Hello, everyone. Welcome back for another webinar brought to you by The Office 365 Groups Playbook. In today’s post, we get into the specifics about Office 365 Groups governance, administration, demo solutions to create Office 365 Groups within control, as well as highlight best practices for managing Groups.
With over 1000 live viewers and over 100 questions, our interactive webinar covered:
- Key considerations for deciding whether to activate and enable Office 365 Groups
- What happens when your users decide to create an Office 365 Group
- How to manage the various Office 365 artifacts that come with Groups
- Tips for building a strong Groups governance strategy
- Solutions for regulating Groups creation, management, and end of life
By the end of this webinar, my goal is to help you understand key considerations when administering Office 365 Groups and how to stay in control with minimal business disruption.
Below you’ll find our on-demand Office 365 Groups video:
Please remember to continue the conversation on Twitter by reaching out to me @JohnConnected
Interested in learning more about what happens after you create Office 365 Groups? Check out these blogs for more information:
- Behind the Scenes of Office 365 Groups with Microsoft’s Christophe Fiessinger
- The Top 5 Questions and Answers about Office 365 Groups
- Office 365 Groups vs Teams: How to Successfully Deploy Both
- Office 365 Groups vs Yammer: How Microsoft has Combined the Two
And just in case you missed our first webinar with Microsoft, Hyperfish, and AvePoint experts, check it out below!
Full Webinar Transcript: Office 365 Group Creation Solutions and Administration Best Practices
Hello, everyone. Welcome back to our webinar series and campaign on Office 365 Groups. I hope all of you had a chance to tune in for our first webinar in this series. If you hadn’t, please go visit avepoint.com and you’ll find the initial webinar we did with Christophe Fiessinger from Microsoft, Jeremy Thake, and Dux from AvePoint.
My name is John Peluso and we’re going to go a little bit deeper today into some of the specifics of managing Office 365 Groups. Compared to the last webinar, the last webinar was really more about general awareness of Groups. We talked a lot about the business proposition of an Office 365 Group, sort of why it exists. But we’ll go a little deeper today into both the architecture of Groups as well as some strategies for managing them.
So specifically today, we will do a very quick recap on the concept of a Group but we’ll look at it more from a perspective of an architecture thing, right? So we’ll geek out a little bit on how Groups are structured. We will talk about, sort of, what the worry is. So we’ll go to a few different places that you can join the conversation and we’ll look at what people are, sort of, fretting about a little bit with Groups.
The good news is, it’s problems that we all know but the bad news is there are certain times where we may not have a ton of tools to deal with this. Right? I’ll go into a little bit of depth on what Microsoft is doing. There’s a lot of resources out there so I’m not going to go super deep into what Microsoft is providing for Groups governance and management. And then what I’ll do is I’ll actually propose an alternative approach. One that we’re pursuing here at AvePoint and I think you know, might make a good example for you as well.
We’ll do a little bit of demo and show you some Office 365 Groups solutions. I’ll take you into Office 365, we’ll look at the admin console. We’ll look at some of the newer things that are in there and then we will take it out. Okay. So let’s get moving.
For those of you that don’t know AvePoint, I’m not going to spend a whole lot of time but we’ve been around for a long, long time and a very close partner with Microsoft. Obviously, spent a lot of time developing tools and resources for admins in the Microsoft stack, especially around Office 365 Groups vs. SharePoint. And really if you want to think about our approach to so what we bring to our customers is the ability to do better at migration of content, management of content and systems, and protection. So through governance, compliance, policy-driven approach to managing really now the entire Office 365 stack.
So, let’s talk a little bit about Microsoft Office 365 Groups, right? And so we’ll start off with a couple of slides that you may have seen from Microsoft. But I think it’s important to stress a couple of points because they will come up again throughout the webinar.
When we look at the challenges that Groups are really meant to face, it really does make sense. It really does make sense if we think about the old days and I’m going to do this a lot today. I’m going to sort of reflect back on the way we used to do things. And then compare them to the way that we do them now using the new tools that are available on Office 365.
A lot of times, you would spin up a SharePoint site because you were collaborating as a team let’s say. Well, as much as possible, SharePoint tried to incorporate all of those types of things. So it tried to incorporate the ability to be a social platform even though it wasn’t really, right? So we had communities. We had a little bit of investment there but really what happened is that people were having social engagement elsewhere. Like Yammer is an example, SharePoint tried to do all of your sites and your content management. Tried to do, you know, your calendaring and tasks but we know that there’s better ways to do these things.
So the short answer is a Group is a way for Microsoft to bring to bear, in this cloud platform, the best-of-breed services that they have, the Exchange service, the SharePoint service, the Yammer services, let’s say. Now, we have Teams coming in. We’ll have usefulness for task management and things like Planner. And those things are best of breed. So rather than trying to have SharePoint do all of those things, what Microsoft is providing in a team and a group really is the ability to have the best tools available for us.
Now, I think it’s really important to recognize… And let me just skip forward here to this slide because it’s really important. Office 365 Groups are, first and foremost, a membership service. Okay. They are not a product in and of themselves. And there’s a blessing and a curse for this. Right? The blessing is that we take as I said, those best-of-breed services, SharePoint, Exchange, Yammer, Planner. Increasingly new services like, you know, there’s Staff Hub now. So there’s all these services. The group is an identity mechanism that stitches them all together. Right and links the mailbox for my project team let’s say to the files directory from my project team. It creates that cohesive structure and that’s really the value of a group.
Now I said it’s a blessing and a curse because the curse part is this bottom right, this loose coupling, right? All of these services within Office 365 understand the Group concept but it may handle Groups slightly differently. It’s why we have sometimes frustration. For example, “How come on my SharePoint page, I can get directly to My Planner. But from My Planner page, I can’t get directly to my SharePoint site?” Right? Because there’s a loose connection between those things.
