Microsoft 365 Groups Cheat Sheet

This is my compilation of some of the things you need to know about M365 Groups.

Over time, Microsoft has introduced different types of groups to manage users and computers. In all those scenarios, a group could perform one task, or two at most:
act as a Security Group, an Exchange Distribution List, or both at once.

Microsoft 365 Groups for the win

As you already know, the latest iteration is Microsoft 365 Groups, and it has been on the scene for quite a while now. Office 365 Groups, familiar?

But what does it do when you create one? What are its capabilities, and how does it help you bring all Microsoft 365 aspects under one group and, mainly, a single identity across Microsoft 365 resources?

Check the Microsoft 365 Groups Posters

A few places to manage an M365 Group

This follows from the fact stated above. An M365 Group is the backbone of the many services involved, so each service has its own way to access the group to meet its requirements.

  • M365 Admin Center > Groups
  • AAD Portal > Groups
  • Exchange Admin Console > Recipients > Groups
  • SPO Admin Console > Sites > Active Sites
  • Teams Admin Console > Manage Teams (if Teams has been enabled)
  • PowerShell > Get-UnifiedGroup or Get-AzureADGroup

1. An M365 Group is created automatically when:

  • You create a Team
  • You create a SharePoint Team site
  • You create a planner
  • You create a Yammer Community
  • You create a Shared Outlook inbox
  • You create a Stream
    and the list goes on…

Quick facts


2. Importance of the Owner being a member of a Group

A group owner can see pretty much everything that is happening in the services attached to the M365 Group and, most importantly, can manage the group: add or remove members, delete the group, etc.

However, for the owner to be able to search items in Teams or create a Planner inside a Team, for example, that owner must also be a member of that specific M365 Group.

Go to Admin Center > Groups > look for the Group in Active Groups > Members > click on View all and manage members
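
To find every group where an owner is not also a member, the check can be scripted. This is an added example, not part of the original post; it assumes an open Exchange Online PowerShell session for the live function, and the function names and sample addresses are made up for illustration.

```powershell
# Added example: find M365 Group owners who are not also members.
# Sample data below is constructed; the live function assumes an open
# Exchange Online session (Connect-ExchangeOnline).

function Get-OwnerNotMember {
    param(
        [Parameter(Mandatory)] [string] $Group,
        [string[]] $Owners  = @(),
        [string[]] $Members = @()
    )
    # -notcontains is case-insensitive, which suits SMTP addresses
    foreach ($owner in $Owners) {
        if ($Members -notcontains $owner) {
            [pscustomobject]@{ Group = $Group; OwnerNotMember = $owner }
        }
    }
}

function Get-TenantOwnerGap {
    # Walk every M365 Group and compare its Owners and Members links
    Get-UnifiedGroup -ResultSize Unlimited | ForEach-Object {
        $id      = $_.PrimarySmtpAddress
        $owners  = @(Get-UnifiedGroupLinks -Identity $id -LinkType Owners -ResultSize Unlimited |
                     ForEach-Object { $_.PrimarySmtpAddress })
        $members = @(Get-UnifiedGroupLinks -Identity $id -LinkType Members -ResultSize Unlimited |
                     ForEach-Object { $_.PrimarySmtpAddress })
        Get-OwnerNotMember -Group $_.DisplayName -Owners $owners -Members $members
    }
}

# Offline check with constructed addresses (bob is an owner but not a member)
Get-OwnerNotMember -Group 'Project-X' `
    -Owners  'alice@contoso.example', 'bob@contoso.example' `
    -Members 'Alice@contoso.example', 'carol@contoso.example'

# Live run:  Get-TenantOwnerGap | Export-Csv .\owner-gaps.csv -NoTypeInformation
# Fix one:   Add-UnifiedGroupLinks -Identity <group> -LinkType Members -Links <owner>
```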


3. Setting M365 Groups with an expiration

This is ideal for groups that are created for a specific project and that you know you'll no longer need after some time. It also eliminates the hassle of housekeeping work for groups later on.

Steps: Create the M365 Group from the Azure AD portal

Set expiration
Azure AD portal > Azure Active Directory > Groups > Expiration

Renewal notifications are emailed to group owners 30 days, 15 days, and one day prior to group expiration. Group owners must have Exchange licenses to receive notification emails. If a group is not renewed, it is deleted along with its associated content from sources such as Outlook, SharePoint, Teams, and Power BI.

Group lifetime (in days)


3. Controlling the Group creation feature

This option may come in handy for a medium or larger organization that wants control over Groups. It is recommended to turn this feature ON so that only IT admins can create Groups as required. This can eliminate duplication, as well as users creating a Group and then forgetting about it.

**Blocking this function removes the user's ability to create a Team, Planner or SharePoint site, for example, and only a selected group can perform such tasks**

**To manage who creates groups, the following people need Azure AD Premium licenses or Azure AD Basic EDU licenses assigned to them**

Rather than re-inventing the wheel, I will direct you to the Official Microsoft Docs page as it has the required steps. Please check here

It's important to go to Azure AD Portal > Azure AD > Groups > General under Settings.
Set the "Users can create Microsoft 365 groups in Azure portals" option to No and press Save.


4. Deletion and Restoring a M365 Group

A deleted group goes into a soft-deleted state, from which you can recover it within 30 days.

To recover: Go to Admin Center > Groups > Deleted Groups > Select the deleted group and click Restore Group

Use the commands below to permanently delete the Group. It WILL NOT remain in the Deleted Groups section, as it will be permanently purged.
To do this, first get the previously soft-deleted Group's Object ID.

Get-AzureADMSDeletedGroup

Purge the Group

Remove-AzureADMSDeletedDirectoryObject -Id <object ID>
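
Because a purge cannot be undone, it helps to see how long each soft-deleted group has left in the 30-day window before deciding to restore or purge. This is an added example, not part of the original post; the function name and sample objects are made up, and the live command assumes a Connect-AzureAD session and that deleted group objects carry a DeletedDateTime property.

```powershell
# Added example: days remaining before soft-deleted M365 Groups are purged.
# The 30-day window is the recovery period stated in this post.

function Get-PurgeWindow {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $DeletedGroup,
        [int] $RetentionDays = 30,
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    process {
        # Normalise to UTC so the comparison is not skewed by local time
        $deleted = ([datetime]$DeletedGroup.DeletedDateTime).ToUniversalTime()
        $purgeOn = $deleted.AddDays($RetentionDays)
        [pscustomobject]@{
            DisplayName = $DeletedGroup.DisplayName
            Id          = $DeletedGroup.Id
            PurgeOnUtc  = $purgeOn
            DaysLeft    = [math]::Max(0, [math]::Floor(($purgeOn - $Now).TotalDays))
        }
    }
}

# Constructed sample objects (placeholder IDs), shaped like deleted group output
$sample = @(
    [pscustomobject]@{ DisplayName = 'Project-X'
                       Id = '00000000-0000-0000-0000-000000000001'
                       DeletedDateTime = (Get-Date).AddDays(-27) }
    [pscustomobject]@{ DisplayName = 'Finance-Team'
                       Id = '00000000-0000-0000-0000-000000000002'
                       DeletedDateTime = (Get-Date).AddDays(-3) }
)
$sample | Get-PurgeWindow | Sort-Object DaysLeft

# Live run:
#   Get-AzureADMSDeletedGroup -All $true | Get-PurgeWindow | Sort-Object DaysLeft
# Restore instead of purging:
#   Restore-AzureADMSDeletedDirectoryObject -Id <object ID>
```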


5. M365 Groups Naming Policy

Naming conventions for managing objects are always a good thing and a best practice. They bring uniformity, and if they can be adopted from the beginning, it's a win.

Set Blocked words if required
Azure AD Portal > Azure Active Directory > Groups > Naming Policy

Group Naming Policy

This will allow you to add prefixes and suffixes according to the requirement. Each can be either a String or an Attribute that comes from the AD. The policy takes effect when a user creates an M365 Group.


6. Retention Policies for M365 Groups

If you are already using Retention Policies, this can come in handy, as you can retain the mails and files in the M365 Groups.

  • Name the policy
  • Set the time period
  • Keep the switch ON only for Office 365 and select the Groups
  • Review and create the policy

7. Convert Exchange Distribution Lists to M365 Groups

This is another good and quick fix (not a workaround) to convert traditional DLs to M365 Groups.

This can eliminate duplication where you already have department-wide DLs in use and you need to create a department-wide Team.
Creating a Team involves creating an M365 Group, which mostly requires the same set of users as members.
Converting the current DL meets this need and still preserves the DL functionality as well.

Some useful info from the official Microsoft doc pages

Process to convert

  1. From Exchange Admin Center
    M365 Admin Center > Exchange Admin Center > recipients > Groups
    Click on the New button

This will show the upgradable DLs

Select the DL and click on Start Upgrade button

Once the upgrade is done, it’ll be available in the Upgraded DLs section

2. PowerShell

**People with global admin or Exchange admin rights can run the below commands after connecting to EXO on PowerShell**

Single DL

Check eligibility
Get-DistributionGroup <DL SMTP address> | Get-EligibleDistributionGroupForMigration
Upgrade
Upgrade-DistributionGroup -DlIdentities <DL address>

A few DLs at once
Upgrade-DistributionGroup -DlIdentities <DL1 address>, <DL2 address>, <DL3 address>

Get the upgradable DL list and upgrade each one
Get-EligibleDistributionGroupForMigration | ForEach-Object { Upgrade-DistributionGroup -DlIdentities $_.PrimarySMTPAddress }


8. Hide a M365 Group from the Global Address List (GAL)

Why do you need this option?

This is not needed if you want users to be able to send emails to the groups, since the groups must then be visible in the GAL.

Run the below command if you need to hide a group from the GAL

Set-UnifiedGroup -Identity <group name> -HiddenFromAddressListsEnabled $true


9. Use M365 groups for modern work

For example, when you have one M365 Group for the department, the same M365 Group can be set up for the following without creating another group:

  • Group-Based Licensing
  • Conditional Access Policies


10. Last but not least, PowerShell

Run the below command to get the full gist of info on the M365 Group.
This gives you info on all the services currently connected to the group, which I've elaborated on earlier.

Get-UnifiedGroup -Identity <displayname>

Eg: Get-UnifiedGroup -Identity Test-Team-2_c782b9817-ea6a-0000-d481-123cc222222a | fl


Summary

You still might need to consider Security Groups for certain operations. For example, M365 Groups can't support NTFS permissions, hence they can't be used to grant permissions for Azure Files.
I hope this helps you manage and plan the modern groups in your environments in a meaningful manner.
