Groups in Microsoft 365 for IT Architects What IT architects need to know about groups in Microsoft 365 Microsoft 365 includes five types of groups that are used to manage Many groups are created by members of your organization for access to resources and for communication. Group membership is collaboration using Teams, SharePoint, and other collaboration based on Azure Active Directory accounts. As an admin, your team tools. While membership in these groups can be highly dynamic, you creates some groups to manage conditional access, devices, and still manage the underlying Azure AD accounts, including enforcing other resources. conditional access, using Azure AD Identity Protection, and other controls to protect your organization. Identity-based security perimeter Identity and access managed and secured centrally for all Microsoft 365 groups users in the environment Security groups Groups in Membership and access control across Mail-enabled security groups Microsoft 365 Microsoft 365 Teams, Outlook, Yammer, SharePoint, Planner, Stream, Distribution groups Forms, Dynamics CRM, Power BI, Project for the web Shared mailboxes Centrally managed and governed Single identity across Managed across Microsoft 365 admin center, Azure AD Microsoft 365 resources admin center, and Exchange admin center Types of groups and where they are created Groups can be created in several of the admin centers and by users from within apps. Security group Microsoft 365 Mail-enabled Distribution Shared mailbox group security group group Used for granting access Used for collaboration. Includes the ability to send Used for sending Used when multiple to resources and for Includes a group email mail to a group. Cannot be notifications to a group of people need to access the managing devices. and shared workspaces. dynamically managed. people. same mailbox, such as a Type group Type of Cannot contain devices. support email address. Azure AD Microsoft 365 admin center Exchange admin center Outlook Teams SharePoint Planner Yammer Stream Where groups can be groups Where created Power BI (classic) Roadmap Project for the web Continued on next page Managing groups Groups can be managed across admin centers. Controls vary The Exchange admin center provides the most controls for depending on the scope of the admin center. For example, Azure AD managing mail associated with groups. provides control over dynamic group membership and licensing. Manage all group types Manage most groups types Microsoft 365 admin center Azure AD admin center Exchange admin center • Sort on group type • Manage all group types, except shared • Manage all group types, except security • Manage group members and owners mailbox groups groups • Create a friendly email address when • Manage group members and owners • Manage group members and owners creating mail-enabled groups • Manage dynamic group membership • Manage where messages are accepted • Edit the email address for distribution • Assign licenses and applications and rejected from groups and mail-enabled security groups • Assign Azure resources • Allow delegates to send mail from the • Edit name and description • Review activity (access reviews, audit logs) group • Edit privacy and subscription settings • Change the language for group • Allow or prevent outside senders notifications • Delete groups • Manage additional mail settings for mail- enabled groups. Governance for admin-created groups Conditional Use Azure AD to manage access to Device Create security groups in Azure AD to Microsoft 365 groups access to Microsoft manage devices. access management 365 services and other SaaS applications. Group-based Create security groups in Azure AD to Azure Create security groups in Azure AD for assign licenses based on groups. managing access to Azure resources. licensing resources Collaboration spaces for Microsoft 365 groups Collaboration spaces for Microsoft 365 groups differ based on where While users can create Microsoft 365 groups in Outlook, other the Microsoft 365 group is created. Note that Teams and Yammer apps create them behind the scenes when users create Teams, cannot be connected to the same group. SharePoint team sites, Planner plans, and Yammer groups. Services provisioned Where the group is Inbox and Power BI SharePoint site Stream Planner Teams Yammer created calendar workspace and OneNote notebook Azure AD Admin created Microsoft 365 admin Admin created Outlook User created Teams App created SharePoint App created Planner App created Yammer App created Stream App created Power BI (classic) App created Project for the web App created Roadmap App created Auto-provisioned Auto-provisioned, but hidden Not auto-provisioned, but can be added Not available May 2020 © 2020 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at [email protected]..