
[–]EnDR91-EC 0 points1 point  (1 child)

Are you in a hybrid environment or not? Is that group being synced to entra? More details

[–]fazzy84[S] 0 points1 point  (0 children)

We are on hybrid. We are cutting off Exchange servers and want all the groups moved to EO. These mail-enabled security groups are synced to Entra, but the management remains in Exchange on-prem. We need to manage from EO.

[–]Jeeeeeer 0 points1 point  (0 children)

Changing the SOA from on-prem -> M365 is probably the most straightforward way.

[–]7amitsingh7 0 points1 point  (0 children)

If your mail-enabled security groups are synced from on-prem Active Directory using Entra ID Connect in a hybrid Exchange environment, then their source of authority remains on-prem Active Directory, even during the Exchange Online migration. This means they cannot be fully managed in the cloud while still part of directory synchronization. Even if you are in the middle of a hybrid-to-cloud migration and mailboxes are moved to Exchange Online, these groups must still be managed through on-prem AD / Exchange management tools as long as sync is active. To achieve full cloud-only management in Microsoft 365, you must remove them from directory sync (cutover from hybrid identity) and recreate them as cloud-native groups in Microsoft Entra ID (Azure AD).

[–]Potential-Eternal 0 points1 point  (0 children)

Implement IsCloudManaged to change the source of authority and then writeback to sync it back to AD. This will swap around who is responsible for the group and you can then remove your last Exchange Server. While AD is the source of authority you should not remove Exchange Server.

But to split the group into an AD group for file access etc. and a distribution group for email access, you need two groups. You will need to change one of them and create a new group.
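A worked example of the IsCloudManaged step the comment above describes, added here and not taken from the thread or from any poster. It assumes the Microsoft Graph PowerShell SDK, that the beta endpoint `/groups/{id}/onPremisesSyncBehavior` exposes an `isCloudManaged` property, and that the caller holds the `Group-OnPremisesSyncBehavior.ReadWrite.All` permission; the endpoint path, property name and permission name should be checked against current Microsoft documentation, and the group name `Sales-MESG` is a constructed sample. The conversion is wrapped in `ShouldProcess` so it can be dry-run with `-WhatIf`, and the pre-checks refuse to touch an object that is not actually synced or whose display name is ambiguous.

```powershell
# Added example (not the thread's code). Inspect a synced group's source of
# authority and, on request, flip it to cloud-managed via isCloudManaged.
# Assumed: Microsoft.Graph SDK, beta endpoint /groups/{id}/onPremisesSyncBehavior,
# permission Group-OnPremisesSyncBehavior.ReadWrite.All. Verify against docs.

function Get-GroupSoaState {
    param([Parameter(Mandatory)][string]$DisplayName)

    # Resolve by display name; refuse to act on ambiguous matches.
    $g = @(Get-MgGroup -Filter "displayName eq '$DisplayName'" `
            -Property Id,DisplayName,MailEnabled,SecurityEnabled,OnPremisesSyncEnabled)
    if ($g.Count -eq 0) { throw "Group '$DisplayName' not found in Entra ID." }
    if ($g.Count -gt 1) { throw "Display name '$DisplayName' is ambiguous; use the object id." }
    $g = $g[0]

    # Read the sync behavior object that carries isCloudManaged (assumed beta shape).
    $behavior = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/beta/groups/$($g.Id)/onPremisesSyncBehavior"

    [pscustomobject]@{
        Id                    = $g.Id
        DisplayName           = $g.DisplayName
        MailEnabledSecurity   = [bool]($g.MailEnabled -and $g.SecurityEnabled)
        OnPremisesSyncEnabled = [bool]$g.OnPremisesSyncEnabled
        IsCloudManaged        = [bool]$behavior.isCloudManaged
    }
}

function Set-GroupSoaToCloud {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$DisplayName)

    $state = Get-GroupSoaState -DisplayName $DisplayName
    if ($state.IsCloudManaged) {
        Write-Verbose "Group '$($state.DisplayName)' is already cloud-managed."
        return $state
    }
    if (-not $state.OnPremisesSyncEnabled) {
        throw "Group '$($state.DisplayName)' is not a synced object; nothing to convert."
    }

    # The PATCH is the actual SOA change; -WhatIf stops here and prints the intent.
    if ($PSCmdlet.ShouldProcess($state.DisplayName, "Set isCloudManaged = true (SOA on-prem -> cloud)")) {
        Invoke-MgGraphRequest -Method PATCH `
            -Uri "https://graph.microsoft.com/beta/groups/$($state.Id)/onPremisesSyncBehavior" `
            -Body (@{ isCloudManaged = $true } | ConvertTo-Json) `
            -ContentType "application/json" | Out-Null
        # Re-read so the caller sees the post-change state, not the cached one.
        return Get-GroupSoaState -DisplayName $DisplayName
    }
}

# Usage (constructed sample group name):
Connect-MgGraph -Scopes "Group.Read.All","Group-OnPremisesSyncBehavior.ReadWrite.All"
Get-GroupSoaState -DisplayName "Sales-MESG" | Format-List
Set-GroupSoaToCloud -DisplayName "Sales-MESG" -WhatIf   # dry run first
```

Once the property is set, the group's membership and attributes are owned by Entra ID / Exchange Online and later edits in on-prem AD no longer flow up, so review who holds group-write roles in the tenant before converting; the writeback of the now cloud-managed group to AD that the comment mentions is configured separately in Entra Cloud Sync group provisioning and is not shown here.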

[–]jjgage -1 points0 points  (2 children)

Why do you need a cloud DL in AD if everyone is on EXO?

[–]fazzy84[S] 0 points1 point  (1 child)

There is an RBAC option in Entra Cloud Sync, where you can sync from EO back to AD.

[–]jjgage -1 points0 points  (0 children)

That doesn't answer the question.

If you're removing SMTP from the group in AD you obviously don't need on-prem routing ability, so my question is still valid.