In a cloud-only Azure AD & Office 365 setup (in other words, no AD DS and no ADConnect), I have several security groups with assigned membership. I would like to mail-enable these.
The users who are members of the groups all have Office 365 licenses assigned to them and can send and receive mail fine.
I can create a new mail-enabled security group in the Office 365 portal but I can't see any way to mail-enable existing groups.
There is no way to mail-enable an existing security group in AzureAD. you would need to recreate the group as mail-enabled through the Office365 Portal. Exchange ECP, or PowerShell. The latter can help you transfer settings and members.
If the security group is dynamic, you would lose this capability when converting. You can have a dynamic distro group (but it's not security group), or dynamic security group (that is not a distro group).
This should have been in place years ago. Is this just Microsoft trying to phase out ME Azure Exchange groups to promote Office groups? How are we supposed to be prudent and minimize the number of overall groups when we need to keep creating different types with the same membership?
You can mail enable security group synchronized from local AD by putting email address to Email field of it in your local AD.
If AzureAD Connect is able to upgrade a SecurityGroup to a Mail-enabled just by adding an email property to the object in AD, there must be a way to do it too. AzureAD should be using the same APIs published by the Exchange or Office365 team.