When configuring mailbox permissions for a group, the following error may occur:
The user "testgruppe" was found in Active Directory but isn't valid to use for permissions. Try an SMTP address
instead.
Authorizations for groups can only be assigned if the group is a security group. For a security group, the values for MemberJoinRestriction and MemberDepartRestriction are normally set to Closed, which means that users cannot join or leave the group independently. This setting also makes sense so that users cannot assign themselves authorizations:
However, it can happen that MemberJoinRestriction or MemberDepartRestriction are also set to Open for a security group. In my case, this happened when the group type in the Active Directory was changed from Distribution to Security:
In this case, Exchange also adopts the values for MemberJoinRestriction and MemberDepartRestriction for the converted distribution group to a security group. However, member management can then no longer be configured via the Exchange Admin Center, but only via the shell:
Set-DistributionGroup testgroup -MemberDepartRestriction Closed
Once MemberJoinRestriction and MemberDepartRestriction have been set to Closed, the group can be used for authorizations again.