Office 365 + AD Connect: Manage Groups

If you are using Office 365 with AD Connect, your groups are probably in your on-premises Active Directory. Groups that are synced from your on-premises Active Directory cannot be managed from Office 365.

You may run into the following error:

The action ‘Set-DistributionGroup’, can’t be performed on the object because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.

This error occurs because every Office 365 object has a source of authority. In short, if Microsoft allowed you to edit the attributes in Office 365, your changes would be overwritten during the next AD Connect sync. Instead of using the Office 365 administrative centers, you will need to edit the attributes in Active Directory.

Below is a list of Active Directory attributes that are synced to Office 365. Use this list to help find the attributes that need to be edited.

Finding Attributes in Active Directory Users & Computers

If you don’t have Exchange on-premises but you are using AD Connect, you’ll need to edit the Active Directory attributes directly. The easiest way is to enable Advanced Features in Active Directory Users & Computers, then use the Attribute Editor in the group properties.

  1. Open Active Directory Users & Computers
  2. View > Advanced Features
How to enable Advanced Features in Active Directory Users & Computers

Once Advanced Features is enabled you’ll see an Attribute Editor tab in the group properties.

Active Directory Users & Computers attribute editor tab

Attribute Information

The following sections detail the restrictions placed on each attribute.

Display Name

The display name should be a short and concise name for the group using an ASCII string.

How to edit the Display Name for cloud only groups

Exchange Admin Center (EAC) > recipients > groups > Double-click the group to edit > general > Display Name

Exchange Online display name highlighted

How to edit the Display Name for groups synced from AD without Exchange on-premise

Active Directory Users & Computers (ADUC) > open the group properties > Attribute Editor > displayName

How to edit the Display Name for groups synced from AD with Exchange on-premise

Using the Exchange Management Shell

Set-DistributionGroup -Identity GroupName -DisplayName ""

Alias

The alias is used heavily behind the scenes for searches. Use a-z, periods, dashes, and underscores. No spaces. It must be unique across your organization.

How to edit the Alias for cloud only groups

Exchange Admin Center (EAC) > recipients > groups > Double-click the group to edit > general > Alias

Exchange Online alias highlighted

How to edit the Alias for groups synced from AD without Exchange on-premise

Active Directory Users & Computers (ADUC) > open the group properties > Attribute Editor > mailNickname

How to edit the Alias for groups synced from AD with Exchange on-premise

Using the Exchange Management Shell

Set-DistributionGroup -Identity GroupName -Alias ""

Primary Email address

How to edit the Primary Email Address for cloud only groups

Exchange Admin Center (EAC) > recipients > groups > Double-click the group to edit > general > Email Address

Exchange Online email address highlighted

How to edit the Primary Email Address for groups synced from AD without Exchange on-premise

I recommend updating two fields at the same time:

Active Directory Users & Computers (ADUC) > open the group properties > Attribute Editor > mail

Active Directory Users & Computers (ADUC) > open the group properties > Attribute Editor > proxyAddresses

To set the proxyAddresses field, prepend “SMTP:” to the email address. The proxyAddresses attribute may contain only one address that starts with “SMTP:”.

How to edit the Primary Email Address for groups synced from AD with Exchange on-premise

Use the Exchange Management Console for your on-premise server.

Notes

How to edit the Notes for cloud only groups

Exchange Admin Center (EAC) > recipients > groups > Double-click the group to edit > general > Notes

Exchange Online email notes highlighted

How to edit the Notes for groups synced from AD without Exchange on-premise

Active Directory Users & Computers (ADUC) > open the group properties > Attribute Editor > description

How to edit the Notes for groups synced from AD with Exchange on-premise

Use the Exchange Management Console for your on-premise server.

Hide this group from address lists

How to edit the “Hide this group from address lists” for cloud only groups

Exchange Admin Center (EAC) > recipients > groups > Double-click the group to edit > general > Hide this group from address lists

How to edit the “Hide this group from address lists” for groups synced from AD without Exchange on-premise

Active Directory Users & Computers (ADUC) > open the group properties > Attribute Editor > msExchHideFromAddressLists

How to edit the “Hide this group from address lists” for groups synced from AD with Exchange on-premise

Using the Exchange Management Shell

Set-DistributionGroup -Identity GroupName -HiddenFromAddressListsEnabled <$true | $false>

Owners

How to edit the Owners for cloud only groups

Exchange Admin Center (EAC) > recipients > groups > Double-click the group to edit > ownership > Owners

How to edit the Owners for groups synced from AD without Exchange on-premise

The managedBy attribute holds the distinguished name (DN) of a user. The DN can be found in the user’s properties under the Attribute Editor tab.

Active Directory Users & Computers (ADUC) > open the group properties > Attribute Editor > managedBy

How to edit the Owners for groups synced from AD with Exchange on-premise

Use the Exchange Management Console for your on-premise server.

Members

How to edit the Members for cloud only groups

Exchange Admin Center (EAC) > recipients > groups > Double-click the group to edit > membership > members

How to edit the Members for groups synced from AD without Exchange on-premise

Active Directory Users & Computers (ADUC) > open the group properties > Members > Add

How to edit the Members for groups synced from AD with Exchange on-premise

Use the Exchange Management Console for your on-premise server.

Group Membership Permissions

How to edit the Group Membership Permissions for cloud only groups

Exchange Admin Center (EAC) > recipients > groups > Double-click the group to edit > Membership approval > choose whether owner approval is required to join the group

How to edit the Group Membership Permissions for groups synced from AD without Exchange on-premise

The msExchGroupJoinRestriction must be one of the following numbers:

  • 0: Closed: Members can be added only by the group owners. All requests to join will be rejected automatically.
  • 1: Open: Anyone can join this group without being approved by the group owners.
  • 2: Owner approval: All requests are approved or rejected by the group owners.

Active Directory Users & Computers (ADUC) > open the group properties > Attribute Editor > msExchGroupJoinRestriction

How to edit the Group Membership Permissions for groups synced from AD with Exchange on-premise

Using the Exchange Management Shell

Set-DistributionGroup -Identity GroupName -MemberJoinRestriction <Closed | Open | ApprovalRequired>

Group Leave Permissions

How to edit the Group Leave Permissions for cloud only groups

Exchange Admin Center (EAC) > recipients > groups > Double-click the group to edit > Membership approval > Choose whether the group is open to leave

How to edit the Group Leave Permissions for groups synced from AD without Exchange on-premise

The msExchGroupDepartRestriction must be one of the following numbers:

  • 0: Closed: Members can be removed only by the group owners. All requests to leave will be rejected automatically.
  • 1: Open: Anyone can leave this group without being approved by the group owners.

Active Directory Users & Computers (ADUC) > open the group properties > Attribute Editor > msExchGroupDepartRestriction

How to edit the Group Leave Permissions for groups synced from AD with Exchange on-premise

Using the Exchange Management Shell

Set-DistributionGroup -Identity GroupName -MemberDepartRestriction <Closed | Open | ApprovalRequired>

External Sender Permissions

How to edit the External Sender Permissions for cloud only groups

Exchange Admin Center (EAC) > recipients > groups > Double-click the group to edit > delivery management > Only senders inside my organization

How to edit the External Sender Permissions for groups synced from AD without Exchange on-premise

Active Directory Users & Computers (ADUC) > open the group properties > Attribute Editor > msExchRequireAuthToSendTo

How to edit the External Sender Permissions for groups synced from AD with Exchange on-premise

Using the Exchange Management Shell

Set-DistributionGroup -Identity GroupName -RequireSenderAuthenticationEnabled <$true | $false>

Send To Permissions

How to edit the Send To Permissions for cloud only groups

Exchange Admin Center (EAC) > recipients > groups > Double-click the group to edit > delivery management > If you want to restrict who can send messages to the group

How to edit the Send To Permissions for groups synced from AD without Exchange on-premise

The authOrig attribute is a list of user distinguished names (DNs). A user’s DN can be found in the user’s properties under the Attribute Editor tab.

Active Directory Users & Computers (ADUC) > open the group properties > Attribute Editor > authOrig

If you cannot edit the authOrig attribute in ADUC you can use the following PowerShell script:

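Import-Module ActiveDirectory

# Replace both placeholders with real distinguished names (DNs)
$Group  = "DN of the Group"
$UserDN = "DN of the user"

if ($UserDN) {
    # Add the user to the group's authOrig list (senders allowed to mail the group)
    Set-ADGroup -Identity $Group -Add @{authOrig=@($UserDN)}
} else {
    Write-Host "Couldn't find User" -ForegroundColor Red
}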

How to edit the Send To Permissions for groups synced from AD with Exchange on-premise

Use the Exchange Management Console for your on-premise server.

Moderator Approval

How to edit the Moderator Approval for cloud only groups

Exchange Admin Center (EAC) > recipients > groups > Double-click the group to edit > message approval > Messages sent to this group have to be approved by a moderator

How to edit the Moderator Approval for groups synced from AD without Exchange on-premise

Active Directory Users & Computers (ADUC) > open the group properties > Attribute Editor > msExchEnableModeration

How to edit the Moderator Approval for groups synced from AD with Exchange on-premise

Using the Exchange Management Shell

Set-DistributionGroup -Identity GroupName -ModerationEnabled <$true | $false>

Moderators

How to edit the Moderators for cloud only groups

Exchange Admin Center (EAC) > recipients > groups > Double-click the group to edit > message approval > Group moderators

How to edit the Moderators for groups synced from AD without Exchange on-premise

The msExchModeratedByLink attribute is a list of user distinguished names (DNs). A user’s DN can be found in the user’s properties under the Attribute Editor tab.

Active Directory Users & Computers (ADUC) > open the group properties > Attribute Editor > msExchModeratedByLink

How to edit the Moderators for groups synced from AD with Exchange on-premise

Use the Exchange Management Console for your on-premise server.

Skip Approval

How to edit the “Skip Approval” for cloud only groups

Exchange Admin Center (EAC) > recipients > groups > Double-click the group to edit > message approval > Senders who don’t require message approval

How to edit the “Skip Approval” for groups synced from AD without Exchange on-premise

The msExchBypassModerationLink attribute is a list of user distinguished names (DNs). A user’s DN can be found in the user’s properties under the Attribute Editor tab.

Active Directory Users & Computers (ADUC) > open the group properties > Attribute Editor > msExchBypassModerationLink

How to edit the “Skip Approval” for groups synced from AD with Exchange on-premise

Use the Exchange Management Console for your on-premise server.

Sender Notification

How to edit the Sender Notification for cloud only groups

Exchange Admin Center (EAC) > recipients > groups > Double-click the group to edit > message approval > Select moderation notifications

How to edit the Sender Notification for groups synced from AD without Exchange on-premise

The msExchModerationFlags must be one of the following numbers:

  • 6: Notify all senders when their messages aren’t approved.
  • 2: Notify senders in your organization when their messages aren’t approved.
  • 0: Don’t notify anyone when a message isn’t approved.

Active Directory Users & Computers (ADUC) > open the group properties > Attribute Editor > msExchModerationFlags

How to edit the Sender Notification for groups synced from AD with Exchange on-premise

Using the Exchange Management Shell

Set-DistributionGroup -Identity GroupName -SendModerationNotifications <Never | Internal | Always>

Email Addresses

How to edit the Email Addresses for cloud only groups

Exchange Admin Center (EAC) > recipients > groups > Double-click the group to edit > Email options > email address

How to edit the Email Addresses for groups synced from AD without Exchange on-premise

Each entry in the proxyAddresses field is a prefix followed by the email address. All email aliases must start with “smtp:”. The primary email address must start with “SMTP:”.

Active Directory Users & Computers (ADUC) > open the group properties > Attribute Editor > proxyAddresses
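The mail and proxyAddresses rules from the Primary Email address and Email Addresses sections can be applied in one step from PowerShell. This is an added example, not part of the original article: the function name Set-GroupPrimarySmtp is hypothetical, the choice to keep the old primary as an alias is an assumption, and it requires the ActiveDirectory module with write access to the group.

```powershell
Import-Module ActiveDirectory

function Set-GroupPrimarySmtp {
    param(
        [Parameter(Mandatory)] [string] $GroupDN,        # DN of the group
        [Parameter(Mandatory)] [string] $PrimaryAddress  # new primary address, without prefix
    )

    $group = Get-ADGroup -Identity $GroupDN -Properties mail, proxyAddresses

    # Entries that are not SMTP addresses (for example x500:) are carried over untouched.
    $other = @($group.proxyAddresses | Where-Object { $_ -and $_ -notmatch '^smtp:' })

    # Every existing SMTP address, the old primary included, becomes an "smtp:" alias.
    # -match and -replace are case-insensitive, so "SMTP:" and "smtp:" are both caught.
    $aliases = @($group.proxyAddresses |
        Where-Object { $_ -match '^smtp:' } |
        ForEach-Object { $_ -replace '^smtp:', '' } |
        Where-Object { $_ -ne $PrimaryAddress } |
        Sort-Object -Unique |
        ForEach-Object { "smtp:$_" })

    $new = @("SMTP:$PrimaryAddress") + $aliases + $other

    # Guard: exactly one entry may carry the uppercase SMTP: prefix (-cmatch is case-sensitive).
    $primaryCount = @($new | Where-Object { $_ -cmatch '^SMTP:' }).Count
    if ($primaryCount -ne 1) { throw "Expected exactly one SMTP: entry, found $primaryCount" }

    # Write mail and proxyAddresses together so they cannot disagree after the next sync.
    Set-ADGroup -Identity $GroupDN -Replace @{ mail = $PrimaryAddress; proxyAddresses = [string[]]$new }
    return $new
}

# Constructed sample values:
# Set-GroupPrimarySmtp -GroupDN 'CN=Sales,OU=Groups,DC=example,DC=com' -PrimaryAddress 'sales@example.com'
```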

How to edit the Email Addresses for groups synced from AD with Exchange on-premise

Use the Exchange Management Console for your on-premise server.

Mail Tip

How to edit the Mail Tip for cloud only groups

Exchange Admin Center (EAC) > recipients > groups > Double-click the group to edit > MailTip

How to edit the Mail Tip for groups synced from AD without Exchange on-premise

The string you want to display must be set in msExchSenderHintTranslations and wrapped as follows:

default:<html><body>text to be displayed</body></html>

Active Directory Users & Computers (ADUC) > open the group properties > Attribute Editor > msExchSenderHintTranslations

How to edit the Mail Tip for groups synced from AD with Exchange on-premise

Use the Exchange Management Console for your on-premise server.

Send As

How to edit the Send As Permissions for cloud only groups

Exchange Admin Center (EAC) > recipients > groups > Double-click the group to edit > Group delegation > Send As

How to edit the Send As Permissions for groups synced from AD without Exchange on-premise

Use the Exchange Admin Center as you would for cloud only groups. (see above)

How to edit the Send As Permissions for groups synced from AD with Exchange on-premise

Use the Exchange Management Console for your on-premise server.

Send On Behalf of

How to edit the Send On Behalf of Permissions for cloud only groups

Exchange Admin Center (EAC) > recipients > groups > Double-click the group to edit > Group delegation > Send on Behalf

How to edit the Send On Behalf of Permissions for groups synced from AD without Exchange on-premise

The publicDelegates attribute is a list of user distinguished names (DNs). A user’s DN can be found in the user’s properties under the Attribute Editor tab.

Active Directory Users & Computers (ADUC) > open the group properties > Attribute Editor > publicDelegates

How to edit the Send On Behalf of Permissions for groups synced from AD with Exchange on-premise

Use the Exchange Management Console for your on-premise server.
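Several of the attributes covered in this article control who can reach or join a group, so they are worth reviewing across all synced groups rather than one at a time in ADUC. The read-only report below is an added example, not part of the original article: the function name Get-MailGroupExposure is hypothetical, and it assumes the ActiveDirectory module and read access to the directory.

```powershell
Import-Module ActiveDirectory

# msExchGroupJoinRestriction values as listed in this article.
$JoinRestriction = @{ 0 = 'Closed'; 1 = 'Open'; 2 = 'Owner approval' }

function Get-MailGroupExposure {
    param([string] $SearchBase)   # optional OU DN to limit the search

    $query = @{
        LDAPFilter = '(mail=*)'   # only groups that have an email address
        Properties = 'mail', 'managedBy', 'authOrig', 'msExchRequireAuthToSendTo',
                     'msExchGroupJoinRestriction', 'msExchEnableModeration'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADGroup @query | ForEach-Object {
        $join = $_.msExchGroupJoinRestriction
        $auth = $_.msExchRequireAuthToSendTo

        # Collect the settings an administrator should look at for this group.
        $review = @()
        if ($auth -eq $false)  { $review += 'external senders allowed' }
        if ($null -eq $auth)   { $review += 'msExchRequireAuthToSendTo not set' }
        if ($join -eq 1)       { $review += 'open to join' }
        if (-not $_.managedBy) { $review += 'no owner' }

        [pscustomobject]@{
            Group          = $_.Name
            Mail           = $_.mail
            RequireAuth    = $auth
            JoinPolicy     = if ($null -eq $join) { 'not set' } else { $JoinRestriction[[int]$join] }
            Moderated      = [bool]$_.msExchEnableModeration
            AllowedSenders = @($_.authOrig | Where-Object { $_ }).Count   # 0 = no authOrig restriction
            Review         = $review -join '; '
        }
    }
}

# Show only groups with at least one item to review:
# Get-MailGroupExposure | Where-Object Review | Format-Table -AutoSize
```

An unset attribute is reported separately from an explicit value because the effective setting in Exchange Online should then be confirmed there.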