Managing Distribution Lists in Hybrid Exchange Online/Office 365 Environments

How to give Exchange Online users the ability to manage their distribution lists

Microsoft has done a great job of ensuring that hybrid Exchange Online/Office 365 tenants have almost all of the features and functionality of on-premises Exchange Server deployments, without the need for running and maintaining their own servers. However, there is still one major gap companies consistently run into as they move to a hybrid Exchange Online/Office 365 environment: distribution list (DL) management.

In hybrid Exchange Online/Office 365 environments, DLs are created on premises and synchronized with Azure Active Directory (Azure AD) through DirSync so that users with mailboxes in Exchange Online can use those DLs. However, Exchange Online users can't manage their own DLs because DirSync doesn't support the write back of DLs from Office 365 to the on-premises Active Directory (AD) forest. Exchange has supported the delegation of DL management to users for several versions now, so it comes as a bit of a shock to IT departments when they find out that they have to manage DLs again.

There are several solutions for this problem, which fall into two categories:

  • Move DLs to Azure AD so that Exchange Online users can manage them through Outlook. This can be accomplished through DL migration.
  • Find a way for Exchange Online users to manage on-premises DLs. By using Forefront Identity Manager, DSQuery, or a Windows PowerShell script, you can provide a way for users to do so.

Although none of these solutions will get DL management to work the way it used to, I hope one of the solutions will fit your needs.

DL Migration

To move DLs to Azure AD, you can migrate your DLs from your on-premises AD forest to Azure AD. As I mentioned previously, users with mailboxes in Office 365 can't modify DLs that are synchronized with DirSync because DirSync doesn't support the write back of DLs from Office 365 to the on-premises AD forest. This solution solves that problem by creating new DLs in Azure AD that users with mailboxes in Office 365 will be able to modify.

If your organization is going to stay in a hybrid configuration, with some mailboxes in Office 365 and some mailboxes in the on-premises AD forest, there's a downside to this solution: The on-premises users won't be able to use and modify the migrated DLs. In addition, if you ever decide to move back to an on-premises Exchange environment from Office 365, there's no easy way to migrate those DLs back to your on-premises AD forest.

If you're moving all user mailboxes into Office 365 and you have a limited number of DLs to move, this might be a workable solution. If the plan is to maintain mailboxes on premises or if you have a large number of DLs, this solution turns into more trouble than it's worth.
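The migration this section describes, as an added example that is not from the article: it exports one on-premises DL with its addresses, owners and members, then recreates it as a cloud-only DL in Exchange Online. The DL name Sales - East, the CSV path, and the two sessions it runs in (on-premises Exchange Management Shell for phase 1, a remote PowerShell session to Exchange Online for phase 2) are assumptions. Between the two phases the on-premises object has to leave the DirSync scope and a sync cycle has to run, otherwise New-DistributionGroup fails with an address conflict because the synchronized copy still owns the SMTP address.

```powershell
# Added example, not from the article: move one synchronized DL to a cloud-only DL.
# Assumed names: the DL "Sales - East" and the export file C:\Temp\Sales-East.csv.

# ---- Phase 1: run in the on-premises Exchange Management Shell ----
$dl = Get-DistributionGroup -Identity 'Sales - East'

# Secondary proxy addresses plus an X500 entry for the on-premises legacyExchangeDN,
# so replies to messages sent before the move still resolve to the new DL.
$otherAddresses = @($dl.EmailAddresses |
    ForEach-Object { $_.ProxyAddressString } |
    Where-Object { $_ -cnotlike 'SMTP:*' }) + "X500:$($dl.LegacyExchangeDN)"

# Owners and members are captured as SMTP addresses, which resolve in both directories.
$owners = @($dl.ManagedBy | ForEach-Object {
    (Get-Recipient -Identity $_.DistinguishedName).PrimarySmtpAddress.ToString() })
$members = @(Get-DistributionGroupMember -Identity $dl.Identity -ResultSize Unlimited |
    Where-Object { $_.PrimarySmtpAddress } |
    ForEach-Object { $_.PrimarySmtpAddress.ToString() })

# New-Object (not [pscustomobject]) so this also works in the PowerShell 2.0 shell of Exchange 2010.
$export = New-Object PSObject -Property @{
    Name           = $dl.Name
    Alias          = $dl.Alias
    DisplayName    = $dl.DisplayName
    PrimarySmtp    = $dl.PrimarySmtpAddress.ToString()
    OtherAddresses = $otherAddresses -join ';'
    ManagedBy      = $owners  -join ';'
    Members        = $members -join ';'
}
$export | Export-Csv -Path 'C:\Temp\Sales-East.csv' -NoTypeInformation

# Between the phases: delete the on-premises group, or move it to an OU DirSync does
# not synchronize, and let a sync cycle run so the synchronized copy leaves Azure AD.

# ---- Phase 2: run in a remote PowerShell session connected to Exchange Online ----
$g = Import-Csv -Path 'C:\Temp\Sales-East.csv'

# Splat the parameters so an empty owner or member list is simply omitted
# instead of being passed as a one-element array containing ''.
$params = @{
    Name               = $g.Name
    Alias              = $g.Alias
    DisplayName        = $g.DisplayName
    PrimarySmtpAddress = $g.PrimarySmtp
}
if ($g.ManagedBy) { $params.ManagedBy = $g.ManagedBy -split ';' }
if ($g.Members)   { $params.Members   = $g.Members   -split ';' }
$new = New-DistributionGroup @params

# Re-add the secondary and X500 addresses; the primary is already set.
Set-DistributionGroup -Identity $new.Identity -EmailAddresses @{ Add = ($g.OtherAddresses -split ';') }

# Verify the result before handing the list back to its owners.
Get-DistributionGroup -Identity $new.Identity |
    Format-List Name, PrimarySmtpAddress, EmailAddresses, ManagedBy
Get-DistributionGroupMember -Identity $new.Identity -ResultSize Unlimited |
    Format-Table Name, PrimarySmtpAddress -AutoSize
```

The X500 address is the detail most often forgotten: without it, replies to mail that was addressed to the old synchronized DL bounce, because Outlook caches the legacyExchangeDN rather than the SMTP address. The new cloud DL is also invisible to on-premises mailboxes, which is the downside the section already notes.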

Forefront Identity Manager

You can use Forefront Identity Manager to provide Exchange Online users the ability to manage their on-premises DLs. On the upside, Forefront Identity Manager gives users a nice graphical interface for managing DLs that's similar to the interface users have become accustomed to in Outlook. On the downside, Forefront Identity Manager is expensive to purchase. Depending on how you buy it, the licensing is going to be thousands of dollars. You also need to consider the cost of the server hardware and IT staff to configure and maintain the solution. As a result, few (if any) organizations are going to find user DL management important enough to justify a new deployment of Forefront Identity Manager. If your organization already has Forefront Identity Manager deployed, this is a nice added use for the solution.

DSQuery

DSQuery, a command-line tool that has been around for some time, can provide Exchange Online users the ability to manage on-premises DLs. However, most users won't find it easy to manage DLs with this tool. Here are a couple of commands that illustrate this point:

dsquery group -name "Sales - East" | dsget group -members -expand
dsquery * forestroot -filter "(&(samAccountType=268435457)(mail=*))" -limit 0

The first command lists the members of the DL named Sales - East, expanding any nested groups. The second lists every mail-enabled DL in the AD forest: 268435457 is the sAMAccountType value for non-security (distribution) groups, and mail=* keeps only the ones that are mail-enabled. Most Exchange Online users are going to be very unhappy if you tell them they need to run commands like this to manage their DLs.

PowerShell Script

The final option is to use a PowerShell script to allow Exchange Online users to manage their on-premises DLs. You can find a script I have written, Manage-DistributionLists, in the TechNet Gallery.

The Manage-DistributionLists script gives Exchange Online users an interface to manage on-premises DLs without having to deal with the complexities of DSQuery. In my opinion, this is the best option for DL management. It keeps all your organization's DLs homed in your on-premises AD forest but still allows your Exchange Online users to manage those DLs themselves. The script requires an on-premises Exchange server; if you're using DirSync with your Office 365 tenant, it's highly recommended that you maintain a hybrid Exchange server on premises anyway.

Here's a quick walkthrough of how this script works. When you launch the script, it will ask for an Exchange server name, as Figure 1 shows.

Figure 1: Entering the Name of the Exchange Server

If you want to make life a little easier for your Exchange Online users, you can modify the script. First, find the following lines at the top of the script:

$ExchangeServer = read-host "Enter the name of your Exchange server"
write-host "Connecting to $ExchangeServer"
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://$ExchangeServer/PowerShell/ -Authentication Kerberos

Next, remove the first two lines. Finally, replace $ExchangeServer with the name of your hybrid server in the last line. With this modification, your users won't be prompted to enter an Exchange server name. Instead, they'll be automatically connected to it.
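To show what the script's approach looks like end to end, here is a small self-service DL manager built on the same connection line, with the server name fixed as just described. It is an added example and not the Manage-DistributionLists script; the hybrid server name hyb01.corp.example.com is an assumption, and it assumes the user runs it from a domain-joined PC so Kerberos works. Because the session runs as the signed-in user, on-premises Exchange RBAC decides which cmdlets that user actually receives: a user whose role assignment policy does not include MyDistributionGroups will not get Add-DistributionGroupMember or Remove-DistributionGroupMember at all, and Exchange enforces the ownership (ManagedBy) check server side regardless of what the menu shows.

```powershell
# Added example, not the article's Manage-DistributionLists script.
# Assumed hybrid server name; replace with your own.
$ExchangeServer = 'hyb01.corp.example.com'

# Same connection line as the script, minus the prompt. Kerberos means the
# remote session runs as the signed-in user, with that user's RBAC rights.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "http://$ExchangeServer/PowerShell/" `
    -Authentication Kerberos

try {
    # Only the cmdlets the user's roles allow are imported into the local session.
    Import-PSSession -Session $Session -DisableNameChecking -AllowClobber | Out-Null

    # Resolve the signed-in user's DN locally (no Exchange cmdlet needed) so the
    # menu can narrow the view to groups the user owns. Exchange still enforces
    # ownership itself; this filter only decides what is displayed.
    $sid  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $myDn = [string]([ADSI]"LDAP://<SID=$sid>").distinguishedName
    $myDnEscaped = $myDn -replace "'", "''"   # a DN such as O'Brien would otherwise break the filter

    function Get-MyDL {
        Get-DistributionGroup -Filter "ManagedBy -eq '$myDnEscaped'" -ResultSize Unlimited
    }

    do {
        Write-Host ''
        Write-Host '1) List my distribution lists'
        Write-Host '2) Show members of a list'
        Write-Host '3) Add a member'
        Write-Host '4) Remove a member'
        Write-Host 'Q) Quit'
        $choice = Read-Host 'Select an option'

        switch ($choice) {
            '1' { Get-MyDL | Format-Table Name, PrimarySmtpAddress -AutoSize }
            '2' {
                $dl = Read-Host 'Distribution list name'
                Get-DistributionGroupMember -Identity $dl -ResultSize Unlimited |
                    Format-Table Name, PrimarySmtpAddress -AutoSize
            }
            '3' {
                $dl     = Read-Host 'Distribution list name'
                $member = Read-Host 'E-mail address to add'
                Add-DistributionGroupMember -Identity $dl -Member $member
            }
            '4' {
                $dl     = Read-Host 'Distribution list name'
                $member = Read-Host 'E-mail address to remove'
                # Leave the cmdlet's own confirmation prompt in place for removals.
                Remove-DistributionGroupMember -Identity $dl -Member $member
            }
        }
    } until ($choice -match '^[Qq]$')
}
finally {
    # Always tear down the remote session, even after an error or Ctrl+C in the menu.
    Remove-PSSession -Session $Session
}
```

Before rolling something like this out, confirm which roles your users actually hold with Get-RoleAssignmentPolicy | Format-List Name, AssignedRoles on the on-premises server; if MyDistributionGroups is missing, the add and remove options will fail with "not recognized" errors rather than an access-denied message, which confuses users.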

After the connection is completed, users will be presented with the menu shown in Figure 2.

Figure 2: Selecting the Task to Perform

As you can see, I tried to make the script as self-explanatory as possible. All the users need to do is select the option they want. For example, if they select the first option, they'll receive results that look like those in Figure 3.

Figure 3: Displaying a List of DLs

If you have any suggestions on how to improve the script, please let me know.

Don't Overlook DL Management

There are many things to consider when planning a migration to Office 365, and DL management is one facet that's fairly easy to overlook. I hope that I've been able to clarify your options for DL management and make your migration a little bit easier.