So, if we think about the creation of Groups, let me just spin this slide back as well, right? In the past, a lot of this was manual. The spinning off of a group was very manual. The way we dealt with all of the artifacts that group needed was very manual. It required a lot of communicating with IT and so forth. And now, we have the ability for end users to create Groups by themselves, right?
So what are we thinking about with the group, right? Well before we go any further, let’s actually take a look at what a group is from a structure standpoint, right? And that will help us understand.
So a group is really, again, leveraging the services that are available in Office 365 and this is just an example of a few services. We have the Skype for Business service, we have the Exchange Online service, we have the SharePoint online service, the Planner service, and the Yammer service.
What workloads actually run within those services? It’s kind of interesting and I can actually show you an example of this which is pretty cool. So if you notice, things like Team Chats, Microsoft Teams, right, the persistent chat applications out in preview right now. That’s really built off the backbone of Skype for Business and leverages the Skype for Business services. If I upload a file to my Microsoft Team, that file actually goes into the SharePoint library for that group, the “files” service for that group.
Same thing with Planner. If I upload a document to my Planner task, right, as an attachment, that document is actually stored in SharePoint in the SharePoint library for that group. So it’s pretty interesting what’s going on. What’s really concerning though is that these artifacts are really all over the place, right? And you don’t always know where things are, right? And it gets worse, right, it gets worse.
So, let’s actually take a look at this. I’m going to flip over to a screen share and we’ll do a little bit of a walk through an Office 365 tenant that I have here. Just wait for that screen share to come up. Okay.
So this is just a typical Office 365 tenant. I happen to be an administrator but that’s not really important, at the moment, and with what I can do here. Let’s go over to “people” and here in “people,” I’m just going to do a search and I’m going to search. I know there’s a group called “Big Wigs.” And sure enough, there it is. So here’s the Big Wigs group, right?
So let me go over to the Big Wigs group and let’s go check out the files for that group. Right? So here I am in my files and I’ve got some documents in here. We can see that I can go over to my Planner, right? I can get to Planner right from here so there’s this connection between the identity of the group and the resources that are available to the group.
And I have a task in there that I said this is my first task. And you see that there’s a document in there. And let me just go ahead into this thing and, “Need to get this task started.” I’m just commenting on that task. Okay. And I can have this threaded message about what’s going on with this task.
Now, Office 365 is being wonderful this morning. You can see that there’s some Exchange Online problems but that’s okay because I prepared for this in advance. Let’s go over to the mailbox for this group and see what we can see. Right? And I’m going to go over to “conversations.” And over here in “conversations,” essentially, what I’m accessing is the mailbox for that group, right? So that group is going to get messages. There are messages that go directly to the group mailbox. There’s a concept of subscribing. So subscribing would allow the message that’s sent to the group mailbox to also be sent to every individual member’s mailbox. And that’s a concept that you can either enable or not enable for the group as a whole or one by one.
But there’s one thing I want to show you about this Big Wigs group, and this is important. So if we come over here and we look at this group, we notice that Big Wigs is actually a public group, right? So there’s public groups and there’s private groups. What’s not always apparent, right, is the impact of what a public group is versus what a private group is. And so I’m going to do a little trick here. If we go over to the library for the group, now what we’re actually accessing if you follow the URL, I’m accessing the shared documents library for the team site that this group is in. Okay? So you can see the path here, it looks about just like a normal SharePoint path. And it functions very similar to a normal SharePoint path.
If we come in here, we can get into our library settings. Okay? And here’s where it gets interesting. We all recognize this page, right? This is a typical SharePoint document library page. If I come in to look at permissions for this library, again remember this is a public group, and I go into the members group, you can see the members group has edit permissions. Now edit permissions are fairly high for what a lot of people want to do day to day. Edit permissions and, again, this is the SharePoint world, right? So these folks can potentially make changes to libraries and library structure. They have more rights than contribute users, right?
And look who’s in here because this is a public group. Everyone in the internal Office 365 tenant. So everyone in my company has these edit rights. That’s a fairly high degree of oversharing for what most people are doing. And again, how would you even know that this is going on? So there are some things when you start digging into groups that can be a little bit concerning, all right?
One other thing that’s useful if we go back to that slide, you remember the structure of the services along the top and then the artifacts within, kind of neat to just sort of poke in here. So I’m just going to take you into DocAve Online and the reason I’m taking you in here is because I want to show you the structure of the artifacts. And I’ll just use SharePoint and Exchange as an example. So I’m just going to go into DocAve Online backup application, because we want to just see the structure, right? So if I look here, here are all of my Office 365 Groups, Team sites. And here’s my Big Wigs group, right? And if I start to browse down this tree, this is really no different than any other SharePoint tree that we recognize. If we go into documents and into this group folder, you’ll see the documents that were in the files directory. That’s interesting.
If I go up here to site assets, right, and start to dig in there, you know that the group also has a notebook. So if we start to dig in there, we’ll find the notebook and we’ll find the pages of the notebook that exist. So everything is really somewhere, right? Everything is really in there somewhere, and it’s really just a matter of understanding what’s going on. So there’s the tactical detail. The tactical detail of what am I actually looking at and where is it stored.
But we also want to solve the big problems. The big problems are things like, “How do I handle issues that I know are going to happen like over sharing,” as a particular example, right? So if we take a look at… And if you guys haven’t visited yet, go take a look at the Microsoft tech community, right? So it’s techcommunity.microsoft.com. It’s fairly easy to find. And they’ve got a lot of discussions happening there.
But one of the things, and I’ve just extracted a few different quotes out of here, is that folks are really struggling with this idea of governance for Groups. So I had gone on and just out of curiosity posted a message about what are people doing in terms of self-service creation of Groups. Because it’s so easy to do the wrong thing when you create a group. Right? And not understand the impact of what you’re doing. This is something that we want to take a look at.
Now, Microsoft is going to provide some tools for us to control some of these things that people are worried about. So here’s a post about enterprise customers wanting the self-service creation of Groups turned off, right? Here’s another quote about planning to leave it open, right? The self-service creation open because you don’t want to deal with all the nonsense of getting these requests to create Groups.
