
Introduction
For one of my clients, the following problem occurred.

We have a distribution group set up in Active Directory that contains all members and is automatically added when we create a new user.

The distribution group is synced to Office365 and the client uses it to send emails to all users. The client wants to prevent people from outside of the company from emailing this distribution group. In Office365, the distribution group is set to allow both local and external emails, but the setting cannot be changed because the group is managed from AD through sync.

I did my research and the attribute msExchRequireAuthToSendTo needs to be set to TRUE in Active Directory, then synced to Office365 to alter the setting in Office365.

I went to the distribution list in Active Directory, went to the attribute editor (tried ADSI too) but the setting was missing. Research led me to find that a basic Exchange installation is required. My boss did not want to perform an Exchange install, but manually added the files required to get the Exchange attributes in ADSI.

He used the method described in this link, 2nd solution, but skipped the Exchange install part, and did the manual part as described further in that article.

The Problem
I have the settings now in Active Directory, and I altered it as it should work, but Azure AD Connect does not sync these specific properties. It does not throw me any error either.

If I open the Azure AD Connect settings tool, I see that the settings are indeed checked to be synchronized. I have refreshed the directory scheme too, but no avail.

LDAP shows that the setting is indeed set to TRUE, so everything indicates that the attributes are really there.

When I go to the Azure AD Synchronization Service, and I go to the Metaverse Search, and I open the distribution list, I can see exactly what it syncs, but the msExchRequireAuthToSendTo is not listed here.

I tried it with msExchHideFromAddressList but that doesn't work either.

I created a new distribution list with no members in it, set the msExchRequireAuthToSendTo to TRUE and synchronized, and in the Metaverse Search, the object is synchronised but again, without the msExchRequireAuthToSendTo setting.

(Screenshot: Metaverse Search result; this image is from the original group)

I tried IdFix, but that only lists members, not distribution lists.

What am I missing here? Any tips of what I can try?

LPChip
  • How exactly did your boss add the Exchange schema extensions to AD? Like, what was the exact method or command? Also, the IDFix tool has nothing to do with which attributes are or are not synced to Azure AD. – joeqwerty Jun 04 '21 at 14:28
  • @joeqwerty I'll ask him monday, and post the link to the site he used as reference. – LPChip Jun 04 '21 at 18:16
  • My suggestion would be to make sure he used the process described at the link. Once that's been completed or confirmed as already having been done, I would suggest running the Azure AD Connect configuration wizard again. Failing that, you can open a support case with Office 365 to help resolve the issue. Office 365 support is always free. - https://docs.microsoft.com/en-us/exchange/plan-and-deploy/prepare-ad-and-domains?view=exchserver-2019 – joeqwerty Jun 04 '21 at 18:34
  • Hi @joeqwerty thank you. I'll pass this on to my boss monday. :) – LPChip Jun 05 '21 at 11:33
  • @joeqwerty I asked my boss and he gave me the method he used to add the exchange properties. (see edit in my question) He basically skipped the install part as you mentioned and added it manually. Is it really necessary to do the install, though, or should this work too? – LPChip Jun 07 '21 at 08:15
  • @lpchip did you actually run `setup /PrepareSchema`? That's the *only* supported way to get the Exchange attributes in Active Directory; extending the schema manually is a quite... "creative" suggestion which I wouldn't recommend to my worst enemy. – Massimo Jun 07 '21 at 10:41
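To narrow down where the attribute gets lost, the checks below walk the path the question describes: the schema definition in AD, the value on the group object, the attribute inclusion on the Azure AD Connect connector, and the resulting setting in Exchange Online. This is an added example, not code from the question or any answer; it assumes the RSAT ActiveDirectory module on a domain-joined admin host, the ADSync module on the Azure AD Connect server, an Exchange Online session opened with Connect-ExchangeOnline, and a placeholder group name.

```powershell
# Added example, not from the original post. $GroupName is a placeholder.
$GroupName = 'All-Staff-DL'

# 1. Schema: is msExchRequireAuthToSendTo registered, and with the Boolean syntax?
#    A hand-edited schema may carry the attribute object but with a wrong definition,
#    so inspect it instead of trusting that the attribute editor now lists it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC `
            -LDAPFilter '(lDAPDisplayName=msExchRequireAuthToSendTo)' `
            -Properties lDAPDisplayName, attributeSyntax, oMSyntax, isSingleValued
if (-not $attr) {
    throw 'Attribute missing from the schema: extend it with Exchange setup /PrepareSchema.'
}
# Expected for a Boolean attribute: attributeSyntax 2.5.5.8, oMSyntax 1, isSingleValued True
$attr | Format-List lDAPDisplayName, attributeSyntax, oMSyntax, isSingleValued

# 2. Object: is the flag actually set on the group (the value LDAP should show as TRUE)?
$group = Get-ADGroup -Identity $GroupName `
            -Properties msExchRequireAuthToSendTo, msExchHideFromAddressLists
$group | Format-List Name, msExchRequireAuthToSendTo, msExchHideFromAddressLists

# 3. Azure AD Connect server: does the AD connector include the attribute at all?
#    If it is absent here, the wizard's "Refresh directory schema" step has not
#    picked it up and the Metaverse will never receive it. Then run a delta sync.
Import-Module ADSync
$adConnector = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' }
$included = $adConnector.AttributeInclusionList -contains 'msExchRequireAuthToSendTo'
"AD connector includes msExchRequireAuthToSendTo: $included"
if ($included) { Start-ADSyncSyncCycle -PolicyType Delta }

# 4. Exchange Online: the synced value surfaces as RequireSenderAuthenticationEnabled,
#    which is the switch that rejects mail from unauthenticated (external) senders.
Get-DistributionGroup -Identity $GroupName |
    Format-List Name, IsDirSynced, RequireSenderAuthenticationEnabled
```

Steps 1 and 2 run where the RSAT module is available, step 3 only on the Azure AD Connect server, and step 4 in the Exchange Online session; the first step that reports the attribute missing is where the sync chain is broken.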

1 Answer

When you make changes to the Active Directory schema (such as extending it for Exchange), you need to run the AD Connect configuration wizard and select the option to refresh the AD Schema, which exists precisely for this purpose.

Massimo
  • Hi, thank you for your answer. Unfortunately, as stated in my question `If I open the Azure AD Connect settings tool, I see that the settings are indeed checked to be synchronized. I have refreshed the directory scheme too, but no avail.` that didn't work. – LPChip Jun 07 '21 at 09:05
  • Did you enable Exchange Hybrid in AD Connect settings? – Massimo Jun 07 '21 at 09:31
  • No, that is set to disabled. Anything I need to keep in mind if I enable that setting? Actually that setting is grayed out. – LPChip Jun 07 '21 at 09:53
  • I presume that is because you don't actually have Exchange installed. – Massimo Jun 07 '21 at 10:38
  • I'm diving more into this, and I'm currently leaning into having an older version of Azure AD Connect installed. I'm upgrading that to newest first and see if refreshing the directory scheme will do the trick then. I'll keep you posted. – LPChip Jun 07 '21 at 11:32
  • As I said in my other comment, make sure to use the Exchange setup to extend the AD schema (`setup /PrepareSchema`); the article you linked seems to suggest otherwise, and doing it in any other way is *not supported*. – Massimo Jun 07 '21 at 11:40
  • Yes, I've read what you posted. I have to give my boss a really good reason to go that route and I must have exhausted every other option. If upgrading Azure AD Connect to a newer version doesn't solve it, then we'll likely go the setup /PrepareSchema route, but at that point it's not my call. Currently we are running Azure AD Connect 1.4.18.0, not 1.6.4.0 so yeah... – LPChip Jun 07 '21 at 12:01
  • +1 in the meanwhile for all the help. :) – LPChip Jun 07 '21 at 12:05
  • @LPChip the "really good reason" is that *it's the only supported way to extend the AD schema to include Exchange attributes*. I never actually heard of anyone doing it by hand, and that article you found should be nuked from orbit for suggesting such a thing. – Massimo Jun 07 '21 at 12:26
  • Agreed. Updating didn't work. I'll talk with my boss to do the `setup /PrepareSchema` method. I'll mark this as solved because I'm not sure if and when he'll do this. – LPChip Jun 07 '21 at 12:31
  • With the new updated Azure AD Connect, I can actually select the attribute now to be synced, and in Metaverse Search, I see that it actually synced the attribute. Office365 however does not sync it and Hybrid Exchange is grayed out too. Any ideas I can check? – LPChip Jun 07 '21 at 14:25
  • @LPChip Open a support case with Office 365. It's free. They'll help you fix this, if it's fixable and supported. – joeqwerty Jun 08 '21 at 13:14
  • Thanks for the suggestion. :) – LPChip Jun 08 '21 at 13:26