Office 365 Dynamic Distribution Groups by On-Premise Organization Unit (OU)
I have been asked a number of times if it is possible to create Dynamic Distribution Groups in Office 365 filtered by the On-Premise Organization Unit (OU).
Essentially we need to create an inbound synchronization rule in Azure AD Connect to send the Distinguished Name from On-Premise Active Directory up to Office 365 as custom attributes.
First, we need to know what your full Distinguished Name looks like. On your Domain Controller, run this command:
Get-ADUser lprevensie -Properties DistinguishedName
Next, note the position (counting from the left, starting at 1 with the CN) of the component in the user object's Distinguished Name that holds the OU you want to filter the Dynamic Distribution Group on in Office 365. If you want to filter by OU=Sales, the position will be 2; if you want to create the filter for 'O365 Users', take position 3; to include all the domain users, the position will be 4 (Narnia).
Steps to create the rule
From the AADConnect server click Start, type 'sync', and you should see the 'Synchronization Rules Editor'. We will use this tool to create the rules.
Click Add new rule and complete the first page as below. Pay close attention to these settings: Link Type, for example, defaults to Provision, which is incorrect in this scenario.
Scoping filters left blank.
Join rules also left blank.
The real work happens under Transformations.
In the first expression I am synchronizing the full Distinguished Name from On-Premise AD to extensionAttribute10. This is CustomAttribute10 in Exchange Online.
In the second expression I am synchronizing the 2nd component of the Distinguished Name from On-Premise to extensionAttribute11. This is CustomAttribute11 in Exchange Online.
Need something else? Use this article: Azure AD Connect sync: Functions Reference
There is no need to do both; I am just showing the possibilities. Perhaps you only need the second expression example to create your DDG.
Click on Add and close the window.
My observations after making these changes
After changes to the rules, the new values are not seen in the custom attributes until:
- A value on the individual object is updated and a delta sync runs or
- An initial sync is run.
So make sure to run a full sync after creating a rule:
Start-ADSyncSyncCycle -PolicyType Initial
Once an initial sync is run after the rule creation, delta syncs send updates to the OU path just fine.
Connect to Office 365 and run this command to see the attributes that are being synced:
Get-Mailbox lprevensie | FL *te10, *ute11, *ute12, *ute13
I am now ready to set up a Dynamic Distribution Group based on CustomAttribute11 with a value of 'sales'.
I put the full OU in CustomAttribute13 with a value of 'narnia' in case you want to create a dynamic distribution list that includes all your domain users.
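As an added example (not code from the original post), the script below ties the steps together: it checks locally which Distinguished Name component a given position returns before you build the sync rule, then creates and previews the Dynamic Distribution Group in Exchange Online on the synced attribute. The post does not show the transformation expressions themselves; the expression form in the comments is an assumption built from the Functions Reference it links, and the assumption that the synced value ends up as plain 'sales' / 'narnia' (prefix stripped) follows the values the post expects. The group name, alias and sample DN are constructed for the example.

```powershell
# Added example, not part of the original post.
# Assumed sync-rule expressions (from the AAD Connect Functions Reference):
#   extensionAttribute10 : [distinguishedName]
#   extensionAttribute11 : Replace(Item(Split([distinguishedName],","),2),"OU=","")
#   extensionAttribute13 : Replace(Item(Split([distinguishedName],","),4),"DC=","")
# Item() in the rule editor is 1-based, so this helper is 1-based too.

function Get-DnComponent {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][int]$Position
    )
    # Plain split on ',' deliberately mirrors Split() in the sync rule,
    # so this check shows exactly what the rule would produce for a DN.
    $parts = $DistinguishedName -split ','
    if ($Position -lt 1 -or $Position -gt $parts.Count) {
        throw "Position $Position is outside the DN ($($parts.Count) components)"
    }
    # Strip the 'CN=' / 'OU=' / 'DC=' prefix and normalise case for the filter
    return ($parts[$Position - 1] -replace '^[A-Za-z]+=', '').Trim().ToLower()
}

# Constructed sample DN laid out like the post's example (Sales / O365 Users / narnia)
$dn = 'CN=lprevensie,OU=Sales,OU=O365 Users,DC=narnia,DC=local'
Get-DnComponent -DistinguishedName $dn -Position 2   # the Sales OU
Get-DnComponent -DistinguishedName $dn -Position 3   # the 'O365 Users' OU
Get-DnComponent -DistinguishedName $dn -Position 4   # the domain component

# After creating the rule, run the full sync on the AADConnect server (from the post):
#   Start-ADSyncSyncCycle -PolicyType Initial

# --- Exchange Online side (ExchangeOnlineManagement module assumed installed) ---
Connect-ExchangeOnline

# Confirm the values actually arrived for one user before building the group
Get-Mailbox lprevensie | Format-List CustomAttribute10, CustomAttribute11, CustomAttribute13

# Restrict the filter to user mailboxes so a contact or shared object that happens
# to carry the same attribute value is not pulled into the group.
New-DynamicDistributionGroup -Name 'Sales DDG' -Alias 'salesddg' `
    -RecipientFilter "(RecipientTypeDetails -eq 'UserMailbox') -and (CustomAttribute11 -eq 'sales')"

# Preview the resolved membership before handing out the address
$ddg = Get-DynamicDistributionGroup -Identity 'Sales DDG'
Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter |
    Select-Object Name, PrimarySmtpAddress, CustomAttribute11
```

Run the `Get-DnComponent` checks against a few real DNs from your directory, including any whose CN contains an escaped comma (`\,`), since a plain comma split counts that as an extra component and would shift the position you configured in the rule. The `RecipientTypeDetails` clause is a defensive addition; drop it if you intend the group to cover other recipient types.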