But at the same time, the concept of “sprawl” is one we hear all the time. This is a familiar one because we know this, right? We know this from the SharePoint days. The easier it is for a user to provision their own things, the more we’re going to get this kind of “sprawl,” right?
So the problems are really fairly common and that’s where while they’re a little concerning, they’re the same problems that we’ve known for a long time because we handle them in SharePoint. We handle in file shares and it’s really no different, right? There’s balance of agility and control.
So what do we do if we want to have some ability to manage Office 365 Groups at scale? Well, Microsoft has been investing here. And we’ll talk a little bit about what they’re building and some of the controls that they’re going to want to help you put in place. Right?
A lot of these things, by the way, are in the road map for Office 365. So there’s some things we’re doing now and there are some things in the future. When I go back to my screen share, I’ll pull up the site that you can keep track of what they’re working on. There’s two sites in particular that you want to be aware of. One is called “user voice” and that’s where anyone can go on and make requests for features. Kind of interesting to pop on to “user voice” and just review what other people are asking about. That’s kind of neat.
And then there’s the tech community, the Microsoft technology community. That has replaced the public Yammer Group. And there’s a lot of discussions in there about folks who are trying to come to terms with how to deliver Office 365 as a sustainable service within their offering. So how do I enable group usage because it’s really valuable? The tools are great, but I need to do it safely?
So some of the things that Microsoft is delivering here are things like dynamic membership. So dynamic membership is the ability to decide who is and isn’t part of a group. Now, one thing that’s of concern for a lot of folks, once they start to get deep is that right now, Groups are only allowed to contain users. You can’t nest let’s say an AD Group inside of an Office 365 Group. So how do you have a functional Group but make sure that new users are constantly added there? That’s really the concept of what dynamic membership is all about.
Privacy type conversion is simply the ability to convert a group from public to private. We have multi-domain support for your large tenants that are out there in Office 365. There are creation policies. I’ll talk a little bit about creation policies and what Microsoft is doing. One of the things, and I’ll take you in when I set up my next demo, is a lot of the controls. Because Office 365 Groups really started as an initiative from the Exchange Team. The Exchange Online team was where we start to see these features first. You’ll still have to go to the Exchange admin console to do some of these settings.
Additionally, there are some aspects of the services in Office 365 that still look to the Exchange Outlook Web Access mailbox policy to determine things like who can and who can’t create Groups. So there are some controls that are left in Exchange but what Microsoft is moving to is this much more centralized Azure-AD-based policy mechanism for Groups and we’ll talk a little bit about that. Right?
So there are some investments and you can keep up via checking the road map. I’ll take you into that site as we move along. We do have some tools that are on the end user side, right? So we know that there’s self-service for some of these things like the ability to create a group and add and remove some members. There’s some admin tools. Sadly, a lot of the tools that you would want to use are going to require you getting your hands dirty with some PowerShell. So running some remote PowerShell is what you’re going to need to do if you want to use some of these new technical management capabilities for Groups.
But I’ll take you into the website and show you that there are a few things that we can do directly through the UI as well. And Microsoft has also been investing in some of the reporting. Although, again, we’ll kind of go in here and we’ll talk a little bit about what’s going on. The short answer is that, again, if you think about the Group being a set of services and workloads within those services that are loosely stitched together with this idea of an identity or a membership. What you’ll see is that you don’t always get everything, right? So, for example, group activity reports right now are showing group activity with mail, right, or with a SharePoint site. But not if the Planner board for that group is very active. So, you know, things are evolving and it’s a fast-moving space.
Good. So I’ll take you in and show you this live but basically, what Microsoft is giving us is the ability to do a naming policy, right? So for all the groups that get created in the tenant, we can have a naming policy. The problem if you enable self-service group creation is that users get to pick the name that they want. If they get to pick the name that they want, then there’s nothing to stop them, unless you put a policy in place for example from creating a group called IT. Right?
Now you couple this with the idea that SharePoint online only offers two paths, right? They have the sites path and the teams path. You can’t really create any other ones. And so you could have a user create a group and all of a sudden, you have a group that’s owned by you know, an end user that’s called Site/IT or Team/IT. Not ideal. So naming policies help with this. The downside of the naming policies that Microsoft gives us is that it’s one size fits one. I get one naming policy and that has to work across my whole tenant.
Other things that you can do in Azure AD is set group creation permission. So one strategy that a lot of organizations are using and you have to do this through PowerShell. But you can go in you can search or you can actually create a template, right, a policy template that says, “Only select groups of people,” right, and you use security groups for this. “Only select groups of people are allowed to create Office 365 Groups.”
Now, again, this is an evolving space. This is a setting we used to make through the Outlook Web Access mailbox policy. It’s migrating into this Azure AD policy. Because, for example, a service like Planner didn’t really know anything about an OWA mailbox policy. So again, evolving space. But this ability to limit who can create groups is one of the most important things that you can do. If you go on that tech community and you look at the thread that I had in one of the previous slides. You’ll see that what a lot of organizations have opted to do is limit who in their organization can create groups, right? And bind that down to a select few. Either resolve it by saying that only admins can create, you know, or help desk, or an operations team can create Groups. Or we do a lot of training for a very small group of users and we allow them to, sort of, be the group champions.
Now what does that sound like? That sounds a little bit like what I remember from site owners and site admins in SharePoint, right? Same ideas, same concepts.
So, let’s talk a little bit more about these things. Before I do though, let me take a quick scan through the Q&A. And please do put some Q&A in here if you have questions as we go along. I’m going to take the majority of the questions at the end but I do want to make sure that if there’s questions that are topical that we call them out, especially if they take us where we wanted to go anyway. Some questions about controlling the creation of Groups. You don’t want the Groups spread all over the place, totally makes sense.
