O365GroupSync is a tool that I built for a large global NGO, because AADConnect creates Read-Only objects in Office 365.

Read-Only objects cannot be edited in Office 365, thus users are unable to edit distribution lists in Office 365 even if they are managers of said lists.

O365GroupSync was built to take over the synchronisation and initial seeding of all distribution lists, both ways, to allow users to edit distribution lists while in a hybrid Office 365 Exchange Online scenario.


Free version: O365GroupSync_v0.56.ps1 (right click, save as)


Requirements:

  • all objects need to have an email address (’email’ attribute in AD)
  • all groups need to have their displayName attribute set in AD
  • a server to run it on, as a user that has sufficient permissions to write/change AD group objects
  • sufficient disk space for caching (+/- 30MB/1000 objects, including user objects)
  • an admin account in Office 365
  • ActiveDirectory PowerShell module
  • PowerShell 3 or higher
  • 500MB memory / 1000 objects

Features / configuration options:

  • syncDirection parameter
    • Useful if you only want to sync one way
  • domainsPresentLocally
    • If not specified, this will be auto-detected. You can use this to force the script to accept only these domains in email addresses that are synced to on-prem groups
  • domainsPresentInCloud
    • If not specified, this will be auto-detected. You can use this to force the script to accept only these domains in email addresses synced to Office 365 groups
  • XGroupNamePrefix
    • If specified, only groups starting with this name will be considered for synchronisation. Useful if you have multiple different ADs syncing to 1 O365 tenant
  • XCustomAttributeValue
    • If specified, only groups with this custom attribute value will be considered for synchronisation
  • defaultDLAdminInO365
    • Office 365 Distribution Groups require an owner; this is mandatory. If the AD object does not have one, the script will use the value of this parameter

It will process:

  • New groups, incl members, ManagedBy, hiddenfromaddresslist and requiresenderauth properties
  • Group renames
  • Membership changes
  • changes in the aliases the group has (proxyAddresses)
  • Initial authorized senders and changed authorized senders
  • groups where displayName does not match CN will have it set to their CN
  • Configurable notification emails with a summary

It will NOT process:

  • Changes to group Manager after initial sync (ManagedBy)
  • Group Type Conversion (security/distribution list)
  • Any type of Dynamic Distribution List or Office Group
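
A read-only pre-flight check for the prerequisites and the displayName/CN behaviour listed above, as an added example that is not part of O365GroupSync: it lists groups without a mail address or displayName, groups whose displayName differs from their CN (which the sync will overwrite), and members without a mail address. It assumes the ’email’ attribute is the AD `mail` attribute; the search base is a placeholder.

```powershell
# Added example, not part of O365GroupSync. Read-only: it reports and changes nothing.
# Assumption: the 'email' attribute in the requirements is the AD 'mail' attribute.
Import-Module ActiveDirectory -ErrorAction Stop

# Placeholder scope: point this at the OU that holds your distribution lists.
$searchBase = 'OU=Groups,DC=example,DC=com'

$mailByDn = @{}   # cache so each member object is queried only once

$groups = @(Get-ADGroup -Filter * -SearchBase $searchBase -Properties mail, displayName, member)

$report = @(foreach ($g in $groups) {
    $issues = @()

    if ([string]::IsNullOrWhiteSpace($g.mail)) { $issues += 'group has no mail address' }

    if ([string]::IsNullOrWhiteSpace($g.displayName)) {
        $issues += 'displayName not set'
    } elseif ($g.displayName -ne $g.Name) {
        # Name is the group's CN; per the page, the sync sets displayName to the CN.
        $issues += "displayName '$($g.displayName)' differs from CN"
    }

    foreach ($dn in $g.member) {
        if (-not $mailByDn.ContainsKey($dn)) {
            try   { $mailByDn[$dn] = (Get-ADObject -Identity $dn -Properties mail -ErrorAction Stop).mail }
            catch { $mailByDn[$dn] = $null }   # unresolvable members are reported as lacking mail
        }
        if ([string]::IsNullOrWhiteSpace($mailByDn[$dn])) { $issues += "member without mail: $dn" }
    }

    if ($issues.Count -gt 0) {
        [pscustomobject]@{ Group = $g.Name; Issues = $issues -join '; ' }
    }
})

$report | Sort-Object Group | Format-List Group, Issues
"{0} of {1} groups need attention before the first sync" -f $report.Count, $groups.Count
```

Because it only reads from AD, it can run under an ordinary account rather than the write-capable account the sync itself needs.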


  • pending



I’m not a real programmer; this code is meant as a Proof Of Concept. I do not guarantee this product will work in your setup, and I offer no dedicated support. I try to help everyone on a best-effort basis but also have to work for a living. So make sure you test well and understand the code before you use it.
