How to convert Distribution List to Security Group
In Microsoft 365, you can’t convert a distribution list into a mail-enabled security group. With a PowerShell script, there is a way to copy the same members from the distribution list to the security group. In this article, you will learn how to convert a distribution list to a mail-enabled security group and vice versa.
Distribution vs. Security Group
Before we convert a distribution list to a mail-enabled security group in Microsoft 365, it’s important to understand their differences.
- Distribution groups are used to send email notifications to a group of people.
- Mail-enabled security groups are used to send emails to all the group members and grant them access to resources such as SharePoint.
We can use both the distribution list and mail-enabled security group for sending email notifications to each member.
The main difference between these groups is that only a security group can be used for assigning permissions. A distribution list can’t be used for assigning permissions. Distribution groups are not security-enabled, meaning they cannot be listed in Discretionary Access Control Lists (DACLs).
The table below shows the differences between a distribution list and a mail-enabled security group.
| | Distribution List | Mail-enabled Security Group |
|---|---|---|
| Assign permissions | No | Yes |
| Send an email to the group | Yes | Yes |
If you assign permissions to a security group, all the group members automatically inherit the permissions that were assigned to the group.
- When you add a new user to the security group, it will automatically inherit the permissions that were assigned to the security group.
- Removing a user from the security group will automatically remove the permissions that were assigned to the group member.
Connect to Exchange Online PowerShell
To be able to run PowerShell commands, you must connect to Exchange Online PowerShell. Open Windows PowerShell as administrator, run the below cmdlet, and sign in with your admin credentials.
```powershell
Connect-ExchangeOnline
```
Copy members from Distribution List to Security Group
There is no option to convert an existing distribution list to a mail-enabled security group in Exchange Online. Therefore, we need to make use of PowerShell to copy all the members from the distribution list to an existing security group.
We will show you the steps to copy the distribution list into a security group:
- Create a new mail-enabled security group
First, you need to have an existing security group or create a new one. In our example, we will create a new mail-enabled security group (FinanceUK@m365info.com).
Run the below PowerShell example to create a new security group.
```powershell
New-DistributionGroup -Name "Finance UK" -PrimarySmtpAddress "FinanceUK@m365info.com" -ManagedBy "Brenda.Smith@m365info.com" -Type Security
```
- Copy all the members from the existing distribution list to the new security group
The next step is to copy the members of the distribution list to the new mail-enabled security group.
See the below PowerShell example syntax.
```powershell
$Members = Get-DistributionGroupMember -ResultSize Unlimited -Identity "Distribution Group"
foreach ($Member in $Members) {
    Add-DistributionGroupMember -Identity "Security Group" -Member $Member.Name
}
```
We want to copy the same members of the (Sales UK) distribution list to the mail-enabled security group (Finance UK).
- Specify the distribution list primary SMTP address in line number 1
- Specify the mail-enabled security group primary SMTP address in line number 3
- Run the below PowerShell script
Note: To copy members from a mail-enabled security group to a distribution list, you need to reverse the order of the groups in the PowerShell script.
```powershell
$Members = Get-DistributionGroupMember -ResultSize Unlimited -Identity "SalesUK@m365info.com"
foreach ($Member in $Members) {
    Add-DistributionGroupMember -Identity "FinanceUK@m365info.com" -Member $Member.Name -BypassSecurityGroupManagerCheck
}
```
You transferred all the distribution list members to the mail-enabled security group.
- The last step is to delete the distribution group
Run the below PowerShell command to delete the distribution group.
```powershell
Remove-DistributionGroup "SalesUK@m365info.com" -BypassSecurityGroupManagerCheck -Confirm:$false
```
Choose the next option if you want to automate the distribution list conversion to a mail-enabled security group with PowerShell.
Convert Distribution List owners and members to Security Group
To copy all the owners and members from the distribution list to a newly created security group, we need to use a different approach.
We created a PowerShell script that will:
- Create a new mail-enabled security group
- Copy owners and members from an existing distribution list to the newly created security group
- Delete the original distribution list
Note: You can’t create another group with the same primary SMTP address.
The script below automatically creates a new security group with the same name as the distribution group. Because two groups can’t share a primary SMTP address, it temporarily appends -New to the local part of the new security group’s primary SMTP address. Finally, the script removes the original distribution group and then removes -New from the primary SMTP address of the mail-enabled security group.
- Specify the admin UPN in line number 1
- Specify the distribution list group primary SMTP address in line number 2
- Run the below PowerShell script
Note: To convert a mail-enabled security group to a distribution list, you need to delete -Type Security on line number 25 in the below PowerShell script.
```powershell
$Admin = "admin@m365info.com"
$DistributionGroup = "SalesUK@m365info.com"

# Connect to Exchange Online PowerShell
Connect-ExchangeOnline

# Get distribution group
$DG = Get-DistributionGroup -ResultSize Unlimited -Identity $DistributionGroup -ErrorAction SilentlyContinue

# Check if the group exists
if ($null -eq $DG) {
    Write-Host "The distribution group '$DistributionGroup' does not exist." -ForegroundColor Red
}
else {
    # Get all the members and owners of the distribution group
    $Members = Get-DistributionGroupMember -ResultSize Unlimited -Identity $DistributionGroup
    $Owners = $DG.ManagedBy

    # Split the distribution group address
    $GroupName = $DG.DisplayName
    $SplittedAddress = $DG.PrimarySmtpAddress -split "@"
    $PrimarySmtpAddressNew = "$($SplittedAddress[0])-New@$($SplittedAddress[1])"

    # Create a new security group with a name based on the distribution group
    $null = New-DistributionGroup -Name $GroupName -PrimarySmtpAddress $PrimarySmtpAddressNew -Type Security
    Write-Host "Created NEW security group $GroupName ($PrimarySmtpAddressNew)." -ForegroundColor Green

    # Loop through each owner of the original group
    Write-Host "Adding owners to security group $GroupName ($PrimarySmtpAddressNew)." -ForegroundColor Green
    foreach ($Owner in $Owners) {
        # Add the owner to the new security group
        Set-DistributionGroup -Identity "$PrimarySmtpAddressNew" -ManagedBy @{Add = $Owner } -BypassSecurityGroupManagerCheck -ErrorAction Stop
    }

    # Loop through each member of the original group
    Write-Host "Adding members to security group $GroupName ($PrimarySmtpAddressNew)." -ForegroundColor Green
    foreach ($Member in $Members) {
        # Add the member to the new security group (failed additions are not reported)
        Add-DistributionGroupMember -Identity "$PrimarySmtpAddressNew" -Member $Member.Identity -BypassSecurityGroupManagerCheck -ErrorAction SilentlyContinue
    }

    # Remove admin from new security group
    Set-DistributionGroup -Identity "$PrimarySmtpAddressNew" -ManagedBy @{Remove = $Admin } -BypassSecurityGroupManagerCheck -ErrorAction Stop
    Write-Host "Removed admin $($Admin) from security group $GroupName ($PrimarySmtpAddressNew)." -ForegroundColor Green

    # Remove the original distribution group
    Remove-DistributionGroup -Identity "$DistributionGroup" -BypassSecurityGroupManagerCheck -Confirm:$false
    Write-Host "Removed Distribution Group $($DistributionGroup)." -ForegroundColor Green

    # Remove the -New from the security group
    Set-DistributionGroup -Identity $PrimarySmtpAddressNew -PrimarySmtpAddress $DistributionGroup
    Write-Host "Updated security group primary SMTP address to $($DistributionGroup)." -ForegroundColor Green
}
```
The PowerShell output result shows the transfer of the members and owners of the distribution list to the new security group. It deleted the original distribution list, and the primary SMTP address of the new security group is now identical to the original distribution list.
```
Created NEW security group Sales UK (SalesUK-New@m365info.com).
Adding owners to security group Sales UK (SalesUK-New@m365info.com).
Adding members to security group Sales UK (SalesUK-New@m365info.com).
Removed admin admin@m365info.com from security group Sales UK (SalesUK-New@m365info.com).
Removed Distribution Group SalesUK@m365info.com.
Updated security group primary SMTP address to SalesUK@m365info.com.
```
That’s it!
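The conversion script adds members with errors suppressed and then deletes the source list, so a failed addition goes unnoticed. The following check is an added example, not part of the article's scripts: it compares the two groups and is meant to run after the copy step and before `Remove-DistributionGroup`. `Test-GroupCopy` is a hypothetical helper name, and an existing Exchange Online session is assumed.

```powershell
# Added example: verify the copy before the source distribution list is deleted.
# Test-GroupCopy is a hypothetical helper name, not an Exchange Online cmdlet.
function Test-GroupCopy {
    param(
        [Parameter(Mandatory)] [string] $Source,  # distribution list
        [Parameter(Mandatory)] [string] $Target   # mail-enabled security group
    )

    $src = Get-DistributionGroup -Identity $Source -ErrorAction Stop
    $dst = Get-DistributionGroup -Identity $Target -ErrorAction Stop

    # Only a security-enabled group can be assigned permissions.
    $isSecurity = $dst.RecipientTypeDetails -eq 'MailUniversalSecurityGroup'

    $srcMembers = @(Get-DistributionGroupMember -Identity $Source -ResultSize Unlimited)
    $dstMembers = @(Get-DistributionGroupMember -Identity $Target -ResultSize Unlimited)

    # Compare on primary SMTP address, case-insensitively.
    $srcAddr = @($srcMembers | ForEach-Object { "$($_.PrimarySmtpAddress)".ToLower() })
    $dstAddr = @($dstMembers | ForEach-Object { "$($_.PrimarySmtpAddress)".ToLower() })

    $missing = @($srcAddr | Where-Object { $_ -notin $dstAddr })  # not copied
    $extra   = @($dstAddr | Where-Object { $_ -notin $srcAddr })  # only in target

    # Nested groups: their members inherit the security group's permissions too.
    $nested = @($srcMembers | Where-Object { $_.RecipientType -like '*Group' } |
        ForEach-Object { "$($_.PrimarySmtpAddress)" })

    # Owners of the source that do not manage the target.
    $missingOwners = @($src.ManagedBy | Where-Object { $_ -notin $dst.ManagedBy })

    [pscustomobject]@{
        TargetIsSecurityGroup = $isSecurity
        MissingMembers        = $missing
        ExtraMembers          = $extra
        NestedGroups          = $nested
        MissingOwners         = $missingOwners
        SafeToDelete          = $isSecurity -and ($missing.Count -eq 0)
    }
}

# Group addresses from the article; the -New address is the script's temporary one.
$check = Test-GroupCopy -Source 'SalesUK@m365info.com' -Target 'SalesUK-New@m365info.com'
$check | Format-List
if (-not $check.SafeToDelete) {
    Write-Warning 'Copy is incomplete. Do not delete the distribution list yet.'
}
```

Review `ExtraMembers` and `NestedGroups` before assigning permissions to the new group, because every member listed there inherits them.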
Conclusion
You learned how to convert a distribution group to a security group. First, the PowerShell script creates a new mail-enabled security group. Next, it copies the owners and members of the distribution list to the newly created mail-enabled security group. Finally, it deletes the distribution list.