There’s questions about how do we make the permission that happens when a group is created? Like you saw in my group there that because it was public, everyone except the external users had the edit rights. So there’s a question. What if I didn’t want to give them edit rights? That’s something that you would need to do right now retroactively. You can do it through PowerShell. There’s a little way to go in as you saw and adjust the permissions through the UI. Unfortunately, right now, it is retroactive. Or you could use a tool like the policy enforcer tool in DocAve Online and what that would do is sit around and watch the group. And as soon as the group is created, it could go ahead and change that permission for you. So there’s a lot of ways that you could do it but right now, they’re all going to be retroactive.
There are some questions about retention and retention policies. Microsoft’s message is that they’re coming so let’s continue on through what Microsoft’s doing. And we will go through.
Now, if you haven’t already done so, please do review this blog post. It’s by one of our team members out in Germany named Mario. And he wrote a great post about how to use some of these native tools, where they fit, which ones are available through the UI, which ones are available through PowerShell.
So if you haven’t already done so, please make a note. Just go right on avepoint.com. Upper right, there’s a link for blog. And you’ll be able to find a whole series of blog posts around Office 365 and group management.
We’ll go through very briefly though. In where Microsoft is coming, right, or rather is going, we have the naming policies today. But the naming policies only apply if the group is created from particular points of origin. If you create the group from within Exchange, for example, the naming policy will apply. Because the naming policy today as you’ll see, is still stuck in the Exchange set of controls. They haven’t fully migrated it out into Azure AD. And so once they do that, then all of the services like Planner will be able to leverage it. But right now, if you created a group through Planner, the naming policy would not apply. If you created it through Exchange or Outlook interface, it would. So these are some of the gotchas that are causing people to have a little bit of pause and really think about how they’re going to deliver this Groups service within their organization in a way that’s predictable and makes sense.
Banned word and profanity checking is something that’s coming. This is just a kind of a no-brainer. We want to make sure that Groups don’t have names that are offensive.
Soft delete or deletion recovery is what Microsoft is calling it. Again, you got to think about this, right? Think about and, you know, for most of you that are on the call, you’ve probably had some experience with SharePoint in the past. The thing that we want to remember here is that the ownership role… Being an owner of the group is like being the owner of a site, right, in SharePoint or the owner of a file share. You have a lot of privilege. One of the things that you can do is decide, “I don’t need this anymore. I want to delete it.” Now, I talk to a lot of customers, right? And one of those requirements that comes up all the time especially in regulated industries is things like maybe it’s not enough for the end user to say, “It’s okay to delete this.” That should go through some kind of approval, right?
So, while Microsoft is working on this idea of a soft delete or an “oops button” for Groups, pretty much, what it doesn’t really factor in is a managed process around group deletion and group expiration. And that’s really where it’s falling short for some folks. So there are some investments being made but at the end of the day, if we look in here, the benefits of Groups are great, right? The ability to provision by anyone, any time is very agile, right? But agility leads to sprawl, that’s the problem right?
Also, too much is really left to the end user to decide do they want a public group or a private group. Unless you get in and configure some of these advanced settings that Microsoft is offering, you’re not going to be able to automate policy. So you’re going to have to do a lot of training and a lot of trusting. So these are pretty common and, again, if you go through that tech community, you’ll see these things mentioned over and over again. Right?
So at AvePoint, I’ve mentioned DocAve Online a few times. And so it’s important if we go back to this slide to think about how we are approaching the idea of Groups, right? It’s really taking a holistic approach and this is what we’re doing by the way, for our internal deployment as well. Because like you, we turn the group functionality on and very quickly, had hundreds of numbers of Groups right? Many of them with the word “test” in it. So there’s about 150 test groups out there. Who knows if they’re being used or not?
So what we need to do is we need to provide a mechanism and a framework that offers Groups as a managed service. And what I mean by managed service is the creation, provisioning of that group is managed, right? I want to maintain the agility for the business user but at the same time, what I want to do is put some control around it, right? I want to bring some of those policies that Microsoft is providing make them easier to use. And then I want to add policies that Microsoft is not providing, right? Like for example, the need to put a group creation request through an approval process, let’s say. Or to create a level of ownership that doesn’t give away the farm but still implies who is responsible for what.
Once the group is provisioned, we want to make sure that we have ongoing policy enforcement. So the question is the question came in before about the permission level in SharePoint. Can that be set to a custom level? Well, if you want to put a policy around it, right? You can use a tool like Policy Enforcer because Policy Enforcer is going to sit there and watch over what’s happening with that group. And make sure that your policies that are defined, like for example, the members group gets contribute instead of edit rights. Right? That’s something that you can enforce. And that’s what we mean by ongoing policy enforcement.
Re-certification is a core value, right, for a lot of folks. And if we go back to some of those tech community posts, there was one from a large manufacturing company who said that what was really important is that they’re subject to regulations that require a periodic review and acceptance of permissions and access, right? It’s fairly common but how do you do that when it comes to Groups? Right?
So re-certification of membership, re-certification of ownership, re-certification of permissions and metadata, and classification, all that is really, really important. And then finally, when it comes to looking at how we deal with the life cycle of a group, this is where we have to get into topics like, “Is it okay if certain types of Groups are deleted, right? Are there regulated Groups and non-regulated Groups and do we treat those differently? What are the rules of engagement around Group deletion? Can it be done? Who can do it? Does anyone need to say it’s okay?”
So these are the kinds of things that we want to approach. And so, you don’t have to do all of this with AvePoint, right? These are fairly generic things that you want to think about. The question is “do you have a need for a policy in one of these four areas”, right, or all of these four areas. And if so, how are you going to put that into place?
Now, a low-tech approach might be that you turn off self-service group creation, right? And you limit it down to a particular team that would handle this first one. It creates a manual process, no doubt, right, on your end. But, at least, you don’t have to worry about provisioning being out of control.
You can use some of the reporting that’s available to do reviews of group activity and what’s happening within those Groups. There’s lots of schemes that had been put together and organizations that are subject to this may already have re-certification, sort of, processes that they have. So they just have to think about how to integrate those into this new world of Office Groups. Right?
