Office 365 Groups are collaboration tools that bring together conversations, files, notes, and calendar events into one shared place. The document discusses how Office 365 Groups work, how to administer them, and demos of their functionality. It also covers new features like external guest access and upcoming developments like group classification and usage guidelines.
3. What are Office 365 Groups?
How do I work with them?
How do they work technically?
How can I administer?
Demos, Demos & more Demos
What’s new & What’s Next?
Office 365 Groups
From the ground up
Collab365 Global Conference
4. There are over 70 million active Office 365
commercial users.
Reference
11. All new Team Sites will get an Office 365 Group and
all new Office 365 Groups will get a Team Site.
Moving forward…
“Groups, Graph, and Governance” – Jeff Teper
Existing Office 365 Groups will get a full
SharePoint Team Site.
12. Office 365 Groups things to know
Eligible to use the NGSC for sync as of Sept release
Anyone can create a group and available in the Global Address List by default
A group can’t have more than 10 owners and a user can’t create more than 250 groups
Currently not supported in Outlook 2016 on the Mac
Groups with more than 1000 members are supported but will decrease performance
When a group owner leaves, all content is saved but new admin must be set at high level
Office 365 Groups can be used as security groups in SharePoint (but not O365 Video)
Group site collections exist under “/sites” managed path but cannot be seen via SP Admin Center
17. One group system across Office 365
One identity
Federated resources
Loose coupling
SharePoint
Documents
OneNote
Additional workloads
Workload
scenarios
Exchange
Conversations
Calendar
Identity
Resource URLs
Owners
Members
AAD
18. Office 365 Admin Center
Management Options – User Interface
Office 365 Admin App
Azure AD Admin Portal
Exchange Admin Console
Outlook Groups App
Clients – (Outlook, Planner, PowerBI)
19. Management Options – Scripting
Powershell
Manipulating groups Manipulating group membership
Owners | Members | Subscribers
$creds = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange –ConnectionUri `
https://outlook.office365.com/powershell-liveid/ -Credential $creds -Authentication Basic -AllowRedirection
Import-PSSession $Session
Establish a remote session to Exchange Online
20. Useful Scripts for Groups to Get Started
Create group
New-UnifiedGroup –DisplayName “Legal” –Alias “Legal” –EmailAddresses legal@domain.com
Rename group
Set-UnifiedGroup -Identity “Legal” -Alias “Legal” -DisplayName “New Legal” -PrimarySmtpAddress legal@domain.com
View all subscribers, members or owners for a group
Get-UnifiedGroupLinks -Identity “Legal” -LinkType Subscribers
Show detailed info for all groups
Get-UnifiedGroup |
select Id,Alias, AccessType, Language,Notes, PrimarySmtpAddress, `
HiddenFromAddressListsEnabled, WhenCreated, WhenChanged, `
@{Expression={([array](Get-UnifiedGroupLinks -Identity $_.Id -LinkType Members)).Count }; `
Label='Members'}, `
@{Expression={([array](Get-UnifiedGroupLinks -Identity $_.Id -LinkType Owners)).Count }; `
Label='Owners'} |
Format-Table Alias, Members, Owners
21. Managing Group Creation
The old way but still can be used for OWA and Outlook 2016
Use an OWA Mailbox Policy to disable group creation for ALL users or a SUBSET of users
This does NOT disable group creation EXCEPT when trying to create through Outlook/Exchange
Creating groups in other clients/admin areas (PowerBI, Planner, etc…) would NOT disable
Set-OwaMailboxPolicy -Identity test.comOwaMailboxPolicy-Default -GroupCreationEnabled $false
22. Managing Group Creation through Azure AD
The new way uses Azure AD
No longer dependency on Exchange so it passes throughout Office 365
If OWA policy exists and AAD policy is enabled, OWA policy will be ignored
You can do 2 things:
Disable the default ability of everyone to create a new Office 365 Group
Point to an AAD group (Office 365 Group or Distribution Group) that contains a list of people who are
allowed to create groups
This group cannot have a group in it, must be individual users
Users with higher tenant roles already have access (company admin, mailbox admin, etc…)
Prerequisites
Azure AD Version 1.1.117.0 or later (currently preview)
23. Managing Group Creation through Azure AD
Steps to setup
1. Retrieve the Object ID for the group that contains the authorized users
Use Azure AD portal to get Object ID
Get-MsolGroup cmdlet to discover GUID via PowerShell
2. Use PowerShell to update the Azure AD policy
Pass the GUID of your authorized user group to GroupCreationAllowedGroupId
Connect-MsolService
$template = Get-MsolAllSettingTemplate | where-object {$_.displayname -eq “Group.Unified”}
$setting = $template.CreateSettingsObject()
$setting[“EnableGroupCreation”] = “false”
$setting[“GroupCreationAllowedGroupId”] = “7edd1d0b-557d-43e6-b583-4f3e0198c167”
New-MsolSettings –SettingsObject $setting
3. Confirm using PowerShell and test creating a group
Get-MsolAllSettings | ForEach Values
24. Group Guest Access
You can now grant external users access to Office
365 Groups
Does not comply with tenant
blacklist/whitelist
Enabled by default
Overall Group guest access is managed at
the tenant level
Guests cannot view IRM protected files
Guests needs to access via browser
Guests cannot:
Be an owner
View the GAL
View Group members or contact cards
Access Planner
Be blocked by specific user
Feature Guest user allowed?
