Configure Microsoft 365 Groups with on-premises Exchange hybrid
Learn how to enable on-premises Exchange users to use Microsoft 365 Groups in a hybrid deployment.
Microsoft 365 Groups service that enables teams to communicate, schedule meetings, and collaborate on documents more easily. All information shared with a group, from email messages sent to the group, to files stored in the group's OneDrive for Business or SharePoint libraries, is available to any member of a group. If you've configured a hybrid deployment between your on-premises Exchange organization and Microsoft 365 or Office 365, you can make groups that were created in Microsoft 365 or Office 365 available to your on-premises users by following the steps in this topic.
The following are experiences that on-premises mailbox users can expect after all the steps in this document have been performed:
- Expand a Microsoft 365 Group and view the members, just like in a distribution group, in Outlook on the web and Outlook desktop client while composing a new email.
- Send and receive emails and calendar invites to and from Microsoft 365 Groups.
- Collaborate on ODB documents sent by Microsoft 365 users.
- Access a SharePoint site, Planner, and OneNote associated with the Microsoft 365 Group.
Important
After the steps in this article have been successfully performed, the on-premises mailbox can perform the previously mentioned tasks. However, the Microsoft 365 Group will not appear in the navigation bar of Outlook on the web or Outlook desktop client. For a fully-fledged Microsoft 365 Groups experience, the mailbox must be present in Microsoft 365.
Check the Known issues section at the end of this topic for fixes to known issues.
Prerequisites
Before you start, make sure that you've done the following:
Purchased Microsoft Entra ID P1 or P2 licenses for your tenant. This is required to enable the Groups writeback feature in Microsoft Entra Connect.
Configured a hybrid deployment between your Exchange on-premises organization and Microsoft 365 or Office 365 and verified it's functioning correctly. For more information about Exchange hybrid deployments, see the following articles:
Installed a supported version of Exchange on-premises Exchange integration with Microsoft 365 Groups is available in CU1 and newer releases of Exchange 2016, and CU11 and newer releases of Exchange 2013. However, Exchange hybrid requires the latest Exchange 2013 or Exchange 2016 Cumulative Update (CU) to be installed on your on-premises Exchange servers. If you can't install the latest CU, the update released immediately prior to the current CU can be used.
Configured single sign-on using Microsoft Entra Connect (Microsoft Entra Connect). This is needed to allow users to click on the View group files or cloud attachment links in group email messages.
When configuring Microsoft Entra Connect for single sign-on in an Exchange hybrid deployment, we recommend that you use password synchronization. Active Directory Federation Services (AD FS) should only be used if you're in a large organization; if you have a complex on-premises Active Directory deployment (for example, multiple Active Directory forests); if another Microsoft product requires AD FS to work with Microsoft 365 or Office 365; or if, due to compliance policies, you're not able to synchronize passwords outside of your on-premises network. For more information about single sign-on, see Choose a solution for integrating on-premises Active Directory with Azure.
Enable Group writeback in Microsoft Entra Connect
This step synchronizes Microsoft 365 Groups from Exchange Online to Exchange on-premises.
Open the Microsoft Entra Connect wizard, select Configure and then click Next.
Select Customize synchronization options and then click Next.
On the Connect to Microsoft Entra ID page, enter your Microsoft 365 or Office 365 credentials. Click Next.
On the Optional features page, verify that the options you previously configured are still selected. The most commonly-selected options are Exchange hybrid and Password hash synchronization.
Select Group writeback and then click Next.
On the Writeback page, select an Active Directory organizational unit (OU) to store objects that are synchronized from Microsoft 365 or Office 365 to your on-premises organization, and then click Next.
On the Ready to configure page, click Configure.
When the wizard is complete, click Exit on the Configuration complete page.
Open Active Directory Users and Computers on an Active Directory domain controller and locate the user account that begins with AAD_. Make note of this account's name. You can also use a PowerShell cmdlet to Determine your AD DS Connector Account
Open the Windows PowerShell on the Microsoft Entra Connect server, and run the following commands.