Now, automated site life cycle and content life cycle is something that you’re going to have to think about. Because if you’re using the native approach and you’re allowing end users to be group owners, there’s, unfortunately, not a lot that you can do to limit their ability to expire or delete that group.
Now, I did see a question in the chat earlier and it is an area that Microsoft is going to be investing in. With respect to having some kind of retention on the files that get created by a Group. So if you have, let’s say, a Group that’s being used by a team engaged in some regulated business, you could down the road… This is not here yet but Microsoft is working on it. You could set a classification for that group that is mapped to a retention. Documents have to live for a year, right, after they’re last modified.
Down the road, you will be able to do this but, again, it’s going to be fairly limited to certain of the workloads like for example the files folder. And the reason why Microsoft is able to do this is because they’re going to leverage the same technology that they’re using to do this in SharePoint and OneDrive, right? So if we go back to that slide and think about all those artifacts that are spread all over, this will protect some of them but not all of them.
So, a few things we can do here. What I’ll do is take you into some software and show you basically what our approach is. What we’re up to is really trying to get this provisioning of Groups, right. So we’re going to propose a strategy that does a few things. The first thing is we don’t want the native provisioning options for Groups to be available widely to most of our users. We’re going to provide an alternative mechanism for creating Groups, right? Just as agile, just as easy. However, what we’ll do is be able to put our controls in place so that only the right things are done and we are in adherence with policies that we have.
So the governance of that group creation is really important. And as you already saw, we have the ability to do some basic and tactical things. Like the backing up of the group and the moving of group contents from one place to another. God knows you’re going to have to do a lot of merging of group artifacts for Groups that were created with really the same purpose. But potentially different Groups were created by different people. So those are some of the tactical things that you’re going to need to do.
Where we’re heading is to expand on this with more single pane of glass management for Groups. Because that’s one of the big challenges that most people have today is that creating and managing Groups is really an experience that’s all over the place. Some things you can do in Exchange admin center; some things are PowerShell on the Azure AD side. So it can be very, very difficult.
The other thing that we’re doing is we’re offering today the concept of a lease duration for Groups. I’ll show you that in the software how that works. So a group can live for X amounts of days, weeks, months. And then when the group is no longer relevant, we can expire the Groups. So I can talk you through what we’re doing there.
The enhancement that we’re looking to do, down the road, is actually base some of these decisions on activity within the group. So maybe I allow all Groups, my contract with my users is that they can have a group for a year and then they have to tell me if they still need it or not. They need to re-certify the need for that group after a year.
But I don’t want to wait a year if there was a test group that got created and never used, right? Maybe I want to wait only a few weeks and if the Group hasn’t been touched in a few weeks, then we’ll make a decision about potentially prompting the owner of that group. And saying, “Hey, this doesn’t seem to be co-share, what do you want to do with this group?” All right so that kind of expanded life cycle is important. And then the other thing we’re doing is we’ll be delivering the ability for you to have a structured and managed process for re-certification, right? And re-certification is key because re-certification is where I do my validation of ownership, membership, and so forth, and so on. Right?
So that’s a little bit about our strategy and what I’ll do then is take you in and show you the approach that we’re using to manage our own internal deployment of Groups. Not necessarily because you need to do it the same way but I think it’s important, as you sit down and build a policy for how Groups services are going to be delivered within your organization, the concepts are all going to be the same. You may choose to implement your strategy one way or another. You may choose to use tools or not use tools but it’s important to look at every step of the process.
So that’s where we’ll go to. So let me go ahead and reestablish my screen share and we’ll take a look at this. And I’ll talk you through this scheme and the scenario that we’re looking at.
So we’ll just get this fired up. Okay. It looks like it’s firing up. There you go, a little buffering and life is good.
Okay. So what I’ll do first is take you in here as an administrator, again, and we’re over here in… again, it’s Office 365. And some of the native functionality that you can configure is over in the Exchange admin center. So where did I go? I went down here to admin and then went to the Exchange admin center. Okay? Once I’m here, I can configure the naming policy for the tenant. So if I come in here, I can create a naming policy. Right? And Office 365 has been very slow. Here we go.
Now, the Office 365 Groups naming policy, it’s important to know that it’s going to go across your entire tenant. If you’re going to use this technology, you’re going to have to come up with a scheme that makes sense for the entire tenant and that everyone can live with. And so what often happens is, you’ll find organizations that are doing this by department name or region name as a prefix or a suffix, and things like that.
And remember, I’m in the Exchange admin center here, so anything I do won’t necessarily be honored by services that don’t know anything about the Outlook Web access policies and the Exchange configurations. So if I were to create a group in Planner, as an example, it would not allow me to use the same naming convention. It wouldn’t honor this naming convention. That’s coming. That’s coming down the road and Microsoft will be delivering that.
Now, having said that, let’s actually take you over here. This is fastrack.microsoft.com/roadmap, okay? And this is a great place to keep up with what Microsoft is doing. So what I’ll do regularly is I’ll just type like “Groups” in the search box here and that’s cool because it will show me just the features I’m interested in about Groups. So you can see that there’s some features that have been launched about some of the things in Groups, group creation policies in Azure Active Directory as an example. And that’s where you could limit who is allowed to create a group.
And if I come down here to rolling out, you’ll see some more stuff, right? Plan creation, restriction, and naming policies. And then, you can see some things that are on the longer term road map for them. Right? So this is just a great place to keep up with what’s been going on and what Microsoft is doing as far as Groups go. It’s a great place to find information about Office 365 groups roadmap.
Now, it looks like I can’t get this interface to launch which is not a big deal. Basically, I’ll show you an interface which is very similar, actually in our software, and I’ll talk a little bit about how things are slightly different.
So there’s some basic Groups tools that we can use in the admin center, right? Here, this was one from the Exchange admin center. There’s also some usage reporting that I could do from the admin center. But I’m more interested in this. So let me just take you here and let’s go over to AvePoint Online Services. So I’m going to take you into a tour right now called “Governance Automation Online.” And Governance Automation Online is the platform that we use to manage the provisioning and life cycle of Office 365 Groups.
