Configure Microsoft 365 groups in Exchange Hybrid

We configured an Exchange Hybrid deployment and now want to let the organization use Microsoft 365 groups, so that Exchange on-premises mailboxes can use them and not only Exchange Online mailboxes. That’s one of the checks we have in the Exchange Hybrid test plan checklist. In this article, you will learn how to configure Microsoft 365 groups with on-premises Exchange Hybrid.

Microsoft 365 groups

Microsoft 365 Groups service enables teams to communicate, schedule meetings, and collaborate on documents more efficiently. All information shared with a group, from email messages sent to the group, to files stored in the group’s OneDrive for Business or SharePoint libraries, is available to any member of a group.

Suppose you’ve configured a hybrid deployment between your on-premises Exchange organization and Microsoft 365 or Office 365. In that case, you can make groups that are created in Microsoft 365 or Office 365 available to your on-premises users by following the steps in this article.

Prerequisites

You need to meet the below prerequisites before you configure Microsoft 365 groups in Exchange Hybrid:

  1. Entra ID P1 or P2
  2. Exchange Hybrid deployment
  3. Exchange Server 2013 CU13 and higher/Exchange Server 2016 CU1 and higher/Exchange Server 2019
  4. Configured Single Sign-On (SSO) using Azure AD Connect

Note: Always keep your Exchange Server up to date with the latest Cumulative Update and Security Update.

Enable group writeback in Microsoft Entra Connect

To enable group writeback in Microsoft Entra Connect Sync, follow the steps in the article How to enable Group Writeback in Microsoft Entra Connect Sync.

Configure group domain

Add the group domain to Microsoft 365 admin center and the records in Public DNS by following the below steps:

  1. Sign in to Microsoft 365 admin center.
  2. Expand Settings and click on Domains.
  3. Click on Add domain.
  4. Fill in the groups domain. In our example, it’s groups.exoip.com.
  5. Click Use this domain.
  6. Click on Continue.
  7. Copy the MX record, CNAME record, and TXT record.
  8. Sign in to the Public DNS.
  9. Fill in the copied MX, CNAME, and TXT records.
  10. Return to the add domain wizard in the Microsoft 365 admin center and click Continue.
  11. The domain setup will be complete.
  12. Click Done.
  13. Verify that the domain groups.exoip.com appears in the Microsoft 365 domains list.

Add group domain as accepted domain

Add the group domain as an accepted domain in the Exchange Server on-premises organization.

Sign in to Exchange Server on-premises. Run Exchange Management Shell as administrator. Run the New-AcceptedDomain cmdlet to create a new accepted domain.

New-AcceptedDomain -Name "groups.exoip.com" -DomainName "groups.exoip.com" -DomainType InternalRelay

The PowerShell output appears.

Name                           DomainName                     DomainType                   Default
----                           ----------                     ----------                   -------
groups.exoip.com               groups.exoip.com               InternalRelay                False

Add group domain to hybrid send connector

Run the Get-SendConnector cmdlet to get the hybrid send connector name.

Get-SendConnector

The output result appears.

Identity                                                      AddressSpaces                          Enabled
--------                                                      -------------                          -------
SpamBullOut                                                   {SMTP:*;1}                             True
Outbound to Office 365 - aa7665fd-f66d-4c4a-8b17-4f6eccd6a45c {smtp:exoip365.mail.onmicrosoft.com;1} True

Add the group domain to the hybrid send connector, created by the Hybrid Configuration Wizard in your on-premises Exchange organization, using the Set-SendConnector cmdlet.

Set-SendConnector -Identity "Outbound to Office 365 - aa7665fd-f66d-4c4a-8b17-4f6eccd6a45c" -AddressSpaces "exoip365.mail.onmicrosoft.com","groups.exoip.com"

Run the Get-SendConnector cmdlet to verify that the group domain was added successfully to the hybrid send connector.

Get-SendConnector -Identity Outbound* | select Identity,AddressSpaces | fl

The output appears.

Identity      : Outbound to Office 365 - aa7665fd-f66d-4c4a-8b17-4f6eccd6a45c
AddressSpaces : {smtp:groups.exoip.com;1, smtp:exoip365.mail.onmicrosoft.com;1}

Important: Port 25 must be allowed between the on-premises Exchange Server and Microsoft 365/Office 365 to ensure that mail flow will work when sending an email to the Microsoft 365 group. Read more in the article Exchange Hybrid firewall ports.
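
Set-SendConnector -AddressSpaces replaces the whole list, so a typo or a forgotten entry silently drops an existing address space from the hybrid connector. The following is an added example, not part of the original article: it appends the group domain only when it is missing and then reports the connector's TLS settings and the accepted domain type. It assumes the connector name starts with "Outbound to Office 365" and that each address space renders as shown in the output above (smtp:domain;cost).

```powershell
# Added example - run in the Exchange Management Shell on-premises.
$GroupDomain = 'groups.exoip.com'   # group domain used in this article

# Locate the connector created by the Hybrid Configuration Wizard by name prefix.
$connector = @(Get-SendConnector | Where-Object { $_.Name -like 'Outbound to Office 365*' })
if ($connector.Count -ne 1) {
    throw "Expected exactly one hybrid send connector, found $($connector.Count)."
}
$connector = $connector[0]

# Keep every existing address space; append the group domain only if it is missing.
# Assumption: each entry's string form is "smtp:<domain>;<cost>", as in the output above.
$spaces  = @($connector.AddressSpaces | ForEach-Object { $_.ToString() })
$pattern = '^smtp:' + [regex]::Escape($GroupDomain) + ';'
if (-not ($spaces -match $pattern)) {
    $spaces += "smtp:$GroupDomain;1"
    Set-SendConnector -Identity $connector.Name -AddressSpaces $spaces
}

# Mail for the group domain is relayed (InternalRelay) through this connector,
# so report the settings that decide whether that hop is encrypted and authenticated.
$after    = Get-SendConnector -Identity $connector.Name
$accepted = Get-AcceptedDomain -Identity $GroupDomain
[pscustomobject]@{
    Connector                = $after.Name
    AddressSpaces            = ($after.AddressSpaces | ForEach-Object { $_.ToString() }) -join ', '
    RequireTLS               = $after.RequireTLS
    TlsAuthLevel             = $after.TlsAuthLevel
    TlsDomain                = $after.TlsDomain
    CloudServicesMailEnabled = $after.CloudServicesMailEnabled
    AcceptedDomainType       = $accepted.DomainType
} | Format-List

if (-not $after.RequireTLS) {
    Write-Warning "RequireTLS is off on '$($after.Name)': group mail could leave unencrypted."
}
if ($accepted.DomainType -ne 'InternalRelay') {
    Write-Warning "$GroupDomain is '$($accepted.DomainType)', not InternalRelay."
}
```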

Create Microsoft 365 group

To create a Microsoft 365 group in Exchange Online, follow these steps:

  1. Sign in to Microsoft 365 Exchange admin center.
  2. Click on Recipients > Groups.
  3. Click on Add a group.
  4. Select Microsoft 365 (recommended).
  5. Click Next.
  6. Fill in the group name. In our example, Test M365 Group.
  7. Click Next.
  8. Assign an owner.
  9. Add an Exchange on-premises mailbox user and Exchange Online mailbox user as members to the Microsoft 365 group.
  10. Fill in the group email address.
  11. Click Next.

Note: The Microsoft 365 Exchange admin center is not yet ready for selecting the @groups subdomain when creating a Microsoft 365 group, and you will need to change this in the next step.

  12. Click Create group.
  13. Click Close.

Add Microsoft 365 group primary email address

After you add the group, you need to add and change the primary SMTP to @groups.domain.com because the Microsoft 365 Exchange admin center is not yet ready for selecting a subdomain when creating a Microsoft 365 group.

  1. Click on the Microsoft 365 group from the list.
  2. Select Edit.
  3. Add the @groups.domain.com primary SMTP address.
  4. Click Save changes.
  5. Verify that the Microsoft 365 group appears with the groups.domain.com primary SMTP address.

Verify Microsoft 365 groups in AD on-premises

Don’t forget to force sync Microsoft Entra Connect or wait a maximum of 30 minutes before the sync is automatically run.

Start-ADSyncSyncCycle -PolicyType Delta

Start Active Directory Users and Computers and verify that the Microsoft 365 group appears.

Double-click the group and verify the e-mail field.

Click on the Members tab and verify that both the Exchange on-premises user mailbox and Exchange Online user mailbox appear.

Create forward lookup zone for group domain

Configure a forward lookup zone for the group domain on the on-premises DNS server by following the below steps:

Start DNS Manager and create a new forward lookup zone.

In our example, it’s the primary zone groups.exoip.com.

Create a new MX record in the internal DNS. Fill in the FQDN, which is the Microsoft 365 MX address you copied earlier.

Create a new CNAME record in the internal DNS. Fill in the alias name autodiscover and the FQDN autodiscover.outlook.com.

This is what the records look like in the forward lookup zone.

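The DNS Manager steps above can also be scripted and then checked from the command line. The following is an added example, not part of the original article: it assumes an AD-integrated zone replicated forest-wide, and the MX host and preference are placeholders for the values copied from the Microsoft 365 admin center.

```powershell
# Added example - run on the on-premises DNS server (DnsServer module).
$Zone   = 'groups.exoip.com'              # group domain used in this article
$MxHost = '<MX-host-from-admin-center>'   # placeholder: MX value copied earlier
$MxPref = 0                               # placeholder: priority shown with that MX record

# Create the forward lookup zone only if it does not exist yet.
# Assumption: AD-integrated primary zone with forest-wide replication.
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope Forest
}

# MX at the zone apex ('.') and the autodiscover alias described in the steps above.
# Re-running these two lines against existing records returns an error.
Add-DnsServerResourceRecordMX    -ZoneName $Zone -Name '.' -MailExchange $MxHost -Preference $MxPref
Add-DnsServerResourceRecordCName -ZoneName $Zone -Name 'autodiscover' -HostNameAlias 'autodiscover.outlook.com'

# Verify what internal clients (including the Exchange servers) will resolve.
$mx    = @(Resolve-DnsName -Name $Zone -Type MX -Server localhost | Where-Object Type -eq 'MX')
$cname = Resolve-DnsName -Name "autodiscover.$Zone" -Type CNAME -Server localhost |
         Where-Object Type -eq 'CNAME'
$mx    | Select-Object Name, NameExchange, Preference
$cname | Select-Object Name, NameHost

if ($mx.Count -eq 0) { throw "No MX record returned for $Zone." }

# Port 25 check from the note earlier in the article. Run this line on the
# Exchange Server itself, because that is the host that opens the SMTP session.
Test-NetConnection -ComputerName $mx[0].NameExchange -Port 25 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

Once this zone exists, the internal DNS server answers authoritatively for groups.exoip.com, so any name under it that internal clients need must be present in this zone.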

Test Microsoft 365 group

Verify that Microsoft 365 groups work in the Exchange Hybrid configuration.

Sign in to Outlook with the Exchange Online mailbox user. The Microsoft 365 group is automatically added to the groups section for the assigned member.

Click on the Test M365 Group. Click on New Email.

Ensure that the Test M365 Group shows in the To… field. Click Send.

The email will arrive in the Test M365 Group.

Sign in to Outlook with the Exchange on-premises mailbox user and verify that the email was delivered successfully.

Reply to the email and ensure the Test M365 Group appears in the To… field. Click Send.

The email reply will arrive in the Test M365 Group mailbox.

Conclusion

You learned how to configure Microsoft 365 groups in Exchange Hybrid. Go through the steps, and don’t miss any of them. Ensure you send an email to the Microsoft 365 group from the Exchange on-premises and Exchange Online mailbox.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 6 Comments

  1. Hello and thank you so much for all of your work on this site!

    To further this question, in this post you did not mention needing the subdomain or the DNS work: https://www.alitajran.com/group-writeback-microsoft-entra-connect-sync/

    It seems you are accomplishing the same goal in both posts, but in this one you are using a subdomain and doing DNS work, whereas in the linked post above, you did not use a subdomain or do DNS work.

    Can you help me understand, if my goal is to use Entra Connect Group Writeback v1 to have 365 Groups write back as distribution groups, is a subdomain and DNS work a necessity or not?

    Thank you again Ali!

    1. Hi Michael,

      That is a good observation, and you’re correct. There are two guides.

      Some need to set up group writeback so the organization can use the Microsoft 365 groups for mail flow (this article).

      Suppose you will not use it for mail flow (as I can understand from you), a subdomain and DNS are not needed, and you can follow the guide you mentioned.

  2. Dear Ali,

    One thing confuses me: why did you make a new subdomain and do all the things like DNS?
    Is it required to make a new Microsoft 365 group?

    1. For mail flow to work for groups between the two organizations, we need to establish an additional domain name. Microsoft recommends adding a dedicated subdomain called “groups”.

  3. That’s a very nice guide, thank you!
    What about these groups, are they going to appear in the Global Address List? Or are they excluded?

    If they appear in GAL it would be an issue because every user that creates a group can appear in the GAL.

    1. For Exchange on-premises users, it will NOT appear in the GAL.
      For Exchange Online users, it will appear in the GAL.

      If you don’t want the group to appear in the GAL for the Exchange Online users, you can hide it.