$AzureADConnectSWritebackAccountDN = <AAD_ account DN> Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1" Set-ADSyncUnifiedGroupWritebackPermissions -ADConnectorAccountDN $AzureADConnectSWritebackAccountDN
Configure a group domain
The primary SMTP domain of a Microsoft 365 Group is called a group domain. By default, the default accepted domain in your Exchange Online organization is chosen as the group domain. For better interoperation with on-premises servers, we recommended adding a dedicated groups domain. You can add a domain using the following steps. For more information about multi-domain support for Microsoft 365 Groups, check out Multi-domain support for Microsoft 365 Groups.
Add your new domain to your Microsoft 365 or Office 365 organization. If you need help with adding a domain to Microsoft 365 or Office 365, check out Add a domain to Microsoft 365.
Create the following public DNS records with your DNS provider.
DNS record name DNS record type DNS record value groups.contoso.com MX groups-contoso-com.mail.protection.outlook.com1 autodiscover.groups.contoso.com CNAME autodiscover.outlook.com 1 The format of this DNS record value is <domain key>.mail.protection.outlook.com. To find out what your domain key is, check out Gather the information you need to create DNS records.
Caution
If the MX DNS record for the group domain is set to the on-premises Exchange server, mail flow won't work correctly between users in the on-premises Exchange organization and the Microsoft 365 Group.
Add the group domain as an accepted domain in your on-premises Exchange organization using the following command. This is needed so that the hybrid Send connector can be used to deliver outbound mail to the group domain in Microsoft 365 or Office 365.
New-AcceptedDomain -Name groups.contoso.com -DomainName groups.contoso.com -DomainType InternalRelay
Important
Ensure that on-premises servers can resolve the MX entry added for the group's domain in step 2. The group's domain must be added as InternalRelay, otherwise, it will cause mail flow issues.
Add the group domain to the hybrid Send connector, created by the Hybrid Configuration wizard in your on-premises Exchange organization, using the following command.
Set-SendConnector -Identity "Outbound to Office 365" -AddressSpaces "contoso.mail.onmicrosoft.com","groups.contoso.com"Note
If the Send connector isn't updated, or if the group domain isn't added as an accepted domain in the on-premises Exchange organization, mail sent from an on-premises mailbox won't be delivered to the group unless the group is configured to receive mail from external senders.
How do you know this worked?
To make sure that groups are working with your Exchange hybrid deployment, you should test them using an on-premises mailbox and using a mailbox that's been moved from your on-premises organization to Microsoft 365 or Office 365. Use the steps in the following sections to do each test.
Test using an on-premises mailbox
- Add an on-premises mailbox to a Microsoft 365 Group.
- Add a Microsoft 365 or Office 365 mailbox to the same Microsoft 365 Group.
- Log in to the Microsoft 365 or Office 365 mailbox using Outlook on the web.
- Post a message to the group using the Microsoft 365 or Office 365 mailbox.
- Open the on-premises mailbox using Outlook 2016 or Outlook on the web.
- Verify that the mailbox received an email message containing the post sent to the Microsoft 365 Group.
- In the same mailbox, compose a reply to the message and send it to the group.
- Verify that the message can be viewed by all of the members of the group.
Test using a mailbox moved to Microsoft 365 or Office 365
- Move a mailbox from your on-premises Exchange organization to Microsoft 365 or Office 365.
- Add the mailbox to a Microsoft 365 Group.
- In a new browser session, log into the mailbox that was moved to Microsoft 365 or Office 365.
- In Outlook on the web, verify that the group is listed in the left navigation bar.
- Post a message to the group.
- Verify that the message can be viewed by all of the members of the group.
Known issues
Older versions of Microsoft Entra Connect won't install DSACLS.exe: You need to install RSAT or the latest Version of Microsoft Entra Connect to manage permissions on groups (if required).