Forget trying to disable Office 365 Groups and scripting Office 365 Groups PowerShell commands to block end users. Strike the balance between enforcing governance over Groups, and getting your users what they need quickly. With Governance Automation Online, use simple service request forms to streamline approval processes and ensure every Office 365 Group is set up in accordance with your governance policies and business needs.
And so if we go to an end user’s experience, which is basically this, right? This is Adelle, she’s in her Office 365 mailbox. Now, if we’ve allowed Adelle to create new Groups, she would be allowed to simply create a group without any restriction from me. Right? She’d be able to come here and click on new group. And notice that the default is public. There’s not really much setting here. So the governance strategy that we’re pursuing is we’re not going to let Adelle do that, right? I’m not going to let Adelle create that group.
And if you turn group creation off, what’ll happen is this interface element for group will still be there when Adelle clicks but she’ll be taken to a message that says, “You’re not allowed to create a group. You don’t have the right privilege to create a group.”
Well, again, if I take something away, I’ve got to give something back. And so one of the things I can do is give Adelle the ability to actually request a group. So if I come in here, what Adelle is being taken to right now is actually a request for a new group that’s being serviced not by the native Office 365 capability but by Governance Automation.
Now, as I go through this, you can see that there are certain things that I’ve mandated. I’m not allowing Adelle to create a public group because my policy is that I don’t allow the creation of public groups, right, for security reasons. Also, notice that we’re mapping this group back to a department. That’s used for tracking purposes, right? Right now, the only way that you can really keep Groups organized is through a naming policy. But we’re giving you other mechanisms, right? So I’m giving myself an ability to define this as metadata. Similarly, if you come down here, you’ll notice that there’s some other information as well like purpose. Why are you creating this group? For what purpose? Now, again, this is just metadata that we’re applying against the group and you’ll see later where this comes to pass.
So real quickly, let’s just fill this out. So “I need a group to plan the picnic.” Picnic sounds good in the middle of winter, right? And this is just a note to approvers, right? So if this request is subject to approval, after I submit it, this is where I sort of plead my case. Right?
Now, I can’t pick anything other than a private group and when it comes to primary and secondary group contacts, this is a really important concept. So in our implementation we are not allowing the end users to be the owners of the group, right? If they’re owners, then they have a lot of control which I don’t want them to have.
Now again, what happens if I take away this group ownership concept, right, and I maintain ownership out of the IT department? Does that mean that IT has to be petitioned every time someone wants to join the group or leave the group? Well, not in our case because it’s just like they have a group provisioning service, I also have a group membership service where I can request to join a group for myself, for others, and vice versa. I can request the people be removed. Again, those things can happen with a managed process in place for approvals and things like that.
So our concept of this primary and secondary group contact essentially are the users that are going to be the accountable parties right, the accountable parties for this group. Now, one of the cool things is… If I spell my name right… One of the cool things is that because these are now roles that are mapped to this group, I can now involve Adelle, right, as the person who can make decisions in the approval processes for things like group membership changes or when the group expires. These are the accountable parties that I’m going to go talk to. Right? And I’ve got them mapped. So this is really no different than what a lot of folks did in SharePoint by creating custom roles that were lower privileged but still implied the ownership.
Get in there, okay? Now, the group members, I can add anyone that I want. You can see this is just like the native capability here. And notice that I also have a Groups policy. So in my Groups policy, one of the things that I can do is define how long this group should live. So, this group can live for a year under our standard policy, right? And I can say a year from today, or a year from a particular date, right?
And then I have to say what the purpose of the group is. So let’s say that this one is for a project, so a picnic is a project. I can have additional stakeholders here named if I want to. Notice here that we’ve got our own implementation of the naming convention that we’ve delivered today. And because all group creation goes through this process, this will apply to all Group requests. Right?
So it doesn’t matter. We’ve shut down the ability for them to create Groups directly through Office 365. So now, this is their only mechanism. Because it’s their only mechanism, now I can make sure my naming policy is enforced. And so, we’ll call this “Picnic.” Notice though that the group is going to be called marketing_picnic_emia [SP]. Because in the back-end, what we’ve got and I’ll show you the design of this service. We’ve got this configured so that the user’s department is appended as a prefix, and the user’s region is appended as a suffix when they’re creating a group. So this is now very clear what’s going on.
So, this is an example of that sort of that managed provisioning of the group and you can see that my request has been submitted. And if this required approval, it would now be sitting in someone’s queue for approval. If this was an activity I wanted to make available to everyone, I could simply auto approve these so that there’s no wait. If we look in the back-end of what created that configuration, we can come in here and I can go to my settings. This is the back-end or the admin interface of Governance Automation. And I can go over here to my services and you’ll see that I have quite a few services available to me. And these are services across SharePoint and Office 365.
But let’s go ahead and actually, let’s show just the Group Services so I want to see Create Group, Change group settings, Group Life Cycle Management, okay. Good, good, good. Okay. So here we go. These are my services for creating Groups. And you can see I have a self-service request for group membership changes, group deletion, again requiring approval and so forth. But the one we just walked through was this one. And so, if I just quickly pull up the settings, you’ll see that essentially what we’re providing out of the box here is a policy interface. That lets you say what options are available to users, what options are not available to users. What can they and what can’t they do?
So again, there’s no requirement here that you use software to solve this problem or at least our software to solve this problem. But take a look at some of these options on here. These are the kinds of things that you want to think about. Who is allowed to create Groups? What is the process? How do I make sure that the right policies are in place? And you can see here all of those settings are defined.
If I deactivate this service, I’ll be able to go in and actually edit it. And you can see how easy it is to create these things. It’s really kind of point and click. All right. So again, mapping back to department, who is allowed to request this service. So I can still target who’s allowed to request a group but the impact of these requests is now less. They don’t automatically get fulfilled, right? Unless, I want that to be the behavior. You can see here the privacy settings, right? So privacy is set to private. I assigned it. I didn’t let the business user decide that but I did decide to show them on the form. Right?
