Configure Microsoft 365 groups in Exchange Hybrid
We configured an Exchange Hybrid deployment and now want to let the organization use Microsoft 365 groups. That’s one of the checks in the Exchange Hybrid test plan checklist. The goal is that Exchange on-premises mailboxes can use Microsoft 365 groups too, not only Exchange Online mailboxes. In this article, you will learn how to configure Microsoft 365 groups with on-premises Exchange Hybrid.
Table of contents
- Microsoft 365 groups
- Prerequisites
- Enable group writeback in Azure AD Connect
- Configure group domain
- Add group domain as accepted domain
- Add group domain to hybrid send connector
- Create Microsoft 365 group
- Verify Microsoft 365 groups in AD on-premises
- Create forward lookup zone for group domain
- Test Microsoft 365 group
- Conclusion
Microsoft 365 groups
Microsoft 365 Groups service enables teams to communicate, schedule meetings, and collaborate on documents more efficiently. All information shared with a group, from email messages sent to the group, to files stored in the group’s OneDrive for Business or SharePoint libraries, is available to any member of a group.
If you’ve configured a hybrid deployment between your on-premises Exchange organization and Microsoft 365 or Office 365, you can make groups that are created in Microsoft 365 or Office 365 available to your on-premises users by following the steps in this article.
Prerequisites
You need to meet the below prerequisites before you configure Microsoft 365 groups in Exchange Hybrid:
- Azure AD Premium P1 or P2 license
- Exchange Hybrid deployment
- Exchange Server 2013 CU13 and higher/Exchange Server 2016 CU1 and higher/Exchange Server 2019
- Configured Single Sign-On (SSO) using Azure AD Connect
Note: Always keep your Exchange Server up to date with the latest Cumulative Update and Security Update.
Enable group writeback in Azure AD Connect
To enable group writeback in Azure AD Connect, follow the below steps:
Sign in to Azure AD Connect server.
Start Azure AD Connect. Click Configure.
Click on Customize synchronization options. Click Next.
Fill in your Azure AD global administrator or hybrid identity administrator credentials. Click Next.
Check the checkbox Group writeback. Click Next.
Select the on-premises destination for group writeback. Check the checkbox Writeback Group Distinguished Name with cloud Display Name. Click Next.
In our example, we will select the on-premises organizational unit Groups.
Enter the Enterprise Admin credentials to let Azure AD Connect set the necessary permission for you. Click Next.
Check the checkbox Start the synchronization process when configuration completes. Click Configure.
Click on Exit.
Configure group domain
Add the group domain to Microsoft 365 admin center and the records in Public DNS by following the below steps:
- Sign in to Microsoft 365 Exchange Admin Center
- Expand Settings and click on Domains
- Click on Add domain
Fill in the groups domain. Click Use this domain.
In our example, it’s groups.exoip.com.
Click on Continue.
Copy the MX record, CNAME record, and TXT record.
Sign in to the Public DNS and fill in the copied MX, CNAME, and TXT records.
Go back to the add domain wizard in Microsoft 365 admin center. Click on Continue.
The domain setup will be complete. Click Done.
The domain groups.exoip.com appears in the Microsoft 365 domains list.
Add group domain as accepted domain
Add the group domain as an accepted domain in the Exchange Server on-premises organization.
Sign in to Exchange Server on-premises. Run Exchange Management Shell as administrator. Run the below command.
[PS] C:\>New-AcceptedDomain -Name "groups.exoip.com" -DomainName "groups.exoip.com" -DomainType InternalRelay
Name DomainName DomainType Default
---- ---------- ---------- -------
groups.exoip.com groups.exoip.com InternalRelay False
Add group domain to hybrid send connector
Run the Get-SendConnector cmdlet to get the hybrid send connector name.
[PS] C:\>Get-SendConnector
Identity AddressSpaces Enabled
-------- ------------- -------
SpamBullOut {SMTP:*;1} True
Outbound to Office 365 - aa7665fd-f66d-4c4a-8b17-4f6eccd6a45c {smtp:exoip365.mail.onmicrosoft.com;1} True
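Add the group domain to the hybrid send connector, created by the Hybrid Configuration Wizard in your on-premises Exchange organization, using the Set-SendConnector cmdlet. The -AddressSpaces value replaces the connector's existing list, so include the existing address space together with the group domain.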
[PS] C:\>Set-SendConnector -Identity "Outbound to Office 365 - aa7665fd-f66d-4c4a-8b17-4f6eccd6a45c" -AddressSpaces "exoip365.mail.onmicrosoft.com","groups.exoip.com"
Run the Get-SendConnector to verify the group domain is added successfully to the hybrid send connector.
[PS] C:\>Get-SendConnector -Identity Outbound* | select Identity,AddressSpaces | fl
Identity : Outbound to Office 365 - aa7665fd-f66d-4c4a-8b17-4f6eccd6a45c
AddressSpaces : {smtp:groups.exoip.com;1, smtp:exoip365.mail.onmicrosoft.com;1}
Important: Port 25 must be allowed from and to the on-premises Exchange Server to ensure that mail flow will work when sending an email to the Microsoft 365 group. Read more in the article Exchange Hybrid firewall ports.
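The following is an added example, not part of the original article: it appends the group domain to the hybrid send connector without overwriting the address spaces already on it, and does nothing if the domain is already present. The connector name prefix and the domain are the article's example values; the wildcard guard is an extra check added here.

```powershell
# Added example. Run in the Exchange Management Shell on-premises.
# $GroupDomain is the article's example value; adjust for your organization.
$GroupDomain = 'groups.exoip.com'

# Locate the connector created by the Hybrid Configuration Wizard by its name prefix.
$found = @(Get-SendConnector | Where-Object { $_.Name -like 'Outbound to Office 365*' })
if ($found.Count -ne 1) {
    throw "Expected exactly one hybrid send connector, found $($found.Count)."
}
$connector = $found[0]

# Current address spaces as strings, e.g. 'smtp:exoip365.mail.onmicrosoft.com;1'.
$current = @($connector.AddressSpaces | ForEach-Object { $_.ToString() })

# Guard: a wildcard space on this connector would send all outbound mail through it.
if ($current -match '^smtp:\*;') {
    throw "Connector '$($connector.Name)' has a wildcard address space; review it first."
}

$pattern = '^smtp:' + [regex]::Escape($GroupDomain) + ';'
if ($current -match $pattern) {
    Write-Output "$GroupDomain is already present; nothing to change."
}
else {
    # Append instead of overwrite so the existing address spaces are preserved.
    $updated = $current + "smtp:$GroupDomain;1"
    # -WhatIf only previews the change; remove it after reviewing the output.
    Set-SendConnector -Identity $connector.Identity -AddressSpaces $updated -WhatIf
}

# Show the resulting configuration for the change record.
Get-SendConnector -Identity $connector.Identity |
    Format-List Identity, AddressSpaces, Enabled
```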
Create Microsoft 365 group
To create a Microsoft 365 group in Exchange Online, follow these steps:
- Sign in to Microsoft 365 Exchange admin center
- Click on Recipients > groups
- Click on New Microsoft 365 group
Note: Use the old Microsoft 365 Exchange admin center because the new Microsoft 365 Exchange admin center is not yet ready for selecting the @groups subdomain when creating a Microsoft 365 group.
Fill in the group information you want to create and click on Save.
In our example:
- Group name: Test M365 Group
- Group email address: testm365group
- Group subdomain from dropdown menu: groups.exoip.com
The group will be created, and it will show the group properties.
- Click on membership
- Add an Exchange on-premises mailbox user and Exchange Online mailbox user as members to the Microsoft 365 group
- Click Save
Verify Microsoft 365 groups in AD on-premises
Force an Azure AD Connect sync, or wait a maximum of 30 minutes for the next automatic sync to run.
PS C:\> Start-ADSyncSyncCycle -PolicyType Delta
Start Active Directory Users and Computers and verify that the Microsoft 365 group appears.
Double-click the group and verify the e-mail field.
Click on the Members tab and verify that both the Exchange on-premises user mailbox and Exchange Online user mailbox appear.
Create forward lookup zone for group domain
Configure a forward lookup zone for the group domain on the on-premises DNS server by following the below steps:
Start DNS Manager and create a new forward lookup zone.
In our example, it’s the primary zone groups.exoip.com.
Create a new MX record in the internal DNS. Fill in the FQDN, which is the Microsoft 365 MX address you copied earlier.
Create a new CNAME record in the internal DNS. Fill in the alias name autodiscover and the FQDN autodiscover.outlook.com.
This is what the records look like in the forward lookup zone.
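Once the internal forward lookup zone exists, the on-premises DNS server answers for the whole group domain itself, so any record that exists only in public DNS is no longer visible to internal clients. The following added example (not from the original article) compares the MX, autodiscover CNAME, and TXT answers from the internal and public servers; the two server names are placeholders to fill in.

```powershell
# Added example. $InternalDns and $PublicDns are placeholders (assumptions).
$GroupDomain = 'groups.exoip.com'          # article's example domain
$InternalDns = '<internal-dns-server>'
$PublicDns   = '<public-resolver>'

function Get-RecordData {
    param([string]$Name, [string]$Type, [string]$Server)
    # -DnsOnly skips LLMNR/NetBIOS so only the named DNS server is consulted.
    $answers = Resolve-DnsName -Name $Name -Type $Type -Server $Server `
        -DnsOnly -ErrorAction SilentlyContinue
    $values = foreach ($a in $answers) {
        # Keep only the record data of the requested type (ignores SOA etc.).
        switch ("$($a.QueryType)") {
            'MX'    { "$($a.Preference) $($a.NameExchange)" }
            'CNAME' { $a.NameHost }
            'TXT'   { $a.Strings -join '' }
        }
    }
    # Normalize to one sorted string so the two sides can be compared directly.
    (@($values) | Sort-Object -Unique) -join ' | '
}

$checks = @(
    @{ Name = $GroupDomain;                 Type = 'MX'    },
    @{ Name = "autodiscover.$GroupDomain";  Type = 'CNAME' },
    @{ Name = $GroupDomain;                 Type = 'TXT'   }
)

foreach ($c in $checks) {
    $internal = Get-RecordData -Name $c.Name -Type $c.Type -Server $InternalDns
    $public   = Get-RecordData -Name $c.Name -Type $c.Type -Server $PublicDns
    [pscustomobject]@{
        Name     = $c.Name
        Type     = $c.Type
        Internal = $internal
        Public   = $public
        Match    = ($internal -ne '' -and $internal -eq $public)
    }
}
```

A row with Match set to False and an empty Internal column means the internal zone is missing a record that exists in public DNS.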
Test Microsoft 365 group
Verify that Microsoft 365 groups work in the Exchange Hybrid configuration.
Sign in to Outlook with the Exchange Online mailbox user. The Microsoft 365 group is automatically added to the Groups section for each assigned member.
Click on the Test M365 Group. Click on New Email.
Ensure that the Test M365 Group shows in the To… field. Click Send.
The email will arrive in the Test M365 Group.
Sign in to Outlook with the Exchange on-premises mailbox user and verify that the email was delivered successfully.
Reply to the email and ensure that the Test M365 Group appears in the To… field. Click Send.
The email reply will arrive in the Test M365 Group mailbox.
Conclusion
You learned how to configure Microsoft 365 groups in Exchange Hybrid. Go through the steps and don’t miss any of them. Ensure that you send an email to the Microsoft 365 group from both the Exchange on-premises mailbox and the Exchange Online mailbox.