SlideShare a Scribd company logo

Managing Office 365 Groups

Download as PPTX, PDF
Drew Madelung
Drew Madelung

Office 365 Groups are the backbone of innovations occurring in Office 365 and there can be confusion around what Groups actually are and should be used for. This session will deep dive into the management and administration possibilities for Groups from creation to deletion and everything in between. The wonderful world of PowerShell will be utilized and demoed along with the many other tools that you can administer Groups with. This session will focus on the technical aspects around: • How are they structured? • Creation, Deletion, and Updates • What administration options are available? • How can I manage them? • What’s new? By the end of this session you will have a better understanding of how you can effectively roll out, administer and manage Groups to your enterprise with confidence.

Technology
1 of 48
Managing Office 365 Groups SharePoint Saturday Twin Cities 2018 #SPSTC
Thank you #SPSTC sponsors!
Drew Madelung Email : drew.madelung@protiviti.com Twitter : @dmadelung Website: drewmadelung.com Senior Manager – SharePoint & Office 365
What are Office 365 Groups? How do I work with them? How do they work technically? How can I administer? Demos, Demos & more Demos What’s new & What’s Next? Managing Office 365 Groups SharePoint Saturday Twin Cities 2018
SELF-SERVICE PRIVATE*** BY DEFAULT SHARING TO NON-MEMBERS CONTEXT & HISTORY SINGLE DEFINITION SIMPLE TO MANAGE Office 365 Groups
Azure AD Apps Office 365 Groups building blocks
Demo!
Office 365 Groups things to know By default, anyone can create a group and available in the Global Address List 100 owners and a user can’t create more than 250 groups 500,000 tenant max 1000+ members are supported but will decrease performance Content doesn’t leave when owner leaves Can be used as security groups in SharePoint (but not O365 Video) Sites under “/sites” managed path -> Not visible classic admin center GROUP#0 site template
What’s behind the scenes
One group system across Office 365 One identity Federated resources Loose coupling SharePoint Documents OneNote Additional workloads Workload scenarios Exchange Conversations Calendar Identity Resource URLs Owners Members AAD
Office 365 Admin Center Management Options – User Interface Office 365 Admin App Azure AD Admin Portal Exchange Admin Console Clients – (Outlook, Planner, PowerBI, Teams, etc.)
Demo!
Management Options – Scripting Exchange Manipulating groups & membership Owners | Members | Subscribers $creds = Get-Credential $Session = New-PSSession -ConfigurationName Microsoft.Exchange –ConnectionUri ` https://outlook.office365.com/powershell-liveid/ -Credential $creds -Authentication Basic -AllowRedirection Import-PSSession $Session Establish a remote session to Exchange Online Azure AD Manipulating governance Install-Module AzureADPreview
Useful Scripts for Groups to Get Started Create group New-UnifiedGroup –DisplayName “Legal” –Alias “Legal” –EmailAddresses legal@domain.com Rename group Set-UnifiedGroup -Identity “Legal” -Alias “Legal” -DisplayName “New Legal” -PrimarySmtpAddress legal@domain.com View all subscribers, members or owners for a group Get-UnifiedGroupLinks -Identity “Legal” -LinkType Subscribers Show detailed info for all groups Get-UnifiedGroup | select Id,Alias, AccessType, Language,Notes, PrimarySmtpAddress, ` HiddenFromAddressListsEnabled, WhenCreated, WhenChanged, ` @{Expression={([array](Get-UnifiedGroupLinks -Identity $_.Id -LinkType Members)).Count }; ` Label='Members'}, ` @{Expression={([array](Get-UnifiedGroupLinks -Identity $_.Id -LinkType Owners)).Count }; ` Label='Owners'} | Format-Table Alias, Members, Owners
Things we can do Creation permissions Usage guidelines Classification Guest access Allow/Block guest domains Naming policy Expiration policy Access reviews Dynamic membership Soft delete and restore
Managing Group Creation The old way but still can be used for OWA and Outlook 2016 Use an OWA Mailbox Policy to disable group creation for ALL users or a SUBSET of users  This does NOT disable group creation EXCEPT when trying to create through Outlook/Exchange  Creating groups in other clients/admin areas (PowerBI, Planner, etc…) would NOT disable Set-OwaMailboxPolicy -Identity test.comOwaMailboxPolicy-Default -GroupCreationEnabled $false
Managing Group Creation through Azure AD The new way uses Azure AD  No longer dependency on Exchange – All O365 apps  If OWA policy exists and AAD policy is enabled, OWA policy will be ignored  Admins bypass 1. Disable creation for everyone 2. AAD group for whom can create  Can be O365 Group or Distribution Group)  Individual users only  Prerequisites  Azure AD Version 2.0.0.98 or later (V2)  Azure AD Version 1.1.117.0 or later (V1) - deprecation