Questions that really confuse business users like outside senders, I can simply define a setting and then not even tell the business user that it’s happening, right? So all these kinds of things. And again, we have our naming policies and our life cycle policies. Here’s what created that naming policy of department_ name of the group and then the suffix of the country or region.
And the cool thing is I can have as many of these service definitions as I want. I could have a standard group creation service. I could have a group creation service that only is available to certain segments of the population that is configured differently. Maybe there’s a reason for some departments to create public groups like the communications team within the organization. Okay. I can create a differently configured service and make it available just to the marketing team as an example. So again, does this require an approval process? If so, who? And all the services work like that.
So, that’s one view of how to take this thing from a really unstructured, very end-user-driven process. And apply a layer of governance and management, in this case, of the group creation. Now, is this going to be right for everyone? No, certainly not, right? If there’s no problem, if you’re not worried about sprawl, if you’re not worried about these Groups. And you just want a very easy sharing environment, go for it. Right? Go for it. But if you are limiting your users’ ability to use Groups, because you’re afraid you can’t control them, we know that they’re going to find a way. They’re going to get to another service, potentially one that you don’t manage, to do their collaboration.
So, this is the challenge we find a lot of our customers facing right now. Users want Groups. They don’t really understand them. The creation is easy but a little complex to know what’s going on. And so, one way to balance that is to have a managed and sustainable process.
So we have a few minutes left, about 10 minutes left. And what I’ll do is I will pause the demo here and we’ll go into look at some of the questions that you guys have.
And I know some of our folks have been on trying to answer as well as we’ve gone through because there’s a very large group here. But let’s go ahead and pull up the Q&A and take a look. See if there’s stuff we didn’t hit.
Okay. So “Does Governance Automation Online have the ability to search existing groups to see if one exists?” Yes. So there’s a find capability. You saw the metadata. I didn’t show you a report. Let me go ahead and actually show you a report that we can pull here. So in Governance Automation, in addition to being able to define these provisioning services, one of the other things that’s really valuable is the ability to pull reports. So if I come over here at settings, and I come over to my “group report.” You’ll notice that I’m able to sort of collect and report on groups based on a lot of different things, right?
So remember all that metadata put on the group? Things like what was the purpose of the group, who the primary stakeholder is, who the primary and secondary contacts are. We can have any metadata that we want on here. Now, the more metadata we put on a group, the better find-ability of that group will be.
So the question, “Can Governance Automation Online help you understand that group exists already and reduce the duplication?” During the group creation process, we can offer the user the ability to say, “Hey go find, similar groups or similar sites, right?” Because there may already be a SharePoint site that is serving that functionality. So yeah, and we search not only the title but we’ll also search that metadata. So the more metadata you have, the better that search is going to be. So that’s great.
“Can we do the same with this editor for Teams and are Teams managed the same as Groups?” We have a couple of questions out there. So a lot of questions about Teams. So Teams are still in their early stage, right? It’s still in preview so all the plumbing and architecture isn’t really there yet. But the way it works right now is that if I create a new team, I get a group, right? I can either associate a team with an existing group or I can create one. The way that the provisioning works today is that if I create a group… if I create a team in the Microsoft Teams interface, in the back-end the group will get created. If I create a group in the Office 365 interface, a team will not be automatically created.
So the first thing is if you want a new team, you got to do it right now from the Teams interface. That’s a little bit confusing for people as well. So the short answer to the story is the functionality that you saw does not yet work for Teams because essentially, again, the plumbing is not all there yet. As we get closer to general availability, and these things come out of preview, then, yeah, we’ll be looking to full provisioning of Teams into the same process.
There is a question about, “What if someone quits, what happens when or if Adelle quits or gets fired?” That’s a great question. And that’s why re-certification is so important. So if you remember in my walk-through, Adelle was the primary contact for that group. And sure that’s great but what happens if she leaves? Who’s going to approve requests? Who’s going to speak for that group?
That’s what re-certification is useful for. So re-certification of ownership simply says on a periodic basis we can go out and ping the current “owners,” right? In this case, the current contacts and ask them if they’re still willing to take responsibility. If they don’t reply or if they reply in the negative, we go find someone else to be the owner. So there is a proactive, ongoing process. But, of course, if you know that Adelle is quitting, you could initiate one of those changes automatically. Good, good, good.
So “The two ways that users create Groups in Exchange and Outlook and Planner? If so can you turn off Groups in Planner?” So, again, remember that there are some of these services which require a group. So a Planner requires a group. Right? Planner requires a group. Why? Because you need someplace to put the files, right, that get attached to Planner tasks. You need some place to put the messages that are the conversations about tasks. Right?
So a group gets provisioned in the background. If you use the Azure Active Directory mechanism for a group creation policy, right? Not the Outlook Web Access one, but the Azure AD one. It’s a PowerShell-based one. That will have an effect in Planner. It wouldn’t have an effect if you did it through the mailbox policy but it does and it’s the reason why they’re centralizing things there.
“Can all this Governance Automation functionality work for SharePoint sites as well?” Of course, that’s actually where it came from. So there’s a little bit of benefit to these problems that we’re seeing with Groups is that they’re exactly the same problems that we had in SharePoint. Sprawl, ownership, permissions, over sharing, life cycle, and expiration, right? They’re all the same problems. So we have already solved them for SharePoint. We’re simply extending that now to work across the group concept as well.
“Currently, there are two ways that users…” We talked about that one. “Teams and Planner ignore the limitation of who can create Groups. How do we address this?” Yeah, again, I would say that take a look at the Azure AD policy. If that’s not working for you, then, yeah, take a look at the Azure AD policy because that’s the way you’re going to have to do it. Doing it through the Exchange mechanism, the Outlook Web Access Mailbox Policy won’t work for you in Planner and Teams because they don’t understand what that is, that Outlook mail policy.
