Role Group membership is now exposed in Outlook’s Address book cards

If you are using Office 365/Exchange Online, you might have noticed that the group membership tab (“Member of”) of the Address Book entry for a particular user now exposes the Role Groups said used is a member of. In other words, you might be seeing the following:

Role Groups in the Address book entry

The highlighted entries above, namely “Company Administrator” and “Security Administrator” represent the corresponding Role Groups in Exchange Online:

Get-RoleGroup | ft Name,DisplayName

Name                                              DisplayName
----                                              -----------
HelpdeskAdmins_02adb                              Helpdesk Administrator
TenantAdmins_c25d1                                Company Administrator
SecurityReaders_-2089696204                       Security Reader
ComplianceAdmins_-1672988522                      Compliance Administrator
SecurityAdmins_-417435872                         Security Administrator

Those Role Groups in turn are the ExO representation of the Azure AD’s role groups of the same name, as explained in the “Description” of each such group:

Membership in this role group is synchronized across services and managed centrally. This role group is not manageable through Microsoft Exchange. Members of this role group may include cross-service administrators, as well as external partner groups and Microsoft Support. By default, this group may not be assigned any roles. However, it will be a member of the Organization Management role group and will inherit the capabilities of that role group.

If you however try to look at the Group membership from another endpoint, for example the user entry in the EAC (EAC -> Recipients -> Mailboxes -> double-click the user -> Member of), those groups will not be listed. Another interesting fact is that none of the default address lists, the Offline Address Book one included, lists those entries, they are only visible in the “Member Of” tab. Yet another interesting bit is that Outlook uses the Dynamic DG icon to represent such entries in the Address List.

The groups aren’t new, what’s new is the fact that Outlook now displays them along any other group the user is a member of. As being able to see the admin roles a given user has been assigned to is usually viewed as sensitive information, this raises some concerns.

My guess on where this issue stems from is some recent changes with the Exchange Online cmdlets, which now better handle different recipient types as we discussed in a previous article. More precisely, it might be due to the fact that the Get-Group cmdlet returns Role Groups in its output by default. Thus, if you query the membership for a particular user via Get-Group, you will see something that resembles the following:

Get-Group -Filter "Members -eq 'CN=vasil,,OU=Microsoft Exchange Hosted Organizations,DC=EURPR03A001,DC=prod,DC=outlook,DC=com'" | select Name,DisplayName, RecipientTypeDetails

Name                                          DisplayName            RecipientTypeDetails
----                                          -----------            --------------------
Discovery Management                                                 RoleGroup
Security Administrator                                               RoleGroup
TenantAdmins_c25d1                            Company Administrator  RoleGroup
DG                                            DG                     MailUniversalDistributionGroup
USG                                           USG                    MailUniversalSecurityGroup
Team688_f499e3c19a                            Team                   GroupMailbox
SecurityAdmins_-417435872                     Security Administrator RoleGroup
testvijay_e7690edf9f                          testvijay              GroupMailbox

where I have shortened the output a bit. The important thing to note is the presence of entries with RecipientTypeDetails value of RoleGroup. Now, if we repeat the same via the Get-Recipient cmdlet, which is what the EAC uses to populate the group membership for a given user under the “Member of” tab, those entries will be missing:

Get-Recipient -Filter "Members -eq 'CN=vasil,,OU=Microsoft Exchange Hosted Organizations,DC=EURPR03A001,DC=prod,DC=outlook,DC=com'" | select Name,Dis
playName, RecipientTypeDetails

Name                                          DisplayName   RecipientTypeDetails
----                                          -----------   --------------------
DG                                            DG            MailUniversalDistributionGroup
USG                                           USG           MailUniversalSecurityGroup
Team688_f499e3c19a                            Team          GroupMailbox
testvijay_e7690edf9f                          testvijay     GroupMailbox

That of course is just an educated guess on my side, the underlying reason might be completely different. Whatever the cause  though, either intentional or a bug, this is only observed in Exchange Online, on-premises Exchange mailboxes do not expose such Role Groups in Outlook.

4 thoughts on “Role Group membership is now exposed in Outlook’s Address book cards

  1. Arjan Kop says:


    I came across this post after we experienced this same behaviour in two on-prem exchange environments. What triggered it is still unknown, but the result was that the contact cards showed most, but not all, global security groups a user is a member of. I did the checks mentioned and I was a bit puzzeled by the fact that these groups apparently had a recipient type, since they were never mail enabled. The AD-attribute MSExchRecipientTypeDetails was empty for all groups. I compared a group that showed up with one that didn’t and noticed that in the one that showed up the attribute displayName had a value equal to that of the cn; likely something caused by the tool the servicedesk uses to create groups. Once the attribute diplayName was cleared, the group vanished from the contact card. I fetched all non-mail enabled global security groups in powershell and cleared the attribute and now only Distribution Groups show up, as they should.

  2. Gautam says:

    Is there a way to hide this? or complete list of the membership of user?


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.