Managing Group Creation through Azure AD Steps to setup 1. Retrieve the Object ID for the group that contains the authorized users  Use Azure AD portal to get Object ID  Get-AzureADGroup cmdlet to discover GUID via PowerShell 2. Use PowerShell to update the Azure AD policy  Pass the GUID of your authorized user group to GroupCreationAllowedGroupId Connect-AzureAD $template = Get-AzureADDirectorySettingTemplate | where-object {$_.displayname -eq “Group.Unified”} $setting = $template. CreateDirectorySetting() $setting[“EnableGroupCreation”] = “false” $setting[“GroupCreationAllowedGroupId”] = <groupId> New-AzureADDirectorySetting -DirectorySetting $setting 3. Confirm using PowerShell and test creating a group Get-AzureADDirectorySetting | ForEach Values
Group Usage Guidelines Create a link to Groups documentation available when editing and creating Not on by default Only set via PowerShell Use PowerShell to update the Azure AD policy (if settings object exists) $setting = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”} $setting[“UsageGuidelinesUrl"] = “https://domain.sharepoint.com/Pages/U-Guide.aspx" Set-AzureADDirectorySetting -Id $setting.Id -Directorysetting $setting
Group Classifications Create classifications that the users can set per Group Not on by default Doesn’t actually do anything (yet!) Choices only set via PowerShell 1 set of classifications per tenant Default value & descriptions available Use PowerShell to update the Azure AD policy (if settings object exists) $setting = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”} $setting[“ClassificationList"] = “Internal,External,Confidential“ $settings["ClassificationDescriptions"] = "Internal:xx,External:xx,Confidential:xx" $settings["DefaultClassification"] = "Internal" Set-AzureADDirectorySetting -Id $setting.Id -Directorysetting $setting
Demo!
Group Guest Access  Does not comply with SPO blacklist/whitelist  Enabled by default  Overall Group guest access is managed at the tenant level  Guests cannot view IRM protected files  Guests needs to access via browser  Guests cannot:  Be an owner  View the GAL  View Group members or contact cards  Be blocked by specific user Feature Guest user allowed? Create a group No Add/remove group members No Delete a group No Join a group Yes, by invitation Start a conversation Yes Reply to a conversation Yes Search for a conversation Yes @mention a person in the group No Pin/Favorite a group No Delete a conversation Yes "Like" messages No Manage meetings No View group calendar No Modify calendar events No Add a group calendar to a personal calendar No View and edit group files Yes, if enabled by tenant admin Access the group OneNote notebook Yes, via link from group member Browse groups No
Group Guest Access Group owners can invite external people to be guest users Group members can request an invitation for an external person
Group Guest Access Admin Controls Guest addition to organization • Allow invitation to guests users in the organization • Office 365 Portal – Settings & Privacy > Sharing Guest addition to groups • Allow adding of guests to any group within the organization. • Office 365 Portal – Services & Add-Ins > Office 365 groups • Allow adding of guests to a specific group in the organization (only available in Power Shell) Guest access to group resources • Allow guests to access to any Office 365 group resources • Office 365 Portal – Services & Add-Ins > Office 365 groups
Group Guest Access Powershell Steps to block for tenant 1. Ensure that sharing is allowed in the SharePoint Admin Center / O365 Admin Center 2. Use PowerShell to update the Azure AD policy (if settings object exists) $setting = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”} $setting["AllowToAddGuests"] = "False" $setting["AllowGuestsToAccessGroups"] = "True" Set-AzureADDirectorySetting -Id $setting.Id -Directorysetting $setting 3. Set AllowGuestsToAccessGroups to False to instantly disable all external users from accessing groups Can be controlled per group 1. Through PowerShell
Group Guest Domain Allow/Block Allow or block guest users by domain Can only create an allow or block list, not both 1 policy per org Works separately than SPO allow/block Doesn’t apply to already added group members 1. Azure AD Portal 2. PowerShell - Set-GuestAllowBlockDomainPolicy.ps1 • file: MS Download Center • -MigrateFromSharePoint
Group Naming Policy Ensure group names follow your standard Currently in preview Applies to group name and group alias Total prefixes and suffixes string length restricted to 53 characters Total group name length 264 characters 1. Prefix-suffix naming policy • Can be fixed strings or user attributes Example: • Policy = “GRP [GroupName] [Department] • User’s department = Engineering • Created group name = “GRP My Group Engineering” Supported Azure AD attributes: [Department] [Company] [Office] [StateOrProvince] [CountryOrRegion] [Title] [CountryCode]
