Plan for governance in Office 365 Groups

Office 365 Groups has a rich set of tools to implement the governance capabilities your organization might require. This article guides IT Pros to ask the right questions to determine their requirements for governance, and to meet them based on their organizational profile.

Why Office 365 Groups?


We know that organizations today are using a diverse toolset. There’s the team of developers using team chat, the executives sending email, and the entire organization connecting over enterprise social. Multiple collaboration tools are in use because every group is unique and has their own functional needs and workstyle. Some will use only email while others will live primarily in chat. If users feel the IT-provided tools do not fit their needs, they will likely download their favorite consumer app which supports their scenarios. Although this process allows users to get started quickly, it leads to a frustrating user experience across the organization with multiple logins, difficulty sharing, and no single place to view content.

This concept is referred to as “Shadow IT” and poses a significant risk to organizations. It reduces the ability to uniformly manage user access, ensure security, and service compliance needs. Office 365 Groups empowers users and reduces the risk of shadow IT by providing in a single step many of the tools needed to collaborate.

Office 365 Groups lets you choose a set of people with whom you wish to collaborate and easily set up a collection of resources for those people to share. Manually assigning permissions to resources is a thing of the past: adding a member to the Office 365 Group automatically grants that person the needed permissions to all assets provided by the group. The reverse also holds, so group membership is the access boundary you need to govern: whoever can add members to a group is effectively granting access to its mailbox, calendar, site, files and notebook in one step.

Technical Architecture

There are three main communication modalities supported by Office 365 Groups. Groups can be created within these experiences and used across the Office 365 suite:

  • Outlook: collaboration through email with a shared group inbox and calendar
  • Microsoft Teams: a persistent chat-based workspace where you can have informal, real-time, conversations around a variety of topics, organized by specific sub-groups
  • Yammer: enterprise social experience for collaboration

Note

Creating a new group via other teamwork applications - such as SharePoint, Planner or Stream - will create an Office 365 Group with an Outlook communication modality with the ability to connect to Microsoft Teams.

Depending on where an Office 365 Group is created, certain resources are provisioned automatically, such as:

  • Inbox - For email conversations between your members. This inbox has an email address and can be set to accept messages from people outside the group and even outside your organization, much like a traditional distribution list.
  • Calendar – For scheduling events related to the group
  • SharePoint Team Site – A central repository for information, links and content relating to your group
  • SharePoint Document Library – A central place for the group to store and share files
  • OneNote Notebook – For gathering ideas, research, and information
  • Planner – For assigning and managing project tasks among your group members
  • Yammer Group – A common place to have conversations and share information
  • Microsoft Teams – A chat-based workspace in Office 365

To learn more about which resources are created for each group, visit Learn about Office 365 Groups.

Note

When a new Office 365 Group is created via Yammer or Teams, the group isn't visible in Outlook or the address book because the primary communication between those users happens in their respective clients.

Important

When a new Yammer group is created, the Office 365 group does not create a group mailbox or calendar resource. Therefore, a Yammer group cannot be connected to Microsoft Teams. See Yammer and Groups

Where to start a conversation

There are multiple places to have a conversation within Office 365. Understanding where to start a conversation can help organizations define a strategy for communication.


  • Teams: chat-based workspace (high velocity collaboration) – inner loop

    • Built for collaboration with the people you work with every day
    • Puts information at the fingertips of users in a single experience
    • Add tabs, connectors and bots
    • Live chat, audio/video conferencing, recorded meetings.
  • Yammer: connect across the org (enterprise social) – outer loop

    • Communities of Practice - Cross-functional groups of people who share a common interest or expertise but are not necessarily working together on a day-to-day basis
    • Leadership connection, learning communities, role-based communities
  • Outlook Groups: modern DL (email-based collaboration)

  • SharePoint – Core content collaboration experience for all Office 365 Groups

    • Every Office 365 Group gets a connected SharePoint team site
    • Share content, create customized pages and author news
    • Connect existing SharePoint team sites to new Office 365 Groups


Managing and governing Office 365 at scale

Office 365 Groups has a rich set of tools to implement the governance capabilities your organization might require. The following section describes the capabilities, recommends best practices, and provides guidance to ask the right questions to determine the requirements for governance and how to meet them.


Control who can create Office 365 Groups

Groups can be created by end-users from multiple end-points including Outlook, SharePoint, Microsoft Teams, and other environments.


Tip

  • Strongly consider self-service to empower group owners.
  • Document and communicate how to request a group.
  • Revisit who can create groups during your cloud journey.
  • Consider controlling group creation with a security group whose membership is maintained by a dynamic membership rule, so that the right to create groups follows a directory attribute rather than a manually edited list.
  • Assess which group scenarios can be managed via dynamic membership and allow self-service for the rest.

There are three primary models of provisioning in Office 365 Groups: Open, IT-led or Controlled. The following table describes the advantages of each model.

Model          | Advantages
Open (default) | Users can create their own groups as needed without needing to wait for, or bother, IT.
IT-led         | Users request a group from IT. IT can guide them in selecting the best collaboration tools for their needs.
Controlled     | Group creation is restricted to specific people, teams or services. To learn more, see Manage who can create Office 365 Groups.

Your organization might have specific requirements to implement strict controls on who can create groups. Use the following table to help make the decision on which provisioning model fits your organization.

Decision points
  • Which provisioning model fits your organization's requirements?
  • Does your organization require limiting group creation to administrators?
  • Does your organization require limiting group creation to security group members?
  • Does your organization require some groups to be created dynamically based on user attributes, such as department?

Next steps
  • Document your organization's requirements for group and team creation.
  • Plan to implement these requirements as a part of your groups rollout.
  • Communicate and publish your policies to inform users of the behavior they can expect.
  • Plan to implement dynamic membership where applicable.

Important

Limiting group and team creation can slow users' productivity because many Office 365 services require that groups be created for the service to function. To learn more, see Why control who creates Office 365 Groups?

Resources

Group soft delete and restore

If you've deleted an Office 365 group, by default it's retained for 30 days. This 30-day period is called "soft-delete" because you can still restore the group. After 30 days, the group and associated content is permanently deleted and cannot be restored.

Tip

  • Communicate the restore process to your users.
  • Train your helpdesk team.
  • Track groups approaching permanent deletion with a PowerShell script.

Decision points
  • Do you require certain assets to be archived for long-term storage?
  • Do you have specific retention requirements for your organization?

Next steps
  • Communicate and publish the delete and restore policies to inform users of the behavior they can expect.
  • Document your organization's requirements for monitoring deleted groups.
  • Plan to implement these requirements as part of your groups rollout.

Important

During the soft-delete period, a user who tries to access the group's site receives a 403 Forbidden response. After the group is permanently deleted, the same request returns 404 Not Found. The difference tells the helpdesk whether a restore is still possible.

Resources
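The tip above asks for a script that tracks groups approaching permanent deletion. The following is an added example, not code from the original article: it lists soft-deleted Office 365 Groups with the days remaining in the 30-day window and restores one by its object ID. It assumes the ExchangeOnlineManagement and AzureADPreview modules, an account with Exchange and Azure AD admin rights, and that soft-deleted groups expose a WhenSoftDeleted timestamp (an assumption; the 30-day window is taken from the article).

```powershell
# Added example (not from the original article): report soft-deleted groups and restore one.
# Assumptions: ExchangeOnlineManagement + AzureADPreview modules, admin rights, and the
# WhenSoftDeleted property on soft-deleted UnifiedGroup objects.
Connect-ExchangeOnline
Connect-AzureAD

function Get-SoftDeletedGroupReport {
    param([int]$RetentionDays = 30)   # soft-delete window described in the article
    Get-UnifiedGroup -IncludeSoftDeletedGroups -ResultSize Unlimited |
        Where-Object { $_.WhenSoftDeleted } |
        ForEach-Object {
            $purgeOn = $_.WhenSoftDeleted.AddDays($RetentionDays)
            [pscustomobject]@{
                DisplayName    = $_.DisplayName
                ObjectId       = $_.ExternalDirectoryObjectId   # Azure AD object ID used for restore
                DeletedOn      = $_.WhenSoftDeleted
                DaysUntilPurge = [math]::Max(0, [int]($purgeOn - (Get-Date)).TotalDays)
            }
        } | Sort-Object DaysUntilPurge
}

# Anything purging within a week is the helpdesk's action list for the day.
$report = Get-SoftDeletedGroupReport
$report | Where-Object DaysUntilPurge -le 7 | Format-Table -AutoSize
$report | Export-Csv -Path .\soft-deleted-groups.csv -NoTypeInformation

function Restore-SoftDeletedGroup {
    param([Parameter(Mandatory)][string]$ObjectId)
    # Confirm the group is still in the soft-deleted state. Once purged, Azure AD no longer
    # lists it here and the site answers 404 instead of 403; nothing can bring it back.
    $deleted = Get-AzureADMSDeletedGroup | Where-Object Id -eq $ObjectId
    if (-not $deleted) {
        throw "Group $ObjectId is not soft-deleted (already purged, or never deleted)."
    }
    # Restores the group object and its connected mailbox, site, files and Planner plan together.
    Restore-AzureADMSDeletedDirectoryObject -Id $ObjectId
}

# Usage: Restore-SoftDeletedGroup -ObjectId '<object-id-from-the-report>'
```

Run the report from a scheduled task rather than by hand; the 403 vs 404 distinction in the note above is the same boundary the restore function checks before it calls Azure AD.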

Group naming policy

A naming policy can help you and your users identify the function of the group, membership, geographic region, or who created the group. The naming policy can also help categorize groups in the address book. You can use the policy to block specific words from being used in group names and aliases.

Tip

  • Use short strings as suffix.
  • Use attributes with values.
  • Don’t be too creative, total name length has a maximum of 264 characters.
  • Upload your organization specific blocked words to restrict usage.
Decision points
  • Does your organization require a specific naming convention for groups?
  • Does your organization require the naming convention across all workloads?
  • Does your organization have specific words that you want to prevent users from using?

Next steps
  • Document your organization's requirements for naming Office 365 Groups.
  • Plan to implement these requirements as part of your groups rollout.
  • Communicate and publish the naming policies and standards to inform users.

Important

The naming policy is applied to groups that are created across all groups workloads (like Outlook, Microsoft Teams, SharePoint, Planner, Yammer, etc). It gets applied to both the group name and group alias. It gets applied when a user creates a group and when group name or alias is edited for an existing group.

Resources

Group expiration policy

Administrators can specify an expiration period and any group that reaches the end of that period, and is not renewed, will be deleted. The expiration period begins when the group is created, or on the date it was last renewed. Group owners will automatically be sent an email before the expiration that allows them to renew the group for another expiration interval.

Once you set a group to expire:

  • Owners of the group are notified to renew the group as the expiration nears
  • Any group that is not renewed is deleted
  • Any Office 365 group that is deleted can be restored within 30 days by the group owners or the administrator

Tip

  • Pilot with specific groups initially.
  • Choose inactive groups based on the activity report in Office Admin center.
  • Communicate renewal process to group owners.
  • Onboard your helpdesk team.
  • Ensure groups have multiple owners and configure email for orphan groups.
Decision points
  • Does your organization require an expiration date for teams and groups?
  • What is your strategy for dealing with orphaned (ownerless) groups?

Next steps
  • Document your organization's requirements for group expiration, data retention, and archiving.
  • Plan to implement these requirements as part of your groups rollout.
  • Plan to implement a custom job to report on groups that have a single owner or are ownerless.

Important

When you change the expiration policy, the service recalculates the expiration date for each group. It always starts counting from the date when the group was created, and then applies the new expiration policy.

Resources
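The tips above recommend piloting expiration with specific groups and configuring a mailbox for orphaned groups. The following added example (not the article's own code) creates the tenant's group lifecycle policy with the AzureADPreview module, scopes it to a pilot list, and shows how a group is renewed. The lifetime, the alternate notification address and the pilot group names are assumptions; Azure AD Premium P1 is required.

```powershell
# Added example (not from the original article): group expiration policy scoped to a pilot.
# Assumptions: AzureADPreview module, Azure AD Premium P1, and the values below.
Connect-AzureAD

$lifetimeDays  = 180
$orphanMailbox = "groups-admin@contoso.com"   # assumed; receives renewal mail for ownerless groups

# A tenant has at most one lifecycle policy, so update it if it already exists.
$policy = Get-AzureADMSGroupLifecyclePolicy
if (-not $policy) {
    $policy = New-AzureADMSGroupLifecyclePolicy -GroupLifetimeInDays $lifetimeDays `
        -ManagedGroupTypes "Selected" -AlternateNotificationEmails $orphanMailbox
} else {
    Set-AzureADMSGroupLifecyclePolicy -Id $policy.Id -GroupLifetimeInDays $lifetimeDays `
        -ManagedGroupTypes "Selected" -AlternateNotificationEmails $orphanMailbox
}

# Pilot scope: only the groups listed here expire. Change ManagedGroupTypes to "All" after the pilot.
$pilotGroups = @("Project Falcon", "Marketing Events")   # assumed display names
foreach ($name in $pilotGroups) {
    $group = Get-AzureADMSGroup -Filter "displayName eq '$name'" | Select-Object -First 1
    if (-not $group) { Write-Warning "Pilot group '$name' not found"; continue }
    Add-AzureADMSLifecyclePolicyGroup -Id $policy.Id -GroupId $group.Id
    # Confirm the group is now attached to the policy (returns the policy object for that group).
    Get-AzureADMSLifecyclePolicyGroup -Id $group.Id | Select-Object Id, GroupLifetimeInDays
}

# Renewal: owners renew from the notification mail; an admin can renew a group on their behalf.
# Reset-AzureADMSLifeCycleGroup -GroupId $group.Id
```

Note the behavior called out in the Important box that follows: changing GroupLifetimeInDays later recalculates every attached group's expiration from its creation date, so a shorter lifetime can put long-lived groups into their renewal window immediately.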

Group guest access

Admins can control whether to allow guest access to Office 365 Groups for their whole organization or for individual Office 365 groups. They can also control who can allow guests to be added to groups.

Tip

  • Enable guest access at the tenant level. If needed, block for specific groups.
  • Govern using allow/block guest domains, guest inviter role, access reviews, terms of use.
  • Track guest user activity via audit logs.
Decision points
  • Do you need to restrict the ability to add guests to teams on a per-group basis?
  • Does your organization need to present relevant disclaimers for legal or compliance requirements?
  • Does your organization need to reduce the administrative overhead of adding and removing users?
  • Does your organization expect audit controls for guest/external access?

Next steps
  • Document requirements for guest/external access to classified groups, including how long guest access lasts and how often it is reviewed.
  • Document your organization's requirements for which groups will require terms of use and access reviews.
  • Perform reviews to efficiently manage group memberships for both internal and guest users.

Resources
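The first tip above says to leave guest access on at the tenant level and block it for specific groups. The following added example (not the article's code) does the per-group part with the AzureADPreview module's object settings, using the Group.Unified.Guest template, and then audits guests who are already members, because blocking additions does not remove anyone. The group name is an assumption.

```powershell
# Added example (not from the original article): block guest additions on one group and audit
# its existing guests. Assumptions: AzureADPreview module and the group display name below.
Connect-AzureAD

function Set-GroupGuestAccess {
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [Parameter(Mandatory)][bool]$AllowToAddGuests
    )
    # Per-group setting: overrides the tenant-wide Group.Unified value for this group only.
    $existing = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $GroupId |
        Where-Object DisplayName -eq "Group.Unified.Guest"
    if ($existing) {
        $existing["AllowToAddGuests"] = $AllowToAddGuests
        Set-AzureADObjectSetting -TargetType Groups -TargetObjectId $GroupId `
            -Id $existing.Id -DirectorySetting $existing
    } else {
        $template = Get-AzureADDirectorySettingTemplate |
            Where-Object DisplayName -eq "Group.Unified.Guest"
        $setting = $template.CreateDirectorySetting()
        $setting["AllowToAddGuests"] = $AllowToAddGuests
        New-AzureADObjectSetting -TargetType Groups -TargetObjectId $GroupId -DirectorySetting $setting
    }
}

$group = Get-AzureADGroup -SearchString "Finance - Highly Confidential" | Select-Object -First 1
Set-GroupGuestAccess -GroupId $group.ObjectId -AllowToAddGuests $false

# Verify the effective per-group value.
(Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $group.ObjectId).Values

# Guests already in the group keep their access until removed; list them for the access review.
Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
    Where-Object UserType -eq "Guest" |
    Select-Object DisplayName, Mail, UserPrincipalName
```

Pair this with the audit log: the per-group block prevents new invitations, but the guest list it prints is what an access review or a removal job has to act on.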

Group policies & information protection

Office 365 Groups is built on the security and compliance capabilities of Office 365 and supports classifications, auditing and reporting, compliance content search, eDiscovery, Legal Hold, and retention policies.

Tip

  • Configure classification, usage guidelines, and labels aligned with your organization's needs.
  • Retention policies can be defined independently of labels.
  • Audit groups activities: creation, deletion, etc.
  • Manage group privacy and guest access based on classification.
Decision points
  • Does your organization have specific usage requirements that need to be communicated to all users?
  • Does your organization require the classification of all content?
  • Does your organization require content to be retained for a specific period of time?
  • Does your organization require specific data retention policies to be applied to groups?
  • Does your organization expect to require the ability to archive inactive groups to preserve their content?
  • Do group creators need the ability to assign organization-specific classifications to teams?

Next steps
  • Document your organization's usage guidelines for groups.
  • Document your organization's requirements for classification.
  • Determine the policies to be enforced based on the classification, e.g. sensitivity, retention, guest access.
  • Define the sensitivity labels for your organization and the protection settings you want associated with them.
  • Define a label policy to control which users and groups see those labels.
  • Plan to implement these requirements as a part of your groups rollout.

Resources
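Several controls discussed on this page (who can create groups, the naming policy and blocked words, usage guidelines, classifications, and the tenant-level guest switch) all live in the same Azure AD directory setting, Group.Unified, referenced in the checklist at the end of the article. The following is an added example, not the article's own script, that configures them in one pass with the AzureADPreview module. The security group name, URLs, naming pattern, blocked words and classification list are assumptions; the naming, classification and usage-guideline keys require Azure AD Premium P1.

```powershell
# Added example (not from the original article): tenant-wide Group.Unified settings.
# Assumptions: AzureADPreview module, Global Administrator, and the values below.
Connect-AzureAD

function Get-OrCreateUnifiedGroupSetting {
    # The setting object does not exist until it is created from the template once.
    $setting = Get-AzureADDirectorySetting | Where-Object DisplayName -eq "Group.Unified"
    if (-not $setting) {
        $template = Get-AzureADDirectorySettingTemplate | Where-Object DisplayName -eq "Group.Unified"
        New-AzureADDirectorySetting -DirectorySetting $template.CreateDirectorySetting() | Out-Null
        $setting = Get-AzureADDirectorySetting | Where-Object DisplayName -eq "Group.Unified"
    }
    return $setting
}

$setting = Get-OrCreateUnifiedGroupSetting

# 1. Controlled provisioning: only members of an assumed security group may create groups.
#    Global admins are always exempt; members of this group need a P1 license for this control.
$creators = Get-AzureADGroup -SearchString "O365 Group Creators" | Select-Object -First 1
$setting["EnableGroupCreation"]         = "False"
$setting["GroupCreationAllowedGroupId"] = $creators.ObjectId

# 2. Naming policy: creator's department as prefix, fixed suffix; [GroupName] is mandatory.
#    A user in "Finance" naming a group "Budget" gets "Finance-Budget-GRP". Keep the total under 264.
$setting["PrefixSuffixNamingRequirement"] = "[Department]-[GroupName]-GRP"
$setting["CustomBlockedWordsList"]        = "CEO,Payroll,HR,Legal"   # assumed; comma-separated

# 3. Usage guidelines link shown on every creation endpoint (assumed URLs), for members and guests.
$setting["UsageGuidelinesUrl"]      = "https://intranet.contoso.com/groups/guidelines"
$setting["GuestUsageGuidelinesUrl"] = "https://intranet.contoso.com/groups/guest-guidelines"

# 4. Classifications a creator can choose from, with the default applied when none is picked.
$setting["ClassificationList"]         = "General,Confidential,Highly Confidential"
$setting["DefaultClassification"]      = "Confidential"
$setting["ClassificationDescriptions"] = "General:Low impact,Confidential:Business data,Highly Confidential:Regulated data"

# 5. Tenant-level guest access stays on; block it per group where the classification demands it.
$setting["AllowToAddGuests"]          = "True"
$setting["AllowGuestsToAccessGroups"] = "True"

Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting

# Verify the effective Name/Value pairs before publishing the policy to users.
(Get-AzureADDirectorySetting -Id $setting.Id).Values
```

Because every workload (Outlook, Teams, SharePoint, Planner, Yammer) reads this one setting, verifying the values once is enough; the naming rule and blocked words apply on creation and on rename, as the naming policy section's Important box states.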

Upgrade traditional collaboration tools

For years organizations have relied on distribution groups to communicate and collaborate with groups of people both inside and outside the company. Now, however, Office 365 Groups in Outlook offer a more powerful solution for collaboration. In addition, being able to connect an Office 365 group to an existing SharePoint site is important if you want to modernize that site.

Tip

  • Upgrade all of your eligible distribution lists at once via the Exchange admin center, or with PowerShell cmdlets.
  • Connect existing SharePoint team sites to new Office 365 Groups.

Decision points
  • Does your organization have distribution lists that are not eligible for upgrade?
  • Which type of group should each distribution list be migrated to?

Next steps
  • Identify which distribution lists are candidates for upgrading to Office 365 Groups.
  • Analyze your existing SharePoint team sites to see which sites are ready to be group-connected.
  • Let other teams in your company know that you upgraded your distribution groups and what steps you took to make it successful.

Resources
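The tip above mentions bulk upgrade of eligible distribution lists with PowerShell. The following added example (not the article's code) uses the Exchange Online cmdlets to list what is eligible, record what is not so it can be handled by hand, run the upgrade, and then re-check a setting that matters for security: whether the resulting group still accepts mail from outside the tenant. It assumes the ExchangeOnlineManagement module and Exchange admin rights.

```powershell
# Added example (not from the original article): bulk DL-to-group upgrade with a pre/post check.
# Assumptions: ExchangeOnlineManagement module and Exchange administrator rights.
Connect-ExchangeOnline

# Exchange's own eligibility check (cloud-managed, no nesting, no moderation, and so on).
$eligible = Get-EligibleDistributionGroupForMigration -ResultSize Unlimited
$eligible | Select-Object DisplayName, PrimarySmtpAddress | Format-Table -AutoSize
$eligibleAddresses = @($eligible.PrimarySmtpAddress)

# Record the DLs that are not eligible, with the attributes that usually explain why.
Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { $eligibleAddresses -notcontains $_.PrimarySmtpAddress } |
    Select-Object DisplayName, PrimarySmtpAddress, IsDirSynced, ManagedBy,
                  RequireSenderAuthenticationEnabled, ModerationEnabled |
    Export-Csv -Path .\dl-not-eligible.csv -NoTypeInformation

# Upgrade in bulk. The operation is asynchronous; a DL disappears from Get-DistributionGroup
# once its group has been created.
if ($eligibleAddresses.Count -gt 0) {
    Upgrade-DistributionGroup -DlIdentities $eligibleAddresses
}

# Post-check (run once the upgrade has completed): a DL that accepted external mail becomes a
# group whose shared inbox also accepts it. Review those groups explicitly rather than inheriting
# the old behaviour by default.
Get-UnifiedGroup -ResultSize Unlimited |
    Where-Object { $eligibleAddresses -contains $_.PrimarySmtpAddress } |
    Select-Object DisplayName, PrimarySmtpAddress, AccessType, RequireSenderAuthenticationEnabled |
    Format-Table -AutoSize
```

Groups that should not receive external mail can be corrected with Set-UnifiedGroup -RequireSenderAuthenticationEnabled $true after the upgrade completes.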

Groups reporting

The Office 365 Reports dashboard shows you the activity overview across the Office 365 products in your organization. It enables you to drill in to individual product level reports to give you more granular insight about the activities within each product.

Tip

  • You can use the Groups activity reports to gain insights into the activity of Office 365 Groups in your organization and see how many Office 365 Groups are being created and used.
  • The Office 365 Groups report can be viewed for trends over the last 7 days, 30 days, 90 days, or 180 days.
  • Monitor group activity across group mailbox conversations, group site/files activity, and details around group membership including external member counts.
  • Monitor regularly and reach out to the owners of active groups to learn their use cases and amplify them internally.
  • Leverage Power BI content packs for additional insights.

Decision points
  • Does your organization require regular reports to understand usage of Office 365 Groups?
  • Does your organization require reporting on all groups that have external members?

Next steps
  • Document your organization's requirements for regularly reviewing groups activity reports.

Resources

Getting started based on your cloud adoption journey

Office 365 Groups provides a rich set of governance capabilities your organization might require. Consider the following organization profiles as guidance to understand best practices, ask the right questions to determine the requirements for governance, and how to meet them.

Consider the following organization profiles:

  • Small Business
  • Medium-sized Business
  • Regulated or Enterprise

Small business

Consider an organization that has deployed Office 365 with at least Exchange Online and SharePoint Online licenses (the Business Essentials and Business Premium plans, and the Enterprise E1, E3 and E5 plans) but no Azure Active Directory Premium licensing.

Guidance
  • Consider a self-service provisioning model.
  • Groups in Outlook and SharePoint sites are private by default.
  • Groups can be created by upgrading existing distribution lists (DLs) either one-by-one or in bulk via PowerShell. See Upgrade distribution lists to Office 365 Groups.
  • Enable guest access but govern it using allow/block guest domains.
  • Use group reporting to gain insights on how users are using groups.
  • Consider creating an org-wide team in Microsoft Teams as a way for everyone to be part of a single team for collaboration.

Next Steps
  • Consider using site designs and site scripts to define default site settings and controls, using the actions defined in the site design JSON schema reference.
  • Review groups reporting:
    • Track total groups and inactive/active groups.
    • Track both Exchange and SharePoint storage used.
    • View group activity across group mailbox conversations, group site/files activity, etc.

Medium-sized business

In addition to the above recommendations, consider the following for a medium-sized business that has deployed Office 365 with at least Enterprise E3/E5 and Azure Active Directory Premium P1 licenses.

Guidance
  • Decide on an Open or IT-led provisioning model.
  • Consider creating certain groups tied to dynamic membership rules based on Azure AD attributes like Department.
  • Define classifications within your organization, e.g. Highly Confidential, Confidential (default), General.
  • Define the policies based on classification, such as retention and sensitivity.
  • SharePoint is the content service for every Office 365 Group. Consider designing and deploying SharePoint Online sites for three tiers of protection (baseline, sensitive, and highly confidential). For more information about these three tiers of protection, see Secure SharePoint Online sites and files.
  • Both public and private groups are listed in the GAL by default. Determine which groups you want to appear in the GAL, specifically groups created outside of Microsoft Teams. Use the Set-UnifiedGroup cmdlet's HiddenFromAddressListsEnabled or HiddenFromExchangeClientsEnabled parameter to hide specific groups.

Next Steps
  • Define usage guidelines to educate your users about best practices that help keep their groups effective, and educate them on internal content policies, for example understanding classifications, policies and procedures.
  • Define the group lifecycle period after which groups must be renewed or will be deleted (expiration policy).
  • Consider creating the following custom jobs to implement policies based on classification:
    • Set privacy to Private.
    • Disable external membership/sharing.
    • Email group members of groups that have no owner.
    • Enforce an ownership policy (minimum of 2 owners).
  • Define retention policies for groups based on classification:
    • Overview of retention policies.
    • Using PowerShell to identify groups with a classification and Set-RetentionCompliancePolicy.
  • Consider using site designs and site scripts to define the controls using the actions defined within the JSON schema reference.
  • Consider building a simple site directory using a site design and Microsoft Flow. Whenever a site is created using this site design, details of the site are captured and written to a list.
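The "custom jobs" bullets above, and the earlier next step in the expiration section about reporting on single-owner and ownerless groups, describe one scheduled job. The following is an added example, not the article's code, that implements it with Exchange Online cmdlets: for groups carrying a locked-down classification it enforces Private access, hides them from the address lists and stops external senders; for every group it reports owner counts below the minimum. The classification names, the minimum owner count and the retention policy name are assumptions.

```powershell
# Added example (not from the original article): classification-driven enforcement and owner report.
# Assumptions: ExchangeOnlineManagement module, Exchange admin rights, and the values below.
Connect-ExchangeOnline

$minOwners  = 2
$lockedDown = @("Highly Confidential")   # assumed classification(s) that must be private and hidden

$findings = foreach ($g in Get-UnifiedGroup -ResultSize Unlimited) {
    $owners = @(Get-UnifiedGroupLinks -Identity $g.Identity -LinkType Owners)

    if ($g.Classification -in $lockedDown) {
        # Anyone in the tenant can join a Public group, so force Private and keep it out of the GAL.
        if ($g.AccessType -ne "Private" -or -not $g.HiddenFromAddressListsEnabled) {
            Set-UnifiedGroup -Identity $g.Identity -AccessType Private -HiddenFromAddressListsEnabled $true
        }
        # A regulated group's shared inbox should not take mail from outside the tenant.
        if (-not $g.RequireSenderAuthenticationEnabled) {
            Set-UnifiedGroup -Identity $g.Identity -RequireSenderAuthenticationEnabled $true
        }
    }

    if ($owners.Count -lt $minOwners) {
        [pscustomobject]@{
            Group          = $g.DisplayName
            Classification = $g.Classification
            OwnerCount     = $owners.Count
            Owners         = ($owners.PrimarySmtpAddress -join ";")
            Members        = $g.GroupMemberCount
        }
    }
}

# Ownerless groups come first: nobody can renew, rename or manage them until an owner is assigned.
$findings | Sort-Object OwnerCount | Format-Table -AutoSize
$findings | Export-Csv -Path .\group-owner-findings.csv -NoTypeInformation

# Optional retention step (Security & Compliance PowerShell, Connect-IPPSSession): attach the
# locked-down groups to an existing retention policy. The policy name is assumed to exist.
# $regulated = (Get-UnifiedGroup -ResultSize Unlimited |
#     Where-Object { $_.Classification -in $lockedDown }).PrimarySmtpAddress
# Set-RetentionCompliancePolicy -Identity "Highly Confidential - 7 years" -AddModernGroupLocation $regulated
```

Schedule the job after the activity report refresh so the owner findings and the inactive-group list can be worked together; the CSV is the input for the "email members of ownerless groups" step, which depends on your mail relay and is not shown.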

Regulated or Enterprise

In addition to the above recommendations, consider the following for highly regulated organizations or large enterprises, such as government, financial services, or healthcare, that have deployed Office 365 with at least Enterprise E3/E5 and Azure Active Directory Premium P1/P2 licenses.

Guidance

Next Steps

Groups Management Capability Planning Checklist

A number of groups-related controls can be administered through Azure Active Directory. To learn more about configuring group settings, see Azure Active Directory cmdlets for configuring group settings.

Use the following table to determine which capabilities you will need in order to deploy your organization's requirements. It will help you determine which licenses you need so you can plan ahead.

Capability | Details | Azure AD Premium license required | Decision
Group naming policy | Prefix/suffix-based naming and custom blocked words. | P1 | TBD
Group classification | Assign classifications to teams. | P1 | TBD
Group guest access | Allow or prevent guests from being added to groups. | No | TBD
Group creation | Limit team creation to administrators. | No | TBD
Group creation | Limit team creation to security group members. | P1 | TBD
Group usage guidelines | Set a link to the group usage guidelines, visible on all group creation endpoints. | P1 | TBD
Hidden membership | Hide the members of the Office 365 Group from users who aren't members of the group. | No | TBD
Expiration policy | Manage the lifecycle of Office 365 Groups by setting an expiration policy. | P1 | TBD
Group activity reports | Gain insights into the activity of Office 365 Groups in your organization and see how many Office 365 Groups are being created and used. | No | TBD
Retention policy | Retain or delete data for a specific time period by setting retention policies for Office 365 Groups in the Security & Compliance Center. Note: using this feature requires Office 365 Enterprise E3 or above. | No | TBD
Data loss prevention policy | Identify sensitive information across Office 365 Group-connected sites and prevent accidental sharing. Note: using this feature requires Office 365 Enterprise E3 or above. | No | TBD
Archive and restore | Archive a team when it's no longer active but you want to keep it around for reference or to reactivate in the future. | No | TBD
Access reviews | Perform reviews to efficiently manage group memberships for both internal and guest users. | P2 | TBD
Terms of use | A simple method that organizations can use to present information to end users, ensuring users see relevant disclaimers for legal or compliance requirements. | P1 | TBD