Create a group No
Add/remove group members No
Delete a group No
Join a group Yes, by invitation
Start a conversation Yes
Reply to a conversation Yes
Search for a conversation Yes
@mention a person in the group No
Pin/Favorite a group No
Delete a conversation Yes
"Like" messages No
Manage meetings No
View group calendar No
Modify calendar events No
Add a group calendar to a personal calendar No
View and edit group files Yes, if enabled by tenant admin
Access the group OneNote notebook Yes, via link from group member
Browse groups No
25. Group Guest Access
Group owners can invite external
people to be guest users
Group members can request an
invitation for an external person
26. Group Guest Access Admin Controls
Guest addition to organization
• Allow invitation to guests users in the organization
• Office 365 Portal – Settings & Privacy > Sharing
Guest addition to groups
• Allow adding of guests to any group within the
organization.
• Office 365 Portal – Services & Add-Ins > Office 365 groups
• Allow adding of guests to a specific group in the
organization (only available in Power Shell)
Guest access to group resources
• Allow guests to access to any Office 365 group resources
• Office 365 Portal – Services & Add-Ins > Office 365 groups
27. Group Guest Access Powershell
Steps to block for tenant
1. Ensure that sharing is allowed in the SharePoint Admin Center / O365 Admin Center
2. Use PowerShell to update the Azure AD policy (if settings object exists)
$template = Get-MsolAllSettingTemplate | where-object {$_.displayname -eq “Group.Unified”}
$settings = Get-MsolSettings -SettingId $settings.ObjectId
$Value = $GroupSettings.GetSettingsValue()
$Value["AllowToAddGuests"] = "False"
$Value["AllowGuestsToAccessGroups"] = "True"
Set-MsolSettings -SettingId $settings.ObjectId -SettingsValue $Value
3. Set AllowGuestsToAccessGroups to False to instantly disable all external users from
accessing groups
28. Group Guest Access Powershell
Steps to block external access for a specific group
1. Ensure that sharing is allowed in the SharePoint Admin Center / O365 Admin Center
2. Use PowerShell to update the Azure AD policy for the group (if no group settings exist)
$group = Get-MsolGroup -All | Where-Object {$_.DisplayName -eq “GROUP DISPLAY NAME”}
$groupsettings = Get-MsolAllSettings -TargetObjectId $group.ObjectId
$template = Get-MsolSettingTemplate -TemplateId 08d542b9-071f-4e16-94b0-74abb372e3d9
$setting = $template.CreateSettingsObject()
$settingsnew = New-MsolSettings -SettingsObject $setting -TargetObjectId $group.ObjectId
$settings = Get-MsolAllSettings -TargetObjectId $group.ObjectId
$value = $GroupSettings.GetSettingsValue()
$value["AllowToAddGuests"] = "False"
Set-MsolSettings -SettingId $settings.ObjectId -SettingsValue $value -TargetObjectId $group.ObjectId
3. Run a check to see if it worked
(Get-MsolAllSettings -TargetObjectId $group.ObjectId).GetSettingsValue() | foreach values
29. Configuring multi-domain support
Example
Main domain is contoso.com
Default accepted domain is service.contoso.com (where groups get created by default)
You have a sub-domain called students.contoso.com and groups.contoso.com
Configured with Exchange Address Policy (EAP) via Exchange Powershell
Option 1:
All Office 365 Groups built under groups.contoso.com domain
New-EmailAddressPolicy -Name Groups -IncludeUnifiedGroupRecipients `
-EnabledEmailAddressTemplates "SMTP:@groups.contoso.com" -Priority 1
30. Configuring multi-domain support - Continued
Option 2:
Control what sub-domains Office 365 groups are created in by attribute
Set users which have their Department attribute set to Students to create groups by default in the
students.contoso.com domain
New-EmailAddressPolicy -Name StudentsGroups -IncludeUnifiedGroupRecipients -EnabledEmailAddressTemplates `
"SMTP:@students.contoso.com” ManagedByFilter {Department -eq 'Students'} -Priority 1
All other users will create groups in the groups.contoso.com domain
New-EmailAddressPolicy -Name OtherGroups -IncludeUnifiedGroupRecipients -EnabledEmailAddressTemplates `
"SMTP:@groups.contoso.com” -Priority 2
Only admins can perform this
Use the –RecipientFilter for available properties to filter on (company, city, office, etc…)
If you remove domain you need to update EAPs