Groups don't appear for mailboxes moved to Microsoft 365 or Office 365: When a user is moved from your on-premises Exchange organization to Microsoft 365 or Office 365, groups won't appear in the left navigation pane in Outlook or Outlook on the web. To fix the issue, remove the mailbox from any groups of which it is a member, and re-add it to each group.
New groups don't appear in the on-premises Exchange global address list (GAL): When a new group is created in Microsoft 365 or Office 365, it won't appear in the on-premises GAL automatically. To fix this issue, open the Exchange Management Shell on an on-premises Exchange server and run the following command.
Update-Recipient -Identity "[group Distinguished Name]"If the Outbound to Office 365 Send connector is using an Edge transport server as the source server: Messages to Microsoft 365 Groups will end up in a loop, resulting in a non-delivery report. Check out Accepted domains in Exchange Server for more details.
On-premises users can't use links included in group message footers: On-premises users can't use the View group conversations or Unsubscribe links that are included in the footer of each group message sent to them. To unsubscribe from a group, on-premises users need to contact a group administrator.
Mail sent to a group's secondary SMTP address fails to be delivered: When multiple email addresses are added to a group, only the primary SMTP address is written back to your on-premises Active Directory. If an on-premises user tries to send a message to the secondary SMTP address of a group, the message will fail to be delivered. To prevent this issue, configure only one SMTP address on each group.
Delivery of external mail to a group fails if you've enabled centralized mail flow: If centralized mail flow is enabled, mail sent by an external user to a group fails to be delivered, even though the group allows email from external senders.
On-premises users can't send mail as a group: An on-premises user who tries to send a message as a Microsoft 365 Group will receive a permission denied error even if they're given Send As permissions on the group. Send As permissions on a group work only for Exchange Online mailbox users.
By default, when an email is sent from an on-premises mailbox to an Outlook group that the user is a member of, the user doesn't receive a copy of that email in their Inbox: The Exchange Online tenant admin can use the following Exchange Online shell command to ensure the on-premises mailbox user can receive a copy of the email in their Inbox:
Get-MailUser <MEU for On-Premises mailbox> | Set-MailboxMessageConfiguration -EchoGroupMessageBackToSubscribedSender $trueOn-premises users can't send mail as a group: An on-premises user who tries to send a message as a Microsoft 365 Group will receive a permission denied error even if they're given Send As permissions on the group. Send As permissions on a group work only for Exchange Online mailbox users.
Allowing on-premises users to manage a Microsoft 365 Group: On-premises users can be assigned as owners of a Microsoft 365 group. However, the on-premises users will have to use the Microsoft Entra web portal to manage the groups they own. The Microsoft Entra admin must enable self-service management in the Microsoft Entra admin center using steps provided in Set up self-service group management in Microsoft Entra ID.
Selecting a group from Outlook's left navigation pane doesn't open the group's mailbox for an Exchange Online user: Outlook uses the AutoDiscover URL to open a group mailbox. If a group's primary email address is in a domain that doesn't point to the Microsoft 365 or Office 365 AutoDiscover URL (autodiscover.outlook.com), Outlook won't be able to open the group's mailbox. To fix this issue, groups can be provisioned with a primary address in a domain that points to the Microsoft 365 or Office 365 AutoDiscover URL. You can configure an email address policy to add a primary email address on each group mailbox that points to that AutoDiscover URL. Check out Choose the domain to use when creating Microsoft 365 Groups for more details.
Follow in Inbox: Typically, a Microsoft 365 Group member can select whether to receive email sent to the group in their Inbox by selecting Follow in Inbox option in the settings of the group. However, users with on-premises mailboxes don't have access to the group setting to select the Follow in Inbox option. So, on-premises users that are added to Microsoft 365 Group are already configured to receive group email and calendars in their Inbox, regardless of the related setting on the group. Admins can turn off the subscription for on-premises users by running following command in Exchange Online PowerShell:
Remove-UnifiedGroupLinks -Identity <GroupIdentity> -LinkType Subscribers -Links <UserIdentity>For example:
Remove-UnifiedGroupLinks -Identity Dynamic2 -LinkType Subscribers -Links JohnR