    Managing Distribution Groups in an Exchange Hybrid Environment

    • EddieJennings

      We're going through a transition from Exchange On-Premises to Exchange Online (though, we won't be 100% Exchange Online because $reasons), and I'm curious about how those with functional hybrid environments handle this situation.

      We have some distribution groups that are user managed through the Outlook client. Once that user's mailbox is migrated to Exchange Online, they are no longer able to manage said distribution group from Outlook.

      From what I have gathered, there are two approaches to allow the user-management of the distribution groups.

      1. Since the on-premises bits of Exchange aren't going away nor is on-prem AD, I can set up some role-based access control to where these users would log into the on-premises Exchange admin center to alter the distribution group membership.

      2. Delete the on-premises distribution group and recreate the distribution group in Exchange Online.

      The challenges I see with the first approach are user training, and the fact that the changes made to the distribution group aren't immediately reflected in the Azure directory, since changes would have to wait until the next AAD sync.

      One challenge I see with the second approach is the fact that we're going to have a group object that exists in AAD that doesn't exist in the on-prem directory. That in itself might not be a problem, but in general our on-prem directory is the source of authoritative information, so methinks it would be wise to keep it and Azure in-sync.

      • jt1001001

        I am going through the same headache. We have decided to opt for option 2 as we figure someday we will be out of hybrid mode and better do it now than later. We do see the issue with keeping both in sync but so long as we (I-T) keep good documentation it should not be an issue.

        • Dashrender

          Here's a better question - have you limited who can make groups in Exchange/Teams/Sharepoint, etc?

          I'm looking to start an O365 migration relatively soon, and I think this is one thing I will do - limit creation to only a few.

          • dbeato @EddieJennings

            @EddieJennings Let me start by saying that the success of having a working Exchange Hybrid Environment with Office 365 is this kind of planning/questioning so there are no gotchas.

            My recommendation would be to use option 1. Option 2 causes problems for the users in the on-prem Exchange. They will not be able to send emails to those distribution groups in Office 365 as it will not match between the two environments. The AAD Sync is about every 30 minutes so it should not be that bad.

            • dbeato

              In the environments we manage we set up the Distribution Groups for our customers so it is a little easier for us.

              • Dashrender

                Man.. Ditch local Outlook - move to Outlook on the web only.. huge problems solved.

                • EddieJennings @dbeato

                  @dbeato said in Managing Distribution Groups in an Exchange Hybrid Environment:

                  @EddieJennings Let me start by saying that the success of having a working Exchange Hybrid Environment with Office 365 is this kind of planning/questioning so there are no gotchas.

                  I agree completely. This whole project has moved far too fast for appropriate planning.

                  My recommendation would be to use option 1. Option 2 causes problems for the users in the on-prem Exchange. They will not be able to send emails to those distribution groups in Office 365 as it will not match between the two environments. The AAD Sync is about every 30 minutes so it should not be that bad.

                  I'm leaning toward the first option as well.

                  • EddieJennings @Dashrender

                    @Dashrender said in Managing Distribution Groups in an Exchange Hybrid Environment:

                    Here's a better question - have you limited who can make groups in Exchange/Teams/Sharepoint, etc?

                    I'm looking to start an O365 migration relatively soon, and I think this is one thing I will do - limit creation to only a few.

                    We should be. It's something I need to verify.

                    • Dashrender @EddieJennings

                      @EddieJennings said in Managing Distribution Groups in an Exchange Hybrid Environment:

                      @Dashrender said in Managing Distribution Groups in an Exchange Hybrid Environment:

                      Here's a better question - have you limited who can make groups in Exchange/Teams/Sharepoint, etc?

                      I'm looking to start an O365 migration relatively soon, and I think this is one thing I will do - limit creation to only a few.

                      We should be. It's something I need to verify.

                      It's not the default. By default anyone can add any group they want - and add users to those groups of anyone (i.e. email addresses not in your company) which ends up making your user list a giant mess (at least in my opinion).

                      • EddieJennings @Dashrender

                        @Dashrender said in Managing Distribution Groups in an Exchange Hybrid Environment:

                        Man.. Ditch local Outlook - move to Outlook on the web only.. huge problems solved.

                        I wish we could do that. The amount of time it would take for top-down buy-in for that far exceeds how long I'll be at this company 😛

                        • EddieJennings @Dashrender

                          @Dashrender said in Managing Distribution Groups in an Exchange Hybrid Environment:

                          @EddieJennings said in Managing Distribution Groups in an Exchange Hybrid Environment:

                          @Dashrender said in Managing Distribution Groups in an Exchange Hybrid Environment:

                          Here's a better question - have you limited who can make groups in Exchange/Teams/Sharepoint, etc?

