Managing Distribution Groups in an Exchange Hybrid Environment
-
I am going through the same headache. We have decided to opt for option 2 as we figure someday we will be out of hybrid mode and better do it now than later. We do see the issue with keeping both in sync but so long as we (I-T) keep good documentation it should not be an issue.
-
Here's a better question - have you limited who can make groups in Exchange/Teams/Sharepoint, etc?
I'm looking to start an O365 migration relatively soon, and I think this is one thing I will do - limit creation to only a few.
-
@EddieJennings Let me start by saying that the success of having a working Exchange Hybrid Environment with Office 365 is this kind of planning/questioning so there are no gotchas.
My recommendation would be to use option 1. Option 2 causes problems for the users in the Onprem Exchange. They will not be able to send emails to those distribution groups in Office 365 as it will not match between the two environments. The AAD Sync is about every 30 minutes so it should not be that bad.
-
In the environments we manage we set up the Distribution Groups for our customers so it is a little easier for us.
-
Man.. Ditch local outlook - move to outlook on the web only.. huge problems solved.
-
@dbeato said in Managing Distribution Groups in an Exchange Hybrid Environment:
@EddieJennings Let me start by saying that the success of having a working Exchange Hybrid Environment with Office 365 is this kind of planning/questioning so there are no gotchas.
I agree completely. This whole project has moved far too fast for appropriate planning.
My recommendation would be to use option 1. Option 2 causes problems for the users in the Onprem Exchange. They will not be able to send emails to those distribution groups in Office 365 as it will not match between the two environments. The AAD Sync is about every 30 minutes so it should not be that bad.
I'm leaning toward the first option as well.
-
@Dashrender said in Managing Distribution Groups in an Exchange Hybrid Environment:
Here's a better question - have you limited who can make groups in Exchange/Teams/Sharepoint, etc?
I'm looking to start an O365 migration relatively soon, and I think this is one thing I will do - limit creation to only a few.
We should be. It's something I need to verify.
-
@EddieJennings said in Managing Distribution Groups in an Exchange Hybrid Environment:
@Dashrender said in Managing Distribution Groups in an Exchange Hybrid Environment:
Here's a better question - have you limited who can make groups in Exchange/Teams/Sharepoint, etc?
I'm looking to start an O365 migration relatively soon, and I think this is one thing I will do - limit creation to only a few.
We should be. It's something I need to verify.
It's not the default. By default anyone can add any group they want - and add users to those groups of anyone (i.e. email addresses not in your company) which ends up making your user list a giant mess (at least in my opinion).
-
@Dashrender said in Managing Distribution Groups in an Exchange Hybrid Environment:
Man.. Ditch local outlook - move to outlook on the web only.. huge problems solved.
I wish we could do that. The amount of time it would take for top-down buy-in for that far exceeds how long I'll be at this company.
-
@Dashrender said in Managing Distribution Groups in an Exchange Hybrid Environment:
@EddieJennings said in Managing Distribution Groups in an Exchange Hybrid Environment:
@Dashrender said in Managing Distribution Groups in an Exchange Hybrid Environment:
Here's a better question - have you limited who can make groups in Exchange/Teams/Sharepoint, etc?
I'm looking to start an O365 migration relatively soon, and I think this is one thing I will do - limit creation to only a few.
We should be. It's something I need to verify.
It's not the default. By default anyone can add any group they want - and add users to those groups of anyone (i.e. email addresses not in your company) which ends up making your user list a giant mess (at least in my opinion).
That I know (it not being the default). And yes, it will lead to a giant mess.
-
@EddieJennings said in Managing Distribution Groups in an Exchange Hybrid Environment:
@Dashrender said in Managing Distribution Groups in an Exchange Hybrid Environment:
Man.. Ditch local outlook - move to outlook on the web only.. huge problems solved.
I wish we could do that. The amount of time it would take for top-down buy-in for that far exceeds how long I'll be at this company.
That's unfortunate. I have half of docs doing this already, the other half shouldn't be that hard (they only have Local Outlook on their office computers anyhow, which they rarely use), otherwise it's webmail and phones.
Now the big pushback will be MFA.
-
@Dashrender said in Managing Distribution Groups in an Exchange Hybrid Environment:
That's unfortunate. I have half of docs doing this already, the other half shouldn't be that hard (they only have Local Outlook on their office computers anyhow, which they rarely use), otherwise it's webmail and phones.
Now the big pushback will be MFA.
Irony = We use DUO for MFA and that buy-in wasn't too terrible. But it helped that we had an incident a couple of years ago that helped bang the drum of "MFA is a good idea."
-
@EddieJennings said in Managing Distribution Groups in an Exchange Hybrid Environment:
@Dashrender said in Managing Distribution Groups in an Exchange Hybrid Environment:
That's unfortunate. I have half of docs doing this already, the other half shouldn't be that hard (they only have Local Outlook on their office computers anyhow, which they rarely use), otherwise it's webmail and phones.
Now the big pushback will be MFA.
Irony = We use DUO for MFA and that buy-in wasn't too terrible. But it helped that we had an incident a couple of years ago that helped bang the drum of "MFA is a good idea."
Definitely helpful. We have a few that won't have much of an issue with it - but we have others - if they don't have a shortcut, they can't find the interwebs...
-
@EddieJennings DUO MFA doesn't work for clients such as Outlook and Mobile Email application so it is not helpful for it. It only works on OWA. Office 365 MFA does apply to all clients.
-
@dbeato said in Managing Distribution Groups in an Exchange Hybrid Environment:
@EddieJennings DUO MFA doesn't work for clients such as Outlook and Mobile Email application so it is not helpful for it. It only works on OWA. Office 365 MFA does apply to all clients.
We are using DUO MFA with Outlook, Outlook App on mobile, and built-in Apple mail app.
-
@dbeato : If you're using Azure AD P1 or above and a Duo Access Gateway, then DUO can fully replace Outlook's "modern authentication" routine.
https://duo.com/docs/o365
-
@manxam said in Managing Distribution Groups in an Exchange Hybrid Environment:
@dbeato : If you're using Azure AD P1 or above and a Duo Access Gateway, then DUO can fully replace Outlook's "modern authentication" routine.
https://duo.com/docs/o365
Yeah, that is for Office 365, I am talking on Exchange on Prem (Which is part of a Hybrid Environment).
-
I ought to have clarified. DUO MFA comes into play with Outlook for our mailboxes that are in Exchange Online. On-prem mailboxes (the few we have left) aren't subject to DUO.
-
@EddieJennings said in Managing Distribution Groups in an Exchange Hybrid Environment:
I ought to have clarified. DUO MFA comes into play with Outlook for our mailboxes that are in Exchange Online. On-prem mailboxes (the few we have left) aren't subject to DUO.
Are those that are left on prem - are they actual users? If so, I'm curious why they can't be migrated?
-
@Dashrender said in Managing Distribution Groups in an Exchange Hybrid Environment:
@EddieJennings said in Managing Distribution Groups in an Exchange Hybrid Environment:
I ought to have clarified. DUO MFA comes into play with Outlook for our mailboxes that are in Exchange Online. On-prem mailboxes (the few we have left) aren't subject to DUO.
Are those that are left on prem - are they actual users? If so, I'm curious why they can't be migrated?
Eventually all users will be migrated, so, yes, we still have real users on-prem.
This is outside the scope of the original question / scenario, but I've learned a good bit during this process with much of that learning validating a few things I already knew, such as the value of taking the necessary time to plan, and prep the environment for migration (removing unnecessary objects, etc.).