First let us start with: What is Office 365 (O365)?
O365 is a suite of applications hosted online by Microsoft. These applications are productivity tools for the business. One of these applications hosted in O365 is SharePoint.
An Office 365 group is a set of users that can be used across Office 365 applications. This means it can be used for SharePoint as well as other applications such as Outlook, Teams, Planner, Stream etc.
In contrast, SharePoint groups apply only to SharePoint and cannot be leveraged in other O365 applications.
All O365 groups can be managed in Active Directory where you can view members and owners as well as manage settings.
When you create an O365 group, it will automatically create an associated workspace for the group. Depending on where you create the group, a different collection of tools will automatically be created.
Every time you create an O365 group, no matter where you create the group, you always get:
You can use an existing O365 group for any of the following applications:
O365 groups can be created from almost all applications. Depending on where you create the group
The purpose of the group and the applications its members will need determine where you create the group.
For the most part, you can create the group anywhere and then later apply additional applications to the group as needed. The only exception is O365 groups for Yammer. These groups are limited in their integration with O365.
The image below outlines the services that are automatically created based on where you create the group. The services in light blue are created with every group; the others are not.
When you create an O365 group, a Modern SharePoint Team site is created as well. The O365 group owners are put in the SharePoint Owners group and the O365 group members are put in the SharePoint Members group.
The O365 group does not replace SharePoint groups. The O365 group acts like a distribution list or AD group: you add the group name as an object and that gives all of its users access. Using the O365 group, you are adding the users in bulk.
In a simple, straightforward team scenario, using the O365 group to give everyone the same level of access is enough.
Yet, many times, there are other users involved. For example, users outside the team may need only read access to the SharePoint content (not the Team conversations and other related applications content). For this, we would give those users access to the content via the SharePoint interface, for example by adding them to the Visitors group.
Hence, O365 groups do not replace SharePoint groups. You need both to manage your modern SharePoint sites.
When rolling out or allowing Office 365 groups, here is what to consider:
By default, anyone can create an O365 group. For most organizations, allowing everyone to create groups will turn your environment into the wild west. In most cases, you will want to restrict group creation to some extent. The question is who your group creators are. Perhaps there is training users must attend before they can create groups. You may want to limit creation to your IT teams so they can monitor and determine if the group is needed. You can limit creation to a specific group using PowerShell, see how here.
Furthermore, you can implement a self-provisioning process that includes an approval step. Users would submit a request for a new group, and upon approval the group would automatically get created. The process can be built using a SharePoint list and Flow. Here is an example of provisioning teams via Flow.
Create a governance plan that defines the criteria for creating new O365 groups.
Here are some questions you may want to address in your plan:
Naming conventions are always helpful in easily identifying and maintaining groups. In Azure, you can enforce naming policies by requiring a prefix and/or suffix. The prefix/suffix can either be a string or an attribute. Attributes include: Department, Company, Office, StateorProvince, CountryorRegion and Title.
You can also reserve or block keywords. For example, you can block the name of each department as a keyword. This way, a group called Marketing is the group for the entire department and not a subset of the department calling themselves Marketing. The teams within Marketing would have to use a more specific name for their groups.
Note: Administrators are exempt from the policies so they would be able to use blocked and reserved keywords and go outside of the rules as needed. See more information here.
Create groups dynamically based on user or device attributes. This allows groups to be self-maintained without the need to constantly add and remove users. This is great for managing large groups such as Department or Location based groups. See more information here.
When a group is deleted, all the content related to the group gets deleted. The O365 group owners can delete their groups. You may want to consider making IT the owners of groups so that users cannot accidentally delete all the content related to the group.
An admin can restore a deleted group and its content up to 30 days from when it was deleted. In order to avoid missing this window, you may want to set up Alert Policies so that you are notified when O365 groups get deleted.
You can set a date for when the group will expire. If the group is active, it will automatically renew itself. Otherwise, if the group is not renewed, the group and all its resources are deleted. The group can be restored up to 30 days from when it was deleted. Owners will get renewal notifications 30, 15 and 1 day before the group expiration; if the group is not renewed, it will be deleted. See more information here.
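To make the 30-day restore window and the expiration policy visible to administrators, the following added example (not part of the original article) lists soft-deleted groups with the days left before they can no longer be restored, then shows the expiration policy in force. It assumes the AzureAD PowerShell module; the 7-day escalation threshold is an assumption.

```powershell
# Added example, not from the original article. Requires the AzureAD module.
Connect-AzureAD

$restoreWindowDays = 30   # restore window stated in the article
$escalateAtDays    = 7    # assumption: threshold for flagging a group as urgent

# Soft-deleted O365 groups that can still be restored, least time left first.
$deleted = Get-AzureADMSDeletedGroup -All $true | ForEach-Object {
    $deletedUtc = ([datetime]$_.DeletedDateTime).ToUniversalTime()
    $purgeOn    = $deletedUtc.AddDays($restoreWindowDays)
    $daysLeft   = [math]::Floor(($purgeOn - [datetime]::UtcNow).TotalDays)
    [pscustomobject]@{
        DisplayName = $_.DisplayName
        Id          = $_.Id
        DeletedUtc  = $deletedUtc
        DaysLeft    = $daysLeft
        Urgent      = $daysLeft -le $escalateAtDays
    }
} | Sort-Object DaysLeft

$deleted | Format-Table DisplayName, Id, DeletedUtc, DaysLeft, Urgent -AutoSize

# Restore one group after confirming with its owners (Id taken from the table above):
# Restore-AzureADMSDeletedDirectoryObject -Id '<group-object-id>'

# Expiration policy currently in force, if any. With no policy, groups never expire.
$policy = Get-AzureADMSGroupLifecyclePolicy
if ($policy) {
    $policy | Format-List GroupLifetimeInDays, ManagedGroupTypes, AlternateNotificationEmails
} else {
    Write-Warning 'No group expiration policy is configured for this tenant.'
}
```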
Expiration policies are a great way to get rid of teams that are inactive, but what if you need to retain these inactive groups? For that, we can use retention policies. If a group is set to expire but it is classified as content that needs to be retained, the retention policy wins and the content is kept.
Retention policies are set in the Security and Compliance admin center. Retention policies are applied to specific locations: SharePoint, Exchange, OneDrive, O365 groups, Skype and Teams. Based on your retention policy, content will be retained or deleted. See more information here.
Sensitivity labels can be used across O365 to label content based on its sensitivity. Once content is labeled, the label can just be there for awareness purposes or you can then implement measures to protect your data. You can mark the content, enforce encryption, protect content in O365 and 3rd party apps, or block guest access. See more information here.
Access reviews allow you to periodically force group owners and/or members to review the group’s membership. Reviews can be triggered on an ad-hoc basis or set to run as a recurrence. You can determine who is being reviewed, Everyone or Guests Only, and who the reviewers responsible for reviewing the group are. See more information here.
With PowerShell, you can create classifications for your groups for users to fill out when they create a group. Classify your groups to help clearly organize and identify them. For example, you may want to use them to classify the group’s purpose with choices like Project, Team, Org-wide. Once you have set the choices for your classifications, the choices will appear in the classification drop-down menu. See how to add the classification choices via PowerShell here.
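Restricting who can create groups, the naming policy with blocked words, and the classification choices described above are all stored in one tenant-wide directory setting. The following added example (not part of the original article) sets them together, assuming the AzureADPreview PowerShell module; the group name, prefix, blocked words and default classification are hypothetical values.

```powershell
# Added example, not from the original article. Requires the AzureADPreview module.
# The group name, naming rule, blocked words and default classification are assumptions.
Import-Module AzureADPreview
Connect-AzureAD

$creatorsGroupName = 'O365-Group-Creators'          # hypothetical security group
$namingRule        = 'GRP_[Department]_[GroupName]' # prefix string + attribute
$blockedWords      = 'Marketing,Finance,HR'         # reserved for department-wide groups
$classifications   = 'Project,Team,Org-wide'        # choices named in the article

# Tenant-wide group settings live in one directory setting built from the
# "Group.Unified" template. It does not exist until it is created once.
$setting = Get-AzureADDirectorySetting | Where-Object DisplayName -eq 'Group.Unified'
if (-not $setting) {
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object DisplayName -eq 'Group.Unified'
    New-AzureADDirectorySetting -DirectorySetting $template.CreateDirectorySetting() | Out-Null
    $setting = Get-AzureADDirectorySetting | Where-Object DisplayName -eq 'Group.Unified'
}

# Resolve the creators group first and stop if the name is missing or ambiguous,
# so creation rights are never granted to the wrong group.
$creators = @(Get-AzureADGroup -SearchString $creatorsGroupName |
    Where-Object DisplayName -eq $creatorsGroupName)
if ($creators.Count -ne 1) {
    throw "Expected exactly one group named '$creatorsGroupName', found $($creators.Count)."
}

$setting['EnableGroupCreation']           = $false   # only the group below may create
$setting['GroupCreationAllowedGroupId']   = $creators[0].ObjectId
$setting['PrefixSuffixNamingRequirement'] = $namingRule
$setting['CustomBlockedWordsList']        = $blockedWords
$setting['ClassificationList']            = $classifications
$setting['DefaultClassification']         = 'Team'

Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting

# Read the stored values back to confirm what is now enforced.
(Get-AzureADDirectorySetting -Id $setting.Id).Values |
    Where-Object Name -in 'EnableGroupCreation', 'GroupCreationAllowedGroupId',
        'PrefixSuffixNamingRequirement', 'CustomBlockedWordsList', 'ClassificationList' |
    Format-Table Name, Value -AutoSize
```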
In summary, O365 groups are great for collaboration and productivity across the O365 suite of applications. Ensuring the right governance and controls are in place will make managing and maintaining these groups a lot easier.