Office 365 Groups Governance and Best Practices [Webinar]

Post Date: 02/21/2017

Hello, everyone. Welcome back for another webinar brought to you by The Office 365 Groups Playbook. In today’s post, we get into the specifics about Office 365 Groups governance, administration, demo solutions to create Office 365 Groups within control, as well as highlight best practices for managing Groups.

With over 1000 live viewers and over 100 questions, our interactive webinar covered:

  • Key considerations for deciding whether to activate and enable Office 365 Groups
  • What happens when your users decide to create an Office 365 Group
  • How to manage the various Office 365 artifacts that come with Groups
  • Tips for building a strong Groups governance strategy
  • Solutions for regulating Groups creation, management, and end of life

By the end of this webinar, my goal is to help you understand key considerations when administering Office 365 Groups and how to stay in control with minimal business disruption.

Check out the webinar on demand below!

Please remember to continue the conversation on Twitter by reaching out to me @JohnConnected

Interested in learning more about what happens after you create Office 365 Groups, check out these blogs for more information:

And just in case you missed our first webinar with Microsoft, Hyperfish, and AvePoint experts, check it out below!

Webinar Transcript: Office 365 Group Creation Solutions and Administration Best Practices

Hello, everyone. Welcome back to our webinar series and campaign on Office 365 Groups. I hope all of you had a chance to tune in for our first webinar in this series. If you hadn’t, please go visit and you’ll find the initial webinar we did with Christophe Fiessinger from Microsoft, Jeremy Thake, and Dux from AvePoint.

Ask The Experts: Understanding Office 365 Groups with Microsoft, Hyperfish, and AvePoint

My name is John Peluso and we’re going to go a little bit deeper today into some of the specifics of managing Office 365 Groups. Compared to the last webinar, the last webinar was really more about general awareness of Groups. We talked a lot about the business proposition of an Office 365 Group, sort of why it exists. But we’ll go a little deeper today into both the architecture of Groups as well as some strategies for managing them.


So specifically today, we will do a very quick recap on the concept of a Group but we’ll look at it more from a perspective of an architecture thing, right? So we’ll geek out a little bit on how Groups are structured. We will talk about, sort of, what the worry is. So we’ll go to a few different places that you can join the conversation and we’ll look at what people are, sort of, fretting about a little bit with Groups.


The good news is, it’s problems that we all know but the bad news is there are certain times where we may not have a ton of tools to deal with this. Right? I’ll go into a little bit of depth on what Microsoft is doing. There’s a lot of resource out there so I’m not going to go super deep into what Microsoft is providing for Groups governance and management. And then what I’ll do is I’ll actually propose an alternative approach. One that we’re pursuing here at AvePoint and I think you know, might make a good example for you as well.


We’ll do a little bit of demo and show you some Office 365 Groups solutions. I’ll take you into Office 365, we’ll look at the admin console. We’ll look at some of the newer things that are in there and then we will take it out. Okay. So let’s get moving.


For those of you that don’t know AvePoint, I’m not going to spend a whole lot of time but we’ve been around for a long, long time and a very close partner with Microsoft. Obviously, spent a lot of time developing tools and resources for admins in the Microsoft stack, especially around Office 365 Groups vs. SharePoint. And really if you want to think about our approach to so what we bring to our customers is the ability to do better at migration of content, management of content and systems, and protection. So through governance, compliance, policy-driven approach to managing really now the entire Office 365 stack.

AvePoint is the Microsoft Cloud Expert

So, let’s talk a little bit about Microsoft Office 365 Groups, right? And so we’ll start off with a couple of slides that you may have seen from Microsoft. But I think it’s important to stress a couple of points because they will come up again throughout the webinar.


When we look at the challenges that Groups are really meant to face, it really does make sense. It really does make sense if we think about the old days and I’m going to do this a lot today. I’m going to sort of reflect back on the way we used to do things. And then compare them to the way that we do them now using the new tools that are available on Office 365.


A lot of times, you would spin up a SharePoint site because you were collaborating as a team let’s say. Well, as much as possible, SharePoint tried to incorporate all of those types of things. So it tried to incorporate the ability to be a social platform even though it wasn’t really, right? So we had communities. We had a little bit of investment there but really what happened is that people were having social engagement elsewhere. Like Yammer is an example, SharePoint tried to do all of your sites and your content management. Tried to do, you know, your calendaring and tasks but we know that there’s better ways to do these things.


So the short answer is a Group is a way for Microsoft to bring to bear, in this cloud platform, the best-of-breed services that they have, the Exchange service, the SharePoint service, the Yammer services, let’s say. Now, we have teams coming in. We’ll have usefulness for task management and things like planner. And those things are best of breed. So rather than trying to have SharePoint do all of those things, what Microsoft is providing in a team and a group really is the ability to have the best tools available for us.


Now, I think it’s really important to recognize… And let me just skip forward here to this slide because it’s really important. Office 365 Groups are, first and foremost, a membership service. Okay. They are not a product in and of themselves. And there’s a blessing and a curse for this. Right? The blessing is that we take as I said, those best-of-breed services, SharePoint, Exchange, Yammer, Planner. Increasingly new services like, you know, there’s Staff Hub now. So there’s all these services. The group is an identity mechanism that stitches them all together. Right and links the mailbox for my project team let’s say to the files directory from my project team. It creates that cohesive structure and that’s really the value of a group.

Office 365 Groups are, first and foremost, a membership service.

Now I said it’s a blessing and a curse because the curse part is this bottom right, this loose coupling, right? All of these services within Office 365 understand the Group concept but it may handle Groups slightly differently. It’s why we have sometimes frustration. For example, “How come on my SharePoint page, I can get directly to My Planner. But from My Planner page, I can’t get directly to my SharePoint site?” Right? Because there’s a loose connection between those things.


So, if we think about the creation of Groups, let me just spin this slide back as well, right? In the past, a lot of this was manual. The spinning off of a group was very manual. The way we dealt with all of the artifacts that group needed was very manual. It required a lot of communicating with IT and so forth. And now, we have the ability for end users to create Groups by themselves, right?


So what are we thinking about with the group, right? Well before we go any further, let’s actually take a look at what a group is from a structure standpoint, right? And that will help us understand.


So a group is really, again, leveraging the services that are available in Office 365 and this is just an example of a few services. We have the Skype for Business service, we have the Exchange Online service, we have the SharePoint online service, the Planner service, and the Yammer service.

What workloads actually run within those services when you create Office 365 Groups?

What workloads actually run within those services? It’s kind of interesting and I can actually show you an example of this which is pretty cool. So if you notice, things like Team Chats, Microsoft Teams, right, the persistent chat applications out in preview right now. That’s really built off the backbone of Skype for Business and leverages the Skype for Business services. If I upload a file to my Microsoft Team, that file actually goes into the SharePoint library for that group, the “files” service for that group.


Same thing with Planner. If I upload a document to my Planner task, right, as an attachment, that document is actually stored in SharePoint in the SharePoint library for that group. So it’s pretty interesting what’s going on. What’s really concerning though is that these artifacts are really all over the place, right? And you don’t always know where things are, right? And it gets worse, right, it gets worse.


So, let’s actually take a look at this. I’m going to flip over to a screen share and we’ll do a little bit of a walk through an Office 365 tenant that I have here. Just wait for that screen share to come up. Okay.


So this is just a typical Office 365 tenant. I happen to be an administrator but that’s not really important, at the moment, and with what I can do here. Let’s go over to “people” and here in “people,” I’m just going to do a search and I’m going to search. I know there’s a group called “Big Wigs.” And sure enough, there it is. So here’s the Big Wigs group, right?


So let me go over to the Big Wigs group and let’s go check out the files for that group. Right? So here I am in my files and I’ve got some documents in here. We can see that I can go over to my Planner, right? I can get to Planner right from here so there’s this connection between the identity of the group and the resources that are available to the group.


And I have a task in there that I said this is my first task. And you see that there’s a document in there. And let me just go ahead into this thing and, “Need to get this task started.” I’m just commenting on that task. Okay. And I can have this threaded message about what’s going on with this task.


Now, Office 365 is being wonderful this morning. You can see that there’s some Exchange Online problems but that’s okay because I prepared for this in advance. Let’s go over to the mailbox for this group and see what we can see. Right? And I’m going to go over to “conversations.” And over here in “conversations,” essentially, what I’m accessing is the mailbox for that group, right? So that group is going to get messages. There are messages that go directly to the group mailbox. There’s a concept of subscribing. So subscribing would allow the message that’s sent to the group mailbox to also be sent to every individual member’s mailbox. And that’s a concept that you can either enable or not enable for the group as a whole or one by one.


But there’s one thing I want to show you about this Big Wigs group, and this is important. So if we come over here and we look at this group, we notice that Big Wigs is actually a public group, right? So there’s public groups and there’s private groups. What’s not always apparent, right, is the impact of what a public group is versus what a private group is. And so I’m going to do a little trick here. If we go over to the library for the group, now what we’re actually accessing if you follow the URL, I’m accessing the shared documents library for the team site that this group is in. Okay? So you can see the path here, it looks about just like a normal SharePoint path. And it functions very similar to a normal SharePoint path.


If we come in here, we can get into our library settings. Okay? And here’s where it gets interesting. We all recognize this page, right? This is a typical SharePoint document library page. If I come in to look at permissions for this library, again remember this is a public group, and I go into the members group, you can see the members group has edit permissions. Now edit permissions are fairly high for what a lot of people want to do day to day. Edit permissions and, again, this is the SharePoint world, right? So these folks can potentially make changes to libraries and library structure. They have more rights than contribute users, right?


And look who’s in here because this is a public group. Everyone in the internal Office 365 tenant. So everyone in my company has these edit rights. That’s a fairly high degree of oversharing for what most people are doing. And again, how would you even know that this is going on? So there are some things when you start digging into groups that can be a little bit concerning, all right?


One other thing that’s useful if we go back to that slide, you remember the structure of the services along the top and then the artifacts within, kind of neat to just sort of poke in here. So I’m just going to take you into DocAve Online and the reason I’m taking you in here is because I want to show you the structure of the artifacts. And I’ll just use SharePoint and Exchange as an example. So I’m just going to go into DocAve Online backup application, because we want to just see the structure, right? So if I look here, here are all of my Office 365 Groups, Team sites. And here’s my Big Wigs group, right? And if I start to browse down this tree, this is really no different than any other SharePoint tree that we recognize. If we go into documents and into this group folder, you’ll see the documents that were in the files directory. That’s interesting.


If I go up here to site assets, right, and start to dig in there, you know that the group also has a notebook. So if we start to dig in there, we’ll find the notebook and we’ll find the pages of the notebook that exist. So everything is really somewhere, right? Everything is really in there somewhere, and it’s really just a matter of understanding what’s going on. So there’s the tactical detail. The tactical detail of what am I actually looking at and where is it stored.


But we also want to solve the big problems. The big problems are things like, “How do I handle issues that I know are going to happen like over sharing,” as a particular example, right? So if we take a look at… And if you guys haven’t visited yet, go take a look at the Microsoft tech community, right? So it’s It’s fairly easy to find. And they’ve got a lot of discussions happening there.


But one of the things, and I’ve just extracted a few different quotes out of here, is that folks are really struggling with this idea of governance for Groups. So I had gone on and just out of curiosity posted a message about what are people doing in terms of self-service creation of Groups. Because it’s so easy to do the wrong thing when you create a group. Right? And not understand the impact of what you’re doing. This is something that we want to take a look at.


Now, Microsoft is going to provide some tools for us to control some of these things that people are worried about. So here’s a post about enterprise customers wanting the self-service creation of Groups turned off, right? Here’s another quote about planning to leave it open, right? The self-service creation open because you don’t want to deal with all the nonsense of getting these requests to create Groups.


But at the same time, the concept of “sprawl” is one we hear all the time. This is a familiar one because we know this, right? We know this from the SharePoint days. The easier it is for a user to provision their own things, the more we’re going to get this kind of “sprawl,” right?


So the problems are really fairly common and that’s where while they’re a little concerning, they’re the same problems that we’ve known for a long time because we handle them in SharePoint. We handle in file shares and it’s really no different, right? There’s balance of agility and control.


So what do we do if we want to have some ability to manage Office 365 Groups at scale? Well, Microsoft has been investing here. And we’ll talk a little bit about what they’re building and some of the controls that they’re going to want to help you put in place. Right?


A lot of these things, by the way, are in the road map for Office 365. So there’s some things we’re doing now and there are some things in the future. When I go back to my screen share, I’ll pull up the site that you can keep track of what they’re working on. There’s two sites in particular that you want to be aware of. One is called “user voice” and that’s where anyone can go on and make request for features. Kind of interesting to pop on to “user voice” and just review what other people are asking about. That’s kind of neat.


And then there’s the tech community, the Microsoft technology community. That has replaced the public Yammer Group. And there’s a lot of discussions in there about folks who are trying to come to terms with how to deliver Office 365 as a sustainable service within their offering. So how do I enable group usage because it’s really valuable? The tools are great, but I need to do it safely?


So some of the things that Microsoft is delivering here are things like dynamic membership. So dynamic membership is the ability to decide who does and doesn’t be part of a group. Now, one thing that’s of concern for a lot of folks, once they start to get deep is that right now, Groups are only allowed to contain users. You can’t nest let’s say an AD Group inside of an Office 365 Group. So how do you have a functional Group but make sure that new users are constantly added there? That’s really the concept of what dynamic membership is all about.


Privacy type conversion is simply the ability to convert a group from public to private. We have multi-domain support for your large tenants that are out there in Office 365. There are creation policies. I’ll talk a little bit about creation policies and what Microsoft is doing. One of the things, and I’ll take you in when I set up my next demo, is a lot of the controls. Because Office 365 Groups really started as an initiative from the Exchange Team. The Exchange Online team was where we start to see these features first. You’ll still have to go to the Exchange admin console to do some of these settings.


Additionally, there are some aspects of the services in Office 365 that still look to the Exchange Outlook Web Access mailbox policy to determine things like who can and who can’t create Groups. So there are some controls that are left in Exchange but what Microsoft is moving to is this much more centralized Azure-AD-based policy mechanism for Groups and we’ll talk a little bit about that. Right?


So there are some investments and you can keep up via checking the road map. I’ll take you into that site as we move along. We do have some tools that are on the end user side, right? So we know that there’s self-service for some of these things like the ability to create a group and add and remove some members. There’s some admin tools. Sadly, a lot of the tools that you would want to use are going to require you getting your hands dirty with some PowerShell. So running some remote PowerShell is what you’re going to need to do if you want to use some of these new technical management capabilities for Groups.


But I’ll take you into the website and show you that there are a few things that we can do directly through the UI as well. And Microsoft has also been investing in some of the reporting. Although, again, we’ll kind of go in here and we’ll talk a little bit about what’s going on. The short answer is that, again, if you think about the Group being a set of services and workloads within those services that are loosely stitched together with this idea of an identity or a membership. What you’ll see is that you don’t always get everything, right? So, for example, group activity reports right now are showing group activity with mail, right, or with a SharePoint site. But not if the Planner board for that group is very active. So, you know, things are evolving and it’s a fast-moving space.


Good. So I’ll take you in and show you this live but basically, what Microsoft is giving us is the ability to do a naming policy, right? So for all the groups that get created in the tenant, we can have a naming policy. The problem if you enable self-service group creation is that users get to pick the name that they want. If they get to pick the name that they want, then there’s nothing to stop them, unless you put a policy in place for example from creating a group called IT. Right?


Now you couple this with the idea that SharePoint online only offers two paths, right? They have the sites path and the teams path. You can’t really create any other ones. And so you could have a user create a group and all of a sudden, you have a group that’s owned by you know, an end user that’s called Site/IT or Team/IT. Not ideal. So naming policies help with this. The downside of the naming policies that Microsoft gives us is that it’s one size fits one. I get one naming policy and that has to work across my whole tenant.

As a takeaway, we’ve put together a one-sheet of things to consider when rolling out Teams.

Other things that you can do in Azure AD is set group creation permission. So one strategy that a lot of organizations are using and you have to do this through PowerShell. But you can go in you can search or you can actually create a template, right, a policy template that says, “Only select groups of people,” right, and you use security groups for this. “Only select groups of people are allowed to create Office 365 Groups.”


Now, again, this is an evolving space. This is a setting we used to make through the Outlook Web Access mailbox policy. It’s migrating into this Azure AD policy. Because, for example, a service like Planner didn’t really know anything about an OWA mailbox policy. So again, evolving space. But this ability to limit who can create groups is one of the most important things that you can do. If you go on that tech community and you look at the thread that I had in one of the previous slides. You’ll see that what a lot of organizations have opted to do is limit who in their organization can create groups, right? And bind that down to a select few. Either resolve it by saying that only admins can create, you know, or help desk, or an operations team can create Groups. Or we do a lot of training for a very small group of users and we allow them to, sort of, be the group champions.


Now what does that sound like? That sounds a little bit like what I remember from site owners and site admins in SharePoint, right? Same ideas, same concepts.


So, let’s talk a little bit more about these things. Before I do though, let me take a quick scan through the Q&A. And please do put some Q&A in here if you have questions as we go along. I’m going to take the majority of the questions at the end but I do want to make sure that if there’s questions that are topical that we call them out, especially if they take us where we wanted to go anyway. Some questions about controlling the creation of Groups. You don’t want the Groups spread all over the place, totally makes sense.


There’s questions about how do we make the permission that happens when a group is created? Like you saw in my group there that because it was public, everyone except the external users had the edit rights. So there’s a question. What if I didn’t want to give them edit rights? That’s something that you would need to do right now retroactively. You can do it through PowerShell. There’s a little way to go in as you saw and adjust the permissions through the UI. Unfortunately, right now, it is retroactive. Or you could use a tool like the policy enforcer tool in DocAve Online and what that would do is sit around and watch the group. And as soon as the group is created, it could go ahead and change that permission for you. So there’s a lot of ways that you could do it but right now, they’re all going to be retroactive.


There are some questions about retention and retention policies. Microsoft’s message is that they’re coming so let’s continue on through what Microsoft’s doing. And we will go through.


Now, if you haven’t already done so, please do review this blog post. It’s by one of our team members out in Germany named Mario. And he wrote a great post about how to use some of these native tools, where they fit, which ones are available through the UI, which ones are available through PowerShell.

With most controls left to your end users, how can IT manage Office 365 Groups? Here are the admin methods that are available natively in Office 365.

So if you haven’t already done so, please make a note. Just go right on Upper right, there’s a link for blog. And you’ll be able to find a whole series of blogs posts around Office 365 and group management.


We’ll go through very briefly though. In where Microsoft is coming, right, or rather is going, we have the naming policies today. But the naming policies only apply if the group is created from particular points of origin. If you create the group from within Exchange, for example, the naming policy will apply. Because the naming policy today as you’ll see, is still stuck in the Exchange set of controls. They haven’t fully migrated it out into Azure AD. And so once they do that, then all of the services like Planner will be able to leverage it. But right now, if you created a group through Planner, the naming policy would not apply. If you created it through Exchange or Outlook interface, it would. So these are some of the gotchas that are causing people to have a little bit of pause and really think about how they’re going to deliver this Groups service within their organization in a way that’s predictable and make sense.


Banned word and profanity checking is something that’s coming. This is just a kind of a no-brainer. We want to make sure that Groups don’t have names that are offensive.


Soft delete or deletion recovery is what Microsoft is calling it. Again, you got to think about this, right? Think about and, you know, for most of you that are on the call, you’ve probably had some experience with SharePoint in the past. The thing that we want to remember here is that the ownership role… Being an owner of the group is like being the owner of a site, right, in SharePoint or the owner of a file share. You have a lot of privilege. One of the things that you can do is decide, “I don’t need this anymore. I want to delete it.” Now, I talk to a lot of customers, right? And one of those requirements that comes up all the time especially in regulated industries is things like maybe It’s not enough for the end user to say, “It’s okay to delete this.” That should go through some kind of approval, right?


So, while Microsoft is working on this idea of a soft delete or an “oops button” for Groups, pretty much, what it doesn’t really factor in is a managed process around group deletion and group expiration. And that’s really where it’s falling short for some folks. So there are some investments being made but at the end of the day, if we look in here, the benefits of Groups are great, right? The ability to provision by anyone, any time is very agile, right? But agility leads to sprawl, that’s the problem right?


Also, too much is really left to the end user to decide do they want a public group or a private group. Unless you get in and configure some of these advanced settings that Microsoft is offering, you’re not going to be able to automate policy. So you’re going to have to do a lot of training and a lot of trusting. So these are pretty common and, again, if you go through that tech community, you’ll see these things mentioned over and over again. Right?


So at AvePoint, I’ve mentioned DocAve Online a few times. And so it’s important if we go back to this slide to think about how we are approaching the idea of Groups, right? It’s really taking a holistic approach and this is what we’re doing by the way, for our internal deployment as well. Because like you, we turn the group functionality on and very quickly, hide hundreds of numbers of Groups right? Many of them with the word “test” in it. So there’s about 150 test groups out there. Who knows if they’re being used or not?


So what we need to do is we need to provide a mechanism and a framework that offers Groups as a managed service. And what I mean by managed service is the creation, provisioning of that group is managed, right? I want to maintain the agility for the business user but at the same time, what I want to do is put some control around it, right? I want to bring some of those policies that Microsoft is providing make them easier to use. And then I want to add policies that Microsoft is not providing, right? Like for example, the need to put a group creation request through an approval process, let’s say. Or to create a level of ownership that doesn’t give away the farm but still implies who is responsible for what.


Once the group is provisioned, we want to make sure that we have ongoing policy enforcement. So the question is the question came in before about the permission level in SharePoint. Can that be set to a custom level? Well, if you want to put a policy around it, right? You can use a tool like Policy Enforcer because Policy Enforcer is going to sit there and watch over what’s happening with that group. And make sure that your policies that defined, like for example, the members group gets contribute instead of edit rights. Right? That’s something that you can enforce. And that’s what we mean by ongoing policy enforcement.


Re-certification is a core value, right, for a lot of folks. And if we go back to some of those tech community posts, there was one from a large manufacturing company who said that what was really important is that they’re subject to regulations that require a periodic review and acceptance of permissions and access, right? It’s fairly common but how do you do that when it comes to Groups? Right?


So re-certification of membership, re-certification of ownership, re-certification of permissions and metadata, and classification, all that is really, really important. And then finally, when it comes to looking at how we deal with the life cycle of a group, this is where we have to get into topics like, “Is it okay if certain types of Groups are deleted, right? Are there regulated Groups and non-regulated Groups and do we treat those differently? What are the rules of engagement around Group deletion? Can it be done? Who can do it? Does anyone need to say it’s okay?”
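
The group-creation restriction described in the transcript ("only select groups of people are allowed to create Office 365 Groups"), as an added example that is not from the webinar or from AvePoint. It sets the Azure AD `Group.Unified` directory setting and assumes the AzureADPreview module; the security group name `O365-Group-Creators` is hypothetical.

```powershell
# Added example: limit Office 365 Group creation to members of one security group.
# Assumptions: the AzureADPreview module is installed and the signed-in account may
# change directory settings. 'O365-Group-Creators' is a hypothetical group name.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$CreatorsGroupName = 'O365-Group-Creators'
)

Import-Module AzureADPreview -ErrorAction Stop
Connect-AzureAD | Out-Null

# -SearchString matches on a prefix, so require exactly one security group
# whose display name is an exact match before trusting its ObjectId.
$candidates = @(Get-AzureADGroup -SearchString $CreatorsGroupName |
    Where-Object { $_.DisplayName -eq $CreatorsGroupName -and $_.SecurityEnabled })
if ($candidates.Count -ne 1) {
    throw "Expected exactly one security group named '$CreatorsGroupName', found $($candidates.Count)."
}
$creators = $candidates[0]

# Tenant-wide Groups settings live in a directory setting created from the
# 'Group.Unified' template. Create it once if the tenant does not have it yet.
$setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
if (-not $setting) {
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
    New-AzureADDirectorySetting -DirectorySetting $template.CreateDirectorySetting() | Out-Null
    $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
}

# Keep the previous values so the change can be reviewed or rolled back.
$before = [pscustomobject]@{
    EnableGroupCreation         = $setting['EnableGroupCreation']
    GroupCreationAllowedGroupId = $setting['GroupCreationAllowedGroupId']
}
Write-Verbose "Previous values: $($before | ConvertTo-Json -Compress)"

# Turn off creation for everyone, then name the one group that is still allowed.
$setting['EnableGroupCreation']         = 'False'
$setting['GroupCreationAllowedGroupId'] = $creators.ObjectId

if ($PSCmdlet.ShouldProcess('Group.Unified', "Restrict group creation to '$CreatorsGroupName'")) {
    Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
}

# Read the setting back from the directory rather than trusting the local copy.
(Get-AzureADDirectorySetting -Id $setting.Id).Values |
    Where-Object { $_.Name -in 'EnableGroupCreation', 'GroupCreationAllowedGroupId' }
```

Run it with `-WhatIf` first to see the intended change without writing it.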
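
A review script for the oversharing and sprawl problems raised in the transcript (public groups, groups with "test" in the name), added here and not part of the webinar. It assumes an already connected Exchange Online remote PowerShell session; the ownerless-group check, the output file name and the address in the final comment are this example's own choices.

```powershell
# Added example: list Office 365 Groups that deserve a governance review.
# Assumption: an Exchange Online remote PowerShell session is already connected,
# so Get-UnifiedGroup and Get-UnifiedGroupLinks are available.

$groups = Get-UnifiedGroup -ResultSize Unlimited

$report = foreach ($g in $groups) {
    # Owners are the people who can delete the group or change its privacy.
    $owners = @(Get-UnifiedGroupLinks -Identity $g.Identity -LinkType Owners)

    $flags = @()
    # Public groups are the ones whose library was open to the whole tenant in the demo.
    if ($g.AccessType -eq 'Public')       { $flags += 'Public' }
    # A group nobody owns has no one to answer a re-certification request.
    if ($owners.Count -eq 0)              { $flags += 'NoOwner' }
    # Names starting a word with "test" are the usual sign of abandoned trial groups.
    if ($g.DisplayName -match '\btest')   { $flags += 'TestName' }

    if ($flags.Count -gt 0) {
        [pscustomobject]@{
            DisplayName        = $g.DisplayName
            PrimarySmtpAddress = $g.PrimarySmtpAddress
            AccessType         = $g.AccessType
            Owners             = ($owners.PrimarySmtpAddress -join ';')
            WhenCreated        = $g.WhenCreated
            SharePointSiteUrl  = $g.SharePointSiteUrl
            Flags              = ($flags -join ',')
        }
    }
}

# One row per flagged group; hand this file to the people doing the review.
$report |
    Sort-Object Flags, DisplayName |
    Export-Csv -Path .\o365-groups-review.csv -NoTypeInformation -Encoding UTF8

# Summary by flag combination for a quick read on screen.
$report | Group-Object Flags | Select-Object Name, Count

# Privacy type conversion for one reviewed group (hypothetical address):
# Set-UnifiedGroup -Identity 'bigwigs@contoso.example' -AccessType Private -WhatIf
```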


John Peluso is AvePoint’s Chief Product Officer. In this role, he aligns product strategy with business strategy, leading the conception and design of software solutions with a focus on product market-fit and optimal customer value. Prior to this role, John has held several leadership roles over his 10+ year tenure at AvePoint, including SVP of Product Strategy, Director of Education, and Chief Technology Officer, Public Sector. Before coming to AvePoint, John held a variety of technology and business roles at New Horizons Northeast and New Horizons of Central and Northern NJ. He earned his undergraduate degree from The New School.
