Office 365 Groups provide an easier way for your end users to work together by connecting people and the applications they use to create and collaborate. With an Office 365 Group, your end users receive an array of Office 365 artifacts. These include a shared:
- Document library on SharePoint Online
- Mailbox, distribution list, and calendar powered by Exchange
- Planner for organizing and assigning tasks, and keeping up to date with project progression
- OneNote notebook for taking project and meeting notes
On the end user side, Office 365 Groups are quite easy to spin up. This makes Office 365 Groups something of a sweet spot, as Groups are much less confusing to configure than SharePoint sites and provide more robust collaboration than a OneDrive or distribution list.
But what does creation and management look like on the IT administrator’s side? Today, I will walk through the building blocks of Office 365 Groups and evaluate how to manage Office 365 Groups using native functionality.
Office 365 Groups Architecture and Native Provisioning
Before jumping into how to manage Office 365 Groups, it’s important to understand how they are structured and how they are created in the first place.
Architecture: Office 365 Groups leverage a standard definition for Group membership and permissions across Exchange, SharePoint, Skype for Business, Yammer, and the rest of Office 365 managed through Azure Active Directory.
Provisioning: There are a number of different ways that Groups can be created – some of them are accessible only by administrators, whereas others are easily accessible by end users.
- For End Users: Groups can be intentionally created through a number of interfaces:
- Microsoft Outlook
- Office 365 Outlook Web Client
- “Groups” Mobile Client
End users may also automatically create a Group if they create an Office 365 SharePoint Site, a shared Planner, a Yammer Group, or a Microsoft Team.
- For Administrators: There are only two methods for creating Groups that are unique to administrators.
- Office 365 Administration Portal
- PowerShell: New-UnifiedGroup -DisplayName ie. “AvePoint TAM” -Alias TAM
Ease of End User Usability – Pros and Cons
The ease and versatility with which end users and information workers can create a Group is great because it enables them to build new Groups easily without waiting for the IT department. They can start collaborating instantly with their coworkers.
During the creation of a Group, they just need to select a name, Group ID, and whether the Group should be public (meaning everyone in the organization can read its content) or private (only members can see the contents).
However, this can also cause some headaches for administrators because there is no limitation on who creates Groups and for what reason. By default, Office 365 users can create up to 250 Office 365 Groups each, and Office 365 administrators have no limit on the number of Office 365 Groups that they can create. The default maximum number of Office 365 Groups that an Office 365 organization can have is currently 500,000.
Also, even though you might assume that someone who is not a member of a private group cannot post to it, that’s not actually the case. Anyone who belongs to the tenant can send an email to that private group, subsequently beginning a conversation within that Group.
“Users can create up to 250 #O365 Groups each & admins have no limit on the number of Groups that they can create.” https://ctt.ec/DSJac+
How to Manage Office 365 Groups Natively
There are a number of places and ways administrators can centrally manage the usage of Groups inside of an Office 365 tenant.
- Office 365 Admin Center: Starting point for administering and reporting
- Office 365 Admin app: similar to admin Center
- Azure AD Admin Portal: Directory management like dynamic membership
- Exchange Admin console: Starting point if you come from Exchange and want to migrate from distribution groups
- PowerShell: There are a lot of the settings only available via Shell. For instance, if you want to disable Groups completely:
- Connect remote PowerShell to Exchange Online:
- Get-OwaMailboxPolicy | FL Name
- Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -GroupCreationEnabled $false
- Get-OwaMailboxPolicy | FL Name, GroupCreationEnabled
What can be controlled:
- Naming Policies
- Blocked words
- Pre / Postfixes based on Active Directory attributes
- Creation restriction (not everybody should create new Groups)
- Dynamic membership rules. (i.e. all Marketing users should be member of “Marketing” Office 365 Group)
- Group Policies
- Show and inform users about the orgs “Groups usage guidelines”
- Data Classification
- Labels such as internal, external or confidential
- Hidden Memberships where only members can see other members
Security and Compliance for Office 365 Groups
As a company IT administrator it is important not only to enable users to create new Office 365 Groups but also to make sure the data keeps safe and is used in the way it is meant to.
For this problem there are different options provided by Microsoft:
- Configure guest access to Groups:
- Enable or disable guest users completely
- Allow addition of guests to any Group or only to specific Groups
- Information Protection
- Use eDisovery features of O365
- Preservation policies and deletion policies are not yet supported but should be available soon.
- eDiscovery and in-place hold is available from the Exchange Admin Center using the Office 365 compliance center. For detailed information you should read this TechNet article.
- Reporting through the Azure AD Admin Portal
- Audit Log Search in O365 Admin Center
- PowerShell “Get-UnifiedGroup”
- The Azure Management Portal exposes group management events (creation, updates, membership changes, etc.) in the group audit report.
Manage Office 365 Groups with Third Party Solutions
It is easy for anyone to provision Office 365 Groups. There are a few options to control the usage of Office 365 Groups in your company’s tenant and I strongly suggest making use of them, as the problem of over-sharing data, creating redundant Groups, and even creating Groups by accident can quickly cause performance issues and raise compliance concerns.
If you are looking for more robust control over Groups from creation, change management, and end-of-life, as well as a single pane of glass through which you can visualize all the Groups in your tenant third party tools provide a broader scope of features, and scalable management. To learn more about AvePoint’s Office 365 Groups governance and administration solution that provides these capabilities, check out this blog post my colleague Hunter put together!
Learn more about Office 365 Groups
- The Office 365 Groups Playbook
- [Upcoming Webinar] Office 365 Groups: Best Practices and Solutions
- Managing Office 365 Groups with Governance Automation Online
- Backup and Restore Office 365 Groups with DocAve Online
- Ask an Admin: Day to Day Office 365 Groups Management
- Behind the Scenes: Office 365 Groups with Microsoft’s Christophe Fiessinger