Max limit of 100 EAPs per organization
31. • Office 365 Groups are created & managed in Azure Active Directory (AAD)
• Azure AD Connect enables synchronization of Groups with your on-premises Active Directory into
DLs with:
• Target Address - the service address of the Groups object
• Recipient Type Details - specifies that the Group is not mastered in the on-premises directory
• AAD Premium is required
• Exchange 2013 CU9 required (individual mailboxes are on-premises) or Exchange 2016
• Still lots of issues as primarily in preview
• Can also be configured to write back as a mail enabled security group
Office 365 Groups Hybrid Support
Resources:
• Configure Office 365 Groups with on-premises Exchange Hybrid
• Integrating your on-premises identities with Azure Active Directory
• Office 365 Groups write back
• How to write back an Office Group in Azure AD to a Mail Enabled Security Group
33. Security and Compliance
eDiscovery through Exchange and SharePoint
Data loss prevention
Preservation policies
Audit log and Content search
34. Management tidbits
Establish governance plan for groups
Establish AAD group creation policies
Monitor SharePoint Online Storage to ensure group sites not overtaking total storage
Establish a process to have groups admin support easily available for users
Run reports to try to track groups sprawl
Use UsageGuidelinesUrl and ClassificationList
Migrate multiple distribution lists to Office 365 groups – Link – (also via GUI)
35. Technical Options
Set access type (private or public)
Add quota setting for Group Sites
Set-UnifiedGroup -Identity "Legal" -AccessType Private
Set-SPOSite –Identity https://contoso.sharepoint.com/sites/<groupname> -StorageQuota 3000 -StorageQuotaWarningLevel 2000
*Before using the Set-SPOSite command, your site collection storage management must be set to Manual and not use pooled storage
View all subscribers, members or owners of a group
Get-UnifiedGroupLinks -Identity $groupAlias -LinkType Subscribers
$groupAlias = “TestView”
Available LinkTypes: Members | Owners | Subscribers
36. 1. Pass the groupalias to the Get-Recipient cmdlet to get the recipient details.
2. Pass the group to the Add-RecipientPermission cmdlet with the useralias
Technical Options…continued
Allow users to send as the Office 365 Group
Set naming policy via Exchange
$groupsRecipientDetails = Get-Recipient -RecipientTypeDetails groupmailbox -Identity $groupAlias
Add-RecipientPermission -Identity $groupsRecipientDetails.Name -Trustee $userAlias -AccessRights SendAs
$groupAlias = “TestSendAs”
$userAlias = “User”
Audit reports
This is set via EAC and it applies to Distribution Groups, dynamic distribution groups AND Office 365 Groups
*use carefully
View reports of who created, joined and shared Groups via Azure AD Portal
37. Technical Options…continued
Remove groups email from GAL (global address list)
Accept/Reject certain users from sending emails to groups
Set-UnifiedGroup –Identity $groupAlias –HiddenFromAddressListsEnabled $true
$groupAlias = “TestGAL”
–RejectMessagesFromSendersOrMembers or -AcceptMessagesOnlyFromSendersOrMembers
Set-UnifiedGroup –Identity $groupAlias –RejectMesssagesFromSendersOrMembers dmadelung@concurrency.com
$groupAlias = “TestHide”
Hide group members unless you are a member of the private group
$groupAlias = “TestSend”
Set-unifiedgroup –Identity $groupAlias –HiddenGroupMembershipEnabled:$true
38. Technical Options…continued
Find out which groups do not have owners
1. Get all groups into $groups then go through each looking at the ManagedBy property
$groups = Get-UnifiedGroup
ForEach ($G in $Groups) {
If ($G.ManagedBy -Ne $Null)
{
$GoodGroups = $GoodGroups + 1
}
Else
{
Write-Host "Warning! The" $G.DisplayName "has no owners"
$BadGroups = $BadGroups + 1
}
}
Write-Host $GoodGroups "groups are OK but" $BadGroups "groups lack owners"
40. External access
Groups SharePoint sites expanding (rolling out)
Group classification
Group usage guidelines URL
Groups iPad app
Privacy type conversion
Dynamic membership (requires Azure AD premium)
eDiscovery and Litigation available
Ability to change privacy type of created Group
Azure AD creation restriction
Upgrade a DL to a Group via GUI
As of 10/5/2016
What’s new in Office 365 Groups
42. • xxxx
Help Contribute &
Stay Informed!
