Setting up Synchronized Office 365 Groups
Overview
Office 365 Directory Synchronization (DirSync) extends the on-premises Active Directory into Azure Active Directory, so users and groups are managed centrally on-premises. The article DirSync: List of attributes that are synced by the Azure Active Directory Sync Tool documents all the attributes and objects that the tool synchronizes.
For this article I configured an environment with two servers, a domain controller and a DirSync server; all Active Directory objects are synchronized to Office 365. Once the directory is synchronized, the e-mail addresses of users and groups are defined by the object information in Active Directory.
The group settings are defined by attributes of the object in Active Directory, so the Office 365 management portal does not allow changes to these settings.
The portal reports an error stating that group settings must be made in Active Directory and synchronized to the cloud:
The action 'Set-DistributionGroup', 'AcceptMessagesOnlyFromSendersOrMembers,RequireSenderAuthenticationEnabled', can't be performed on the object 'Group01' because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.
1st Solution
The first option is to move management of the group to Exchange Online. This makes all of the group's properties configurable in the portal.
There is no need to delete the Active Directory group: open the group's properties and clear the e-mail field.
Synchronize to Office 365; the group should disappear from the Exchange Online distribution groups.
Then create a new group in Exchange Online with the same name and e-mail address, and add the members.
Note that the new group is a cloud-only object: its membership and settings no longer follow the Active Directory group, and mail sent to the address bounces during the window between the synchronized group being removed and the new one being created.
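The same procedure scripted end to end, as an added example that is not part of the original article. It assumes the ActiveDirectory module on the domain controller, the classic DirSync snap-in (Coexistence-Configuration) for the sync, the ExchangeOnlineManagement module for the cloud side, and an existing AD group Group01 with the address group01@home.local; the names are placeholders. Clearing proxyAddresses as well as mail is my addition, so that no SMTP address lingers on the AD object.

```powershell
# Added example (not from the original article): move Group01 from a synchronized
# AD group to a cloud-managed Exchange Online distribution group.
# Assumptions: ActiveDirectory module, DirSync snap-in Coexistence-Configuration,
# ExchangeOnlineManagement module, group "Group01" with mail group01@home.local.
Import-Module ActiveDirectory

$groupName = 'Group01'
$groupMail = 'group01@home.local'

# 1. Record the direct user members (by UPN) before the object leaves Exchange
#    Online, so the re-created cloud group gets exactly the same members.
$members = Get-ADGroupMember -Identity $groupName |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties userPrincipalName |
    Select-Object -ExpandProperty userPrincipalName

# 2. Clear the mail address on the AD group. The group stays in AD; without an
#    address DirSync no longer projects it as a distribution group.
Set-ADGroup -Identity $groupName -Clear 'mail', 'proxyAddresses'

# 3. Force a sync. Classic DirSync exposes Start-OnlineCoexistenceSync;
#    Azure AD Connect replaced it with Start-ADSyncSyncCycle -PolicyType Delta.
Add-PSSnapin Coexistence-Configuration
Start-OnlineCoexistenceSync

# 4. In Exchange Online, wait (bounded) until the synchronized group is gone,
#    then create the cloud-managed replacement with the same name, address and members.
Connect-ExchangeOnline
$tries = 0
while ((Get-DistributionGroup -Identity $groupMail -ErrorAction SilentlyContinue) -and $tries -lt 30) {
    Start-Sleep -Seconds 60
    $tries++
}
if (Get-DistributionGroup -Identity $groupMail -ErrorAction SilentlyContinue) {
    throw "$groupMail is still present in Exchange Online; sync has not removed it yet"
}
New-DistributionGroup -Name $groupName -PrimarySmtpAddress $groupMail -Members $members

# 5. The properties the portal refused earlier can now be set in the cloud.
Set-DistributionGroup -Identity $groupMail -RequireSenderAuthenticationEnabled $true
```

The membership is captured first because once the synchronized group is removed from Exchange Online the only remaining copy of the member list is the AD group itself, and nested groups are deliberately not flattened: they would need to be re-created as cloud groups in the same way.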
2nd Solution
The second option is to set the group's attributes in Active Directory and synchronize them to Exchange Online. The following attributes control the group properties:
- authOrig - which users can send mail to the group
- msExchHideFromAddressLists - hides the group from the address lists
- msExchRequireAuthToSendTo - whether the group accepts mail from external senders or only from authenticated (internal) users
- msExchEnableModeration - enables moderation of the distribution group
- msExchModeratedByLink - used together with msExchEnableModeration; sets the group's moderators
- msExchBypassModerationLink - used together with msExchEnableModeration; sets which users can send to the group without moderation
- publicDelegates - sets which users have Send on Behalf permission for the group
- msExchSenderHintTranslations - sets the MailTip shown to senders
These attributes do not exist in the default Active Directory schema; they are created when Exchange is installed on-premises. The Exchange setup wizard extends the schema with these and many other attributes and classes that support Exchange settings.
One option is to download the Exchange media and run only the schema preparation step described in Prepare Active Directory and domains. The drawback is that setup creates a chain of other attributes and classes that will never be used.
I want to create only the attributes above in the Active Directory schema. The article How to Create a Custom Attribute in Active Directory shows how to set up the Schema console and create attributes.
Be careful! Schema changes cannot be deleted (an attribute can at most be deactivated), so back up Active Directory before starting, and test the import in a lab forest first.
The file below contains only the desired attributes. Copy its contents into Notepad and save the file as schema.ldf.
# ---------------------------------------------------------------------
# This file contains the attributes to be created to configure the
# properties of distribution lists.
# To update the schema use the ldifde command:
# ldifde -i -k -f schema.ldf -j c:\temp -c "DC=x" "DC=home,DC=local"
# ---------------------------------------------------------------------

# ---------------------------------------------------------------------
# This section lists the attributes to be created.
# ---------------------------------------------------------------------

# ---------------------------------------------------------------------
# Boolean attribute ($true, $false or not set).
# Enables hiding the group from address list searches.
# ---------------------------------------------------------------------
dn: CN=ms-Exch-Hide-From-Address-Lists,CN=Schema,CN=Configuration,DC=x
changetype: ntdsSchemaAdd
adminDescription: ms-Exch-Hide-From-Address-Lists
adminDisplayName: ms-Exch-Hide-From-Address-Lists
attributeID: 1.2.840.113556.1.4.7000.102.73
attributeSyntax: 2.5.5.8
isMemberOfPartialAttributeSet: FALSE
isSingleValued: TRUE
lDAPDisplayName: msExchHideFromAddressLists
name: ms-Exch-Hide-From-Address-Lists
oMSyntax: 1
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=x
objectClass: attributeSchema
schemaIdGuid:: lgscopOw0hGqBgDAT47t2A==
searchFlags: 0

# ---------------------------------------------------------------------
# Controls which users can send email to the group. If the attribute is
# not set the group accepts mail from all internal and external users.
# It is a multi-valued attribute and must be set to the users'
# distinguished names (CN=User05 05,OU=Users,DC=home,DC=local).
# ---------------------------------------------------------------------
dn: CN=ms-Exch-Auth-Orig,CN=Schema,CN=Configuration,DC=x
changetype: ntdsSchemaAdd
adminDescription: ms-Exch-Auth-Orig
adminDisplayName: ms-Exch-Auth-Orig
attributeID: 1.2.840.113556.1.2.129
attributeSyntax: 2.5.5.7
isMemberOfPartialAttributeSet: TRUE
isSingleValued: FALSE
lDAPDisplayName: authOrig
mapiId: 36056
name: ms-Exch-Auth-Orig
oMSyntax: 127
oMObjectClass:: VgYBAgULHQ==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=x
objectClass: attributeSchema
linkID: 110
schemaIdGuid:: l3PfqOrF0RG7ywCAx2ZwwA==
searchFlags: 0

# ---------------------------------------------------------------------
# Boolean attribute ($true, $false or not set).
# Controls delivery of email according to its origin.
# When set to $true the group accepts email only from internal users.
# When not set or $false the group accepts mail from internal and
# external users.
# ---------------------------------------------------------------------
dn: CN=ms-Exch-RequireAuthToSendTo,CN=Schema,CN=Configuration,DC=x
changetype: ntdsSchemaAdd
adminDescription: ms-Exch-RequireAuthToSendTo
adminDisplayName: ms-Exch-RequireAuthToSendTo
attributeID: 1.2.840.113556.1.4.5062
attributeSyntax: 2.5.5.8
isMemberOfPartialAttributeSet: TRUE
isSingleValued: TRUE
lDAPDisplayName: msExchRequireAuthToSendTo
name: ms-Exch-RequireAuthToSendTo
oMSyntax: 1
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=x
objectClass: attributeSchema
schemaIdGuid:: O+sz9Vv3s0+y+wjNU3qE0Q==
searchFlags: 0

# ---------------------------------------------------------------------
# Boolean attribute ($true, $false or not set).
# Enables moderation of the distribution list.
# When set to $true the group is moderated.
# ---------------------------------------------------------------------
dn: CN=ms-Exch-Enable-Moderation,CN=Schema,CN=Configuration,DC=x
changetype: ntdsSchemaAdd
adminDescription: ms-Exch-Enable-Moderation
adminDisplayName: ms-Exch-Enable-Moderation
attributeID: 1.2.840.113556.1.4.7000.102.50969
attributeSecurityGuid:: iYopH5jeuEe1zVcq1T0mfg==
attributeSyntax: 2.5.5.8
isMemberOfPartialAttributeSet: TRUE
isSingleValued: TRUE
lDAPDisplayName: msExchEnableModeration
mapiId: 36021
name: ms-Exch-Enable-Moderation
oMSyntax: 1
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=x
objectClass: attributeSchema
schemaIdGuid:: Zy3NakZwWEmL13HOvGi4pw==
searchFlags: 0

# ---------------------------------------------------------------------
# Multi-valued attribute; must be set to the users' distinguished names
# (CN=User05 05,OU=Users,DC=home,DC=local).
# Sets the moderators of the group.
# ---------------------------------------------------------------------
dn: CN=ms-Exch-Moderated-By-Link,CN=Schema,CN=Configuration,DC=x
changetype: ntdsSchemaAdd
adminDescription: ms-Exch-Moderated-By-Link
adminDisplayName: ms-Exch-Moderated-By-Link
attributeID: 1.2.840.113556.1.4.7000.102.50952
attributeSecurityGuid:: iYopH5jeuEe1zVcq1T0mfg==
attributeSyntax: 2.5.5.1
isMemberOfPartialAttributeSet: TRUE
isSingleValued: FALSE
lDAPDisplayName: msExchModeratedByLink
mapiId: 36013
name: ms-Exch-Moderated-By-Link
oMSyntax: 127
oMObjectClass:: KwwCh3McAIVK
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=x
objectClass: attributeSchema
linkID: 1128
schemaIdGuid:: 48Xh5oJ10EOWcYcYVCpshg==
searchFlags: 0

# ---------------------------------------------------------------------
# Multi-valued attribute; must be set to the users' distinguished names.
# Configures the users whose messages to moderated groups are not
# moderated.
# ---------------------------------------------------------------------
dn: CN=ms-Exch-Bypass-Moderation-Link,CN=Schema,CN=Configuration,DC=x
changetype: ntdsSchemaAdd
adminDescription: ms-Exch-Bypass-Moderation-Link
adminDisplayName: ms-Exch-Bypass-Moderation-Link
attributeID: 1.2.840.113556.1.4.7000.102.51140
attributeSecurityGuid:: iYopH5jeuEe1zVcq1T0mfg==
attributeSyntax: 2.5.5.1
isMemberOfPartialAttributeSet: TRUE
isSingleValued: FALSE
lDAPDisplayName: msExchBypassModerationLink
mapiId: 36050
name: ms-Exch-Bypass-Moderation-Link
oMSyntax: 127
oMObjectClass:: KwwCh3McAIVK
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=x
objectClass: attributeSchema
linkID: 1180
schemaIdGuid:: mD4ZYllmJE+OR5v209ommA==
searchFlags: 0

# ---------------------------------------------------------------------
# Attribute that enables the Send on Behalf configuration for the group.
# ---------------------------------------------------------------------
dn: CN=ms-Exch-Public-Delegates,CN=Schema,CN=Configuration,DC=x
changetype: ntdsSchemaAdd
adminDescription: ms-Exch-Public-Delegates
adminDisplayName: ms-Exch-Public-Delegates
attributeID: 1.2.840.113556.1.2.238
attributeSyntax: 2.5.5.1
isMemberOfPartialAttributeSet: TRUE
isSingleValued: FALSE
lDAPDisplayName: publicDelegates
mapiId: 32789
name: ms-Exch-Public-Delegates
oMSyntax: 127
oMObjectClass:: KwwCh3McAIVK
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=x
objectClass: attributeSchema
linkID: 14
schemaIdGuid:: mv/48JER0BGgYACqAGwz7Q==
searchFlags: 0

# ---------------------------------------------------------------------
# Enables MailTips for the group.
# ---------------------------------------------------------------------
dn: CN=ms-Exch-Sender-Hint-Translations,CN=Schema,CN=Configuration,DC=x
changetype: ntdsSchemaAdd
adminDescription: ms-Exch-Sender-Hint-Translations
adminDisplayName: ms-Exch-Sender-Hint-Translations
attributeID: 1.2.840.113556.1.4.7000.102.50899
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: TRUE
isSingleValued: FALSE
lDAPDisplayName: msExchSenderHintTranslations
mapiId: 36012
name: ms-Exch-Sender-Hint-Translations
oMSyntax: 64
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=x
objectClass: attributeSchema
rangeLower: 2
rangeUpper: 500
schemaIdGuid:: nWqelDwkvkWvEPfyaFiyKQ==
searchFlags: 0

# ---------------------------------------------------------------------
# Applies the new attributes (reloads the schema cache).
# ---------------------------------------------------------------------
dn:
changetype: ntdsSchemaModify
replace: schemaUpdateNow
schemaUpdateNow: 1
-

# ---------------------------------------------------------------------
# This section modifies the Group class, adding the attributes.
# ---------------------------------------------------------------------
dn: CN=Group,CN=Schema,CN=Configuration,DC=x
changetype: modify
add: mayContain
mayContain: msExchHideFromAddressLists
mayContain: authOrig
mayContain: msExchRequireAuthToSendTo
mayContain: msExchEnableModeration
mayContain: msExchModeratedByLink
mayContain: msExchBypassModerationLink
mayContain: publicDelegates
mayContain: msExchSenderHintTranslations
-
These values were taken from the Exchange Server installation media, from the schema files under <Exchange installation media>\setup\ServerRoles\common\setup\data\:
Attribute | Exchange file
CN=ms-Exch-Hide-From-Address-Lists | schema0.ldf
CN=ms-Exch-Auth-Orig | schema2.ldf
CN=ms-Exch-Public-Delegates | schema2.ldf
CN=ms-Exch-RequireAuthToSendTo | schema36.ldf
CN=ms-Exch-Sender-Hint-Translations | schema59.ldf
CN=ms-Exch-Enable-Moderation | schema61.ldf
CN=ms-Exch-Moderated-By-Link | schema61.ldf
CN=ms-Exch-Bypass-Moderation-Link | schema65.ldf
I created the folder C:\Temp on the domain controller and put schema.ldf there. To make the changes you must be a member of the Enterprise Admins and Schema Admins groups. Schema Admins membership should be granted only for the duration of the change and removed afterwards, and the import must run on the schema master (or be pointed at it with ldifde -s), because only the schema master accepts schema writes.
The file is imported with the ldifde command. At the end of the command, replace "DC=domain,DC=local" with the distinguished name of the forest root domain (the schema lives in the forest's Configuration partition, so a child domain's name will not work). In my demo the domain is home.local, so the final command is:
ldifde -i -k -f schema.ldf -j c:\temp -c "DC=x" "DC=home,DC=local"
The -j option writes the log files ldif.log and ldif.err to the given folder. The -k option makes ldifde continue past "constraint violation" and "object already exists" errors, so read the log rather than assuming the import succeeded.
The schemaUpdateNow entry in the file reloads the schema cache; if the new attributes still do not appear, restart the Active Directory Domain Services service.
The new attributes should now be available in the group's properties (Attribute Editor).
With the attributes available, set each group accordingly. Below I show how to change each setting and the result in the Exchange Online management portal.
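An added example (not from the original article) that runs the import above against the schema master with the forest root DN filled in automatically, then verifies that every attribute exists with the syntax declared in schema.ldf and is attached to the Group class. It assumes schema.ldf is in C:\Temp, the ActiveDirectory module is present, and the account holds the memberships described above.

```powershell
# Added example (not from the original article): run the schema import against the
# schema master and verify the result. Assumes C:\Temp\schema.ldf and the
# ActiveDirectory module; the account must be in Enterprise Admins and Schema Admins.
Import-Module ActiveDirectory

$rootDse      = Get-ADRootDSE
$schemaNC     = $rootDse.schemaNamingContext                    # CN=Schema,CN=Configuration,DC=home,DC=local
$forestRootDN = $schemaNC -replace '^CN=Schema,CN=Configuration,', ''   # DC=home,DC=local
$schemaMaster = (Get-ADForest).SchemaMaster

# Schema writes are only accepted by the schema master, so target it explicitly.
# -k continues past "constraint violation" / "already exists" errors, so the log in
# C:\Temp (ldif.log / ldif.err) must be read afterwards; do not trust the exit code alone.
& ldifde.exe -i -k -f C:\Temp\schema.ldf -j C:\Temp -s $schemaMaster -c 'DC=x' $forestRootDN
if ($LASTEXITCODE -ne 0) { Write-Warning "ldifde exit code $LASTEXITCODE; check C:\Temp\ldif.err" }

# Expected attributes with their LDAP syntax OID, copied from schema.ldf
# (2.5.5.8 boolean, 2.5.5.1 DN, 2.5.5.7 OR-name, 2.5.5.12 Unicode string).
$expected = @{
    msExchHideFromAddressLists   = '2.5.5.8'
    authOrig                     = '2.5.5.7'
    msExchRequireAuthToSendTo    = '2.5.5.8'
    msExchEnableModeration       = '2.5.5.8'
    msExchModeratedByLink        = '2.5.5.1'
    msExchBypassModerationLink   = '2.5.5.1'
    publicDelegates              = '2.5.5.1'
    msExchSenderHintTranslations = '2.5.5.12'
}

foreach ($name in $expected.Keys) {
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
        -Properties attributeSyntax, isSingleValued
    if (-not $attr) {
        Write-Warning "$name is missing from the schema"
    } elseif ($attr.attributeSyntax -ne $expected[$name]) {
        Write-Warning "$name has syntax $($attr.attributeSyntax), expected $($expected[$name])"
    }
}

# The Group class must list every attribute in mayContain; otherwise ldifde created
# the attributes but Set-ADGroup will refuse to write them to a group.
$groupClass = Get-ADObject -Identity "CN=Group,$schemaNC" -Properties mayContain
$missing = $expected.Keys | Where-Object { $groupClass.mayContain -notcontains $_ }
if ($missing) { Write-Warning "Group class is missing: $($missing -join ', ')" }
else { 'All attributes present and attached to the Group class' }
```

The syntax check matters because ldifde with -k silently skips an entry that collides with an existing attribute of the same name; an attribute that already exists with a different syntax would pass a name-only check and then fail at write time.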
Hiding the Group from the Address List
To hide the group's mail address from the address list, set the msExchHideFromAddressLists attribute: open the group's properties (Attribute Editor) and change the value.
Change the value to True to hide the group's mail address.
After synchronization, the option Hide this group from address lists should be selected for the group.
This attribute can also be used to hide synchronized users' addresses: add the attribute to the user class in the Active Directory schema (a mayContain entry on CN=User, as done for CN=Group above) and set it the same way on each user.
Setting Up Users with Permission to Send E-mail to the Group
In Delivery Management it is possible to configure the list of users who can send mail to the group.
The authOrig attribute is set with PowerShell:
Set-ADGroup -Identity Group01 -Add @{authOrig='CN=User01 01,OU=Usuarios,DC=home,DC=local'}
Synchronize the changes and verify that the group shows the users.
Restricting the Group to Accept Only Internal E-mail
To accept mail only from internal (authenticated) senders, set the msExchRequireAuthToSendTo attribute; this attribute can be set directly in the Active Directory console.
Set the attribute to True.
After synchronization the option Only senders inside my organization is selected.
Setting Up Moderation
To enable moderation for a group, set the msExchEnableModeration attribute to True.
Then set the group's moderator in the msExchModeratedByLink attribute and the users who can send to the group without moderation in msExchBypassModerationLink.
After synchronization the users should appear in the group's moderation settings.
Configuring MailTips
The msExchSenderHintTranslations attribute sets the object's MailTip. Open the group's properties and edit it.
Set the attribute as below:
default:<html><body>MailTip Group01</body></html>
After synchronization the MailTip should appear on the group, and when a user adds the group as a recipient the tip is displayed.
Setting Send on Behalf Permission
To give a user permission to send on behalf of the group's address, set the publicDelegates attribute.
Add the distinguished names of the users who will have the permission.
After synchronization the user's name should appear in the group's Send on Behalf settings.
When the user sends e-mail from the group's address, the message shows the user's name as sending on behalf of the group.
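All of the settings described in the sections above, applied to Group01 with Set-ADGroup instead of the Attribute Editor and then compared with what Exchange Online reports after synchronization. This is an added example, not code from the original article; it assumes the ActiveDirectory module, users User01 01, User02 02 and User03 03 in OU=Usuarios of home.local (placeholder names), the classic DirSync snap-in for the sync, and the ExchangeOnlineManagement module for the cloud check.

```powershell
# Added example (not from the original article): set every group attribute described
# above on Group01 and verify it on both sides of the sync.
# Assumptions: ActiveDirectory module, placeholder users in OU=Usuarios,DC=home,DC=local,
# DirSync snap-in Coexistence-Configuration, ExchangeOnlineManagement module.
Import-Module ActiveDirectory

$group     = 'Group01'
$userBase  = 'OU=Usuarios,DC=home,DC=local'
$sender    = "CN=User01 01,$userBase"   # allowed to send to the group (and skips moderation)
$moderator = "CN=User02 02,$userBase"   # approves messages
$delegate  = "CN=User03 03,$userBase"   # may send on behalf of the group

# Resolve the DNs first so a typo fails here instead of producing a dangling link.
foreach ($dn in $sender, $moderator, $delegate) { $null = Get-ADUser -Identity $dn }

# Single-valued settings: replace.
Set-ADGroup -Identity $group -Replace @{
    msExchHideFromAddressLists   = $true    # hide from the address list
    msExchRequireAuthToSendTo    = $true    # only authenticated (internal) senders
    msExchEnableModeration       = $true    # turn moderation on
    msExchSenderHintTranslations = 'default:<html><body>MailTip Group01</body></html>'
}
# Multi-valued DN-link settings: add, so existing entries survive.
Set-ADGroup -Identity $group -Add @{
    authOrig                   = $sender
    msExchModeratedByLink      = $moderator
    msExchBypassModerationLink = $sender
    publicDelegates            = $delegate
}

# Read back what was written before syncing.
Get-ADGroup -Identity $group -Properties msExchHideFromAddressLists, authOrig,
    msExchRequireAuthToSendTo, msExchEnableModeration, msExchModeratedByLink,
    msExchBypassModerationLink, publicDelegates, msExchSenderHintTranslations |
    Format-List msExch*, authOrig, publicDelegates

# Push the change to Office 365 (classic DirSync snap-in; Azure AD Connect uses
# Start-ADSyncSyncCycle -PolicyType Delta instead).
Add-PSSnapin Coexistence-Configuration
Start-OnlineCoexistenceSync

# After the sync completes, the Exchange Online properties must mirror the AD attributes:
# HiddenFromAddressListsEnabled, RequireSenderAuthenticationEnabled and ModerationEnabled
# should be True, and the link attributes should list the three users.
Connect-ExchangeOnline
Get-DistributionGroup -Identity $group | Format-List HiddenFromAddressListsEnabled,
    AcceptMessagesOnlyFrom, RequireSenderAuthenticationEnabled, ModerationEnabled,
    ModeratedBy, BypassModerationFromSendersOrMembers, GrantSendOnBehalfTo, MailTip
```

Because authOrig, msExchModeratedByLink, msExchBypassModerationLink and publicDelegates are DN links, they are written with -Add rather than -Replace; -Replace would silently drop any sender, moderator or delegate configured earlier, which for authOrig means changing who is allowed to reach the group.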