2. Max Fritz
Email: max@o365mn.org
Twitter: @TheCloudSherpa
Blog: maxafritz.com
LinkedIn: in/maxafritz
Senior Consultant
MCSA Office 365, MCSE Productivity
Founder/Leader of Minnesota Office 365 User Group
Working with Office 365 for over 8 years
Focus in Azure AD, Exchange, and SharePoint Online
Contact Details
6. Teams: Hub for Teamwork | Office Apps: Co-Author | Yammer: Connect Across the Organization | SharePoint: Intranets & Content Management | Outlook: Email & Calendar
Office 365 Groups: single team membership across apps and services
Microsoft Graph: suite-wide intelligence connecting people and content
Security and Compliance: centralized policy management
8. [Chart: which tool fits which communication need, plotted by urgency (Urgent/High vs. Ad-Hoc/Low) against group size in the company. Tools shown: Skype for Business Call or Instant Message (IM); Outlook Email; OneDrive for Business; Office 365 Groups; Skype Meeting Broadcast; Yammer (Groups and all company); Skype for Business Online Meetings; Microsoft Teams; SP Team News, Files, OneNote, Calendar, Planner; Outlook Groups]
9. [Same chart, with the group-size axis labelled: Individual, Team, Business Unit, Enterprise wide / Several Business Units]
11. [Diagram: where the pieces of an Office 365 Group live. Azure Active Directory: Identity, Resource URLs, Owners, Members; Local Directory (if applicable). Exchange Online: Conversations, Calendar. SharePoint Online: Documents, OneNote. Additional workloads: workload scenarios]
12. Azure Active Directory Admin Portal | Office Admin Portal | Exchange Admin Center | PowerShell
17. 1. User enters group name in PowerApps
2. Data is sent to SPO list
3. Flow is triggered and sends approval email
4. Manager accepts or rejects the request
5. Reject: Sender gets a denied email
6. Accept: Azure function starts
7. Azure function creates the group + owner
8. Flow sends email to sender
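Step 7 is the piece the deck does not show. The function below is an added example (not the deck's or any project's code) of what that Azure function would do, using Exchange Online PowerShell; the request fields (Name, RequesterUpn) are assumed to mirror the SPO list columns, and the alias limit comes from the FAQ later in the deck.

```powershell
# Added example: the "create the group + owner" step of the approval workflow, written as
# a function the Azure function would call once Flow reports approval.
# Assumes an Exchange Online PowerShell session; parameter names are constructed to match
# the SPO list item and are not part of any product API.
function New-ApprovedOffice365Group {
    param(
        [Parameter(Mandatory)][string]$Name,          # group name the user typed in PowerApps
        [Parameter(Mandatory)][string]$RequesterUpn   # requester becomes the first owner
    )
    # Derive a mail-safe alias and enforce the 64-character alias limit before calling the service.
    $alias = $Name -replace '[^A-Za-z0-9_.-]', ''
    if ($alias.Length -eq 0 -or $alias.Length -gt 64) {
        throw "Alias '$alias' is empty or exceeds 64 characters; ask for a different name."
    }

    # Refuse to silently collide with an existing group: a duplicate alias fails later and
    # leaves the requester with an approval email but no group.
    if (Get-UnifiedGroup -Filter "Alias -eq '$alias'" -ErrorAction SilentlyContinue) {
        throw "A group with alias '$alias' already exists."
    }

    # Private by default: membership is managed by the owner rather than open to the tenant.
    # A configured naming policy adds its own prefix/suffix, so none is added here.
    $group = New-UnifiedGroup -DisplayName $Name -Alias $alias -Owner $RequesterUpn -AccessType Private

    # Return what the final Flow step needs for the confirmation email to the requester.
    [pscustomobject]@{
        GroupId = $group.ExternalDirectoryObjectId   # Azure AD objectId of the new group
        Email   = $group.PrimarySmtpAddress
        Owner   = $RequesterUpn
    }
}

# Constructed request, as Flow would pass it after the manager approves.
New-ApprovedOffice365Group -Name "Finance Planning" -RequesterUpn "alice@contoso.example"
```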
26. How do I apply structure to how my groups are named?
27. Selective admin roles can override the naming conventions and the blocked words check
Upload your organization-specific blocked words to restrict usage
28. Guidance for using prefixes and suffixes
Use fixed strings or attributes as prefixes and suffixes for group names and aliases
Fixed Strings
• Use short strings that help you differentiate groups in the Global Address List (GAL) and in the group apps.
• Some common prefixes and suffixes are keywords like ‘Grp_Name’, ‘#Name’, ‘_Name’
Attributes
• Use attributes that help identify who created the group, like [Department], and where it was created, like [CountryCode].
• Supported Azure AD attributes are [Department], [Company], [Office], [StateOrProvince], [CountryOrRegion], [CountryCode], [Title]
• Only use attributes that have values filled in for all users in your organization, and do not use attributes that have long values
29. Custom Blocked Words
Specify a list of blocked words that will be restricted from user-created group names and aliases.
Reserve words for administrators and block abusive words
• Use this option to restrict groups created with specific keywords that you want to reserve only for admins, like ‘Payroll’, ‘HR’, ‘CEO’, <VIP> names in your org, so that users cannot abuse them.
• Use this option to upload a list of abusive words that you want to restrict users from using in group names and aliases.
30. Selective administrator roles are exempted
Exempted administrators can create groups with the blocked words and with their desired naming conventions.
List of exempted Azure AD administrator roles
• Tenant Administrator
• Partner Tier 1 Support Administrator
• Partner Tier 2 Support Administrator
• User Account Administrator
• Directory Writers
These administrator roles are exempted across all group workloads and end points.
31. Administrator Options
Set the prefixes and suffixes for group names and aliases
Set custom blocked words to be restricted in group names and aliases
Administrator Tools
Azure AD PowerShell – Supported
Azure AD portal – Not yet supported
View the current group settings
1. Fetch the current naming policy to view the current settings
> $Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
> $Setting.Values
Setting the prefixes, suffixes and custom blocked words
2. Set the prefixes and suffixes
> $Setting["PrefixSuffixNamingRequirement"] = "Grp [GroupName] [Department]"
3. Set the custom blocked words that need to be restricted
> $Setting["CustomBlockedWordsList"] = "Payroll,CEO,HR"
4. Save the settings for the new policy to take effect
> Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting
33. What if our user attributes are quite long? Will it impact group creation?
Yes. The group alias is restricted to 64 characters and the group name to 256 characters, so long user attributes used as prefixes/suffixes could block group creation in your organization.
Can we use extension attributes and custom attributes?
Extension attributes and custom attributes are currently not supported.
Can we have different naming policies for each group workload?
No, this is a tenant-wide policy and applies to all group workloads.
Can we create a rule-based policy where we apply prefixes only for users in a specific department?
Rule-based policy application is not currently supported. We suggest that you leverage user attributes for these scenarios.
Is this a premium feature?
Yes, group naming policy requires an Azure AD Premium P1 license for the unique users that are members of Office 365 groups in the tenant.
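The Get-/Set- pair on slide 31 assumes a Group.Unified setting already exists in the tenant; when none does, it has to be created from the template first. The script below is an added example (not from the deck) that handles both cases and then checks a proposed name against the policy locally, using the 64-character alias and 256-character name limits from the FAQ. Test-GroupNameAgainstPolicy and the sample values are constructed for illustration.

```powershell
# Added example: apply the naming policy, creating the Group.Unified setting from its
# template when the tenant has none (the slide's Get-/Set- pair assumes it already exists).
# Requires a Connect-AzureAD session with the AzureAD or AzureADPreview module.
$setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
$isNew = $false
if (-not $setting) {
    $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }
    $setting  = $template.CreateDirectorySetting()
    $isNew    = $true
}
$setting["PrefixSuffixNamingRequirement"] = "Grp_[GroupName]_[Department]"
$setting["CustomBlockedWordsList"]        = "Payroll,CEO,HR"
if ($isNew) { New-AzureADDirectorySetting -DirectorySetting $setting }
else        { Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting }

# Pre-flight check before provisioning (constructed helper, not a service API): render the
# name the policy would produce for this user and flag blocked words and the length limits
# from the FAQ (alias 64 characters, display name 256).
function Test-GroupNameAgainstPolicy {
    param(
        [string]$RequestedName,
        [hashtable]$UserAttributes,   # e.g. @{ Department = "Finance" }
        [string]$Policy,              # e.g. "Grp_[GroupName]_[Department]"
        [string[]]$BlockedWords
    )
    $name = $Policy.Replace("[GroupName]", $RequestedName)
    foreach ($key in $UserAttributes.Keys) {
        $name = $name.Replace("[$key]", [string]$UserAttributes[$key])
    }
    $alias    = $name -replace '[^A-Za-z0-9_.-]', ''   # approximation of how the alias is derived
    $problems = @()
    foreach ($word in $BlockedWords) {
        # Whole-word, case-insensitive match on the user-entered part, not the policy-added parts.
        if ($RequestedName -match "(?i)\b$([regex]::Escape($word))\b") { $problems += "blocked word '$word'" }
    }
    if ($name.Length  -gt 256) { $problems += "display name exceeds 256 characters" }
    if ($alias.Length -gt 64)  { $problems += "alias exceeds 64 characters" }
    [pscustomobject]@{ Name = $name; Alias = $alias; Allowed = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed request: "Payroll" is blocked, so Allowed comes back $false with the reason listed.
Test-GroupNameAgainstPolicy -RequestedName "Payroll Review" -UserAttributes @{ Department = "Finance" } `
    -Policy "Grp_[GroupName]_[Department]" -BlockedWords @("Payroll", "CEO", "HR")
```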
34. How can I recover groups that were accidentally deleted?
35. Admin can permanently delete the soft deleted group
Admin can restore the soft deleted group and its contents within 30 days of deletion
Any group that is deleted is stored in a separate container for 30 days
36. Administrator Tools
Azure AD PowerShell – Supported
Exchange Admin Center – Supported
Exchange PowerShell – Supported
Microsoft Graph APIs – Supported
Office Admin Center – Not yet supported
37. Azure AD PowerShell and EAC
Soft Delete groups
View Soft Deleted groups and when they were soft deleted
Hard Delete groups (only PowerShell)
Restore Soft Deleted groups
Soft Delete a specific group
> Remove-AzureADGroup -ObjectId <objectId of the group>
Show all Soft Deleted Groups
> Get-AzureADMSDeletedGroup
Restore a specific soft deleted group
> Restore-AzureADMSDeletedDirectoryObject -Id <objectId of the soft deleted group>
Hard Delete a Group
> Remove-AzureADMSDeletedDirectoryObject -Id <objectId of the soft deleted group>
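The cmdlets above act on one objectId at a time. As an added example (not from the deck), the functions below use the Exchange PowerShell route that slide 36 also lists as supported to report every soft-deleted group with the days left before the 30-day hard delete, and to restore one by display name without guessing between duplicates. Function names and the 30-day default are constructed from the deck's own statement; an Exchange Online PowerShell session is assumed.

```powershell
# Added example: inventory soft-deleted groups and restore one safely.
# Assumes an Exchange Online PowerShell session (Get-UnifiedGroup, Undo-SoftDeletedUnifiedGroup).
function Get-SoftDeletedGroupReport {
    param([int]$RetentionDays = 30)   # soft-delete window stated on slide 35
    # -IncludeSoftDeletedGroups returns live groups too, so keep only those with a deletion stamp.
    Get-UnifiedGroup -IncludeSoftDeletedGroups -ResultSize Unlimited |
        Where-Object { $_.WhenSoftDeleted } |
        ForEach-Object {
            $age = ((Get-Date) - $_.WhenSoftDeleted).Days
            [pscustomobject]@{
                DisplayName     = $_.DisplayName
                Alias           = $_.Alias
                ObjectId        = $_.ExternalDirectoryObjectId   # id the Azure AD cmdlets expect
                WhenSoftDeleted = $_.WhenSoftDeleted
                DaysUntilPurge  = [Math]::Max(0, $RetentionDays - $age)
            }
        } | Sort-Object DaysUntilPurge
}

function Restore-SoftDeletedGroupByName {
    param([Parameter(Mandatory)][string]$DisplayName)
    $candidates = @(Get-UnifiedGroup -IncludeSoftDeletedGroups -ResultSize Unlimited |
        Where-Object { $_.WhenSoftDeleted -and $_.DisplayName -eq $DisplayName })
    # Guard: several deleted groups can share a name; restoring the wrong one exposes the
    # wrong mailbox and site to its old members, so stop and let the admin pick by id.
    if ($candidates.Count -ne 1) {
        throw "Expected exactly one soft-deleted group named '$DisplayName', found $($candidates.Count)."
    }
    Undo-SoftDeletedUnifiedGroup -SoftDeletedObject $candidates[0].ExchangeGuid.ToString()
}

# Groups closest to permanent deletion first, so the helpdesk knows where the clock is shortest.
Get-SoftDeletedGroupReport | Format-Table -AutoSize
```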
39. Can I change the soft deletion period of 30 days?
Can I restore a soft deleted group, if another group with the same name exists?
Can I soft delete a group if the group mailbox is on legal hold?
Can I soft delete a group if I have set up an Advanced retention policy in the Security and Compliance Center?
42. Admins can select a specific set of groups and apply the policy to those
Owners get notified by email to renew the expiring group in case they still need to use it
Admins can expire groups created more than x days ago
If the group expires and gets soft deleted, owners can still restore the group
44. Pilot with select groups
Define a goal on which groups you want to expire
Get groups older than X days
> $date = (Get-Date).AddDays(-X)
> Get-UnifiedGroup -Filter {WhenCreatedUTC -le $date} -ResultSize Unlimited
Get ownerless groups
> Get-UnifiedGroup -ResultSize Unlimited -Filter {ManagedBy -eq $null}
45. Build a strategy for orphaned groups
Create a separate email notification template that asks the group members to reply to the IT admin; whoever replies self-nominates and is set as a group owner
Survey pilot users
Check whether the owners noticed the expiry notification and check the renewal rate
46. Roll out in phases
If your ultimate motive is to expire groups older than 6 months, start with 12 months, check the renewal rate, then proceed with 9 months and finally 6 months
Onboard the Helpdesk team
Apprise the Helpdesk team of the prospect of getting more tickets during the 30-day soft deletion period for the groups that were not renewed and expired
If you have specific support teams for each workload, such as Microsoft Teams, SharePoint sites, etc., you need to onboard all of them, since groups created across workloads will expire with the group expiration policy
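The pilot on slides 44 to 46 is a procedure: pick groups older than X days, find the ownerless ones, attach only a selected set to the policy, then tighten the lifetime in phases. The script below is an added example (not from the deck) that carries it through with the AzureADPreview lifecycle cmdlets the deck links to; $PilotDays, $NotifyMailbox and Set-PilotLifetime are constructed, and both an Exchange Online session and a Connect-AzureAD session are assumed.

```powershell
# Added example: pilot the expiration policy on a selected set of groups, then tighten it.
# Assumes Get-UnifiedGroup (Exchange Online) and the *-AzureADMSGroupLifecyclePolicy cmdlets
# (AzureADPreview module). $PilotDays and $NotifyMailbox are constructed values.
$PilotDays     = 365                             # phase 1 of the 12 -> 9 -> 6 month roll-out
$NotifyMailbox = "groupsadmin@contoso.example"   # receives notices for groups with no owner

# Candidates: groups older than the pilot age, plus ownerless groups, which need an owner
# before an expiry notice can reach anyone. String filters avoid the scriptblock variable
# expansion pitfall in remote Exchange sessions.
$cutoff   = (Get-Date).AddDays(-$PilotDays).ToString('yyyy-MM-dd')
$old      = @(Get-UnifiedGroup -Filter "WhenCreatedUTC -le '$cutoff'" -ResultSize Unlimited)
$orphaned = @(Get-UnifiedGroup -Filter "ManagedBy -eq `$null" -ResultSize Unlimited)
Write-Host ("{0} groups older than {1} days, {2} without an owner" -f $old.Count, $PilotDays, $orphaned.Count)

# One tenant-wide lifecycle policy; ManagedGroupTypes "Selected" limits it to groups added explicitly.
$policy = Get-AzureADMSGroupLifecyclePolicy
if (-not $policy) {
    $policy = New-AzureADMSGroupLifecyclePolicy -GroupLifetimeInDays $PilotDays `
        -ManagedGroupTypes "Selected" -AlternateNotificationEmails $NotifyMailbox
}

# Attach only old groups that do have an owner, so every notice has a recipient;
# ownerless groups go to the orphan strategy on slide 45 first.
foreach ($g in ($old | Where-Object { $_.ManagedBy })) {
    Add-AzureADMSLifecyclePolicyGroup -Id $policy.Id -GroupId $g.ExternalDirectoryObjectId
}

# Later phases: shorten the lifetime in place once the renewal rate from the survey looks healthy.
function Set-PilotLifetime {
    param([ValidateSet(365, 270, 180)][int]$Days)   # 12, 9, 6 months
    Set-AzureADMSGroupLifecyclePolicy -Id $policy.Id -GroupLifetimeInDays $Days `
        -ManagedGroupTypes "Selected" -AlternateNotificationEmails $NotifyMailbox
}
```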
50. Can I set an option to expire groups that are inactive?
This is not currently supported. The expiration policy is applied based on group creation date.
Can we change the expiry notification intervals?
The expiry notification intervals are fixed at 30 days, 15 days and 1 day prior to expiry and cannot be changed.
Can we apply the expiration policy to specific group workloads?
The expiration policy applies to all group workloads and cannot be set for specific group workloads.
What happens to expiring groups if I have set up an Advanced retention policy in the Security and Compliance Portal?
When a group expires and gets soft deleted, the group’s conversations in the mailbox and files in the group site are retained in the retention container for the number of days defined in the retention policy. Refer to the link for more details.
Is this a premium feature?
Yes, group expiration policy requires an Azure AD Premium P1 license for the unique users that are members of Office 365 groups in the tenant.
51. Office Documentation: https://support.office.com/article/8d253fe5-0e09-4b3c-8b5e-f48def064733
Azure AD Documentation: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-groups-lifecycle-azure-portal
MS Graph API Documentation: https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/resources/grouplifecyclepolicy
PowerShell Module: https://www.PowerShellgallery.com/packages/AzureADPreview/2.0.0.137
PowerShell Documentation: https://docs.microsoft.com/en-us/PowerShell/module/azuread/?view=azureadps-2.0-preview&branch=master#groups
53. Manage who can create Office 365 groups | Populate groups dynamically based on object attributes
54. View the group mailbox storage used and the group site storage used
View group activity across Group mailbox, SharePoint sites and Yammer groups
View the total groups created and how many are active
55. Groups Activity across workloads
Admin can view group activity across Group mailbox Conversations, Group site/files activity, Yammer group activity
56. Audit Logs in the Azure AD Admin Portal
Audit Log Search in Security and Compliance Center
57. Group Activities that are logged and can be audited
Added group
Updated group
Deleted group
Added member to group
Removed member from group
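The five activities above are what the Security and Compliance Center audit log search returns for groups. As an added example (not from the deck), the script below pulls them with Search-UnifiedAuditLog and flags member additions of guest accounts, the external identities slide 60 describes. The operation names and the AuditData field layout (UserId, ObjectId, ModifiedProperties with Group.DisplayName) are how I understand the Azure AD record type and are assumptions; a Security and Compliance or Exchange Online PowerShell session is assumed.

```powershell
# Added example: review the group audit events listed on slide 57 from the unified audit log.
# Assumes Search-UnifiedAuditLog is available in the session. Operation names and the
# AuditData layout are assumptions about the AzureActiveDirectory record type.
$ops = @("Add group.", "Update group.", "Delete group.",
         "Add member to group.", "Remove member from group.")

$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType AzureActiveDirectory -Operations $ops -ResultSize 5000

$parsed = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    # For member add/remove, ModifiedProperties carries the group name and ObjectId is the member.
    $groupName = ($d.ModifiedProperties | Where-Object { $_.Name -eq "Group.DisplayName" }).NewValue
    [pscustomobject]@{
        Time      = [datetime]$d.CreationTime
        Operation = $d.Operation
        Actor     = $d.UserId
        Target    = $d.ObjectId
        Group     = if ($groupName) { $groupName.Trim('"') } else { $null }
        IsGuest   = ($d.ObjectId -like "*#EXT#*")   # guest UPNs carry the #EXT# marker
    }
}

# Review queue: guests added to groups, and who added them, most recent first.
$parsed | Where-Object { $_.Operation -eq "Add member to group." -and $_.IsGuest } |
    Sort-Object Time -Descending | Format-Table Time, Actor, Target, Group -AutoSize

# Baseline: group creations and deletions per actor over the window, to spot an account
# creating or deleting far more groups than its peers.
$parsed | Where-Object { $_.Operation -in "Add group.", "Delete group." } |
    Group-Object Actor, Operation | Sort-Object Count -Descending |
    Select-Object Count, Name
```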
60. 1. User adds joe@gmail.com to an O365 Group
2. Azure Active Directory creates a Guest ID and makes the guest a member of the group
3. Guest ID synched to Exchange Online, SharePoint Online
4. Guest access to resources governed by organization policies
Guest access in Office 365 groups | Guest access in Office 365 groups – Admin Help
61. • Guest inviter role - set up a policy so that users with this role are the ones who can invite guests
• This can be set using user AD properties such as Title or Job Description
Reach
• Admins can create an allow/deny list of external partner domains that are allowed to be added as guests.
• Guests approved by the IT admin can be added to groups.
• Add guests through the B2B portal and turn off sharing for the tenant
63. AAD Connect for hybrid
Distribution List, Public Folders Migration
Public Folder Migration | Upgrade DLs to Groups | Configure Office 365 Groups with on-premises Exchange
65. SharePoint - Connect a classic site to an Office 365 group (team site)
Gives the ability to take an existing SharePoint Online team site and connect it to an Office 365 Group. Once created, the group provides membership management and other services like shared calendar, Planner, etc.
66. Proper Setup of Yammer Network
Yammer identity management
Enable Group creation through Yammer
(Big) Advantage!
67. Link an existing private group to a Microsoft Team
Use the main Planner site for group planning
73. Thank you!
Email: max@o365mn.org
Twitter: @TheCloudSherpa
Website/Blog: maxafritz.com
Stay in touch!
Come ask me questions!
Leave feedback
Join me next for:
Become the Taskmaster