Active Roles

DL Self Service

We have a Hybrid Exchange setup, with Exchange 2013 Online and O365. We are looking to see if we can configure ARS such that DL Owners can manage their own DLs and do not contact the Service Desk for DL modifications. If the solution exists, we would appreciate it if you could point to the correct reference collateral.

  • Sync. A Hybrid Exchange setup, with Exchange 2013 both on-premises and Cloud / O365, will require PROD AD01 and Cloud AD02 sync. (Assumption) MSFT DirSync does the sync. On the one hand, it is an industry-standard configuration. Indeed. On the other hand, in the past, ARS did not support the situation with MSFT DirSync involved, due to limitations imposed by the MSFT DirSync API side.
    Documentation: The ARS package provides docs describing explicitly what is/is not supported.
    I strongly recommend asking ARS Product Management to confirm the current situation, with the possibility that ARS has started to support this very common scenario.
  • The issue here has to do with the "rules" around how Msft wants you to manage Hybrid environments. i.e. what operations may be performed on the local AD (and synced to the Cloud by Dirsync) vs. what must be done in the Cloud directly. Now in theory, from a purely AD perspective you could delegate your DL owners to manage the on-prem versions of their DLs via ARS. The question is whether or not this is acceptable from an Msft Hybrid perspective. This article suggests that it is:

    So basically, all you are doing is using ARS to grant group owners the ability to modify DL (group) memberships in the on-prem AD. There's nothing really "special" going on here - the DLs are just groups and you are using ARS Access Templates to grant the ability to manage their membership.
  • We can make ARS manage the on-premises AD01 the same way as the AD Admin team would do manually via ADUC.mmc.
    Will it be supported by MSFT DirSync (why not?)?
    (I expect) there will be certain actions/attributes (probably Exchange-related) on AD objects that are owned solely by MSFT DirSync, and no one else should touch them? And any such change must be made via the Exchange API/cmdlets, not the AD ADSI API. Will ARS be aware of / support the limitation on the ARS side?
  • Aidar, see my post above. I included an article that discusses the topic of on-prem management of Office 365 DLs.
  • I have the same problem with our DL Management.
    I have found an ARS template to give anyone the option to manage their DL membership, but I only want the OWNER to manage the DL membership. I am new to ARS and we have just installed v7.2. Thanks for your help.