How to Manage Office 365 Groups Using Native Admin and Governance Capabilities

Post Date: 01/18/2017
feature image

Office 365 Groups provide an easier way for your end users to work together by connecting people and the applications they use to create and collaborate. With an Office 365 Group, your end users receive an array of Office 365 artifacts. These include a shared:

  • Document library on SharePoint Online
  • Mailbox, distribution list, and calendar powered by Exchange
  • Planner for organizing and assigning tasks, and keeping up to date with project progression
  • OneNote notebook for taking project and meeting notes

On the end user side, Office 365 Groups are quite easy to spin up. This makes Office 365 Groups something of a sweet spot, as Groups are much less confusing to configure than SharePoint sites and provide more robust collaboration than a OneDrive or distribution list.

But what does creation and management look like on the IT administrator’s side? Today, I will walk through the building blocks of Office 365 Groups and evaluate how to manage Office 365 Groups using native functionality.

Office 365 Groups Architecture and Native Provisioning

Before jumping into how to manage Office 365 Groups, it’s important to understand how they are structured and how they are created in the first place.

Architecture: Office 365 Groups leverage a standard definition for Group membership and permissions across Exchange, SharePoint, Skype for Business, Yammer, and the rest of Office 365 managed through Azure Active Directory.

manage office 365 groups
Diagram – What Powers Office 365 Groups

Provisioning: There are a number of different ways that Groups can be created – some of them are accessible only by administrators, whereas others are easily accessible by end users.

  • For End Users: Groups can be intentionally created through a number of interfaces:
  1. Microsoft Outlook
manage office 365 groups
Creating a Group through Microsoft Outlook
  1. Office 365 Outlook Web Client
manage office 365 groups
Creating a Group through the Office 365 Outlook Web Client
  1. “Groups” Mobile Client
manage office 365 groups
Creating a Group through the Groups mobile client

End users may also automatically create a Group if they create an Office 365 SharePoint Site, a shared Planner, a Yammer Group, or a Microsoft Team.

  • For Administrators: There are only two methods for creating Groups that are unique to administrators.
    1. Office 365 Administration Portal

      manage office 365 groups
      Creating a Group through the Office 365 Administration Portal
    2. PowerShell:  New-UnifiedGroup -DisplayName ie. “AvePoint TAM” -Alias TAM

Ease of End User Usability – Pros and Cons

The ease and versatility with which end users and information workers can create a Group is great because it enables them to build new Groups easily without waiting for the IT department. They can start collaborating instantly with their coworkers.

During the creation of a Group, they just need to select a name, Group ID, and whether the Group should be public (meaning everyone in the organization can read its content) or private (only members can see the contents).

manage office 365 groups
Edit an Office 365 Group – End User View

However, this can also cause some headaches for administrators because there is no limitation on who creates Groups and for what reason. By default, Office 365 users can create up to 250 Office 365 Groups each, and Office 365 administrators have no limit on the number of Office 365 Groups that they can create. The default maximum number of Office 365 Groups that an Office 365 organization can have is currently 500,000.

Also, even though you might assume that someone who is not a member of a private group cannot post to it, that’s not actually the case. Anyone who belongs to the tenant can send an email to that private group, subsequently beginning a conversation within that Group.

[ctt template=”1″ link=”DSJac” via=”no” ]”Users can create up to 250 #O365 Groups each & admins have no limit on the number of Groups that they can create.” https://ctt.ec/DSJac+[/ctt]

How to Manage Office 365 Groups Natively

There are a number of places and ways administrators can centrally manage the usage of Groups inside of an Office 365 tenant.

Administrative Controls

  • Office 365 Admin Center: Starting point for administering and reporting
manage office 365 groups
Manage Office 365 Groups through the Office 365 Admin Center
  • Office 365 Admin app: similar to admin Center
how to manage office 365 groups
Manage Office 365 Groups through the Office 365 Admin app
  • Azure AD Admin Portal:  Directory management like dynamic membership
how to manage office 365 groups
Manage Office 365 Groups through the Azure AD Admin Portal
  • Exchange Admin console: Starting point if you come from Exchange and want to migrate from distribution groups
manage office 365 groups
Manage Office 365 Groups through the Exchange Admin console
  • PowerShell:  There are a lot of the settings only available via Shell. For instance, if you want to disable Groups completely:
    1. Connect remote PowerShell to Exchange Online:
    2. Execute:
    3. Get-OwaMailboxPolicy | FL Name
    4. Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -GroupCreationEnabled $false
    5. Get-OwaMailboxPolicy | FL Name, GroupCreationEnabled

What can be controlled:

  1. Naming Policies
    • Blocked words
    • Pre / Postfixes based on Active Directory attributes
  2. Creation restriction (not everybody should create new Groups)
  3. Dynamic membership rules. (i.e. all Marketing users should be member of “Marketing” Office 365 Group)
  4. Group Policies
    • Show and inform users about the orgs “Groups usage guidelines”
    • Data Classification
      • Labels such as internal, external or confidential
    • Hidden Memberships where only members can see other members

Security and Compliance for Office 365 Groups

As a company IT administrator it is important not only to enable users to create new Office 365 Groups but also to make sure the data keeps safe and is used in the way it is meant to.

For this problem there are different options provided by Microsoft:

    1. Configure guest access to Groups:
      • Enable or disable guest users completely
      • Allow addition of guests to any Group or only to specific Groups

        manage office 365 groups
        Configure Guest access to Groups
    2. Information Protection
      • Use eDisovery features of O365
      • Preservation policies and deletion policies are not yet supported but should be available soon.
      • eDiscovery and in-place hold is available from the Exchange Admin Center using the Office 365 compliance center. For detailed information you should read this TechNet article.
    3. Auditing
      • Reporting through the Azure AD Admin Portal
      • Audit Log Search in O365 Admin Center
      • PowerShell “Get-UnifiedGroup”
      • The Azure Management Portal exposes group management events (creation, updates, membership changes, etc.) in the group audit report.
manage office 365 groups
Azure Management Portal Audit Report

Manage Office 365 Groups with Third Party Solutions

It is easy for anyone to provision Office 365 Groups. There are a few options to control the usage of Office 365 Groups in your company’s tenant and I strongly suggest making use of them, as the problem of over-sharing data, creating redundant Groups, and even creating Groups by accident can quickly cause performance issues and raise compliance concerns.

If you are looking for more robust control over Groups from creation, change management, and end-of-life, as well as a single pane of glass through which you can visualize all the Groups in your tenant third-party tools provide a broader scope of features, and scalable management. To learn more about AvePoint’s Office 365 Groups administration and governance solution that provides these capabilities, check out this blog post my colleague Hunter put together!

Learn more about Office 365 Groups

manage office 365 groups

Share this blog

Subscribe to our blog