The Groups Dilemma – post migration
Today a client that we had previously migrated off Lotus Notes asked us about applying Groups to their Shared Mailboxes in Office 365, while ensuring that the Shared Mailbox Owners keep the ability to modify those Groups to grant access.
This post goes hand in hand with the one I wrote on Shared Mailboxes, https://www.neroblanco.co.uk/2015/04/the-shared-mailbox-dilemma/ : it is not a one-pager, but I would suggest reading it all the way through (it is fairly easy reading).
What they described is a Notes Group placed in the ACL of a Lotus Notes Mail-In Database, with that same (ACL Only or Multipurpose) Group in the Domino Directory having an Owner/Administrator set on its Administration tab. Users who are Group Administrators can then go to the NAB, add the new user to the group and, hey presto, access is granted.
The same logic applies to Office 365 Shared Mailboxes. You create (or sync) a Mail-Enabled Security Group and grant it Full Access and Send As on the Shared Mailbox via PowerShell or the GUI. Afterwards you edit the Group's membership rather than the mailbox permissions, but where you should edit it depends on where the group was created first. The other trick is whether a user CAN edit the Group at all, or only Administrators; if only Administrators, every membership change becomes an unnecessary Helpdesk ticket.
Where Domino is involved, unless you have really stripped out the IBM Domino reliance, chances are you started with Groups in Domino and still have them there.
So, if you used the SAME groups that were in Domino, and they were synced via Binary Tree Directory Sync Pro to On-Premises Active Directory AND AAD Connect then synchronized them to Office 365, you are golden, provided of course that they are Mail-Enabled Security Groups.
If they were ACL Only Groups in Domino, had an email address, and were in scope for Binary Tree Directory Sync Pro, then they would be there.
You can still do this, and your Admins could simply update the Groups in IBM Domino and let the change flow; it would take a couple of hours (a sync can also be forced manually).
Where should I create and Manage Groups Going Forward though?
Going forward, it depends on where you want to create and manage Groups (Security and Distribution):
- On-Premise AD / Exchange On-Premises
- Office 365
Mail-Enabled Security Groups could just be created directly in the On-Premises Active Directory, but then how would basic users update such a group? (It can be done, of course, with the right permissions and tools.)
Likewise, Groups can be created DIRECTLY in Office 365, but again how would users update the group? (They can, with the right tools.)
But do you really want a disjointed proliferation of groups, managed from multiple starting points, or would you prefer a single strategy for Groups, so that they appear everywhere correctly for users and administrators to see and use? For example, a Group created directly in Office 365 would not be seen by Domino users and applications, nor by Exchange On-Premises users, without a proper write-back solution and bi-directional sync.
Groups should only EVER be edited at the Source, but what if a Domino user does not know this and simply edits the Group in place? Now you have the same Group out of sync in two directories.
The same question can, of course, be levelled at where you create new Shared Mailboxes themselves (and ultimately new users).
In my opinion, specifically with respect to Shared Mailboxes, clients should:
- First, create them in Domino as a placeholder Mail-In Database Document with the routing information flipped. Let them flow to AD as an (AD-Disabled) Mail-Enabled User. Let them sync to Office 365, then Mailbox-Enable them as Shared Mailboxes.
- Create the associated Groups in Domino as ACL Only Groups with an email address. Let them sync to AD via Binary Tree Directory Sync Pro as Mail-Enabled Security Groups.
- Let AAD Connect sync those Groups to Office 365.
- Then grant them Full Access and Send As on the Shared Mailbox.
- Let the Owners / Admins modify the Group membership in Domino, as they have always done, until further notice, and allow DirSync to flow the memberships.
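As an added example (not code from the original post), here is the Office 365 end of that procedure in Exchange Online PowerShell: check that the synced group really is a mail-enabled security group and is DirSynced (so you know to edit it at the source, not in Office 365), check that the target really is a shared mailbox, grant Full Access and Send As, and then verify. It assumes the ExchangeOnlineManagement module; the mailbox address, group name and domain are hypothetical.

```powershell
# Added example, not from the original post.
# Assumes: ExchangeOnlineManagement module installed; hypothetical names below.
Connect-ExchangeOnline

$SharedMailbox = 'finance.shared@contoso.com'   # hypothetical shared mailbox
$AccessGroup   = 'Finance-Shared-Access'        # hypothetical synced mail-enabled security group

# 1. The grantee must be a mail-enabled *security* group. A plain distribution
#    group cannot carry Full Access. If it is DirSynced, its membership is
#    owned by Domino/AD and must be edited there, not in Office 365.
$group = Get-DistributionGroup -Identity $AccessGroup
if ($group.RecipientTypeDetails -ne 'MailUniversalSecurityGroup') {
    throw "$AccessGroup is a $($group.RecipientTypeDetails), not a mail-enabled security group"
}
if ($group.IsDirSynced) {
    Write-Host "$AccessGroup is synced from on-premises: edit its membership at the source (Domino/AD), not here."
}

# 2. Confirm the target is really a shared mailbox before granting anything.
$mbx = Get-Mailbox -Identity $SharedMailbox
if ($mbx.RecipientTypeDetails -ne 'SharedMailbox') {
    throw "$SharedMailbox is a $($mbx.RecipientTypeDetails), not a shared mailbox"
}

# 3. Full Access is a mailbox permission; Send As is a recipient permission.
Add-MailboxPermission -Identity $SharedMailbox -User $AccessGroup `
    -AccessRights FullAccess -InheritanceType All
Add-RecipientPermission -Identity $SharedMailbox -Trustee $AccessGroup `
    -AccessRights SendAs -Confirm:$false

# 4. Verify: the group should now appear as the grantee on both.
Get-MailboxPermission -Identity $SharedMailbox -User $AccessGroup |
    Select-Object Identity, User, AccessRights, IsInherited
Get-RecipientPermission -Identity $SharedMailbox -Trustee $AccessGroup |
    Select-Object Identity, Trustee, AccessRights

# 5. Who effectively has access right now, i.e. the membership that has
#    already flowed Domino -> AD -> Office 365.
Get-DistributionGroupMember -Identity $AccessGroup |
    Select-Object Name, PrimarySmtpAddress
```

Two caveats worth knowing before you hand this to a Helpdesk: Outlook automapping only applies to Full Access granted to individual users, so members of the group will have to add the shared mailbox to Outlook manually; and a membership change made in Domino is only effective in Office 365 once both Directory Sync Pro and AAD Connect have run, so step 5 is the check to run when someone says "I was added but still cannot open it".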
When a decision is made one day in the future to sever the Domino connection, have a re-think about how users should edit groups. I'm pretty sure the Owner/Admin attribute flows from AD to Office 365 but have not checked at time of writing (will revert).