
How to: Make an Azure AD Security Group MailEnabled

To get straight to the point: an Azure AD security group cannot be made MailEnabled. In this blog I will explain how to get the members of an AAD SG automatically scaled up and down in an EXO DG with the magic of PowerShell and Azure Automation.


The question behind the question

A company I work for requested an AAD SG to be MailEnabled. This group is connected to an Enterprise Application, and access to this group is managed with an Access Package by Identity Governance in Azure AD. The request is that all members of this group can be contacted by one email address.

On ‘New-AzureADMSGroup’ and ‘Set-AzureADMSGroup’ there is a MailEnabled parameter, but only for GroupType “unified” (M365 group). It could work with an M365 group, because this GroupType is fully functional on both sides, Azure AD and Exchange Online. But for this purpose an M365 group is a bit too much, with all the features that come with it, even when Teams is turned off. All you want is to email all the members of an AAD SG.

Things that also don’t meet the needs:

  • An EXO MSG, because you cannot use this type of group within Access Packages (the members of an EXO group cannot be scaled up and down in AAD).
  • An EXO DDL, because the users in the requested AAD SG do not share criteria to filter on. The only thing the users have in common is their membership of the requested AAD SG.

So I was thinking about how to complete this request: users need to be scaled up and down automatically in an assigned DL in EXO, and we don’t want to get the ServiceDesk involved.

The magic of PowerShell with Azure Automation

I created a script that compares the members of an AAD SG to an EXO DG. Missing members will be added to this DG, and members that do not exist in the AAD SG will be removed from the EXO DG. I have this script running in a runbook in Azure Automation that runs every day. There is only one requirement before you begin: the EXO DG needs at least one member for the Compare-Object in PowerShell to work.

Okay, let’s start: create a new runbook in Azure Automation and paste the following script into it (change the ObjectId of your AAD SG, the EXO DG address and the automation credentials to your own groups and values).

#Connect EXO with Runbook:
. .\Login-EXO.ps1

#Connect Azure AD with Runbook:
. .\Login-AzureAD.ps1

#Azure AD: Get the mail addresses of the AAD SG members (ObjectId of your AAD SG)
$AzureADGroup = "xxx-xxxx-xxx-xxx-xxx-xx-x-xxxx"
#Drop members without a mail address (nested groups, users without a mailbox); a $null member would make Add-DistributionGroupMember fail
$AzureADGroupMembers = (Get-AzureADGroupMember -ObjectId $AzureADGroup -All $true).Mail | Where-Object { $_ }

#EXO: Get the EXO DG members (EXO DG cannot be empty, please fill it with at least one member, otherwise Compare-Object fails on an empty -DifferenceObject)
$DG = "DG1@vand3rlinden.nl"
$DGMembers = (Get-DistributionGroupMember -Identity $DG -ResultSize Unlimited).PrimarySmtpAddress

# SideIndicator "<=" = only in the AAD SG, not in the EXO DG: ADD these AAD SG members to the EXO DG
Compare-Object -ReferenceObject $AzureADGroupMembers -DifferenceObject $DGMembers | Where-Object {$_.SideIndicator -eq "<="} | ForEach-Object {
    Add-DistributionGroupMember -Identity $DG -Member $_.InputObject -Confirm:$false
    Write-Host -ForegroundColor Green $_.InputObject "is added"
}

# SideIndicator "=>" = only in the EXO DG, not in the AAD SG: REMOVE these members from the EXO DG
Compare-Object -ReferenceObject $AzureADGroupMembers -DifferenceObject $DGMembers | Where-Object {$_.SideIndicator -eq "=>"} | ForEach-Object {
    Remove-DistributionGroupMember -Identity $DG -Member $_.InputObject -Confirm:$false
    Write-Host -ForegroundColor Red $_.InputObject "is removed"
}

Write-Host -ForegroundColor Green "Script is finished!"

#Close the remote EXO session so the runbook does not hold one of the three allowed connections
Get-PSSession | Remove-PSSession
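As an added example (not the script from this post), the comparison step below is written so that an empty EXO DG no longer breaks the run, members without a mail address are skipped, and the removal pass refuses to run when the Azure AD lookup came back empty, which in practice usually means a failed login rather than an empty group. The two member lists are constructed sample data, and Get-SyncPlan is a hypothetical helper name.

```powershell
# Added example: compute the add/remove plan for one sync run on plain string lists,
# so it can be tested with constructed data (below) or fed with the output of
# Get-AzureADGroupMember / Get-DistributionGroupMember from the runbook.
function Get-SyncPlan {
    param(
        [string[]]$AadMembers,   # mail addresses from the AAD security group
        [string[]]$DgMembers     # PrimarySmtpAddress values from the EXO DG
    )

    # Normalize: drop empty/null entries (users without a mailbox, nested groups)
    # and lowercase so "User@Contoso.com" and "user@contoso.com" compare equal.
    $aad = @($AadMembers | Where-Object { $_ } | ForEach-Object { $_.Trim().ToLowerInvariant() } | Sort-Object -Unique)
    $dg  = @($DgMembers  | Where-Object { $_ } | ForEach-Object { $_.Trim().ToLowerInvariant() } | Sort-Object -Unique)

    # Safety check: an empty AAD list is almost always a failed lookup or an
    # expired automation credential, not "nobody belongs here". Never empty the DG on that.
    if ($aad.Count -eq 0) {
        throw "AAD group returned no members; refusing to remove anyone from the distribution group."
    }

    # Plain set difference instead of Compare-Object, so an empty EXO DG is fine
    # (Windows PowerShell 5.1 rejects an empty -DifferenceObject).
    $toAdd    = @($aad | Where-Object { $dg  -notcontains $_ })
    $toRemove = @($dg  | Where-Object { $aad -notcontains $_ })

    [pscustomobject]@{ Add = $toAdd; Remove = $toRemove }
}

# Constructed sample data standing in for the two directory lookups.
$sampleAad = @('alice@example.com', 'Bob@Example.com', $null, 'carol@example.com')
$sampleDg  = @('bob@example.com', 'dave@example.com')

$plan = Get-SyncPlan -AadMembers $sampleAad -DgMembers $sampleDg
$plan.Add    | ForEach-Object { Write-Host -ForegroundColor Green "would add $_" }
$plan.Remove | ForEach-Object { Write-Host -ForegroundColor Red   "would remove $_" }

# In the runbook, apply the plan with -WhatIf first and drop it once the output looks right:
# $plan.Add    | ForEach-Object { Add-DistributionGroupMember    -Identity $DG -Member $_ -Confirm:$false -WhatIf }
# $plan.Remove | ForEach-Object { Remove-DistributionGroupMember -Identity $DG -Member $_ -Confirm:$false -WhatIf }
```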

Schedule this runbook so that you don’t exceed the maximum of three allowed concurrent connections to EXO.

Outcome

You now have an Azure AD MailEnabled Security Group, or well, something similar with some magic!
