Configure Microsoft 365 groups in Exchange Hybrid
We configured Exchange Hybrid and now want to let the organization use Microsoft 365 groups. That's one of the checks in the Exchange Hybrid test plan checklist: Exchange on-premises mailboxes, not only Exchange Online mailboxes, should be able to use Microsoft 365 groups. In this article, you will learn how to configure Microsoft 365 groups with on-premises Exchange Hybrid.
Table of contents
- Microsoft 365 groups
- Prerequisites
- Enable group writeback in Microsoft Entra Connect
- Configure group domain
- Add group domain as accepted domain
- Add group domain to hybrid send connector
- Create Microsoft 365 group
- Add Microsoft 365 group primary email address
- Verify Microsoft 365 groups in AD on-premises
- Create forward lookup zone for group domain
- Test Microsoft 365 group
- Conclusion
Microsoft 365 groups
The Microsoft 365 Groups service enables teams to communicate, schedule meetings, and collaborate on documents more efficiently. All information shared with a group, from email messages sent to the group to files stored in the group's OneDrive for Business or SharePoint libraries, is available to any member of the group.
Suppose you’ve configured a hybrid deployment between your on-premises Exchange organization and Microsoft 365 or Office 365. In that case, you can make groups that are created in Microsoft 365 or Office 365 available to your on-premises users by following the steps in this article.
Prerequisites
You need to meet the below prerequisites before you configure Microsoft 365 groups in Exchange Hybrid:
- Entra ID P1 or P2
- Exchange Hybrid deployment
- Exchange Server 2013 CU13 and higher/Exchange Server 2016 CU1 and higher/Exchange Server 2019
- Configured Single Sign-On (SSO) using Azure AD Connect
Note: Always keep your Exchange Server up to date with the latest Cumulative Update and Security Update.
Enable group writeback in Microsoft Entra Connect
To enable group writeback in Microsoft Entra Connect Sync, follow the steps in the article How to enable Group Writeback in Microsoft Entra Connect Sync.
Configure group domain
Add the group domain to Microsoft 365 admin center and the records in Public DNS by following the below steps:
- Sign in to Microsoft 365 admin center.
- Expand Settings and click on Domains.
- Click on Add domain.
- Fill in the groups domain.
- Click Use this domain.
In our example, it’s groups.exoip.com.
- Click on Continue.
- Copy the MX record, CNAME record, and TXT record.
- Sign in to the Public DNS.
- Fill in the copied MX, CNAME, and TXT records.
- Return to the add domain wizard in the Microsoft 365 admin center and click Continue.
- The domain setup will be complete.
- Click Done.
- Verify that the domain groups.exoip.com appears in the Microsoft 365 domains list.
Add group domain as accepted domain
Add the group domain as an accepted domain in the Exchange Server on-premises organization.
Sign in to Exchange Server on-premises. Run Exchange Management Shell as administrator. Run the New-AcceptedDomain cmdlet to create a new accepted domain.
New-AcceptedDomain -Name "groups.exoip.com" -DomainName "groups.exoip.com" -DomainType InternalRelay
The PowerShell output appears.
Name DomainName DomainType Default
---- ---------- ---------- -------
groups.exoip.com groups.exoip.com InternalRelay False
Add group domain to hybrid send connector
Run the Get-SendConnector cmdlet to get the hybrid send connector name.
Get-SendConnector
The output result appears.
Identity AddressSpaces Enabled
-------- ------------- -------
SpamBullOut {SMTP:*;1} True
Outbound to Office 365 - aa7665fd-f66d-4c4a-8b17-4f6eccd6a45c {smtp:exoip365.mail.onmicrosoft.com;1} True
Add the group domain to the hybrid send connector, created by the Hybrid Configuration Wizard in your on-premises Exchange organization, using the Set-SendConnector cmdlet.
Set-SendConnector -Identity "Outbound to Office 365 - aa7665fd-f66d-4c4a-8b17-4f6eccd6a45c" -AddressSpaces "exoip365.mail.onmicrosoft.com","groups.exoip.com"
Run Get-SendConnector again to verify that the group domain was added to the hybrid send connector.
Get-SendConnector -Identity Outbound* | select Identity,AddressSpaces | fl
The output appears.
Identity : Outbound to Office 365 - aa7665fd-f66d-4c4a-8b17-4f6eccd6a45c
AddressSpaces : {smtp:groups.exoip.com;1, smtp:exoip365.mail.onmicrosoft.com;1}
Important: Port 25 must be allowed between the on-premises Exchange Server and Microsoft 365/Office 365 to ensure that mail flow will work when sending an email to the Microsoft 365 group. Read more in the article Exchange Hybrid firewall ports.
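As an added example (not code from the original article), the following script, run in the Exchange Management Shell, performs the accepted-domain and send-connector steps above idempotently and verifies the result. It merges the group domain into the connector's existing address spaces (Set-SendConnector -AddressSpaces replaces the whole list), and it checks that the group domain's MX host answers on port 25. The domain name, the connector name pattern and the MX lookup are assumptions for the example.

```powershell
# Added example: idempotent configuration and verification of the group domain
# on Exchange on-premises. Run in Exchange Management Shell as administrator.
# Assumed values; replace them with your own.
$GroupDomain   = "groups.exoip.com"
$ConnectorName = "Outbound to Office 365*"   # hybrid connector created by the HCW

# 1. Accepted domain: create it as InternalRelay only if it is missing.
#    InternalRelay means on-premises accepts mail for the domain and relays
#    recipients it does not know to Exchange Online instead of rejecting them.
$accepted = Get-AcceptedDomain -Identity $GroupDomain -ErrorAction SilentlyContinue
if (-not $accepted) {
    New-AcceptedDomain -Name $GroupDomain -DomainName $GroupDomain -DomainType InternalRelay | Out-Null
} elseif ($accepted.DomainType -ne "InternalRelay") {
    Write-Warning "$GroupDomain exists with DomainType $($accepted.DomainType); expected InternalRelay."
}

# 2. Hybrid send connector: merge the group domain into the existing address spaces.
#    Read the current entries first so the tenant's *.mail.onmicrosoft.com space is kept.
$connector = @(Get-SendConnector | Where-Object { $_.Name -like $ConnectorName })
if ($connector.Count -ne 1) {
    throw "Expected exactly one send connector matching '$ConnectorName', found $($connector.Count)."
}
$connector = $connector[0]
$current = @($connector.AddressSpaces | ForEach-Object { $_.Address })
if ($current -notcontains $GroupDomain) {
    Set-SendConnector -Identity $connector.Identity -AddressSpaces ($current + $GroupDomain)
}

# 3. Verify: the connector lists the group domain, and the domain's lowest-preference
#    MX host (the Exchange Online Protection endpoint in public DNS) accepts TCP 25.
$verify = Get-SendConnector -Identity $connector.Identity |
          ForEach-Object { $_.AddressSpaces } | ForEach-Object { $_.Address }
"Address spaces: $($verify -join ', ')"
$mx = Resolve-DnsName -Name $GroupDomain -Type MX -ErrorAction Stop |
      Where-Object { $_.QueryType -eq "MX" } | Sort-Object Preference | Select-Object -First 1
$reachable = Test-NetConnection -ComputerName $mx.NameExchange -Port 25 -InformationLevel Quiet
if ($reachable) { "Port 25 to $($mx.NameExchange) is open." }
else { Write-Warning "Port 25 to $($mx.NameExchange) is blocked; mail to the group will not leave on-premises." }
```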
Create Microsoft 365 group
To create a Microsoft 365 group in Exchange Online, follow these steps:
- Sign in to Microsoft 365 Exchange admin center.
- Click on Recipients > Groups.
- Click on Add a group.
- Select Microsoft 365 (recommended).
- Click Next.
- Fill in the group name. In our example, Test M365 Group.
- Click Next.
- Assign an owner.
- Add an Exchange on-premises mailbox user and Exchange Online mailbox user as members to the Microsoft 365 group.
- Fill in the group email address.
- Click Next.
Note: The Microsoft 365 Exchange admin center is not yet ready for selecting the @groups subdomain when creating a Microsoft 365 group, and you will need to change this in the next step.
- Click Create group.
- Click Close.
Add Microsoft 365 group primary email address
After you add the group, you need to add and change the primary SMTP to @groups.domain.com because the Microsoft 365 Exchange admin center is not yet ready for selecting a subdomain when creating a Microsoft 365 group.
- Click on the Microsoft 365 group from the list.
- Select Edit.
- Add the @groups.domain.com primary SMTP address.
- Click Save changes.
- Verify that the Microsoft 365 group appears with the groups.domain.com primary SMTP address.
Verify Microsoft 365 groups in AD on-premises
Force a sync in Microsoft Entra Connect, or wait up to 30 minutes for the scheduled sync to run.
Start-ADSyncSyncCycle -PolicyType Delta
Start Active Directory Users and Computers and verify that the Microsoft 365 group appears.
Double-click the group and verify the e-mail field.
Click on the Members tab and verify that both the Exchange on-premises user mailbox and Exchange Online user mailbox appear.
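The same verification from PowerShell, as an added example that is not part of the original article: it forces a delta sync, waits until the connectors are idle, then checks that the written-back group exists in AD with the expected primary SMTP address and members. It assumes the Entra Connect server has the ActiveDirectory RSAT module installed; the group address and member UPNs are constructed values.

```powershell
# Added example: confirm group writeback in AD on-premises after a delta sync.
# Run on the Microsoft Entra Connect server. Assumed values; replace with your own.
$GroupSmtp = "testm365group@groups.exoip.com"
$Expected  = @("onprem.user@exoip.com", "online.user@exoip.com")   # one on-prem, one online mailbox

Import-Module ADSync
Import-Module ActiveDirectory   # assumes RSAT AD PowerShell is installed on this server

Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
# Get-ADSyncConnectorRunStatus returns one entry per busy connector; empty means idle.
do { Start-Sleep -Seconds 10 } while (Get-ADSyncConnectorRunStatus)

$group = Get-ADGroup -Filter "mail -eq '$GroupSmtp'" -Properties mail, proxyAddresses, member
if (-not $group) {
    throw "Group $GroupSmtp was not written back to AD; check the writeback OU and group scope."
}

# The primary SMTP address is the upper-case "SMTP:" entry in proxyAddresses.
$primary = $group.proxyAddresses | Where-Object { $_ -clike "SMTP:*" }
"Primary SMTP: $primary"
if ($primary -ne "SMTP:$GroupSmtp") { Write-Warning "Primary SMTP differs from $GroupSmtp." }

# Members are the synced AD user objects; compare by UPN against the expected list.
$members = Get-ADGroupMember -Identity $group |
           ForEach-Object { (Get-ADUser -Identity $_.DistinguishedName).UserPrincipalName }
foreach ($m in $Expected) {
    if ($members -contains $m) { "Member present: $m" } else { Write-Warning "Member missing: $m" }
}
```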
Create forward lookup zone for group domain
Configure a forward lookup zone for the group domain on the on-premises DNS server by following the below steps:
Start DNS Manager and create a new forward lookup zone.
In our example, it’s the primary zone groups.exoip.com.
Create a new MX record in the internal DNS. Fill in the FQDN, which is the Microsoft 365 MX address you copied earlier.
Create a new CNAME record in the internal DNS. Fill in the alias name autodiscover and the FQDN autodiscover.outlook.com.
This is what the records look like in the forward lookup zone.
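As an added example (not from the original article), the DNS steps above with the DnsServer PowerShell module on the on-premises DNS server, followed by a check that the internal zone returns the same MX target as public DNS. The MX host is a placeholder for the value copied from the Microsoft 365 admin center, and the public resolver address is an assumption.

```powershell
# Added example: create the internal forward lookup zone for the group domain
# and verify it matches public DNS. Run on a writable on-premises DNS server.
$GroupDomain = "groups.exoip.com"
$MxHost      = "<tenant>.mail.protection.outlook.com"   # placeholder: use the MX copied from M365
$PublicDns   = "1.1.1.1"                                # any public resolver, for comparison only

Import-Module DnsServer

# The zone is a split-brain copy: internally only the records added here exist, so any
# other public hostnames under the group domain would stop resolving on-premises.
if (-not (Get-DnsServerZone -Name $GroupDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $GroupDomain -ReplicationScope Domain
}

# MX at the zone apex ("." is the zone itself) pointing at Exchange Online Protection.
if (-not (Get-DnsServerResourceRecord -ZoneName $GroupDomain -RRType MX -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordMX -ZoneName $GroupDomain -Name "." -MailExchange $MxHost -Preference 0
}

# Autodiscover CNAME so clients resolve the group domain to Exchange Online.
if (-not (Get-DnsServerResourceRecord -ZoneName $GroupDomain -Name "autodiscover" -RRType CName -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordCName -ZoneName $GroupDomain -Name "autodiscover" -HostNameAlias "autodiscover.outlook.com"
}

# Verification: internal and public MX must agree, otherwise on-premises and
# Exchange Online would route mail for the group domain differently.
function Get-MxTarget([string]$Server) {
    (Resolve-DnsName -Name $GroupDomain -Type MX -Server $Server -ErrorAction Stop |
        Where-Object { $_.QueryType -eq "MX" } | Sort-Object Preference | Select-Object -First 1).NameExchange
}
$internalMx = Get-MxTarget -Server "127.0.0.1"
$publicMx   = Get-MxTarget -Server $PublicDns
if ($internalMx -ne $publicMx) {
    Write-Warning "MX mismatch: internal=$internalMx public=$publicMx"
} else {
    "MX consistent: $internalMx"
}
```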
Test Microsoft 365 group
Verify that Microsoft 365 groups work in the Exchange Hybrid configuration.
Sign in to Outlook with the Exchange Online mailbox user. The Microsoft 365 group automatically appears in the Groups section for the assigned member.
Click on the Test M365 Group. Click on New Email.
Ensure that the Test M365 Group shows in the To… field. Click Send.
The email will arrive in the Test M365 Group.
Sign in to Outlook with the Exchange on-premises mailbox user and verify that the email was delivered successfully.
Reply to the email and ensure the Test M365 Group appears in the To… field. Click Send.
The email reply will arrive in the Test M365 Group mailbox.
Conclusion
You learned how to configure Microsoft 365 groups in Exchange Hybrid. Go through the steps, and don’t miss any of them. Ensure you send an email to the Microsoft 365 group from the Exchange on-premises and Exchange Online mailbox.
Hello and thank you so much for all of your work on this site!
To further this question, in this post you did not mention needing the subdomain or the DNS work: https://www.alitajran.com/group-writeback-microsoft-entra-connect-sync/
It seems you are accomplishing the same goal in both posts, but in this one you are using a subdomain and doing DNS work, whereas in the linked post above, you did not use a subdomain or do DNS work.
Can you help me understand, if my goal is to use Entra Connect Group Writeback v1 to have 365 Groups write back as distribution groups, is a subdomain and DNS work a necessity or not?
Thank you again Ali!
Hi Michael,
That is a good observation, and you’re correct. There are two guides.
Some need to set up group writeback so the organization can use the Microsoft 365 groups for mail flow (this article).
Suppose you will not use it for mail flow (as I can understand from you), a subdomain and DNS are not needed, and you can follow the guide you mentioned.
Dear Ali,
One thing confuses me: why did you make a new subdomain and do all the things like DNS?
Is it required to make a new Microsoft 365 group?
For mail flow to work for groups between the two organizations, we need to establish an additional domain name. Microsoft recommends adding a dedicated subdomain called “groups”.
That's a very nice guide, thank you!
What about these groups, are they going to appear in the Global Address List? Or are they excluded?
If they appear in GAL it would be an issue because every user that creates a group can appear in the GAL.
For Exchange on-premises users, it will NOT appear in the GAL.
For Exchange Online users, it will appear in the GAL.
If you don’t want the group to appear in the GAL for the Exchange Online users, you can hide it.