If you are using Office 365/Exchange Online, you might have noticed that the group membership tab (“Member of”) of the Address Book entry for a particular user now exposes the Role Groups said user is a member of. In other words, you might be seeing the following:
The highlighted entries above, namely “Company Administrator” and “Security Administrator”, represent the corresponding Role Groups in Exchange Online:
Get-RoleGroup | ft Name,DisplayName

Name                          DisplayName
----                          -----------
HelpdeskAdmins_02adb          Helpdesk Administrator
TenantAdmins_c25d1            Company Administrator
SecurityReaders_-2089696204   Security Reader
ComplianceAdmins_-1672988522  Compliance Administrator
SecurityAdmins_-417435872     Security Administrator
Those Role Groups are in turn the ExO representation of the Azure AD role groups of the same name, as explained in the “Description” of each such group:
Membership in this role group is synchronized across services and managed centrally. This role group is not manageable through Microsoft Exchange. Members of this role group may include cross-service administrators, as well as external partner groups and Microsoft Support. By default, this group may not be assigned any roles. However, it will be a member of the Organization Management role group and will inherit the capabilities of that role group.
If, however, you look at the group membership from another endpoint, for example the user entry in the EAC (EAC -> Recipients -> Mailboxes -> double-click the user -> Member of), those groups will not be listed. Another interesting fact is that none of the default address lists, the Offline Address Book included, lists those entries; they are only visible in the “Member Of” tab. Yet another interesting bit is that Outlook uses the Dynamic DG icon to represent such entries in the Address List.
The groups aren’t new; what’s new is that Outlook now displays them alongside any other group the user is a member of. As being able to see the admin roles a given user has been assigned is usually considered sensitive information, this raises some concerns.
My guess is that this issue stems from some recent changes to the Exchange Online cmdlets, which now better handle different recipient types, as discussed in a previous article. More precisely, it might be due to the fact that the Get-Group cmdlet now returns Role Groups in its output by default. Thus, if you query the membership for a particular user via Get-Group, you will see something that resembles the following:
Get-Group -Filter "Members -eq 'CN=vasil,OU=michev.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR03A001,DC=prod,DC=outlook,DC=com'" | select Name,DisplayName,RecipientTypeDetails

Name                       DisplayName             RecipientTypeDetails
----                       -----------             --------------------
Discovery Management                               RoleGroup
Security Administrator                             RoleGroup
TenantAdmins_c25d1         Company Administrator   RoleGroup
DG                         DG                      MailUniversalDistributionGroup
USG                        USG                     MailUniversalSecurityGroup
Team688_f499e3c19a         Team                    GroupMailbox
SecurityAdmins_-417435872  Security Administrator  RoleGroup
testvijay_e7690edf9f       testvijay               GroupMailbox
where I have shortened the output a bit. The important thing to note is the presence of entries with a RecipientTypeDetails value of RoleGroup. Now, if we repeat the same query via the Get-Recipient cmdlet, which is what the EAC uses to populate the group membership for a given user under the “Member of” tab, those entries will be missing:
Get-Recipient -Filter "Members -eq 'CN=vasil,OU=michev.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR03A001,DC=prod,DC=outlook,DC=com'" | select Name,DisplayName,RecipientTypeDetails

Name                  DisplayName  RecipientTypeDetails
----                  -----------  --------------------
DG                    DG           MailUniversalDistributionGroup
USG                   USG          MailUniversalSecurityGroup
Team688_f499e3c19a    Team         GroupMailbox
testvijay_e7690edf9f  testvijay    GroupMailbox
That of course is just an educated guess on my part; the underlying reason might be completely different. Whatever the cause, intentional or a bug, this is only observed in Exchange Online: on-premises Exchange mailboxes do not expose such Role Groups in Outlook.
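As an added example (not part of the original post), the following script puts the two queries above side by side for a given user and reports the entries that Get-Group returns but Get-Recipient (and therefore the EAC “Member of” tab) does not. In the scenario described in the post, that difference is exactly the RoleGroup entries Outlook may now expose, so the script gives an admin a quick way to audit which users have admin Role Group membership visible in the Address Book. It assumes an already connected Exchange Online PowerShell session; the $UserPrincipalName parameter is this script’s own, not something from the post.

```powershell
# Added example, not code from the original post. Assumes an Exchange Online
# PowerShell session is already connected (e.g. Connect-ExchangeOnline).
param(
    [Parameter(Mandatory = $true)]
    [string]$UserPrincipalName   # hypothetical script parameter
)

# The Members filter needs the user's DistinguishedName, so resolve it first.
$user   = Get-User -Identity $UserPrincipalName -ErrorAction Stop
$filter = "Members -eq '$($user.DistinguishedName)'"

# Same filter, two cmdlets: Get-Group includes Role Groups, Get-Recipient does not.
$viaGetGroup     = @(Get-Group     -Filter $filter -ResultSize Unlimited)
$viaGetRecipient = @(Get-Recipient -Filter $filter -ResultSize Unlimited)

# Entries present only in the Get-Group result are the ones the EAC hides.
$hidden = @($viaGetGroup | Where-Object {
    $_.DistinguishedName -notin $viaGetRecipient.DistinguishedName
})
$roleGroups = @($hidden | Where-Object { "$($_.RecipientTypeDetails)" -eq 'RoleGroup' })

# Summary line, useful when looping this over many users for an audit report.
[pscustomobject]@{
    User                  = $user.UserPrincipalName
    GroupsViaGetGroup     = $viaGetGroup.Count
    GroupsViaGetRecipient = $viaGetRecipient.Count
    RoleGroupsExposed     = $roleGroups.Count
}

# Detail: the Role Group entries that Outlook's "Member Of" tab may show.
$roleGroups | Select-Object Name, DisplayName, RecipientTypeDetails | Format-Table -AutoSize
```

Run it as `.\Get-ExposedRoleGroups.ps1 -UserPrincipalName user@contoso.com` (script name and UPN are placeholders). Because the comparison is done on DistinguishedName rather than on Name, a Role Group whose Name happens to match a distribution group (as with the two “Security Administrator” entries in the output above) is still counted correctly.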
Hi,
I came across this post after we experienced this same behaviour in two on-prem Exchange environments. What triggered it is still unknown, but the result was that the contact cards showed most, but not all, global security groups a user is a member of. I did the checks mentioned and I was a bit puzzled by the fact that these groups apparently had a recipient type, since they were never mail enabled. The AD attribute msExchRecipientTypeDetails was empty for all groups. I compared a group that showed up with one that didn’t and noticed that in the one that showed up the attribute displayName had a value equal to that of the cn; likely something caused by the tool the servicedesk uses to create groups. Once the attribute displayName was cleared, the group vanished from the contact card. I fetched all non-mail enabled global security groups in PowerShell and cleared the attribute and now only Distribution Groups show up, as they should.
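As an added example (not part of the comment above), here is one way to script the on-premises check the commenter describes: list the global security groups that are not mail enabled (no mail attribute, no msExchRecipientTypeDetails) but do have displayName populated, flag those where displayName equals the cn, and optionally clear the attribute. It requires the ActiveDirectory RSAT module; the -SearchBase and -Clear parameters are this script’s own, and the clearing step honours -WhatIf so it can be dry-run first.

```powershell
# Added example, not code from the comment above. Requires the ActiveDirectory
# module (RSAT). Reports non-mail-enabled global security groups that carry a
# displayName, the condition the commenter found makes them appear on contact cards.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase,   # hypothetical: limit the query to one OU
    [switch]$Clear         # hypothetical: clear displayName on the groups found
)
Import-Module ActiveDirectory -ErrorAction Stop

$query = @{
    Filter     = "GroupCategory -eq 'Security' -and GroupScope -eq 'Global'"
    Properties = 'displayName', 'mail', 'msExchRecipientTypeDetails'
}
if ($SearchBase) { $query.SearchBase = $SearchBase }

# Not mail enabled: neither mail nor an Exchange recipient type, yet displayName is set.
$suspects = @(Get-ADGroup @query | Where-Object {
    -not $_.mail -and -not $_.msExchRecipientTypeDetails -and $_.displayName
})

$suspects |
    Select-Object Name, displayName,
        @{ Name = 'DisplayNameEqualsCn'; Expression = { $_.displayName -eq $_.Name } },
        DistinguishedName |
    Format-Table -AutoSize

if ($Clear) {
    foreach ($g in $suspects) {
        # ShouldProcess makes -WhatIf / -Confirm work for the destructive step.
        if ($PSCmdlet.ShouldProcess($g.DistinguishedName, 'Clear displayName')) {
            Set-ADGroup -Identity $g.DistinguishedName -Clear displayName
        }
    }
}
```

Run it without -Clear first to get the report, then `-Clear -WhatIf` to see which groups would be touched, and only then `-Clear`. Groups that are genuinely mail enabled are excluded by the mail/msExchRecipientTypeDetails check, so legitimate distribution groups keep their displayName.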
Is there a way to hide this? Or a complete list of the membership of a user?
Afaik no.