BPOS Transitioned Customers with DGs Instead of SGs in Office 365

Posted on Updated on

As you may know, in BPOS using DirSync that Security Groups (SGs) are converted into Distribution Groups(DGs) as BPOS did not have Security Groups as a type.  Many administrators who needed SGs for use in Outlook Delegation and/or SharePoint groups (assign permissions to groups and manage users in the group for effective management) had to request BPOS Operations to make this conversion back to SGs on behalf of the customer/administrator.


Customers who Transitioned from BPOS into Office 365 may fall into the following scenario:

  1. Transitioned into Office 365 from BPOS
  2. Ran DirSync V2 against Office 365 and found that their on-premises Active Directory Security Groups (SGs) are STILL listed as Distribution Groups in the new Exchange Online 365 environment, effectively not able to be used for security purposes.


When BPOS DirSync converts SGs to DGs for use, when the BPOS to Office 365 Transition completed, the DGs are brought over as DGs because that is the groupType set.  Once you run Directory Synchronization V2 against Office 365, Directory Synchronization does not check the groupType setting and finds the group already in the cloud and as such will NOT convert the group back to a Security Group (SG).

Proposed Solution

To fix this issue without needing to delete the on-premises Active Directory groups (delete, recreate and start over), you can use Directory Synchronization Filtering to have these groups removed in the cloud, so they can be created as SGs instead of being stuck as a DG.  For more information on Directory Synchronization Filter, please refer to:

Configure Filtering for Directory Synchronization

Use the above approach to put the DGs into a separate OU and configure DirSync Filtering to NOT synchronize that OU.  This will instruct DirSync to tell O365 MSODS that the groups have been removed and to remove them from the cloud.  Once done and verified that the groups are no longer available, DirSync Filtering can be removed by putting the groups back into the normal OU container and run DirSync.  It will pick up these groups, find they are SGs and synchronize them into the cloud.

Once the above has been done you will have effectively replaced the old DGs (converted during the BPOS DirSync operation) with the proper groupType as Security Group(s).

Whatcha thinkin?

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s