O365 Groups UserVoice
https://office365.uservoice.com/forums/286611-office-365-groups
Microsoft Tech Community
https://techcommunity.microsoft.com
Office 365 Roadmap
https://fasttrack.microsoft.com/roadmap
Office Blogs
https://blogs.office.com/
Office 365 Admin Center – Message Center
https://portal.office.com/AdminPortal
Office 365 for IT Pros
http://exchangeserverpro.com/ebooks/office-365-for-it-pros
How many people are on Office 365?
Who is looking to go to Office 365?
Work anywhere, anytime, across all platforms
People will take paths to get work done if IT/Business does not provide solutions
Security/Compliance become more vital but is not just the users concerns
End users have more power to break security barriers with technology
Thanks to benjamin nialun & tony redmond
If you missed their field guide from ignite go watch it
One size does not fit all for collaboration – Christophe
Finding people becomes more vital
Communication is expected to move faster
Over controlled solutions lead to insecure data
Siloed teams lead to slow collaboration without cross functional learning
Projects and solutions are not built to the full potential due to lack of availability for knowledge transfer
Search needs to be more dynamic and flexible. Need more findability!
How easy is it to “properly” share content with users in a traditional sharepoint site
Are you using SP groups or AD groups?
Are you breaking inheritance everywhere?
Most importantly, are you getting the right people to help with the right tasks
Microsoft identified these issues
Groups -> Graph -> Governance
Groups are the new “experience” - An Office 365 Group makes the PEOPLE the priority and not the tools.
They are not a team site
They are not a yammer group
Not an eroom
They combined certain aspects that bring people together in a single application
The goal is to not know or care what type of software you are using whether its exchange/sharepoint/onedrive/yammer
Fast, quick deployment. **Caution, still need governance, don’t let these turn into eRooms that have been abandon.
Single definition ->they should not be misunderstood with other collab platforms
Public by default -> trying to encourage open collaboration
Sharing to non-members -> bring people together
Self-service -> non IT user controlled
Context & history -> have conversations and be able to know what happened
Simple to manage -> FOR THE END USER, Not IT PRO
They are not a technology
They are a solution that spans across office 365 and uses the strengths from different pillars and combines them into a collaboration solution
Good::
Frequently uses email
Team that uses email distribution group
Bad::
Not good for all company
Require granular permissions
Large-scale dynamic or nested email distribution lists
The merging of these two primary content areas eases confusion on what goes where
There are some great write-ups on what should go where but that is because it is not intuitive
The ability to easily move content between both sources is coming
“how do you know where to park in a parking lot”
Current understanding is that the team site the store files now will continue to be expanded upon for availabality
I’m sure this could change but here are the key areas to navigate to your group info via the browser
As you can tell there is not a single place to access “groups”
The user experience is different across clients but they all are part of the same “group” so much easier
My #1 starting point
View conversations as key here
Navigating to a group
Browsing conversations, planner, outlook, powerBI, files, onenote
Subscribing = get notifications of all conversations and calendars
Modern documents UI
Everything starts in azure AD
Azure AD combines to subsidiary services
Sync occurs between services
AAD is master directory but objects for groups exist in workload specific directories to permit integration with other workload components
Group object created in azure AD
Group mailbox created in exchange online
Group document library created in hidden site collection (will provision when a user accesses “Files” the first time)
Most common for an IT Pro
Most common for an IT Pro
Not necessary unless doing dynamic membership or gathering object info
Don’t know how to delete a group from it
Handy if you are out of the office and need to add a member
Similar to O365 app
Only OWA policies fall under outlook
Dynamics CRM can do it too
By default EVERYONE can create a group (remember public folderS)
MS wants groups to be user driven and not IT controlle
Use the Unified Groups commands to work with groups themselves and the United Group Links to work with membership
To use the commands you will use exchange online via PS
Multiple ways to administer
The downside of using an OWA mailbox policy is that it is a method specific to Exchange Online, where it is used to control the options available to users in the OWA client. As time went by and integrations with Office 365 Groups appeared that had no relationship with Exchange, the fact that OWA mailbox policies exist was ignored and any user was able to create new groups through these integrations. This is true for Power BI, Dynamics CRM, and Office 365 Planner, and when new groups are created with PowerShell.
