Dynamic Distribution Groups in Exchange Hybrid environments

Using Dynamic Distribution Groups (DDG’s for short) in a Hybrid environment poses a certain challenge. First of all, these DDG’s do NOT sync with Azure AD Connect. Second, you have to base your filters on synced attributes and not local OU structure. And lastly you need to provide a mail-contact on the opposite side of the DDG. Yes, you need to decide where you place the DDG’s (on-premises or Exchange Online) and then provide the other side with a mail-contact, pointing to the DDG, for address book lookups. For my post I’ll put my DDG’s in Exchange Online and hence create mail-contacts for each DDG in my on-premises Exchange environment for easy GAL lookups.

In this example I’ll create DDG’s that filter on 3 custom attributes;

• CustomAttribute3
  (Account type: F (Full-Time Employee), C (External Consultant))
• CustomAttribute6
  (If any text – exclude from DDG)
• CustomAttribute11
  (Department: HR, IT, Dev)

By using any combination of these attributes we can have great flexibillity in filtering recipients in our DDG’s. One often asked function is an easy way of excluding a specific recipient for a limited time. Often used when sending to ‘All Company Employees’ asking for chipping in to a birthday gift for a colleague. In or DDG’s we only need to put any text into field 6 and that person is excluded from the email list as by magic. Just don’t forget to await Azure AD Sync to complete a sync cycle (happens every 30 minutes) or force a manual sync with “Start-ADSyncSyncCycle delta“.

Since we are creating a custom query for our DDG’s we need to make use of Powershell, remotely connect to Exchange Online. After we are connected, issue the command:

New-DynamicDistributionGroup -Name “Mail Group IT” -Alias “mail_group_it” -RecipientFilter {((RecipientType -eq ‘UserMailbox’ -or RecipientType -eq ‘MailUser’) -and ((CustomAttribute6 -notlike “*” -and CustomAttribute11 -eq ‘IT’ -and (CustomAttribute3 -eq ‘F’ -or CustomAttribute3 -eq ‘C’))))} -PrimarySmtpAddress “mail_group_it@aureance1.mail.onmicrosoft.com”

In the above command we create a Dynamic Distribution Group, DDG, called Mail Group IT the contains both Full-Time Employees and external consultants. To preview the recipient filter, we need to run:

1. $ddg = Get-DynamicDistributionGroup -Identity “Mail Group IT”
2. Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter

All that’s left for us to make this complete is to add a mail-contact in our on-premises environment so that our on-premise users can find our DDG in the Global Address Book, GAL. This command needs to be performed in Exchange Management Shell to hit your local Exchange environment.

New-MailContact -Name “Mail Group IT” -OrganizationalUnit “corp.azureance.com/users” -ExternalEmailAddress “mail_group_it@azureance.mail.onmicrosoft.com”

One important thing to consider is to place the contact in a OU that isn’t being synchronized to Azure Active Directory. Otherwise you’ll get duplicate entries for the Exchange Online users, both the real DDG and the pointer contact, which is confusing. Simply don’t synchronize it to keep things clean.

One last thing to comment is why we make use of @azureance.mail.onmicrosoft.com as Primary SMTP Address and External Email Address. The SMTP name space <tenant>.mail.onmicrosoft.com (azureance is my tenant name) is called the routing address in an Exchange Hybrid configuration. It’s the glue between Exchange Online and Exchange on-premises mail objects. It is also the address that gets specified in the auto generated SMTP Send Connector called “Outbound to Office 365”. This connector makes it so that all email addressed or routed to that name space it authenticated and encrypted between both environments, making it both secure but also marked as internal. You can verify this by looking at the email header, specifically X-MS-Exchange-Organization-AuthAs: Internal. This is the correct way of linking objects between the two environments.