
Configure Microsoft 365 groups in Exchange Hybrid

We have set up an Exchange Hybrid configuration and now want to let the organization use Microsoft 365 groups. That’s one of the checks in the Exchange Hybrid test plan checklist. The goal is that Exchange on-premises mailboxes can use Microsoft 365 groups too, not only Exchange Online mailboxes. In this article, you will learn how to configure Microsoft 365 groups with on-premises Exchange Hybrid.

Microsoft 365 groups

Microsoft 365 Groups service enables teams to communicate, schedule meetings, and collaborate on documents more efficiently. All information shared with a group, from email messages sent to the group, to files stored in the group’s OneDrive for Business or SharePoint libraries, is available to any member of a group.

If you’ve configured a hybrid deployment between your on-premises Exchange organization and Microsoft 365 or Office 365, you can make groups that are created in Microsoft 365 or Office 365 available to your on-premises users by following the steps in this article.

Prerequisites

You need to meet the following prerequisites before you configure Microsoft 365 groups in Exchange Hybrid:

  1. Azure AD Premium P1 or P2 license
  2. Exchange Hybrid deployment
  3. Exchange Server 2013 CU13 and higher/Exchange Server 2016 CU1 and higher/Exchange Server 2019
  4. Configured Single Sign-On (SSO) using Azure AD Connect

Note: Always keep your Exchange Server up to date with the latest Cumulative Update and Security Update.

Enable group writeback in Azure AD Connect

To enable group writeback in Azure AD Connect, follow the below steps:

Sign in to the Azure AD Connect server.

Start Azure AD Connect. Click Configure.

Azure AD Connect configure

Click on Customize synchronization options. Click Next.

Azure AD Connect customize synchronization options

Fill in your Azure AD global administrator or hybrid identity administrator credentials. Click Next.

Connect to Azure AD with credentials

Check the checkbox Group writeback. Click Next.

Enable group writeback in Azure AD Connect

Select the on-premises destination for group writeback. Check the checkbox Writeback Group Distinguished Name with cloud Display Name. Click Next.

In our example, we will select the on-premises organizational unit Groups.

Select on-premises destination for group writeback

Enter the Enterprise Admin credentials to let Azure AD Connect set the necessary permissions for you. Click Next.

Group writeback permissions

Check the checkbox Start the synchronization process when configuration completes. Click Configure.

Start synchronization process when configuration completes

Click on Exit.

Azure AD Connect configuration complete

Configure group domain

Add the group domain in the Microsoft 365 admin center and create its records in Public DNS by following the steps below:

Add domain in Microsoft 365 admin center

Fill in the groups domain. Click Use this domain.

In our example, it’s groups.exoip.com.

Add groups domain

Click on Continue.

Connect your domain

Copy the MX record, CNAME record, and TXT record.

Microsoft 365 domain records

Sign in to the Public DNS and fill in the copied MX, CNAME, and TXT records.

Add Microsoft 365 records to Public DNS

Go back to the add domain wizard in Microsoft 365 admin center. Click on Continue.

Microsoft 365 domain records continue

The domain setup will be complete. Click Done.

Domain setup complete

The domain groups.exoip.com appears in the Microsoft 365 domains list.

groups domain added to domains list

Add group domain as accepted domain

Add the group domain as an accepted domain in the Exchange Server on-premises organization.

Sign in to Exchange Server on-premises. Run Exchange Management Shell as administrator. Run the below command.

[PS] C:\>New-AcceptedDomain -Name "groups.exoip.com" -DomainName "groups.exoip.com" -DomainType InternalRelay

Name                           DomainName                     DomainType                   Default
----                           ----------                     ----------                   -------
groups.exoip.com               groups.exoip.com               InternalRelay                False

Add group domain to hybrid send connector

Run the Get-SendConnector cmdlet to get the hybrid send connector name.

[PS] C:\>Get-SendConnector

Identity                                                      AddressSpaces                          Enabled
--------                                                      -------------                          -------
SpamBullOut                                                   {SMTP:*;1}                             True
Outbound to Office 365 - aa7665fd-f66d-4c4a-8b17-4f6eccd6a45c {smtp:exoip365.mail.onmicrosoft.com;1} True

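Add the group domain to the hybrid send connector, created by the Hybrid Configuration Wizard in your on-premises Exchange organization, using the Set-SendConnector cmdlet. The -AddressSpaces value replaces the connector's current list, so include the existing address space along with the group domain.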

[PS] C:\>Set-SendConnector -Identity "Outbound to Office 365 - aa7665fd-f66d-4c4a-8b17-4f6eccd6a45c" -AddressSpaces "exoip365.mail.onmicrosoft.com","groups.exoip.com"

Run the Get-SendConnector cmdlet to verify that the group domain was added successfully to the hybrid send connector.

[PS] C:\>Get-SendConnector -Identity Outbound* | select Identity,AddressSpaces | fl


Identity      : Outbound to Office 365 - aa7665fd-f66d-4c4a-8b17-4f6eccd6a45c
AddressSpaces : {smtp:groups.exoip.com;1, smtp:exoip365.mail.onmicrosoft.com;1}

Important: Port 25 must be allowed from and to the on-premises Exchange Server to ensure that mail flow will work when sending an email to the Microsoft 365 group. Read more in the article Exchange Hybrid firewall ports.
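
The following is an added example, not code from the original article: a helper that shows which enabled send connector would carry mail for a domain, using a simplified model of connector selection (most specific address space first, then lowest cost). The function name Get-ConnectorForDomain and the sample objects are assumptions constructed from the Get-SendConnector output above; in the "before" data only the * connector (SpamBullOut) matches groups.exoip.com, while in the "after" data the hybrid connector does.

```powershell
# Added example: which enabled send connector carries mail for a domain.
# Simplified model: most specific SMTP address space wins, then lowest cost.
function Get-ConnectorForDomain {
    param(
        [Parameter(Mandatory)] [object[]] $Connector,  # needs Identity, Enabled, AddressSpaces
        [Parameter(Mandatory)] [string]   $Domain
    )
    $candidates = foreach ($c in $Connector) {
        if (-not $c.Enabled) { continue }
        foreach ($space in $c.AddressSpaces) {
            # Address space text looks like "smtp:groups.exoip.com;1"
            if ("$space" -match '^smtp:(?<addr>[^;]+);(?<cost>\d+)$') {
                $addr = $Matches['addr']
                $cost = [int]$Matches['cost']
                # "*" and "*.domain" are wildcards; anything else must match exactly
                if ($Domain -like $addr) {
                    [pscustomobject]@{
                        Identity     = $c.Identity
                        AddressSpace = $addr
                        Cost         = $cost
                        Specificity  = ($addr -replace '^\*\.?', '').Length
                    }
                }
            }
        }
    }
    $candidates |
        Sort-Object @{ Expression = 'Specificity'; Descending = $true }, @{ Expression = 'Cost'; Descending = $false } |
        Select-Object -First 1
}

# Constructed sample data mirroring the article's connector list (before and after the change)
$hybrid = 'Outbound to Office 365 - aa7665fd-f66d-4c4a-8b17-4f6eccd6a45c'
$before = @(
    [pscustomobject]@{ Identity = 'SpamBullOut'; Enabled = $true; AddressSpaces = @('SMTP:*;1') }
    [pscustomobject]@{ Identity = $hybrid; Enabled = $true; AddressSpaces = @('smtp:exoip365.mail.onmicrosoft.com;1') }
)
$after = @(
    $before[0]
    [pscustomobject]@{ Identity = $hybrid; Enabled = $true
                       AddressSpaces = @('smtp:groups.exoip.com;1', 'smtp:exoip365.mail.onmicrosoft.com;1') }
)
Get-ConnectorForDomain -Connector $before -Domain 'groups.exoip.com'
Get-ConnectorForDomain -Connector $after  -Domain 'groups.exoip.com'
# Live use in the Exchange Management Shell:
#   Get-ConnectorForDomain -Connector (Get-SendConnector) -Domain 'groups.exoip.com'
```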

Create Microsoft 365 group

To create a Microsoft 365 group in Exchange Online, follow these steps:

Add Microsoft 365 group in Exchange admin center

Choose the group type Microsoft 365 (recommended). Click Next.

Choose group type Microsoft 365

Fill in the name Test M365 Group. Click Next.

Fill in Microsoft 365 group name

Assign the Microsoft 365 global administrator as an owner. Click Next.

Assign owners to Microsoft 365 group

Add an Exchange on-premises mailbox user and Exchange Online mailbox user as members to the Microsoft 365 group. Click Next.

Add members to Microsoft 365 group

Finish the add group wizard.

Verify Microsoft 365 groups in AD on-premises

Force an Azure AD Connect sync, or wait up to 30 minutes for the next automatic sync to run.

PS C:\> Start-ADSyncSyncCycle -PolicyType Delta

Start Active Directory Users and Computers and verify that the Microsoft 365 group appears.

Microsoft 365 group in on-premises AD

Double-click the group and verify the e-mail field.

Microsoft 365 group email

Click on the Members tab and verify that both the Exchange on-premises user mailbox and Exchange Online user mailbox appear.

Microsoft 365 group members

Create forward lookup zone for group domain

Configure a forward lookup zone for the group domain on the on-premises DNS server by following the below steps:

Start DNS Manager and create a new forward lookup zone.

In our example, it’s the primary zone groups.exoip.com.

Create forward lookup zone for group domain

Create a new MX record in the internal DNS. Fill in the FQDN, which is the Microsoft 365 MX address you copied earlier.

MX record internal DNS

Create a new CNAME record in the internal DNS. Fill in the alias name autodiscover and the FQDN autodiscover.outlook.com.

CNAME record internal DNS

This is what the records look like in the forward lookup zone.

Forward lookup zone internal DNS

Test Microsoft 365 group

Verify that Microsoft 365 groups work in the Exchange Hybrid configuration.

Sign in to Outlook with the Exchange Online mailbox user. The Microsoft 365 group is automatically added to the groups section for the assigned member.

Click on the Test M365 Group. Click on New Email.

New email to M365 group

Ensure that the Test M365 Group shows in the To… field. Click Send.

Send email to M365 group

The email will arrive in the Test M365 Group.

Email arrival in M365 group

Sign in to Outlook with the Exchange on-premises mailbox user and verify that the email was delivered successfully.

Email arrives in on-premises mailbox user

Reply to the email and ensure that the Test M365 Group appears in the To… field. Click Send.

Reply email to M365 group

The email reply will arrive in the Test M365 Group mailbox.


Conclusion

You learned how to configure Microsoft 365 groups in Exchange Hybrid. Go through the steps and don’t miss any of them. Ensure that you send an email to the Microsoft 365 group from both the Exchange on-premises mailbox and the Exchange Online mailbox.


ALI TAJRAN