                          I'm looking to start an O365 migration relatively soon, and I think this is one thing I will do - limit creation to only a few.

                          We should be. It's something I need to verify.

                          It's not the default. By default anyone can add any group they want - and add users to those groups of anyone (i.e. email addresses not in your company) which ends up making your user list a giant mess (at least in my opinion).

                          That I know (it not being the default). And yes, it will lead to a giant mess.

                          • Dashrender @EddieJennings

                            @EddieJennings said in Managing Distribution Groups in an Exchange Hybrid Environment:

                            @Dashrender said in Managing Distribution Groups in an Exchange Hybrid Environment:

                            Man.. Ditch local Outlook - move to Outlook on the web only.. huge problems solved.

                            I wish we could do that. The amount of time it would take for top-down buy-in for that far exceeds how long I'll be at this company 😛

                            That's unfortunate. I have half of docs doing this already, the other half shouldn't be that hard (they only have Local Outlook on their office computers anyhow, which they rarely use), otherwise it's webmail and phones.
                            Now the big pushback will be MFA.

                            • EddieJennings @Dashrender

                              @Dashrender said in Managing Distribution Groups in an Exchange Hybrid Environment:

                              That's unfortunate. I have half of docs doing this already, the other half shouldn't be that hard (they only have Local Outlook on their office computers anyhow, which they rarely use), otherwise it's webmail and phones.
                              Now the big pushback will be MFA.

                              Irony = We use DUO for MFA and that buy-in wasn't too terrible. But it helped that we had an incident a couple of years ago that helped bang the drum of "MFA is a good idea."

                              • Dashrender @EddieJennings

                                @EddieJennings said in Managing Distribution Groups in an Exchange Hybrid Environment:

                                @Dashrender said in Managing Distribution Groups in an Exchange Hybrid Environment:

                                That's unfortunate. I have half of docs doing this already, the other half shouldn't be that hard (they only have Local Outlook on their office computers anyhow, which they rarely use), otherwise it's webmail and phones.
                                Now the big pushback will be MFA.

                                Irony = We use DUO for MFA and that buy-in wasn't too terrible. But it helped that we had an incident a couple of years ago that helped bang the drum of "MFA is a good idea."

                                Definitely helpful. We have a few that won't have much of an issue with it - but we have others - if they don't have a shortcut, they can't find the interwebs...

                                • dbeato @EddieJennings

                                  @EddieJennings DUO MFA doesn't work for clients such as Outlook and Mobile Email application so it is not helpful for it. It only works on OWA. Office 365 MFA does apply to all clients.

                                  • EddieJennings @dbeato

                                    @dbeato said in Managing Distribution Groups in an Exchange Hybrid Environment:

                                    @EddieJennings DUO MFA doesn't work for clients such as Outlook and Mobile Email application so it is not helpful for it. It only works on OWA. Office 365 MFA does apply to all clients.

                                    We are using DUO MFA with Outlook, Outlook App on mobile, and built-in Apple mail app.

                                    • manxam

                                      @dbeato : If you're using Azure AD P1 or above and a Duo Access Gateway, then DUO can fully replace Outlook's "modern authentication" routine.
                                      https://duo.com/docs/o365

                                      • dbeato @manxam

                                        @manxam said in Managing Distribution Groups in an Exchange Hybrid Environment:

                                        @dbeato : If you're using Azure AD P1 or above and a Duo Access Gateway, then DUO can fully replace Outlook's "modern authentication" routine.
                                        https://duo.com/docs/o365

                                        Yeah, that is for Office 365, I am talking about Exchange on-prem (which is part of a hybrid environment).

                                        • EddieJennings

                                          I ought to have clarified. DUO MFA comes into play with Outlook for our mailboxes that are in Exchange Online. On-prem mailboxes (the few we have left) aren't subject to DUO.

                                          • Dashrender @EddieJennings

                                            @EddieJennings said in Managing Distribution Groups in an Exchange Hybrid Environment:

                                            I ought to have clarified. DUO MFA comes into play with Outlook for our mailboxes that are in Exchange Online. On-prem mailboxes (the few we have left) aren't subject to DUO.

                                            Are those that are left on prem - are they actual users? If so, I'm curious why they can't be migrated?
