Office 365 Groups in Education

Office 365 Groups are a powerful new tool to enable contextual collaboration across Office 365 products. Groups can be pre-provisioned or created as needed by users in Exchange Online. Office 365 Groups have seen a high degree of adoption in Education since there is an immense need for ad-hoc collaboration. We have also received a lot of great feedback from our customers since the launch of Office 365 Groups, which has been helpful in establishing current best practices and planning the product roadmap.


Office 365 Group Features:

Owner-based management, multi-ownership, threaded discussions, email distribution address, public/private designation, OneDrive for Business file storage, calendar, subscribe/unsubscribe to updates


Common Office 365 Groups scenarios:

Ad-hoc collaboration, work management, teams, v-teams, PLCs



User-driven creation and self-service management let Office 365 Groups be rolled out at scale quickly and efficiently, as needed within an organization, without creating a massive backlog for IT. While this capability is highly beneficial in most cases, the tension between the efficiency of distributed management and the challenge of effective centralized governance can be difficult to navigate.


Common governance considerations:

1. Student groups - Schools often want to limit group creation rights to Educators

2. GAL impact - Office 365 Groups are shown in the GAL by default since they also work like an email distribution group

3. Single ownership - Groups with a single owner require IT intervention to establish ownership after that individual leaves the organization


Recommended approaches to fulfill the above governance requirements:

1. The Azure Active Directory management portal allows self-service group creation rights to be controlled by group membership. Students can participate in Office 365 Groups but would be prevented from creating their own.

2. Office 365 Groups that are automatically provisioned can continue to display in the GAL while user-provisioned groups can be hidden. This approach prevents ambiguity that could arise from user-determined naming conventions when users select email recipients from the GAL. The tradeoff is that it makes user-provisioned groups non-discoverable, so they rely upon group owners to add members to the group. Another solution that does not have this tradeoff is to prepend group names with an attribute of their owner such as "Department" using distribution group naming policies.

3. Detection of Office 365 Groups with single owners can generate an email to the owner, administrator, or helpdesk.


How-to samples:

Scenario #1 Limit Group Creators

If you have Azure Active Directory Premium, navigate to and select “Azure AD” under the “Admin” section.



Navigate to your Azure Active Directory utilized by Office 365 and select it.



Select “Configure” to view configuration options for Azure Active Directory.



Change Self-Service O365 Groups Users from “All” to “Some” and specify the group of users that should have rights to create O365 Groups.



If you do not have Azure Active Directory Premium you can accomplish the same result via PowerShell scripting of mailbox policies:

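    # Turn off Office 365 Group creation in the existing OWA mailbox policy
    Set-OwaMailboxPolicy -Identity "OWAMailboxPolicy-NoGroups" -GroupCreationEnabled $false
    # Assign that policy to a user who should not be able to create groups
    Set-CASMailbox -Identity 'Jeff Hey' -OwaMailboxPolicy "OWAMailboxPolicy-NoGroups"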

Visit the Office 365 Groups PowerShell guide for a list of available functionality.
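
To check that Scenario #1 took effect, the following added example (not part of the original post) reports which mailboxes can still create groups under their assigned OWA mailbox policy. The function name Get-GroupCreatorReport, the -AllowedCreators list and the sample accounts are hypothetical, and it assumes the OwaMailboxPolicy value on a CAS mailbox matches the policy's Name.

```powershell
# Added example (not from the original post). Input objects mirror the
# Name/IsDefault/GroupCreationEnabled properties of Get-OwaMailboxPolicy
# and the Name/OwaMailboxPolicy properties of Get-CASMailbox.
function Get-GroupCreatorReport {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Policies,
        [Parameter(Mandatory = $true)] [object[]] $Mailboxes,
        [string[]] $AllowedCreators = @()   # hypothetical allow-list, e.g. educators
    )
    # Index policies by name (PowerShell hashtable keys are case-insensitive)
    $byName = @{}
    foreach ($p in $Policies) { $byName[[string]$p.Name] = $p }
    $default = $Policies | Where-Object { $_.IsDefault } | Select-Object -First 1

    foreach ($m in $Mailboxes) {
        # A mailbox with no explicit policy falls back to the default policy
        $policy = if ($m.OwaMailboxPolicy) { $byName[[string]$m.OwaMailboxPolicy] } else { $default }

        if (-not $policy)                             { $finding = 'PolicyNotFound' }
        elseif (-not $policy.GroupCreationEnabled)    { $finding = 'Blocked' }
        elseif ($AllowedCreators -contains $m.Name)   { $finding = 'AllowedCreator' }
        else                                          { $finding = 'UnexpectedCreator' }

        [pscustomobject]@{ Mailbox = $m.Name; Policy = $policy.Name; Finding = $finding }
    }
}

# Constructed sample data so the example runs offline. In a live session use:
#   $policies  = Get-OwaMailboxPolicy
#   $mailboxes = Get-CASMailbox -ResultSize Unlimited
$policies = @(
    [pscustomobject]@{ Name = 'OwaMailboxPolicy-Default';  IsDefault = $true;  GroupCreationEnabled = $true }
    [pscustomobject]@{ Name = 'OWAMailboxPolicy-NoGroups'; IsDefault = $false; GroupCreationEnabled = $false }
)
$mailboxes = @(
    [pscustomobject]@{ Name = 'educator1'; OwaMailboxPolicy = 'OwaMailboxPolicy-Default' }
    [pscustomobject]@{ Name = 'student1';  OwaMailboxPolicy = 'OWAMailboxPolicy-NoGroups' }
    [pscustomobject]@{ Name = 'student2';  OwaMailboxPolicy = $null }                      # never assigned
    [pscustomobject]@{ Name = 'student3';  OwaMailboxPolicy = 'OwaMailboxPolicy-Retired' } # policy no longer exists
)

# Show only the mailboxes that need attention
Get-GroupCreatorReport -Policies $policies -Mailboxes $mailboxes -AllowedCreators 'educator1' |
    Where-Object { $_.Finding -ne 'Blocked' -and $_.Finding -ne 'AllowedCreator' }
```

Mailboxes that were never assigned the restrictive policy are reported as UnexpectedCreator, and a policy name that no longer resolves is reported as PolicyNotFound rather than being treated as blocked.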


Scenarios #2 & #3 Hide Groups and Audit Ownership

    # --- Import Exchange Online PowerShell Cmdlets ---
    $credential = Get-Credential
    # The connection URI is missing from the page; supply the Exchange Online remote PowerShell endpoint here.
    $connectionUri = "<Exchange Online remote PowerShell URI>"
    # Microsoft has since retired Basic authentication for Exchange Online PowerShell;
    # Connect-ExchangeOnline (ExchangeOnlineManagement module) is the current connection method.
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $connectionUri -Credential $credential -Authentication Basic -AllowRedirection
    Import-PSSession $Session

    # --- Setup variables ---
    # Admin to receive O365 policy violation notifications
    $notificationAdmin = ""
    # Account used to create O365 groups that should be listed in the GAL
    $groupProvisioningAlias = "admin"
    # Get all O365 groups (not just the default page of results)
    $allGroups = Get-UnifiedGroup -ResultSize Unlimited

    # --- GAL cleanup policy ---
    # Hide groups not managed by the group provisioning alias
    $needToHide = $allGroups | ?{ !$_.HiddenFromAddressListsEnabled -and $_.ManagedBy -notcontains $groupProvisioningAlias }
    $needToHide | %{ Set-UnifiedGroup -HiddenFromAddressListsEnabled $true -Identity $_.Identity }

    # --- Group ownership policy ---
    # Get groups that have less than two owners and any current owner of the group
    $needOwner = foreach ($group in $allGroups) {
        # @() keeps the result an array even when there are zero or one owners
        $owners = @(Get-UnifiedGroupLinks -Identity $group.Identity -LinkType Owners | Select-Object -ExpandProperty PrimarySmtpAddress)
        if ($owners.Count -lt 2) {
            # Add the notification admin as a recipient of the group ownership policy warning email
            New-Object -Type PSObject -Property @{ Owner = $owners + $notificationAdmin; Group = $group.Alias }
        }
    }

    # Send the group ownership policy warning emails
    $needOwner | %{ Send-MailMessage -SmtpServer "" -Port 587 -UseSsl -From $credential.UserName -To $_.Owner -Subject "Office 365 Group Owner Required" -Body ("Organization policy requires Office 365 Group """ + $_.Group + """ to have at least two owners. Please add an owner or remove the group if it is no longer in use.") -Credential $credential }