Host -ForegroundColor Red "More than one group matched '$Group': $($from.DisplayName -join ', ')"; exit}
$from = $from[0]

# create the new Distribution Group with the same name but add a period (.) to the end of the name since 2 groups can't have the same name in the tenant.
# The primary SMTP address must be unique as well, so a "2" is appended to the local part.
$fromSMTP = $from.PrimarySmtpAddress.ToString().Split("@")
$prefix = $fromSMTP[0]
$suffix = $fromSMTP[1]
$two = "2"
$newSMTP = "$prefix$two@$suffix"

$to = New-DistributionGroup -Name "$($from.Name)." -ManagedBy $from.ManagedBy -Notes "CloudDL" -PrimarySmtpAddress $newSMTP
$toGroupID = [string]$to.Guid

#Write-Host -ForegroundColor Green "Created new Distribution Group" $to

# apply the AcceptMessagesOnlyFrom / RejectMessagesFrom array values to the new group
Set-DistributionGroup -Identity $toGroupID -AcceptMessagesOnlyFrom $from.AcceptMessagesOnlyFrom -AcceptMessagesOnlyFromDLMembers $from.AcceptMessagesOnlyFromDLMembers
Set-DistributionGroup -Identity $toGroupID -RejectMessagesFrom $from.RejectMessagesFrom -RejectMessagesFromDLMembers $from.RejectMessagesFromDLMembers

# capture the member list from the original group (default result size is 1000, so ask for all of them)
$fromGroupID = [string]$from.Guid
$fromMembers = Get-DistributionGroupMember -Identity $fromGroupID -ResultSize Unlimited

# apply the member list to the new group
foreach ($member in $fromMembers)
{Add-DistributionGroupMember -Identity $toGroupID -Member $member.PrimarySmtpAddress}

# remove the ProxyAddresses, Alias and mail AD attributes from the original group on-prem, or delete it altogether
# this needs to be done with either the Quest ActiveRoles AD PowerShell plugins or the ActiveDirectory PowerShell module, or do it manually

Write-Host -ForegroundColor Red "Don't forget to remove Proxy, alias, mail from on-prem, sync, check it's gone from cloud, then remove the trailing period"
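The follow-up steps the script leaves as a manual task, as an added example that is not part of the original post: clearing the mail attributes from the on-prem group with the ActiveDirectory module, then, once the synced copy has disappeared from the tenant, dropping the trailing period and giving the cloud DL its original address. It assumes an open Exchange Online session and the ActiveDirectory module on-prem; `$Name`, `$OriginalSmtp`, the two function names are mine, and the X500 step goes one step beyond the post.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# on-prem and an existing Exchange Online session. $Name is the group name
# without the trailing period; $OriginalSmtp is the address the synced group used.
param(
    [Parameter(Mandatory = $true)] [string] $Name,
    [Parameter(Mandatory = $true)] [string] $OriginalSmtp
)

# Step 1 (on-prem): clear mail, mailNickname (the alias) and proxyAddresses so
# DirSync stops presenting the security group as a mail-enabled recipient.
# The group object itself, and its security memberships, are left in place.
function Remove-OnPremMailAttributes {
    param([string] $GroupName)
    $adGroup = Get-ADGroup -Filter "Name -eq '$GroupName'" -Properties mail, mailNickname, proxyAddresses, legacyExchangeDN
    if (-not $adGroup) { throw "No on-prem group named '$GroupName'" }
    $legacyDn = $adGroup.legacyExchangeDN   # kept so the cloud DL can carry it as an X500 address
    Set-ADGroup -Identity $adGroup -Clear mail, mailNickname, proxyAddresses
    return $legacyDn
}

# Step 2 (cloud, after a sync cycle): rename only once the synced copy is gone;
# until then the name and SMTP address are still taken by the old object.
function Complete-CloudDLRename {
    param([string] $GroupName, [string] $Smtp, [string] $LegacyDn)
    $old = Get-DistributionGroup -Identity $Smtp -ErrorAction SilentlyContinue
    if ($old) {
        Write-Warning "Synced copy '$Smtp' is still in the tenant; wait for DirSync and retry."
        return $false
    }
    $new = Get-DistributionGroup -Identity "$GroupName." -ErrorAction Stop
    # drop the trailing period and hand the original address back to the cloud DL
    Set-DistributionGroup -Identity $new.Guid.ToString() -Name $GroupName -DisplayName $GroupName `
        -Alias $GroupName.Replace(' ', '') -PrimarySmtpAddress $Smtp
    if ($LegacyDn) {
        # the old legacyExchangeDN as X500 keeps replies to old mail and cached nicknames resolving
        Set-DistributionGroup -Identity $Smtp -EmailAddresses @{Add = "X500:$LegacyDn"}
    }
    return $true
}

$legacyDn = Remove-OnPremMailAttributes -GroupName $Name
Write-Host -ForegroundColor Yellow "Mail attributes cleared on-prem. Run a sync, then call Complete-CloudDLRename."
# after the sync: Complete-CloudDLRename -GroupName $Name -Smtp $OriginalSmtp -LegacyDn $legacyDn
```

Complete-CloudDLRename returns $false (and changes nothing) while the synced object is still visible, so it can be re-run until the sync has caught up.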


Comments (1)

  1. utp12004 says:

    Why does this script end up saying "Group Does not Exist!"? I can find the group on-prem and DirSynced.