Office 365 groups are a critical element of any Microsoft cloud environment. But exactly what is an Office 365 group? What is the difference between a group and a team? How are groups created, and what are the best strategies for managing them?
This blog post answers all these questions, and many more.
A little context
To understand Office 365 groups, it helps to step back and consider the purpose of groups in the first place. Since back before the cloud even existed, Active Directory has had two types of groups:
- Security groups, which help secure items like file shares and SharePoint lists. By making a user a member of a security group, you grant them all the permissions assigned to that group, such as the ability to read or edit certain files or to run specific applications. Active Directory includes several built-in security groups, such as Enterprise Admins and Domain Admins, and you can also create your own.
- Distribution groups, which give people a convenient way of sending email to an established set of recipients — such as all company employees or just the Marketing team — without having to type every individual email address each time.
When the Microsoft cloud was created, there was still a need for this functionality, so Azure Active Directory also has both security and distribution groups. But Microsoft also introduced a new type of group: the Office 365 group — which has been renamed Microsoft 365 group. I will use these terms interchangeably here because you’ll see both of them in documents from both Microsoft and third parties.
What is an Office 365 group?
At its core, an Office 365 group is an object in Azure Active Directory. What makes it especially powerful is that it’s kind of a jack of all trades: It can secure items like a security group does, and it can function as a distribution list like a distribution group does, and it can also act as a data repository for SharePoint, shared mailboxes and Microsoft Teams.
The best way to understand this broad functionality is through an example. As you probably know, Microsoft Teams is a platform that provides a workspace for collaboration, with features like chat, meetings, and notes. What you may not know is that when you create a team, the Teams application automatically creates a Microsoft 365 group for you behind the scenes and populates that group with all the members of the team. It’s membership in the group that enables team members to access the team’s SharePoint content, participate in the team’s chats, get the team’s email messages and so on.
How do I create an Office 365 group and add members to it?
As we just saw, some Microsoft 365 groups are created automatically by Microsoft Teams. Other applications also spin up groups under the covers; for instance, a new group gets created whenever someone creates any of the following:
- A new SharePoint site collection
- A new group in Outlook
- A new plan in Planner
- A new Power BI workspace
In those cases, you don’t manage and use the Microsoft 365 group directly; instead, the application uses the group on your behalf, as illustrated in the Teams example above.
Other Microsoft 365 groups are created explicitly by users and admins. In fact, by default, anyone in your organization can create up to 250 of these groups. End users usually create them in Outlook, Outlook on the Web or Outlook Mobile. In Outlook 2016, for instance, you simply select Home > New Group and then specify a name, description and other requested details. Once you’ve created a group, you can add members to it.
Administrators can use the Office 365 Admin Center and the Exchange Admin Center to create and populate groups. Alternatively, they can use PowerShell, which provides certain advanced settings not available in the administrative portals.
What types of members can a group have?
Group members can have any of the following roles:
- Owner — By default, the person who created the group is the group owner. But other users can be added as additional (or replacement) owners; in fact, a group can have as many as 100 group owners! Here are some of the actions group owners can perform:
  - Add and remove members and guests
  - Promote group members to the owner role
  - Rename the group
  - Modify the group’s description or picture, and change various group settings
  - Delete conversations from the shared inbox
  - Delete the group
- Member — Members can access all the group’s resources, such as email and SharePoint content, but they can't change group settings. They can also nominate guest members, but only a group owner can add guests.
- Guest — A guest is a person from outside your organization, such as a partner, vendor, supplier or consultant. Guests can access the group’s conversations, files, calendar invitations and notebook. Guests can't directly access the group's inbox, but they can send messages to it, and any messages sent to the group by other members will appear in each guest’s inbox. Similarly, guests can't directly access the group calendar, but they receive invitations to any events created on the group calendar, which they add to their own calendars.
Who can manage and delete an Office 365 group? How can they do it?
As we just saw, management of a group falls to its owners. Basic group management capabilities are provided natively by the application used to create the group. For instance, owners can use Outlook to add and delete members, change the name of the group, and modify its settings. Applications that create and use groups under the covers, such as Teams, provide similar management functionality.
It’s important to note that when you delete an Office 365 group, all the resources tied to that group — emails, files, OneNote and SharePoint documents, Planner tasks, and so on — get deleted with it. Moreover, Azure AD groups and group membership are not moved to the Azure AD Recycle Bin when they are deleted, so they cannot be recovered with native tools. Therefore, delete with care, and consider investing in a comprehensive backup and recovery solution.
What about overall governance of Office 365 groups?
All the types of groups mentioned in this blog require careful management. Otherwise, over time, things can get very messy. Without a coherent policy for naming groups, you can easily end up with multiple groups that serve similar needs, which can lead to confusion and workflow issues. As group owners change roles or leave the organization, group membership can spiral out of control and groups can become orphaned. Group sprawl is also exceedingly common when no one is paying proper attention to group creation and ensuring that groups are deleted when they’re no longer needed. These issues can lead to both minor annoyances and serious security, compliance and business continuity problems, from an Exchange Global Address List (GAL) that’s so crowded with defunct entries that it’s difficult to use, to overprovisioned users with unwarranted access to critical data and other resources.
Responsibility for how Microsoft 365 groups are used across the organization falls not to individual group owners but to administrators. For example, by default, groups can have guest members, but administrators can choose to disable this functionality for all groups or for a specific group. Admins can also restrict who can create groups. However, a blanket prohibition on group creation will seriously limit the usefulness of the Microsoft 365 platform to your organization. A better option can be to provide training on your business standards and allow only the users who have completed it to create groups.
One way to reduce the administrative overhead of adding and removing group members is to create attribute-based rules that make group membership dynamic. When any attribute of a user is changed, the system automatically re-evaluates the dynamic group rules and adjusts group membership accordingly. Note that this feature requires you to purchase as many Azure AD Premium P1 licenses as you have unique users who are members of one or more dynamic groups.
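To make the dynamic membership idea concrete, here is an added example (not from the original post) that creates a dynamic Microsoft 365 group with the Microsoft Graph PowerShell module and then lists existing dynamic groups whose rules deserve a second look. The group name, mail nickname and the department value in the rule are assumptions chosen for illustration.

```powershell
# Added example: display name, nickname and rule values are assumptions.
# Requires the Microsoft.Graph PowerShell module and consent to Group.ReadWrite.All.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Rule: enabled, internal accounts whose department attribute is Marketing.
# Without the userType clause, a guest account carrying the same department
# value would be pulled into the group automatically as well.
$rule = '(user.department -eq "Marketing") -and ' +
        '(user.accountEnabled -eq true) -and (user.userType -eq "Member")'

$params = @{
    DisplayName                   = 'Marketing (dynamic)'
    MailNickname                  = 'marketing-dynamic'
    MailEnabled                   = $true
    SecurityEnabled               = $false
    GroupTypes                    = @('Unified', 'DynamicMembership')
    MembershipRule                = $rule
    MembershipRuleProcessingState = 'On'
}
New-MgGroup @params | Select-Object Id, DisplayName, MembershipRule

# Review all dynamic groups: flag rules that are paused (membership frozen at
# its last evaluation) or that never mention userType (heuristic: may admit guests).
Get-MgGroup -All -Property Id, DisplayName, GroupTypes, MembershipRule, MembershipRuleProcessingState |
    Where-Object { $_.GroupTypes -contains 'DynamicMembership' } |
    ForEach-Object {
        [pscustomobject]@{
            DisplayName      = $_.DisplayName
            Paused           = $_.MembershipRuleProcessingState -ne 'On'
            NoUserTypeClause = $_.MembershipRule -notmatch 'user\.userType'
            Rule             = $_.MembershipRule
        }
    } |
    Where-Object { $_.Paused -or $_.NoUserTypeClause } |
    Format-Table -AutoSize -Wrap
```

The second half is read-only and can be run on its own with the narrower `Group.Read.All` scope.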
The native tools, however, give administrators limited ability to keep tabs on what Microsoft 365 groups exist and who their members are. There are two options: the GUI methods (the Office 365 Admin Portal or the Exchange Admin Center) and PowerShell. Both involve substantial manual work, so they don’t scale well. Therefore, it’s wise to invest in third-party tools that simplify Microsoft 365 group management.
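For a sense of what the PowerShell route looks like, the following added example (not from the original post) uses Exchange Online PowerShell to inventory every Microsoft 365 group and flag the governance problems described above: orphaned groups, groups that depend on a single owner, groups with guest members and publicly joinable groups. The output file name is an assumption.

```powershell
# Added example, not from the original post. Read-only inventory.
# Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

$report = foreach ($g in Get-UnifiedGroup -ResultSize Unlimited) {
    # Owners are resolved per group so departed or removed owners show up as a gap.
    $owners = @(Get-UnifiedGroupLinks -Identity $g.PrimarySmtpAddress `
                    -LinkType Owners -ResultSize Unlimited)

    $flags = @()
    if ($owners.Count -eq 0)               { $flags += 'NoOwner' }      # orphaned group
    elseif ($owners.Count -eq 1)           { $flags += 'SingleOwner' }  # one departure from orphaned
    if ($g.GroupExternalMemberCount -gt 0) { $flags += 'HasGuests' }    # external access to group data
    if ($g.AccessType -eq 'Public')        { $flags += 'Public' }       # anyone in the tenant can join

    [pscustomobject]@{
        DisplayName = $g.DisplayName
        Address     = $g.PrimarySmtpAddress
        Created     = $g.WhenCreated
        Members     = $g.GroupMemberCount
        Guests      = $g.GroupExternalMemberCount
        Owners      = ($owners.PrimarySmtpAddress -join '; ')
        Flags       = ($flags -join ',')
    }
}

# Keep only groups with at least one finding; orphaned groups sort to the top.
$findings = $report |
    Where-Object { $_.Flags } |
    Sort-Object @{ Expression = { $_.Flags -notmatch 'NoOwner' } }, DisplayName

$findings | Format-Table DisplayName, Members, Guests, Flags -AutoSize
$findings | Export-Csv -Path '.\m365-group-findings.csv' -NoTypeInformation  # assumed file name

Disconnect-ExchangeOnline -Confirm:$false
```

Because owners are looked up one group at a time, the run time grows with the number of groups, which is the scaling limit the paragraph above refers to.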
Where can I learn more?
This blog post answers many of the basic questions about Office 365 groups, but only dips its toe into the more complex issues of group management and governance. To learn more, check out this FAQ.