Jordan Nolan

Office 365 Universal Sync and Dynamic Distribution Groups

When we had Exchange 2010 onsite we had several Distribution Groups that would contain a Dynamic Distribution Group that was hidden from the GAL that would help automatically keep the DG up to date and would also contain individual users that might not meet the dynamic criteria, but would need to be in the group.  For example, all users from Boston and also Tom Smith and Bob Jones:

Boston
  • DynBoston (all mailboxes with City=Boston)
  • Smith, Tom
  • Jones, Bob
I would like to do as much management as possible in AD.  I know I can add Tom and Bob easily enough to the Boston Distribution Group in AD and I can also create a Dynamic Distribution Group called DynBoston in Office 365 to handle the automation of all the employees with the city property as Boston.  However, if I make changes to the Boston Distribution Group in AD, will that cause the DynBoston group to drop off the Boston Distribution Group when changes sync?
Adrian Mocanu (Okta, Inc.)
Thank you for reaching out to Okta Support, my name is Adrian and I'll be handling your case.
Making changes to the Boston Distribution Group in AD will cause the DynBoston group to drop off the Boston DG when syncing. 
Jordan Nolan
Hi Adrian,

Do you know if there is a delay in processing the sync? I also assumed that this would cause the DynBoston group to fall off, however objects that were created in the cloud do not appear to be affected by changes from the local AD.

It appears that I can create the desired effect if I do the following:
  1. Create a DG in Office 365 called Boston with an email address boston@mycompany.com
  2. Create a Dynamic DG called DynBoston with an email address dynboston@mycompany.com
  3. Add DynBoston to Boston
  4. Create a DG in the local AD called Boston with the matching email address boston@mycompany.com
  5. Sync AD
I created a couple of test groups this way and I am able to add users to the test groups and remove them with AD.  The Dynamic groups do not get stripped off from O365 and I can change the queries on the Dynamic groups.

The one issue I see is that once I sync the AD Distribution Group to the Office 365 Distribution Group I can no longer add O365 objects to the DG from within Office 365.  So for example if I had a DG called California and I already set up a couple of Dynamic DGs called DynLA and DynSanJose before I synced California I cannot add DynOakland.

I do not know how nested Dynamic DGs will work so I am not sure if you can create a DynCalifornia and just add other groups to that as needed.  I would say to be safe you should plan on a strategy where you only need one Dynamic DG within a synced DG.
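
The five steps above written out as commands, followed by a before/after membership comparison that shows whether a sync removed the dynamic group from the synced DG. This is an added example, not code from either poster or from Okta. It assumes an Exchange Online PowerShell session and the ActiveDirectory module; the OU path is a placeholder and `Get-DgSnapshot` is a hypothetical helper name.

```powershell
# Assumptions: Connect-ExchangeOnline has been run (steps 1-3 and the check),
# and the ActiveDirectory module is available on a domain-joined host (step 4).
# Group names and addresses are the thread's own examples.

# Steps 1-3: cloud DG, dynamic DG filtered on City, then nest one in the other.
New-DistributionGroup -Name 'Boston' -PrimarySmtpAddress 'boston@mycompany.com'
New-DynamicDistributionGroup -Name 'DynBoston' `
    -PrimarySmtpAddress 'dynboston@mycompany.com' `
    -RecipientFilter "(RecipientTypeDetails -eq 'UserMailbox') -and (City -eq 'Boston')"
Add-DistributionGroupMember -Identity 'Boston' -Member 'DynBoston'

# Step 4: on-premises distribution group with the matching mail address.
# The OU path below is a placeholder, not a value from the thread.
New-ADGroup -Name 'Boston' -GroupCategory Distribution -GroupScope Universal `
    -Path 'OU=Groups,DC=example,DC=local' `
    -OtherAttributes @{ mail = 'boston@mycompany.com' }

# Step 5 (the sync itself) is run from the sync tool and is not scripted here.

# Hypothetical helper: capture who is in the cloud DG right now.
function Get-DgSnapshot {
    param([Parameter(Mandatory)][string]$Identity)
    Get-DistributionGroupMember -Identity $Identity -ResultSize Unlimited |
        Select-Object Name, RecipientTypeDetails, PrimarySmtpAddress
}

$before = Get-DgSnapshot -Identity 'Boston'
Read-Host 'Change the Boston group in AD, let the sync finish, then press Enter'
$after = Get-DgSnapshot -Identity 'Boston'

# Members present before the sync but missing afterwards.
$dropped = Compare-Object -ReferenceObject @($before) -DifferenceObject @($after) `
    -Property PrimarySmtpAddress -PassThru |
    Where-Object SideIndicator -eq '<='

# A dynamic group in this list means the sync stripped it from the DG.
$droppedDynamic = $dropped |
    Where-Object RecipientTypeDetails -eq 'DynamicDistributionGroup'

if ($droppedDynamic) {
    Write-Warning "Sync removed: $($droppedDynamic.Name -join ', ')"
} else {
    Write-Output 'No dynamic distribution groups were removed by the sync.'
}
```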