Chris Stegh / / Categories: Azure, Cloud

Sync’ing Existing AD Groups to Office 365

When first synchronizing your on-premises Active Directory (AD) to Azure AD, it’s important to understand what Groups can and cannot be synchronized from on-premises AD. The table belowprovides an at a glance view. This can save time and prevent duplication and re-work.  

The first column identifies the “Target” or new Office 365 entity that can be created, as defined by the second column. The third column identifies the current “source” group which can be re-used/sync’d, along with an explanation in the fourth column. The fifth and last column shows which entities can beconfigured for dynamic membership in Azure Active Directory, allowing group members to be added or removed automatically based on user attributes such as department, location, title, etc. 

O365 Entity


Corresponding on-prem AD group to sync

Comments / Recommendations

Configurable by Dynamic Membership?

Office 365 Groups

Collaboration between users, both inside and outside your company.

Distribution List (or Distribution Group)

MSFT provides a tool to convert on-prem distribution list to an O365 Group. That is a full group, and includes Planner, OneNote, etc. for that group, not just a distribution group.

Yes, or also could be manually assigned 

Distribution Lists

Sending notifications to a list of people.

Distribution List (or Distribution Group)

  • Can also receive external email if configured 
  • Permissions of on-premises owners of DLs don’t carry over 
  • Use this if you don’t want to enable Planner, OneNote, etc. 
  • Must be mail-enabled 

Security Groups

Granting access to resources like SharePoint.

Security Group


Yes, but also could be manually assigned. 

Mail-enabled Security Groups

Granting access to SharePoint resources, and emailing notifications to those users.

Mail-enabled Security Group

  • Can include users & devices (helpful for Intune) 
  • Display name (mail attribute populated if proxy address is empty)  
  • If proxyAddress is non-empty it must contain an SMTP value like  


Shared Mailboxes 

Used when multiple people need access to the same mailbox, such as a company information orsupport email address.


  • Like regular Security groups, except that they can’t be dynamically managed through Azure AD and can’t contain devices. 
  • Currently it's not possible to migrate a shared mailbox to an Office 365 Group.  



Built-in security groups 

Large security groups 

  • Built-in security groups will not sync 
  • Groups with more than 50,000 members will not sync 



The entire list of attributes that are synchronized by Azure AD Connect sync can be found at: 

Work with our team of Cloud Computing Consultants who have done this so many times they know all of the “minefields” to prevent missteps.

Tags: Azure Cloud

Subscribe to Email Updates

Refine by

To expand the list, please click on the double arrows.


Search by Category or Author: