Attempting to manage a Microsoft Entra ID Mail-enabled security group or Distribution group using the Okta Workflows Azure Active Directory connector will fail with the error:
400 Bad Request
This can occur with any of the action cards that attempt to manage Mail-enabled security or Distribution groups, such as Update Group, Add User to Group, etc.
{
  "retry_count": 0,
  "flo": "office365admin:1.0.202:updateGroup",
  "method": "ZDkPkSsYrFKwr",
  "execution": "154faa80-d805-4f24-ab0b-91f3e446041c",
  "module": "control.spawn",
  "kind": "HTTP Request Error",
  "statusCode": 400,
  "headers": {
    "client-request-id": "f561b2fb-87ba-42e8-a377-e8ca431a7c38",
    "x-ms-resource-unit": "1",
    "date": "Wed, 05 Nov 2025 23:45:34 GMT",
    "content-type": "application/json",
    "transfer-encoding": "chunked",
    "strict-transport-security": "max-age=31536000",
    "x-ms-ags-diagnostic": "{\"ServerInfo\":{\"DataCenter\":\"East US\",\"Slice\":\"E\",\"Ring\":\"5\",\"ScaleUnit\":\"007\",\"RoleInstance\":\"MN1PEPF0002F3DF\"}}",
    "request-id": "f561b2fb-87ba-42e8-a377-e8ca431a7c38",
    "cache-control": "no-cache"
  },
  "body": {
    "error": {
      "code": "Request_BadRequest",
      "message": "Cannot Update a mail-enabled security groups and or distribution list.",
      "innerError": {
        "date": "2025-11-05T23:45:34",
        "request-id": "f561b2fb-87ba-42e8-a377-e8ca431a7c38",
        "client-request-id": "f561b2fb-87ba-42e8-a377-e8ca431a7c38"
      }
    }
  },
  "message": "400 Bad Request",
  "description": "HTTP Request Error",
  "steps": 34,
  "source": {
    "flo": "office365admin:1.0.202:customAPIAction",
    "method": "pkazAoR_MaJQ0",
    "execution": "e05ca1f0-2a8f-4e7b-ab91-66279334bd1c",
    "module": "http.call"
  },
  "_fatal": null
}
- Workflows
- Azure Active Directory connector
This is expected behavior. The Microsoft Graph API does not support managing Mail-enabled security groups or Distribution groups. The Azure Active Directory connector in Okta Workflows uses the Graph API and therefore does not support managing these groups either. Microsoft recommends using O365 groups instead. Also note that since there is no Microsoft API that supports this, the Okta Workflows API connector cannot be used to manage Mail-enabled security groups or Distribution groups either.
For additional details, refer to the table in the Types of groups supported in Microsoft section of the Manage groups in Microsoft Graph documentation, which states that Mail-enabled security groups and Distribution groups cannot be managed via the Graph API and are read-only.
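The following is an added example, not code from Okta or Microsoft: a pre-check that classifies a group from the `groupTypes`, `mailEnabled` and `securityEnabled` properties Microsoft Graph returns, using the property combinations in that table, so a flow can skip and log read-only groups instead of failing with 400. The function names and the sample groups are assumptions constructed for illustration.

```python
# Added example (not Okta or Microsoft code): decide whether a group can be
# written through Microsoft Graph before a flow attempts Update Group or
# Add User to Group. Sample groups below are constructed placeholders.

def classify_group(group: dict) -> str:
    """Map groupTypes / mailEnabled / securityEnabled to a group type."""
    group_types = group.get("groupTypes") or []
    mail_enabled = bool(group.get("mailEnabled"))
    security_enabled = bool(group.get("securityEnabled"))
    if "Unified" in group_types:
        return "microsoft365"
    if mail_enabled and security_enabled:
        return "mail_enabled_security"   # read-only via Graph
    if mail_enabled:
        return "distribution"            # read-only via Graph
    if security_enabled:
        return "security"
    return "unknown"

def is_graph_writable(group: dict) -> bool:
    """Only Microsoft 365 and plain security groups can be managed via Graph."""
    return classify_group(group) in {"microsoft365", "security"}

def partition_groups(groups: list) -> tuple:
    """Split into (writable, skipped) so skipped groups are logged, not retried."""
    writable = [g for g in groups if is_graph_writable(g)]
    skipped = [(g.get("displayName"), classify_group(g))
               for g in groups if not is_graph_writable(g)]
    return writable, skipped

# Constructed sample data shaped like Graph group objects (hypothetical names).
SAMPLE_GROUPS = [
    {"displayName": "Project Team", "groupTypes": ["Unified"],
     "mailEnabled": True, "securityEnabled": False},
    {"displayName": "VPN Users", "groupTypes": [],
     "mailEnabled": False, "securityEnabled": True},
    {"displayName": "Finance Approvers", "groupTypes": [],
     "mailEnabled": True, "securityEnabled": True},
    {"displayName": "All Staff DL", "groupTypes": [],
     "mailEnabled": True, "securityEnabled": False},
]

if __name__ == "__main__":
    ok, skipped = partition_groups(SAMPLE_GROUPS)
    print("writable:", [g["displayName"] for g in ok])
    for name, kind in skipped:
        print(f"skip {name}: {kind} is read-only in Microsoft Graph")
```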
It may be possible to manage Mail-enabled security and Distribution groups from Okta Workflows using the Execute on-premises PowerShell with Okta Workflows template if PowerShell supports the required update operation. NOTE: Assistance with configuring and troubleshooting the setup for this workflow template is outside the scope of Okta Support.
