Office 365 – Distribution List Migration Version 2.0 – Part 13

Enabling support for partially mail enabled distribution groups.

Mail enabled distribution and mail enabled security groups are extensions of the native Active Directory distribution and security groups. Mail enablement is the process of extending the group with Exchange specific attributes that allow the group to be utilized for mail flow.
In typical installations Exchange on-premises is utilized to mail enable the distribution groups. Azure Active Directory Connect then replicates the group with the extended attributes into Azure where a forward synchronization process creates the distribution group in Exchange Online. If you are using this module you are most likely familiar with the source of authority of attributes and how Azure AD Connect maintains these attributes between both directories.
I recently worked with a customer that was experiencing several migration failures. When reviewing the log files provided, the script was failing in multiple locations, each referencing missing attributes. In each instance the group was found in Office 365 and was mail enabled.
Here is a typical mail enabled distribution group from Active Directory when mail enabled through Exchange. The highlighted entries (the Exchange specific attributes such as legacyExchangeDN, mailNickname, the msExch* attributes, proxyAddresses and showInAddressBook) were created through the enablement process.
Getting 1 entries:
Dn: CN=aFullGroup,OU=MigrationTest,OU=DLConversion,DC=domain,DC=domain,DC=com
cn: aFullGroup;
displayName: aFullGroup;
distinguishedName: CN=aFullGroup,OU=MigrationTest,OU=DLConversion,DC=domain,DC=domain,DC=com;
dSCorePropagationData: 0x0 = ( );
groupType: 0x8 = ( UNIVERSAL_GROUP );
instanceType: 0x4 = ( WRITE );
legacyExchangeDN: /o=domain domain/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=a6034f00a6fa44fb8d42c41bcc3886f3-aFullGr;
mail: aFullGroup@domain.com;
mailNickname: aFullGroup;
msExchPoliciesIncluded (2): 11c1f0d3-7114-4275-ab8b-fc0db18d2164; {26491cfc-9e50-4857-861b-0cb8df22b5d7};
msExchRecipientDisplayType: 1;
msExchRequireAuthToSendTo: TRUE;
msExchUMDtmfMap (3): emailAddress:2385547687; lastNameFirstName:2385547687; firstNameLastName:2385547687;
msExchVersion: 44220983382016;
name: aFullGroup;
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=domain,DC=domain,DC=com;
objectClass (2): top; group;
objectGUID: e5eaef5e-72d2-42ab-bea5-748a3fe99cee;
objectSid: S-1-5-21-278042269-1514808692-1118015945-72208;
proxyAddresses (2): smtp:aFullGroup@domain.mail.onmicrosoft.com; SMTP:aFullGroup@domain.com;
reportToOriginator: TRUE;
sAMAccountName: aFullGroup;
sAMAccountType: 268435457 = ( NON_SECURITY_GROUP_OBJECT );
showInAddressBook (5): CN=Groups(VLV),CN=All System Address Lists,CN=Address Lists Container,CN=domain domain,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=domain,DC=com; CN=All Groups(VLV),CN=All System Address Lists,CN=Address Lists Container,CN=domain domain,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=domain,DC=com; CN=All Recipients(VLV),CN=All System Address Lists,CN=Address Lists Container,CN=domain domain,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=domain,DC=com; CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=domain domain,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=domain,DC=com; CN=All Distribution Lists,CN=All Address Lists,CN=Address Lists Container,CN=domain domain,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=domain,DC=com;
uSNChanged: 35656522;
uSNCreated: 35656507;
whenChanged: 3/7/2022 2:26:06 PM Coordinated Universal Time;
whenCreated: 3/7/2022 2:25:36 PM Coordinated Universal Time;

----------

When reviewing the attributes of the groups where migrations were attempted, only the following attributes are present. The group is not fully mail enabled.
Expanding base 'CN=aPartialGroup,OU=MigrationTest,OU=DLConversion,DC=domain,DC=domain,DC=com'...
Getting 1 entries:
Dn: CN=aPartialGroup,OU=MigrationTest,OU=DLConversion,DC=domain,DC=domain,DC=com
cn: aPartialGroup;
distinguishedName: CN=aPartialGroup,OU=MigrationTest,OU=DLConversion,DC=domain,DC=domain,DC=com;
dSCorePropagationData: 0x0 = ( );
groupType: 0x80000008 = ( UNIVERSAL_GROUP | SECURITY_ENABLED );
instanceType: 0x4 = ( WRITE );
mail: aPartialGroup@domain.com;
msExchHideFromAddressLists: TRUE;
name: aPartialGroup;
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=domain,DC=domain,DC=com;
objectClass (2): top; group;
objectGUID: 9f7376f9-4799-4bc6-a8e3-26ce045954ad;
objectSid: S-1-5-21-278042269-1514808692-1118015945-72209;
sAMAccountName: aPartialGroup;
sAMAccountType: 268435456 = ( GROUP_OBJECT );
uSNChanged: 33678207;
uSNCreated: 33678197;
whenChanged: 3/7/2022 2:34:29 PM Coordinated Universal Time;
whenCreated: 3/7/2022 2:33:38 PM Coordinated Universal Time;

----------

The group with partial attributes does appear in Exchange Online as a valid distribution group.
PS C:\Users\timmcmic> Get-DistributionGroup apartialgroup | select name,primarySMTPAddress

Name          PrimarySmtpAddress
----          ------------------
aPartialGroup aPartialGroup@domain.com
The Azure proxy calculation process and the Exchange Online forward synchronization process do not necessarily require a full attribute set in order to mail enable a synchronized object. In this instance the combination of the mail attribute plus msExchHideFromAddressLists was enough to have the group represented as a distribution list in Exchange Online. This customer had written a custom on-premises distribution list provisioning process to account for the decommissioning of Exchange, which explains the partial attribute set being present in Active Directory.
To allow for seamless migrations of these partial distribution groups, the code has been adjusted to account for the missing on-premises attributes. The new code requires that the group be found in both Active Directory and Exchange Online. For each attribute that is used or calculated, if the attribute is not present in Active Directory the value from Exchange Online is utilized.

Here is a sample line from the log file where the alias from Office 365 was substituted for the missing mailNickname attribute from Active Directory.

[3/7/2022 8:59:16 PM] – On premises group does not have alias / mail nick name -> using Office 365 value.
Using attributes that exist on the Office 365 object allows us to account for non-standard provisioning scenarios and scenarios where not all of the expected attributes are present.
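The fallback described above, as an added PowerShell example that is not code from the migration module or this post. The on-premises to Exchange Online property mapping and the two sample objects are assumptions constructed to mirror the aPartialGroup listing; in a real run the inputs would come from Get-ADGroup and Get-DistributionGroup.

```powershell
# Added example, not code from the migration module or the post. It mirrors the
# fallback described above: keep the on-premises value when Active Directory has
# it, otherwise use the Exchange Online value and log the substitution. Both
# inputs are constructed; in practice use Get-ADGroup -Properties * and Get-DistributionGroup.

# On-premises attribute -> Exchange Online property carrying the same value (assumed mapping).
$attributeMap = [ordered]@{
    mailNickname               = 'Alias'
    displayName                = 'DisplayName'
    legacyExchangeDN           = 'LegacyExchangeDN'
    msExchRequireAuthToSendTo  = 'RequireSenderAuthenticationEnabled'
    reportToOriginator         = 'ReportToOriginatorEnabled'
    msExchHideFromAddressLists = 'HiddenFromAddressListsEnabled'
}

function Merge-GroupAttributes {
    param(
        [Parameter(Mandatory)] $OnPremisesGroup,  # object using AD attribute names
        [Parameter(Mandatory)] $Office365Group,   # object using Exchange Online names
        [string] $LogPath                         # optional log file, else console
    )
    $merged = [ordered]@{}
    foreach ($attribute in $attributeMap.Keys) {
        $adValue = $OnPremisesGroup.$attribute
        if ($null -ne $adValue -and "$adValue" -ne '') {
            $merged[$attribute] = $adValue
            continue
        }
        # Same style as the module log line quoted above, so substitutions stay auditable.
        $stamp = Get-Date -Format 'M/d/yyyy h:mm:ss tt'
        $line  = "[$stamp] - On premises group does not have $attribute -> using Office 365 value."
        if ($LogPath) { Add-Content -Path $LogPath -Value $line } else { Write-Host $line }
        $merged[$attribute] = $Office365Group.($attributeMap[$attribute])
    }
    [pscustomobject]$merged
}

# Constructed sample objects mirroring the aPartialGroup listing: only mail and
# msExchHideFromAddressLists exist on-premises; Exchange Online holds the full set.
$adGroup = [pscustomobject]@{
    name = 'aPartialGroup'; mail = 'aPartialGroup@domain.com'; msExchHideFromAddressLists = $true
}
$exoGroup = [pscustomobject]@{
    Alias = 'aPartialGroup'; DisplayName = 'aPartialGroup'
    LegacyExchangeDN = '/o=CONSTRUCTED/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=placeholder'
    RequireSenderAuthenticationEnabled = $true; ReportToOriginatorEnabled = $true
    HiddenFromAddressListsEnabled = $true
}
Merge-GroupAttributes -OnPremisesGroup $adGroup -Office365Group $exoGroup | Format-List
```

Running it prints one substitution line per attribute missing on-premises (five for this sample) and returns the merged attribute set, which is the data the migration would then work from.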