Office 365 Groups Support Mail Contacts as Guest Members

Solving a Problem with External Access

Microsoft added support for external people (guest users) to join the membership of Office 365 Groups last year. Because guest user access is based on SharePoint sharing, it works well in terms of letting external people get to the group document library and shared notebook. It does not support direct access to conversations in the group mailbox, but external people can receive copies of conversations via email.

Guest user access works by creating a guest user object in Azure Active Directory to allow the external person to identify themselves to the Office 365 tenant. Azure Active Directory uses the email address of the guest user to create a unique User Principal Name and stores the email address in the object’s OtherMails and ProxyAddresses attributes.

Although this is an effective approach, it runs into problems when tenants already have mail contacts defined with the same email address. If you attempt to add an email address for a guest user that already exists as a mail contact, you'll see the following error:

You are trying to add a contact created by your admin. Contact your admin to add the user as a guest to this group

The Workaround and Some Problems

To solve the problem, administrators had to remove the mail contact and then add the user as a guest. This is the approach that I took when I explained how to convert distribution groups with many mail contacts in their membership to Office 365 Groups.

Although remove-and-replace works, the solution can cause other problems.

  • Removing a mail contact from the tenant removes them from all distribution groups and might disrupt communications with important external people like suppliers, legal advisors, and so on.
  • Tenants commonly create mail contacts in their directory to facilitate communication between those people and tenant users. Guest user objects are not included in any Exchange Online address list. They remain invisible to users, so when mail contacts are converted to guest users to be added to an Outlook group, the old mail contacts disappear from address lists and are not replaced by the guest user objects.
  • Exchange doesn’t allow multiple objects to have the same proxy address, so you can’t go and create a new mail contact that has the same SMTP address as a guest user.

Supporting Mail Contacts

Microsoft started to roll out an update (ID MC102024) to First Release tenants in mid-May to deliver the ability to add a mail contact to an Office 365 Group. The update will follow to non-First Release tenants afterwards.

The new code works seamlessly. You input the email address of the mail contact exactly like you would input the email address of anyone else. Figure 1 shows how the mail contact Jack Jones is added to a group. You can only add mail contacts to a group with OWA or the latest build (8201.2064 or later) of Outlook 2016. The other clients do not yet support this functionality.

Figure 1: Adding a mail contact to an Office 365 Group (image credit: Tony Redmond)

Accounts from all email domains can be guest users, including consumer email systems like Gmail. Tenant administrators sometimes worry about this aspect of external user access and want to block certain domains. This capability is not available, but you can use PowerShell to scan group membership to detect problematic domains if you want.
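One way to run the membership scan mentioned above, as an added example that is not code from the original article. It assumes a connected Exchange Online PowerShell session and that guest members are returned with RecipientTypeDetails of GuestMailUser; the function names, the watch list, and the sample records are constructed for illustration.

```powershell
# Constructed watch list; replace with the domains your policy cares about.
$WatchedDomains = @('gmail.com', 'example.net')

function Get-GuestMemberRecord {
    # Live collection; needs a connected Exchange Online PowerShell session.
    # Assumption: guest members appear with RecipientTypeDetails 'GuestMailUser'
    # and carry their external address in PrimarySmtpAddress.
    $groups = Get-UnifiedGroup -ResultSize Unlimited |
        Where-Object { $_.GroupExternalMemberCount -gt 0 }
    foreach ($g in $groups) {
        Get-UnifiedGroupLinks -Identity $g.Alias -LinkType Members -ResultSize Unlimited |
            Where-Object { $_.RecipientTypeDetails -eq 'GuestMailUser' } |
            ForEach-Object {
                [pscustomobject]@{
                    Group = $g.DisplayName
                    Guest = $_.DisplayName
                    Email = [string]$_.PrimarySmtpAddress
                }
            }
    }
}

function Select-WatchedGuest {
    param([Parameter(ValueFromPipeline)] $Record, [string[]] $Domains)
    process {
        $at = $Record.Email.LastIndexOf('@')
        if ($at -lt 1) { return }   # no usable address on this record
        $domain = $Record.Email.Substring($at + 1).Trim().ToLowerInvariant()
        foreach ($d in $Domains) {
            $d = $d.ToLowerInvariant()
            # Match the domain itself or any subdomain of it.
            if ($domain -eq $d -or $domain.EndsWith(".$d")) {
                $Record | Add-Member -NotePropertyName Domain -NotePropertyValue $domain -PassThru -Force
                break
            }
        }
    }
}

# Constructed sample records so the matching can be checked without a tenant.
$sample = @(
    [pscustomobject]@{ Group = 'Project X'; Guest = 'Guest A'; Email = 'guest.a@GMAIL.com' }
    [pscustomobject]@{ Group = 'Project X'; Guest = 'Guest B'; Email = 'guest.b@partner.example.org' }
    [pscustomobject]@{ Group = 'Legal';     Guest = 'Guest C'; Email = 'guest.c@mail.example.net' }
)
$sample | Select-WatchedGuest -Domains $WatchedDomains | Format-Table Group, Guest, Domain

# Against the tenant:
# Get-GuestMemberRecord | Select-WatchedGuest -Domains $WatchedDomains
```

With the sample data, Guest A and Guest C are reported and Guest B is not. The scan only reports membership; it does not remove or block anyone.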

Behind the scenes, Office 365 creates a new guest user object using the properties of the mail contact. The mail contact is unaltered so that it continues to appear in address lists and keeps its membership in distribution groups. An edited version of the output of the object properties is shown below:

[PS] C:\> Get-AzureADUser -SearchString Jack.Jones | Format-List

ObjectType                     : User
AccountEnabled                 : True
CreationType                   : Invitation
DisplayName                    : [email protected]
Mail                           : [email protected]
MailNickName                   :
OtherMails                     : {[email protected]}
ProxyAddresses                 : {SMTP:[email protected]}
ShowInAddressList              : False
UserPrincipalName              :
UserType                       : Guest

Two objects with the same email address now exist in the tenant. Over time, when guest user objects offer the same functionality as mail contacts, you might be able to remove the mail contacts.

Distribution Group Conversions

As some of you might have noticed, Microsoft is keen that Office 365 tenants replace email distribution groups with Office 365 Groups. To help with the move, Microsoft offers several methods to convert DLs to Groups. One problem is that you cannot convert a DL if it contains anything other than cloud mailboxes.

Although Groups now support mail contacts, you still cannot convert a DL containing mail contacts. Microsoft has not yet upgraded New-UnifiedGroup, the key PowerShell cmdlet involved in DL conversion, to support mail contacts.

Likewise, the other cmdlets involved in membership management, like Add-UnifiedGroupLinks, do not support mail contacts either.

External Access for All

External access works well for Office 365 Groups but is not yet available for Microsoft Teams or Planner, both of which use Office 365 Groups to manage their membership. But remember that guest users can only access the SharePoint resources in an Office 365 group, so a different mechanism is needed for Teams and Planner.

Microsoft promises that Teams will support external access in June 2017, but there’s no word on when Planner will have similar access. The question now is whether these apps will support mail contacts too.

Follow Tony on Twitter @12Knocksinna.
