How to convert Distribution List to Security Group

In Microsoft 365, you can’t convert a distribution list into a mail-enabled security group. With a PowerShell script, there is a way to copy the same members from the distribution list to the security group. In this article, you will learn how to convert a distribution list to a mail-enabled security group and vice versa.

Distribution vs. Security Group

Before we convert a distribution list to a mail-enabled security group in Microsoft 365, it’s important to understand their differences.

  • Distribution groups are used to send email notifications to a group of people.
  • Mail-enabled security groups are used to send emails to all the group members and grant them access to resources such as SharePoint.

We can use both the distribution list and mail-enabled security group for sending email notifications to each member.

The main difference between these groups is that only a security group can be used to assign permissions; a distribution list cannot. Distribution groups are not security-enabled, meaning they cannot be listed in Discretionary Access Control Lists (DACLs).

The table below shows the differences between a distribution list and a mail-enabled security group.

                           | Distribution List | Mail-enabled Security Group
Assign permissions         | No                | Yes
Send an email to the group | Yes               | Yes

If you assign permissions to a security group, all the group members automatically inherit the permissions that were assigned to the group.

  • When you add a new user to the security group, it will automatically inherit the permissions that were assigned to the security group.
  • Removing a user from the security group will automatically remove the permissions that were assigned to the group member.

Connect to Exchange Online PowerShell

To run the PowerShell commands in this article, you must first connect to Exchange Online PowerShell. Open Windows PowerShell as administrator, run the cmdlet below, and sign in with your admin credentials.

Connect-ExchangeOnline

Copy members from Distribution List to Security Group

There is no option to convert an existing distribution list to a mail-enabled security group in Exchange Online. Therefore, we need to make use of PowerShell to copy all the members from the distribution list to an existing security group.

We will show you the steps to copy the distribution list into a security group:

  1. Create a new mail-enabled security group

First, you need to have an existing security group or create a new one. In our example, we will create a new mail-enabled security group (FinanceUK@m365info.com).

Run the PowerShell example below to create a new security group.

New-DistributionGroup -Name "Finance UK" -PrimarySmtpAddress "FinanceUK@m365info.com" -ManagedBy "Brenda.Smith@m365info.com" -Type Security

  2. Copy all the members from the existing distribution list to the new security group

The next step is to copy the members of the distribution list to the new mail-enabled security group.

See the below PowerShell example syntax.

$Members = Get-DistributionGroupMember -ResultSize Unlimited -Id "Distribution Group"
foreach ($Member in $Members) {
    Add-DistributionGroupMember -Identity "Security Group" -Member $Member.name
}

We want to copy the same members of the (Sales UK) distribution list to the mail-enabled security group (Finance UK).

  • Specify the distribution list primary SMTP address in line number 1
  • Specify the mail-enabled security group primary SMTP address in line number 3
  • Run the below PowerShell script

Note: To copy members from a mail-enabled security group to a distribution list, you need to reverse the order of the groups in the PowerShell script.

$Members = Get-DistributionGroupMember -ResultSize Unlimited -Id "SalesUK@m365info.com"
foreach ($Member in $Members) {
    Add-DistributionGroupMember -Identity "FinanceUK@m365info.com" -Member $Member.name -BypassSecurityGroupManagerCheck
}

You transferred all the distribution list members to the mail-enabled security group.

  3. The last step is to delete the distribution group

Run the PowerShell command below to delete the distribution group.

Remove-DistributionGroup "SalesUK@m365info.com" -BypassSecurityGroupManagerCheck -Confirm:$false

Choose the next option if you want to automate the distribution list conversion to a mail-enabled security group with PowerShell.

Convert Distribution List owners and members to Security Group

To copy all the owners and members from the distribution list to a newly created security group, we need to use a different approach.

We created a PowerShell script that will:

  • Create a new mail-enabled security group
  • Copy owners and members from an existing distribution list to the newly created security group
  • Delete the original distribution list

Note: You can’t create another group with the same primary SMTP address.

The script below automatically creates a new security group with the same name as the distribution group. Because two groups can't share a primary SMTP address, the script temporarily appends -New to the local part of the new security group's primary SMTP address. Finally, it removes the original distribution group and drops -New from the primary SMTP address of the mail-enabled security group.

  1. Specify the admin UPN in line number 1
  2. Specify the distribution list group primary SMTP address in line number 2
  3. Run the below PowerShell script

Note: To convert a mail-enabled security group to a distribution list, you need to delete -Type Security on line number 25 in the below PowerShell script.

$Admin = "admin@m365info.com"
$DistributionGroup = "SalesUK@m365info.com"

# Connect to Exchange Online PowerShell
Connect-ExchangeOnline

# Get distribution group
$DG = Get-DistributionGroup -ResultSize Unlimited -Identity $DistributionGroup -ErrorAction SilentlyContinue

# Check if the group exists
if ($null -eq $DG) {
    Write-Host "The distribution group '$DistributionGroup' does not exist." -ForegroundColor Red
}
else {
    # Get all the members of the distribution group
    $Members = Get-DistributionGroupMember -ResultSize Unlimited -Identity $DistributionGroup
    $Owners = $DG.ManagedBy

    # Split the distribution group address
    $GroupName = $DG.DisplayName
    $SplittedAddress = $DG.PrimarySmtpAddress -split "@"
    $PrimarySmtpAddressNew = "$($SplittedAddress[0])-New@$($SplittedAddress[1])"

    # Create a new security group with a name based on the distribution group
    $null = New-DistributionGroup -Name $GroupName -PrimarySmtpAddress $PrimarySmtpAddressNew -Type Security
    Write-Host "Created NEW security group $GroupName ($PrimarySmtpAddressNew)." -ForegroundColor Green

    # Loop through each owner of the original group
    Write-Host "Adding owners to security group $GroupName ($PrimarySmtpAddressNew)." -ForegroundColor Green
    foreach ($Owner in $Owners) {
        # Add this owner to the new security group
        Set-DistributionGroup -Identity "$PrimarySmtpAddressNew" -ManagedBy @{Add = $Owner } -BypassSecurityGroupManagerCheck -ErrorAction Stop
    }

    # Loop through each member of the original group
    Write-Host "Adding members to security group $GroupName ($PrimarySmtpAddressNew)." -ForegroundColor Green
    foreach ($Member in $Members) {
        # Add the member to the new security group
        Add-DistributionGroupMember -Identity "$PrimarySmtpAddressNew" -Member $Member.Identity -BypassSecurityGroupManagerCheck -ErrorAction SilentlyContinue
    }

    # Remove admin from new security group
    Set-DistributionGroup -Identity "$PrimarySmtpAddressNew" -ManagedBy @{Remove = $Admin } -BypassSecurityGroupManagerCheck -ErrorAction Stop
    Write-Host "Removed admin $($Admin) from security group $GroupName ($PrimarySmtpAddressNew)." -ForegroundColor Green

    # Remove the original distribution group
    Remove-DistributionGroup -Identity "$DistributionGroup" -BypassSecurityGroupManagerCheck -Confirm:$false
    Write-Host "Removed Distribution Group $($DistributionGroup)." -ForegroundColor Green

    # Remove the -New from the security group
    Set-DistributionGroup -Identity $PrimarySmtpAddressNew -PrimarySmtpAddress $DistributionGroup
    Write-Host "Updated security group primary SMTP address to $($DistributionGroup)." -ForegroundColor Green
}

The PowerShell output result shows the transfer of the members and owners of the distribution list to the new security group. It deleted the original distribution list, and the primary SMTP address of the new security group is now identical to the original distribution list.

Created NEW security group Sales UK (SalesUK-New@m365info.com).
Adding owners to security group Sales UK (SalesUK-New@m365info.com).
Adding members to security group Sales UK (SalesUK-New@m365info.com).
Removed admin admin@m365info.com from security group Sales UK (SalesUK-New@m365info.com).
Removed Distribution Group SalesUK@m365info.com.
Updated security group primary SMTP address to SalesUK@m365info.com.
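
Both procedures above delete the original distribution list right after the copy loop, and the automated script adds members with -ErrorAction SilentlyContinue, so a member that failed to copy goes unnoticed. The following check is an added example, not part of the original article's script: it compares both memberships and removes the original list only when they match. It is meant to run after the copy step and before the deletion; the variable names and the backup file name are assumptions, and for the manual procedure $Target would be FinanceUK@m365info.com.

```powershell
# Added example (not from the original article). Addresses follow the article's
# sample groups; $Source, $Target, $Missing, $Extra and the CSV name are assumed.
$Source = "SalesUK@m365info.com"       # original distribution list
$Target = "SalesUK-New@m365info.com"   # newly created mail-enabled security group

# Snapshot both memberships; @() keeps zero or one member as an array
$SourceMembers = @(Get-DistributionGroupMember -Identity $Source -ResultSize Unlimited)
$TargetMembers = @(Get-DistributionGroupMember -Identity $Target -ResultSize Unlimited)

# Keep a record of the original membership before anything is deleted
$SourceMembers | Select-Object DisplayName, PrimarySmtpAddress, RecipientType |
    Export-Csv -Path ".\SalesUK-members-backup.csv" -NoTypeInformation -Encoding UTF8

# Compare on primary SMTP address (PowerShell string comparison is case-insensitive)
$SourceIds = @($SourceMembers | ForEach-Object { [string]$_.PrimarySmtpAddress })
$TargetIds = @($TargetMembers | ForEach-Object { [string]$_.PrimarySmtpAddress })
$Missing = @($SourceMembers | Where-Object { [string]$_.PrimarySmtpAddress -notin $TargetIds })
$Extra   = @($TargetMembers | Where-Object { [string]$_.PrimarySmtpAddress -notin $SourceIds })

# Members by recipient type: everyone counted here inherits whatever
# permissions are later assigned to the security group
$TargetMembers | Group-Object RecipientType | Format-Table Name, Count -AutoSize

if ($Missing.Count -gt 0 -or $Extra.Count -gt 0) {
    Write-Warning "Membership mismatch: $($Missing.Count) not copied, $($Extra.Count) unexpected. Original group kept."
    $Missing | Format-Table @{n = "Status"; e = { "NotCopied" } }, DisplayName, PrimarySmtpAddress -AutoSize
    $Extra   | Format-Table @{n = "Status"; e = { "Unexpected" } }, DisplayName, PrimarySmtpAddress -AutoSize
}
else {
    Write-Host "Memberships match ($($TargetMembers.Count) members). Removing $Source." -ForegroundColor Green
    # No -Confirm:$false here, so the cmdlet still prompts before deleting
    Remove-DistributionGroup -Identity $Source -BypassSecurityGroupManagerCheck
}
```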

That’s it!

Conclusion

You learned how to convert a distribution group to a security group. First, the PowerShell script creates a new mail-enabled security group. Next, it copies the owners and members of the distribution list to the newly created mail-enabled security group. Finally, it deletes the distribution list.

o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.