“How to handle external users which is a major need to include vendor and partners. Isn’t this prohibited by a private group policy?” So, yeah, can external members become part of Groups? The answer is yes. Right? External users can become part of Groups. There are certain things which they can do. There’s a concept of guest access as well. A lot of those controls are in the PowerShell world and in the Azure AD world. So you’re going to need to brush up on some PowerShell and some Azure AD. And again, it’s a fairly reactive process right now. So we’ll be incorporating. As time goes on, we’ll be incorporating more and more of those kinds of settings into our group policy, right? And when I say group policy, that’s the Governance Automation policy that defines things like life cycle of a group and so forth and so on.
“Share content with non-group members.” Yes, that’s a great question. So share content with non-group members in a SharePoint site, the site may be open to everyone and then specific content is restricted.” I’m not sure. “How would you do that with Office 365 Group?”
Great question. So when Microsoft surfaced the Group Team site, right, which they’ve started to do now. If you go to a group, here I am at a group, right, I can go to the site for that group now. So, here’s my Big Wig site and I’m actually at the SharePoint site. Now, by default, you’ll still be taken to this files area. So this is what we’ve always had access to. It just looks like the library. But this sneaky little guy over here allows you get to the homepage. Now, because this is a full-on SharePoint site or technically a full-on SharePoint site, you do have some control about what you can do here. You can, for example, come in here and look at site permissions.
Now, if we look at group members, you’ll notice that… The group members are in the ability to edit, right, and the group owners have full control. But I could, if I wanted to, right, get into… And for those of you that are familiar with SharePoint, there’s a path that you can type in here where you can actually alter the permissions of this SharePoint site. There are some things that you can do. There’s differing wisdom about whether it makes sense to open that can of worms but certainly, this is right now your only way.
If you wanted, for example, some people to have a view access to the documents but no edit rights at all, and no other access to anything else in the group shares. Technically what you could do is you could go to this site, right and either at the site level, or at the library level, you could alter the permissions.
So I’m going to do it here at the library level. I’ll come over here. I’ll do “library settings.” And look at that “permissions for this document library.” What I could do is I could either break the inheritance which would be scary. I probably wouldn’t want to do that. Right? No telling what that’s going to break beyond this and you can get yourself in trouble. Take a look at Big Wig members and Big Wigs is actually the Azure AD group object. So you certainly don’t want to take that out. But nothing is to stop you from adding someone else as a visitor, potentially with the ability to read only. So yeah the exposing of the SharePoint team site does create a situation where sharing documents with people outside of the group with more limited access is possible.
Okay. There’s a question about changing consistently between group creation depending upon where you do it. And yup, that’s what we were talking about before. There’s an Azure Active Directory policy that you can state and that is where you really want to do your work. Because all of the Office 365 services will adhere to that. The current mechanism to do this is through the Outlook Web Access mailbox policy but you don’t want to do that. That was the old method and certain services like Planner don’t understand it. So if you’re going to limit self-service creation, that’s not the way to do it.
Is there a way to receive an alert when a group is created? Not through the native mechanism. In the DocAve sort of group request, one of the Governance Automation group request. One of the things you can do is you can fire off…and let me just pull that back up. One of the things you could do is you can fire off scripts or additional outside functions at various points in time. So what you could do is you could go in and in your service, you would simply say, “Hey, after the group has been created, go call this script or run this operation to update someone that a group got created.” So natively no. I’m sure you could write some PowerShell for it or you could just use the built-in functionality in the Governance Automation Online to do that.
“Can you have two document libraries for an Office 365 Group?” Again, remember, a group has a site. So you can certainly create another library in that site. The question is why would you, right? In some cases, maybe you want a secure library and a standard library. So certainly, you could create a second library in there.
You’re going to miss out a little bit on some of the interface, right? So Files in a group really is about getting to that shared documents library. But if the group was aware of and knew about that second library then sure, you can create it just like you could normally in SharePoint, for sure.
“What is the access required to alter the permissions, the site permissions of a group?” You need to be an owner to change the membership of a group. You need to be an owner right. And, again, the owner role is one where if you limit that down, the way we’re doing in our implementation, you’re going to have to provide an alternate mechanism to do it and that’s why we do the group membership request to add or remove group members.
“Any information around Yammer Groups now being Office Groups?” Oh, we could go for hours on that one. Short answer is that the Yammer is now connecting, sort of, with Groups. So it’s a slow path. The good news is you can now have a Yammer group that is connected to an Office 365 Group. It is a little bit confusing though because you will still get the conversations interface, that’s the Exchange/Outlook-hosted conversation view, which is different than the conversations that you’re having in Yammer.
Also, at this stage, the documents that you upload into Yammer as attachments, do not go into the SharePoint document library as you would expect them to. They stay in the file repository that Yammer uses. So it’s yes, but it’s a little bit weird at that moment.
If you do it, just do a search. Microsoft did an FAQ on Groups with Yammer when they announced this connection between the two. And there’s a lot of, sort of, branches of “If this works this way then you do this. If this works this way, then you do that.” You can completely decouple Yammer from Groups if you wanted to. But now, you could have them also connected if you wanted a Yammer feed for every group, you could do that.
Okay. So we are a little bit over time, I think, here. And what I think we’ll do is we will take all the questions that we didn’t get to during the session. And we’ll get you out answers to them, right? So hang in there with us. Definitely take a look at our site for Groups avepoint.com/office-365-groups. Lots of information on that site about what happens when you create Office 365 Groups. This is where you can review the webinars that were in the past. You’ll also be getting access to blogs through that site and everything else. And as I said, we will be doing a sort of an FAQ for you where all of these questions if we didn’t address them on the call, will be there.
So thanks, guys. Appreciate your attendance. Hopefully, this was valuable and feedback would be appreciated. So if you just want to jot some feedback into that Q&A as well, we’ll see that and take note and use it in planning further sessions. Thanks, everyone. Have a great day.