Thank you for reaching out to the Q&A Forum.
Based on Microsoft documentation and my understanding, no native migration utility exists for Security Groups in the way mailbox migration tools operate. These groups synchronize from local Active Directory and remain read-only once visible in the cloud.
Conversion into cloud-only objects requires a manual process. The outline below reflects the standard approach.
Pre-Requisite Check
- Groups tied to on-premises file server permissions (NTFS/ACLs): migration not suitable. The Security Identifier (SID) changes during conversion, resulting in loss of access to local resources.
- Groups tied only to email, Teams, or SharePoint permissions: You may proceed safely.
Here is the step-by-step migration plan you can try:
Since you cannot convert the group while it is synced, the process involves exporting the current data, removing the On-Prem version to break the sync, and recreating it in the cloud.
Export Group Membership (On-Premises)
Run this PowerShell command on your local Domain Controller to save the current members to a CSV file.
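```powershell
# Get-ADGroupMember omits UserPrincipalName; resolve user members via Get-ADUser (nested groups and contacts are not exported)
$GroupIdentity = "YourGroupName"
Get-ADGroupMember -Identity $GroupIdentity | Where-Object objectClass -eq 'user' | Get-ADUser |
    Select-Object SamAccountName, UserPrincipalName | Export-Csv "C:\temp\GroupMembers.csv" -NoTypeInformation
```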
(Note: Also document the group's Primary SMTP and any Alias addresses)
Remove the On-Premises Group
- Open Active Directory Users and Computers.
- Delete the Security Group (or move it to an OU that is not synced by Azure AD Connect).
- Force a delta sync on your Azure AD Connect server:
```powershell
Start-ADSyncSyncCycle -PolicyType Delta
```
- Wait for the group to disappear from the Microsoft 365 Admin Center.
Recreate the Group in Exchange Online
- Log in to the Exchange Admin Center (admin.exchange.microsoft.com).
- Navigate to Recipients > Groups > Mail-enabled security.
- Click Add a group and create a "Mail-enabled security" group. Use the exact same Name and Primary Email Address as the old group to ensure mail flow continues. (If the old group had multiple email aliases, add them now under the group settings.)
Restore Membership
You can now bulk-add the members back using Exchange Online PowerShell.
```powershell
Connect-ExchangeOnline
$Members = Import-Csv "C:\temp\GroupMembers.csv"
$GroupName = "YourGroupName"
foreach ($Row in $Members) {
    Write-Host "Adding user $($Row.UserPrincipalName)"
    Add-DistributionGroupMember -Identity $GroupName -Member $Row.UserPrincipalName
}
```
Once completed, the group is fully migrated. You will now manage members and settings directly in the Microsoft 365 Admin Center, and it will no longer depend on your local server.
I hope this information helps. If you need any additional information regarding this matter, please don’t hesitate to reach out!
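Added example, not part of the original answer: a check for the prerequisite above, run before the on-premises group is deleted, that lists folders whose NTFS ACL contains an explicit entry for the group's SID. It assumes it runs on the file server with the ActiveDirectory module available; `$ScanRoot` and `$ReportPath` are hypothetical paths to adjust.

```powershell
Import-Module ActiveDirectory

$GroupIdentity = "YourGroupName"
$ScanRoot      = "D:\Shares"                  # assumption: root folder of the shares to check
$ReportPath    = "C:\temp\GroupAclHits.csv"   # assumption: where the report is written

# NTFS stores the SID, not the name; the recreated cloud group will not carry this SID.
$GroupSid = (Get-ADGroup -Identity $GroupIdentity).SID.Value
$SidType  = [System.Security.Principal.SecurityIdentifier]

# Check the root folder itself plus every subfolder.
$Folders = @(Get-Item -LiteralPath $ScanRoot) +
           @(Get-ChildItem -LiteralPath $ScanRoot -Directory -Recurse -ErrorAction SilentlyContinue)

$Hits = foreach ($Folder in $Folders) {
    try {
        $Acl = Get-Acl -LiteralPath $Folder.FullName -ErrorAction Stop
    } catch {
        Write-Warning "Could not read ACL: $($Folder.FullName)"
        continue
    }
    # Explicit (non-inherited) rules only, with identities returned as SIDs.
    foreach ($Rule in $Acl.GetAccessRules($true, $false, $SidType)) {
        if ($Rule.IdentityReference.Value -eq $GroupSid) {
            [pscustomobject]@{
                Path   = $Folder.FullName
                Rights = $Rule.FileSystemRights
                Type   = $Rule.AccessControlType
            }
        }
    }
}

if ($Hits) {
    $Hits | Export-Csv $ReportPath -NoTypeInformation
    Write-Warning "$(@($Hits).Count) folder ACL entries reference $GroupIdentity. See $ReportPath before deleting the group."
} else {
    Write-Host "No explicit folder ACL entries reference $GroupIdentity under $ScanRoot."
}
```

The scan covers folders and direct entries for this group only; access granted to individual files, or through another group that this group is a member of, is not reported.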