Email: helpdesk@telkomuniversity.ac.id

This Portal for internal use only!

All Categories

All Categories

Search

0 Wishlist

Cart

Categories
More Categories Less Categories

iconTicket Service Desk

All Categories

All Categories

Search

0 Wishlist

Cart

Menu
Home/Microsoft/CA using nested DDL

CA using nested DDL

/ 2024-10-01
CA using nested DDL
Microsoft
-I started off by creating a new DDL using the below command:
 
PS C:WINDOWSsystem32> New-DynamicDistributionGroup -Name “NewDG” -RecipientFilter “(RecipientTypeDetails -eq ‘UserMailbox’) -and (CustomAttribute1 -like ‘DGTEST*’)”
 
Name    ManagedBy
—-    ———
NewDG
 
-Checking the recipient filter the below is returned:
 
PS C:WINDOWSsystem32> Get-DynamicDistributionGroup -Identity “NewDG”|FL RecipientFilter
 
 
RecipientFilter : ((((RecipientTypeDetails -eq ‘UserMailbox’) -and (CustomAttribute1 -like ‘DGTEST*’))) -and (-not(Name -like ‘SystemMailbox{*’)) -and (-not(Name -like ‘CAS_{*’)) -and (-not(RecipientTypeDetailsValue -eq
                  ‘MailboxPlan’)) -and (-not(RecipientTypeDetailsValue -eq ‘DiscoveryMailbox’)) -and (-not(RecipientTypeDetailsValue -eq ‘PublicFolderMailbox’)) -and (-not(RecipientTypeDetailsValue -eq ‘ArbitrationMailbox’))
                  -and (-not(RecipientTypeDetailsValue -eq ‘AuditLogMailbox’)) -and (-not(RecipientTypeDetailsValue -eq ‘AuxAuditLogMailbox’)) -and (-not(RecipientTypeDetailsValue -eq ‘SupervisoryReviewPolicyMailbox’)))
 
-Members for the DDL show empty:
 
PS C:WINDOWSsystem32> Get-DynamicDistributionGroupMember -Identity NewDG
 
-Custom attribute for the user showing populated as below:
PS C:WINDOWSsystem32> Get-Mailbox User1 |FL CustomAttribute1
 
 
CustomAttribute1 : DGTEST
 
-Forced Refresh using PS as below
 
PS C:WINDOWSsystem32> Set-DynamicDistributionGroup -Identity NewDG -ForceMembershipRefresh
 
-Now showing members:
 
PS C:WINDOWSsystem32> Get-DynamicDistributionGroupMember -Identity “NewDG”
 
Name    RecipientType
—-    ————-
User1 UserMailbox
 
-When trying to check recipient filter/membership using the comman
 
PS C:WINDOWSsystem32> $FTE = Get-DynamicDistributionGroup -Identity “NewDG”
PS C:WINDOWSsystem32> Get-Recipient -RecipientPreviewFilter ($FTE.RecipientFilter)
 
-DDG was added as a member of DL, DL is added in a Conditional Access policy to enforce MFA, However, only direct members of the Group are enforced to use MFA, not nested DDL group members despite MS documentation stated that both DDL and nested memberships are supported.
 
-In Azure Sign in portal, MFA CA policy says not applied.

 

 
-Details show user assignment not matched i.e. not included in scope.

 

 
 

​-I started off by creating a new DDL using the below command: PS C:WINDOWSsystem32> New-DynamicDistributionGroup -Name “NewDG” -RecipientFilter “(RecipientTypeDetails -eq ‘UserMailbox’) -and (CustomAttribute1 -like ‘DGTEST*’)” Name    ManagedBy—-    ———NewDG -Checking the recipient filter the below is returned: PS C:WINDOWSsystem32> Get-DynamicDistributionGroup -Identity “NewDG”|FL RecipientFilter  RecipientFilter : ((((RecipientTypeDetails -eq ‘UserMailbox’) -and (CustomAttribute1 -like ‘DGTEST*’))) -and (-not(Name -like ‘SystemMailbox{*’)) -and (-not(Name -like ‘CAS_{*’)) -and (-not(RecipientTypeDetailsValue -eq                  ‘MailboxPlan’)) -and (-not(RecipientTypeDetailsValue -eq ‘DiscoveryMailbox’)) -and (-not(RecipientTypeDetailsValue -eq ‘PublicFolderMailbox’)) -and (-not(RecipientTypeDetailsValue -eq ‘ArbitrationMailbox’))                  -and (-not(RecipientTypeDetailsValue -eq ‘AuditLogMailbox’)) -and (-not(RecipientTypeDetailsValue -eq ‘AuxAuditLogMailbox’)) -and (-not(RecipientTypeDetailsValue -eq ‘SupervisoryReviewPolicyMailbox’))) -Members for the DDL show empty: PS C:WINDOWSsystem32> Get-DynamicDistributionGroupMember -Identity NewDG -Custom attribute for the user showing populated as below:PS C:WINDOWSsystem32> Get-Mailbox User1 |FL CustomAttribute1  CustomAttribute1 : DGTEST -Forced Refresh using PS as below PS C:WINDOWSsystem32> Set-DynamicDistributionGroup -Identity NewDG -ForceMembershipRefresh -Now showing members: PS C:WINDOWSsystem32> Get-DynamicDistributionGroupMember -Identity “NewDG” Name    RecipientType—-    ————-User1 UserMailbox -When trying to check recipient filter/membership using the comman PS C:WINDOWSsystem32> $FTE = Get-DynamicDistributionGroup -Identity “NewDG”PS C:WINDOWSsystem32> Get-Recipient -RecipientPreviewFilter ($FTE.RecipientFilter) -DDG was added as a member of DL, DL is added in a Conditional Access policy to enforce MFA, However, only direct members of the Group are enforced to use MFA, not nested DDL group members despite MS documentation stated that both DDL and nested memberships are supported. -In Azure Sign in portal, MFA CA policy says not applied.  -Details show user assignment not matched i.e. not included in scope.     Read More

Tags:

Related posts

Ignite 2024: Why nearly 70% of the Fortune 500 now use Microsoft 365 Copilot
2024-11-19

Ignite 2024: Why nearly 70% of the Fortune 500 now use Microsoft 365 Copilot

8080 Books, an imprint of Microsoft, launches, offering thought leadership titles spanning technology, business and society
2024-11-18

8080 Books, an imprint of Microsoft, launches, offering thought leadership titles spanning technology, business and society

From questions to discoveries: NASA’s new Earth Copilot brings Microsoft AI capabilities to democratize access to complex data
2024-11-14

From questions to discoveries: NASA’s new Earth Copilot brings Microsoft AI capabilities to democratize access to complex data

Leave a Reply

Your email address will not be published. Required fields are marked *

Adobe
Google for Education
IBM
Matlab
Microsoft
Wordpress
Visual Paradigm
Opensource

Portal Application Package Repository Telkom University, for internal use only, empower civitas academica in study and research.

Information

Contact Us

Copyright © Telkom University. All Rights Reserved. ch