Ready for a rough week to come to and end.

@Dashrender said in Managing Distribution Groups in an Exchange Hybrid Environment:

@EddieJennings said in Managing Distribution Groups in an Exchange Hybrid Environment:

I ought to have clarified. DUO MFA comes into play with Outlook for our mailboxes that are in Exchange Online. On-prem mailboxes (the few we have left aren't subject to DUO).

Are those that are left on prem - are they actual users? If so, I'm curious why they can't be migrated?

Eventually all users will be migrated, so, yes, we still have real users on-prem.

This is outside the scope of the original question / scenario, but I've learned a good bit during this process with much of that learning validating a few things I already knew, such as the value of taking the necessary time to plan, and prep the environment for migration (removing unnecessary objects, etc.).

I ought to have clarified. DUO MFA comes into play with Outlook for our mailboxes that are in Exchange Online. On-prem mailboxes (the few we have left aren't subject to DUO).

@dbeato said in Managing Distribution Groups in an Exchange Hybrid Environment:

@EddieJennings DUO MFA doesn't work for clients such as Outlook and Mobile Email application so it is not helpful for it. It only works on OWA. Office 365 MFA does apply to all clients.

We are using DUO MFA with Outlook, Outlook App on mobile, and built-in Apple mail app.

Had to sleep, too. On-call week means getting up early every day for some tasks.

@Dashrender said in Managing Distribution Groups in an Exchange Hybrid Environment:

That's unfortunate. I have half of docs doing this already, the other half shouldn't be that hard (they only have Local Outlook on their office computers anyhow, which they rarely use), otherwise it's webmail and phones.
Now the big pushback will be MFA.

Irony = We use DUO for MFA and that buy-in wasn't too terrible. But it helped that we had an incident a couple of years ago that helped bang the drum of "MFA is a good idea."

@Dashrender said in Managing Distribution Groups in an Exchange Hybrid Environment:

@EddieJennings said in Managing Distribution Groups in an Exchange Hybrid Environment:

@Dashrender said in Managing Distribution Groups in an Exchange Hybrid Environment:

Here's a better question - have you limited who can make groups in Exchange/Teams/Sharepoint, etc?

I'm looking to start a O365 migration relatively soon, and I think this is one thing I will do - limit creation to only a few.

We should be. It's something I need to verify.

It's not the default. By default anyone can add any group they want - and add users to those groups of anyone (i.e. email addresses not in your company ) which ends up making your user list a giant mess (at least in my opinion).

That I know (it not being the default). And yes, it will lead to a giant mess.

@Dashrender said in Managing Distribution Groups in an Exchange Hybrid Environment:

Man.. Ditch local outlook - move to outlook on the web only.. huge problems solved.

I wish we could do that. The amount of time it would take for top-down buy-in for that far exceeds how long I'll be at this company

@Dashrender said in Managing Distribution Groups in an Exchange Hybrid Environment:

Here's a better question - have you limited who can make groups in Exchange/Teams/Sharepoint, etc?

I'm looking to start a O365 migration relatively soon, and I think this is one thing I will do - limit creation to only a few.

We should be. It's something I need to verify.

@dbeato said in Managing Distribution Groups in an Exchange Hybrid Environment:

@EddieJennings Let me start by saying that the success of having a working Exchange Hybrid Environment with office 365 is this kind of planning/questioning so there are no gotchas.

I agree completely. This whole project has moved far too fast for appropriate planning.

My recommendation would be to use option 1. Option 2 causes problems for the users in the Onprem Exchange. They will not be able to send emails to those distribution groups in office 365 as it will not match between the two environments. The AAD Sync is about every 30 minutes so it should not be that bad.

I'm leaning toward the first option as well.