Company Administrator
User Account Administrator
Mailbox Administrator
Partner Tier1 Support
Partner Tier2 Support
Directory Writers
Guest users are identified by an email address. The email address can point to another domain within Office 365, an email domain for a company that doesn’t exist within Office 365, or a consumer email service like Gmail.com or Yahoo.com.
After a guest user account is created in Azure Active Directory, it is first synchronized with Exchange Online and then with SharePoint Online. Once it exists in the Azure Active Directory instance for a tenant, the same guest user object can become a member of multiple Office 365 Groups
Guest users are identified by an email address. The email address can point to another domain within Office 365, an email domain for a company that doesn’t exist within Office 365, or a consumer email service like Gmail.com or Yahoo.com.
After a guest user account is created in Azure Active Directory, it is first synchronized with Exchange Online and then with SharePoint Online. Once it exists in the Azure Active Directory instance for a tenant, the same guest user object can become a member of multiple Office 365 Groups
Guest users are identified by an email address. The email address can point to another domain within Office 365, an email domain for a company that doesn’t exist within Office 365, or a consumer email service like Gmail.com or Yahoo.com.
After a guest user account is created in Azure Active Directory, it is first synchronized with Exchange Online and then with SharePoint Online. Once it exists in the Azure Active Directory instance for a tenant, the same guest user object can become a member of multiple Office 365 Groups
As an admin, you can specify the domain to be used when users in your organization create Office 365 groups.
EAPs are evaluated in the order of priority. A value of 1 means the highest priority. Once an EAP matches, no further EAP is evaluated and addresses that gets stamped on the Office 365 group are as per the matched EAP. If no EAPs match the specified criteria, then the Office 365 group gets provisioned in the organization’s default accepted domain.
As an admin, you can specify the domain to be used when users in your organization create Office 365 groups.
EAPs are evaluated in the order of priority. A value of 1 means the highest priority. Once an EAP matches, no further EAP is evaluated and addresses that gets stamped on the Office 365 group are as per the matched EAP. If no EAPs match the specified criteria, then the Office 365 group gets provisioned in the organization’s default accepted domain.
The option for group writeback in optional features will allow you to writeback Office 365 Groups to a forest with Exchange installed. This is a group which is always mastered in the cloud. If you have Exchange on-premises then you can write back these groups to on-premises so users with an on-premises Exchange mailbox can send and receive emails from these groups.
Issues:
Groups don’t appear for mailboxes moved to o365
New groups don’t appear in on-premises GAL
Groups don’t receive messages from on-premises users
Groups can sprawl but that necessarily isn’t a bad thing
Empowering end users drives adoption and collaboration
If you need control its possible but still light due to minimal viable product release
Exchange retention policies don’t work for group mailboxes
New-UnifiedGroup can also be used to migrate DLs 1 by 1
The DlIdentity parameter specifies the distribution group (also known as a distribution list or DL) that you want to migrate to an Office 365 Group. The distribution group must be a universal distribution group (the RecipientTypeDetails property value isMailUniversalDistributionGroup)
Even after you disable group creation, current groups can still be edited
Don’t set the naming policy unless you have to
Rumor is the GAL option coming to the GUI
Set the rejection for CEO/Executive groups
Rumor is the GAL option coming to the GUI
Set the rejection for CEO/Executive groups
Administering groups
Dynamic membership
Privacy type
Advanced file management
Connectors
A lot of these have come out very recently
MS is always listening
Reach out anytime
Multiple ways to administer
My #1 starting point
View conversations as key here
You can see your list of groups within the OneDrive for business landing page and view the files from there
New UI slowly rolling out
Integrated within office client
You can create a group from here too
Share communications/files around reports
You can create a group from here too
Requires PowerBI Pro
Every plan is a group
1 to 1 relationship
Very new to the market, looks like trello
Lots of updates coming
Once it moves out of first release navigation will be ocmpleted
View group content with CRM
Great sidekick
Correlates with new SharePoint mobile app
Where should you put things?
The merging of these two primary content areas eases confusion on what goes where
There are some great write-ups on what should go where but that is because it is not intuitive
The ability to easily move content between both sources is coming
“how do you know where to park in a parking lot”
Current understanding is that the team site the store files now will continue to be expanded upon for availabality