Plan for governance in Office 365 Groups
Office 365 Groups has a rich set of tools to implement any governance capabilities your organization might require. This article guides IT Pros to ask the right questions to determine their requirements for governance and how to meet them based on their organizational profile.
Why Office 365 Groups?
We know that organizations today are using a diverse toolset. There’s the team of developers using team chat, the executives sending email, and the entire organization connecting over enterprise social. Multiple collaboration tools are in use because every group is unique and has its own functional needs and workstyle. Some will use only email while others will live primarily in chat. If users feel the IT-provided tools do not fit their needs, they will likely download their favorite consumer app that supports their scenarios. Although this process allows users to get started quickly, it leads to a frustrating user experience across the organization with multiple logins, difficulty sharing, and no single place to view content.
This concept is referred to as “Shadow IT” and poses a significant risk to organizations. It reduces the ability to uniformly manage user access, ensure security, and service compliance needs. Office 365 Groups empowers users and reduces the risk of shadow IT by providing in a single step many of the tools needed to collaborate.
Office 365 Groups lets you choose a set of people with whom you wish to collaborate, and easily set up a collection of resources for those people to share. Manually assigning permissions to resources is a thing of the past, as adding members to the Group automatically grants the needed permissions to all assets provided by the group.
There are three main communication modalities supported by Office 365 Groups. Groups can be created within these experiences and used across the Office 365 suite:
- Outlook: collaboration through email with a shared group inbox and calendar
- Microsoft Teams: a persistent chat-based workspace where you can have informal, real-time conversations around a variety of topics, organized by specific sub-groups
- Yammer: enterprise social experience for collaboration
Creating a new group via other teamwork applications - such as SharePoint, Planner or Stream - will create a Group with an Outlook communication modality with the ability to connect to Microsoft Teams.
Depending on where a Group is created, certain resources are provisioned automatically, such as:
- Inbox - For email conversations between your members. This inbox has an email address and can be set to accept messages from people outside the group and even outside your organization, much like a traditional distribution list.
- Calendar – For scheduling events related to the group
- SharePoint Team Site – A central repository for information, links and content relating to your group
- SharePoint Document Library – A central place for the group to store and share files
- OneNote Notebook – For gathering ideas, research, and information
- Planner – For assigning and managing project tasks among your group members
- Yammer Group – A common place to have conversations and share information
- Microsoft Teams – A chat-based workspace in Office 365
To learn more about which resources are created for each group, visit Learn about Office 365 Groups.
When a new Office 365 Group is created via Yammer or Teams, the group isn't visible in Outlook or the address book because the primary communication between those users happens in their respective clients.
When a new Yammer group is created, the Office 365 group does not create a group mailbox or calendar resource. Therefore, a Yammer group cannot be connected to Microsoft Teams. See Yammer and Groups.
Where to start a conversation
There are multiple places to have a conversation within Office 365. Understanding where to start a conversation can help organizations define a strategy for communication.
Teams: chat-based workspace (high velocity collaboration) – inner loop
- Built for collaboration with the people you work with every day
- Puts information at the fingertips of users in a single experience
- Add tabs, connectors and bots
- Live chat, audio/video conferencing, recorded meetings.
Yammer: connect across the org (enterprise social) – outer loop
- Communities of Practice - Cross-functional groups of people who share a common interest or expertise but are not necessarily working together on a day-to-day basis
- Leadership connection, learning communities, role-based communities
Outlook Groups: modern DL (email-based collaboration)
- Ubiquitous for targeted communication
- Upgrade DLs to Office 365 Groups – Why you should upgrade?
SharePoint – Core content collaboration experience for all Office 365 Groups
- Every Group gets a connected SharePoint team site
- Share content, create customized pages and author news
- Connect existing SharePoint team sites to new Office 365 Groups
Managing and governing Office 365 at scale
Office 365 Groups has a rich set of tools to implement any governance capabilities your organization might require. The following section describes the capabilities, recommends best practices, and provides guidance to ask the right questions to determine the requirements for governance, and how to meet them.
In this section:
- Control who can create Office 365 Groups
- Group soft delete and restore
- Group naming policy
- Group expiration policy
- Group guest access
- Group policies & information protection
- Upgrade traditional collaboration tools
- Groups reporting
Control who can create Office 365 Groups
Groups can be created by end-users from multiple end-points including Outlook, SharePoint, Microsoft Teams, and other environments.
- Strongly consider self-service to empower group owners.
- Document and communicate how to request a group.
- Revisit who can create groups during your cloud journey.
- Consider using dynamic membership to populate the security group whose members are allowed to create groups.
- Assess which group scenarios can be managed via dynamic membership and allow self-service for the rest.
There are three primary models of provisioning in Groups: Open, IT-led or Controlled. The following table describes the advantages of each model.
| Model | Advantages |
|---|---|
| Open (default) | Users can create their own groups as needed without needing to wait for, or bother IT. |
| IT-led | Users request a group from IT. IT can guide them in selecting the best collaboration tools for their needs. |
| Controlled | Group creation restricted to specific people, teams or services. To learn more, see Manage who can create Office 365 Groups. |
Your organization might have specific requirements to implement strict controls on who can create groups. Use the following table to help make the decision on which provisioning model fits your organization.
Limiting group and team creation can slow users' productivity because many Office 365 services require that groups be created for the service to function. To learn more, see Why control who creates Office 365 Groups?
- Manage who can create Office 365 Groups
- Populate groups dynamically based on object attributes
- How to change the default setting of Office 365 Groups for Outlook, to public or private
- Syncing Security Groups with team membership
Group soft delete and restore
If you've deleted an Office 365 group, by default it's retained for 30 days. This 30-day period is called "soft-delete" because you can still restore the group. After 30 days, the group and associated content is permanently deleted and cannot be restored.
- Communicate the restore process to your users.
- Train your helpdesk team.
- Track groups that are about to be permanently deleted by using a PowerShell script.
During the "soft-delete" period if a user tries to access the site they will get a 403 forbidden message. After this period if the user tries to access the site they will get a 404 not found message.
- Restore a deleted Office 365 Group
- Restore a deleted Office 365 group in Azure Active Directory
- Delete groups using the Remove-UnifiedGroup cmdlet
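One way to track soft-deleted groups that are approaching permanent deletion, as an added example that is not part of the original article. It assumes the AzureAD PowerShell module with an authenticated `Connect-AzureAD` session; the 7-day warning threshold and the CSV file name are illustrative choices.

```powershell
# Added example. Requires the AzureAD module and an authenticated session
# (Connect-AzureAD). Read-only: nothing is restored or purged.
$retentionDays  = 30   # soft-delete window stated in this section
$warnWithinDays = 7    # assumption: lead time the helpdesk wants

$now = [datetime]::UtcNow

$deleted = Get-AzureADMSDeletedGroup -All $true |
    Where-Object { $_.DeletedDateTime } |
    ForEach-Object {
        # Assumption: the directory timestamp is UTC.
        $deletedUtc = [datetime]::SpecifyKind([datetime]$_.DeletedDateTime, 'Utc')
        $purgeUtc   = $deletedUtc.AddDays($retentionDays)
        [pscustomobject]@{
            DisplayName = $_.DisplayName
            Mail        = $_.Mail
            Id          = $_.Id
            DeletedUtc  = $deletedUtc
            PurgeUtc    = $purgeUtc
            DaysLeft    = [math]::Floor(($purgeUtc - $now).TotalDays)
        }
    } | Sort-Object DaysLeft

# Groups whose restore window closes soon.
$urgent = @($deleted | Where-Object { $_.DaysLeft -le $warnWithinDays })

$deleted | Format-Table DisplayName, DeletedUtc, PurgeUtc, DaysLeft -AutoSize
Write-Output "$($urgent.Count) group(s) will be permanently deleted within $warnWithinDays days."

# Hand the urgent list to the helpdesk (file name is illustrative).
$urgent | Export-Csv -Path .\groups-nearing-permanent-delete.csv -NoTypeInformation

# To restore one while it is still inside the window:
#   Restore-AzureADMSDeletedDirectoryObject -Id <group Id from the report>
```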
Group naming policy
A naming policy can help you and your users identify the function of the group, membership, geographic region, or who created the group. The naming policy can also help categorize groups in the address book. You can use the policy to block specific words from being used in group names and aliases.
- Use short strings as suffix.
- Use attributes with values.
- Don’t be too creative; the total name length has a maximum of 264 characters.
- Upload your organization specific blocked words to restrict usage.
The naming policy is applied to groups that are created across all groups workloads (like Outlook, Microsoft Teams, SharePoint, Planner, Yammer, etc). It gets applied to both the group name and group alias. It gets applied when a user creates a group and when group name or alias is edited for an existing group.
- Office 365 Groups naming policy
- Enforce a naming policy for Office 365 groups in Azure Active Directory
- Azure Active Directory cmdlets for configuring group settings
- Preview Features for Group Naming
Group expiration policy
Administrators can specify an expiration period and any group that reaches the end of that period, and is not renewed, will be deleted. The expiration period begins when the group is created, or on the date it was last renewed. Group owners will automatically be sent an email before the expiration that allows them to renew the group for another expiration interval.
Once you set a group to expire:
- Owners of the group are notified to renew the group as the expiration nears
- Any group that is not renewed is deleted
- Any group that is deleted can be restored within 30 days by the group owners or the administrator
- Pilot with specific groups initially.
- Choose inactive groups based on the activity report in Microsoft 365 admin center.
- Communicate renewal process to group owners.
- Onboard your helpdesk team.
- Ensure groups have multiple owners and configure email for orphan groups.
When you change the expiration policy, the service recalculates the expiration date for each group. It always starts counting from the date when the group was created, and then applies the new expiration policy.
Group guest access
Admins can control whether to allow guest access to Office 365 Groups for their whole organization or for individual Office 365 groups. They can also control who can allow guests to be added to groups.
- Enable guest access at the tenant level. If needed, block for specific groups.
- Track guest user activity via audit logs.
- Manage guest access in Office 365 Groups
- Guest access in Office 365 groups
- Guest access in Office 365 groups – Admin Help
- Azure AD access reviews
- Google Federation
- Authorize guest access in Microsoft Teams
Group policies & information protection
Office 365 groups is built on the advanced security and compliance capabilities of Office 365 and supports classifications, auditing and reporting, compliance content search, e-discovery, Legal Hold, and retention policies.
- Configure classification, usage guidelines, and labels aligned with your organization's needs.
- Retention policies can be defined independently of labels.
- Audit groups activities: creation, deletion, etc.
- Manage group privacy and guest access based on classification.
- Link to your Office 365 Groups usage guidelines
- Create classifications for Office groups in your organization
- Configure Group settings
- Overview of retention policies
- Overview of sensitivity labels
- Overview of labels
- Search the audit log
- Create or remove an in-place legal hold
- Create a preservation policy
- Run a Content Search in the Office 365 Security & Compliance Center
- Bulk create and publish retention labels by using PowerShell
Upgrade traditional collaboration tools
For years organizations have relied on distribution groups to communicate and collaborate with groups of people both inside and outside the company. Now, however, Office 365 Groups in Outlook offer a more powerful solution for collaboration. In addition, being able to connect an Office 365 group to an existing SharePoint site is important if you want to modernize that site.
- Easily upgrade all your eligible distribution lists in seconds via the Exchange admin center, or using PowerShell cmdlets.
- Connect existing SharePoint team sites to new Office 365 Groups.
- Upgrade Distribution Lists (DL) to groups in Outlook:
  - Why you should upgrade your DL to groups in Outlook
  - Upgrade with one click via Exchange admin center or via PowerShell scripts
  - Migrate distribution lists to Office 365 Groups - Admin help
- Connect existing SharePoint sites to Office 365 groups:
  - Analyze and use the scanner data
  - SharePoint Modernization Scanner (a tool located on GitHub)
Groups reporting
The Office 365 Reports dashboard shows you the activity overview across the Office 365 products in your organization. It enables you to drill in to individual product level reports to give you more granular insight about the activities within each product.
- You can use the Groups activity reports to gain insights into the activity of Office 365 Groups in your organization and see how many Groups are being created and used.
- The Office 365 groups report can be viewed for trends over the last 7 days, 30 days, 90 days, or 180 days.
- Monitor group activity across group mailbox conversations, group site/files activity, details around group membership including external member counts.
- Monitor regularly so you can reach out to owners of active groups, learn their use cases, and amplify them internally.
- Leverage Power BI content packs for additional insights.
- Office 365 Reports in the admin center
- Office 365 Adoption content pack
- Azure AD content pack
- Microsoft Graph groups activity API
- Office 365 Groups Report (Unified Groups)
- Audit activity reports in the Azure Active Directory portal
- Microsoft Graph - Use delta query to track changes
Getting started based on your cloud adoption journey
Office 365 Groups provides a rich set of governance capabilities your organization might require. Consider the following organization profiles as guidance to understand best practices, ask the right questions to determine the requirements for governance, and how to meet them.
Consider the following organization profiles:
- Small Business
- Medium-sized Business
- Regulated or Enterprise
Consider an organization that has deployed Office 365 with at least Exchange Online and SharePoint Online licenses, which includes the Business Essentials and Business Premium plans, and the Enterprise E1, E3 and E5 plans with no Azure Active Directory Premium licensing.
In addition to the above recommendations, consider the following for medium-sized businesses that have deployed Office 365 with at least an Enterprise E3/E5 with Azure Active Directory Premium P1 licenses.
Regulated or Enterprise
In addition to the above recommendations, consider the following for highly regulated or large enterprises, such as government, financial services, or healthcare, that have deployed Office 365 with at least an Enterprise E3/E5 with Azure Active Directory Premium P1/P2 licenses.
Groups Management Capability Planning Checklist
A number of groups-related controls can be administered through Azure Active Directory. To learn more about configuring group settings, see Azure Active Directory cmdlets for configuring group settings.
Use the following table to determine which capabilities you will need to deploy to meet your organization's requirements. It will help you determine which licenses you need so you can plan ahead.
| Capability | Details | Azure AD Premium license required | Decision |
|---|---|---|---|
| Group naming policy | Use Prefix-Suffix–based, Custom Blocked Words. | P1 | TBD |
| Group classification | Assign classifications to teams. | P1 | TBD |
| Group guest access | Allow or prevent guests from being added to groups. | No | TBD |
| Group creation | Limit team creation to administrators. | No | TBD |
| Group creation | Limit team creation to security group members. | P1 | TBD |
| Group usage guidelines | Set a link to the Group Usage Guidelines which will be visible on all group creation endpoints. | P1 | TBD |
| Hidden membership | Hide the members of the Office 365 Group from users who aren't members of the group | No | TBD |
| Expiration policy | Manage the lifecycle of Office 365 groups by setting an expiration policy. | P1 | TBD |
| Group activity reports | Gain insights into the activity of Office 365 Groups in your organization and see how many Office 365 Groups are being created and used. | No | TBD |
| Retention policy | Retain or delete data for a specific time period by setting retention policies for Office 365 Groups in the Security & compliance center. Note: Using this feature requires licensing of Office 365 Enterprise E3 or above. | No | TBD |
| Data loss prevention policy | Identify sensitive information across Office 365 group connected sites and prevent the accidental sharing. Note: Using this feature requires licensing of Office 365 Enterprise E3 or above. | No | TBD |
| Archive and restore | Archive a team when it’s no longer active but you want to keep it around for reference or to reactivate in the future. | No | TBD |
| Access Reviews | Perform reviews to efficiently manage group memberships for both internal and guest users | P2 | TBD |
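To fill in the Decision column it helps to know what the tenant enforces today. The following read-only check is an added example, not part of the original article; it assumes the AzureADPreview module with an authenticated `Connect-AzureAD` session, and the report labels are illustrative.

```powershell
# Added example. Read-only: reports current values, changes nothing.
$name    = 'Group.Unified'
$unified = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq $name }
$source  = 'tenant setting'
if (-not $unified) {
    # No settings object exists yet, so the tenant runs on template defaults.
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq $name }
    $unified = $template.CreateDirectorySetting()   # in memory only, never saved
    $source  = 'template default'
}

function Get-GroupSetting([string]$Key) { [string]$unified[$Key] }

# Map the two creation settings onto the provisioning models in this article.
$allowedId = Get-GroupSetting 'GroupCreationAllowedGroupId'
$creation = if ((Get-GroupSetting 'EnableGroupCreation') -eq 'true') {
    'Open: any user can create groups'
} elseif ($allowedId) {
    'Controlled: members of ' + (Get-AzureADGroup -ObjectId $allowedId).DisplayName
} else {
    'Controlled: administrators only'
}

# The expiration policy lives in a separate lifecycle policy object.
$lifecycle  = Get-AzureADMSGroupLifecyclePolicy
$expiration = if ($lifecycle) {
    "$($lifecycle.GroupLifetimeInDays) days, applies to: $($lifecycle.ManagedGroupTypes)"
} else { '' }

$report = [ordered]@{
    'Group creation'                = $creation
    'Naming policy (prefix/suffix)' = (Get-GroupSetting 'PrefixSuffixNamingRequirement')
    'Custom blocked words'          = (Get-GroupSetting 'CustomBlockedWordsList')
    'Group classification'          = (Get-GroupSetting 'ClassificationList')
    'Guests can be added'           = (Get-GroupSetting 'AllowToAddGuests')
    'Usage guidelines URL'          = (Get-GroupSetting 'UsageGuidelinesUrl')
    'Expiration policy'             = $expiration
}

Write-Output "Group.Unified values read from: $source"
$report.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{
        Capability = $_.Key
        Current    = if ($_.Value) { $_.Value } else { '(not set)' }
    }
} | Format-Table -AutoSize -Wrap
```

Rows that show "(not set)" are capabilities from the checklist that have not yet been configured through directory settings.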