Group Naming Policy 2. Custom blocked words • Upload comma separated list of blocked words • Done after appending the prefix and suffix • No sub-string searches occur • Case-insensitive • No character restrictions in the blocked words • No upper limit to number of words that can be set • Admin roles exempted (Global admin, Partner support, User acct admin, Directory writers) • Example: “CEO, Payroll, HR” Use PowerShell to update the Azure AD policy (if settings object exists) $setting = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”} $setting[“PrefixSuffixNamingRequirement"] = “Grp_[Department]_[GroupName]_[Country]" $setting[“CustomBlockedWordsList"] = “Payroll,CEO,HR" Set-AzureADDirectorySetting -Id $setting.Id -Directorysetting $setting
Group Expiration Policy Expiration policies can help remove inactive groups Off by default Administrators can specify expiration period If a Group is not renewed it will be “soft-deleted” renewedDateTime property holds the last renewal/creation time Groups older than expiration will be notified not just removed Group owners sent email before expiration • 30, 15, & 1 day prior
Group Expiration Policy Powershell View your policy Get-AzureADMSGroupLifecyclePolicy Create a new policy New-AzureADMSGroupLifecyclePolicy Update a policy Set-AzureADMSGroupLifecyclePolicy Add a Group to a policy Add-AzureADMSLifecyclePolicyGroup
Azure AD Access Reviews Ask users to attest users’ access Review just guests or users Can be set on occurrence • Weekly, Monthly, Quarterly, Annually Reviewers can be owners or others Completion • If reviewer not responded • Actions to apply on denied users • Delete from AAD • Block sign-in Requires AD P2
Dynamic membership Membership generated by query Example: All users in HR Update membership through query Basic or advanced queries Owners not included in query by default Users not notified if removed Planner does not work Or… • Use security groups to drive membership Pic from O365 for IT Pro book
Restore a deleted Group Deleted Groups retained for 30 days If deleted through Remove-MsolGroup it is not recoverable 1. Display all soft-deleted Groups and get object ID of deleted Group Get-AzureADMSDeletedGroup 2. Restore the Group • Pass the GUID of your Group you got above Restore-AzureADMSDeletedDirectoryObject –Id <objectId> Can be restored through Exchange Admin Center Permanently delete the Group via Remove-AzureADMSDeletedDirectoryObject –Id <objectId>
Suppressing the Group welcome message When a user is added a Group they will get a welcome email by default • What if you want to mass add people and not let them know? The UnifiedGroupWelcomeMessageEnabled switch specifies whether to enable or disable sending system- generated welcome messages to users who are added as members to the Office 365 Group. • $true by default Set-UnifiedGroup -Identity “Legal” –UnifiedGroupWelcomeMessageEnabled:$false
Hiding from the Global Address List (GAL) When a group is created it is automatically viewable in the GAL • What if you don’t want people to see it? The HiddenFromAddressListsEnabled specifies whether the Office 365 Group appears in the global address list (GAL) and other address lists in your organization. • $true • Hidden from the GAL and other address lists. • Can still receive messages, • Can’t see in Outlook or discover option • $false • Visible in the GAL - default Set-UnifiedGroup -Identity “Legal” –HiddenFromAddressListsEnabled:$true
Demo!
What about governance?
Reporting Activity Reports Monitor regularly Leverage Power BI content packs for insights: • Office 365 Adoption content pack • Azure AD content pack • Office 365 Groups Report (Unified Groups)
Security and Compliance eDiscovery Data loss prevention Retention Audit log and Content search Labels
How are organizations managing groups successfully? OPEN CONTROLLED Processes in place Reporting & monitoring Change management
How does Microsoft IT manage groups? Empower employees while protecting content, keeping compliant and holding employees accountable Self-service group creation and life-cycle Creation tied to Dynamic Group of all full-time employees; non-employees can’t create groups No naming prefix/suffix but blocked words 180-day group life-cycle; groups must be renewed or will be deleted (unless under retention) (expiry policy) Usage guidelines shown with plain language; e.g. “Be polite & inclusive” Custom job emails group members for groups with no owner Classification, protection & compliance Classification configured in Azure AD; Highly Confidential, Confidential (default), General Custom jobs set Privacy to Private and disable external membership/sharing based on classification Group site provisioned in region tied to user’s Preferred Data Location (multi-geo) Membership reviews for groups with external members (access reviews) Divisional groups created in SharePoint have retention configured with site template Custom jobs to enforce ownership policy (2 owners with at least 1 full time employee) A foundation for modern collaboration: Microsoft 365 bolsters teamwork
Management tidbits  Discuss a governance plan for groups  Figure out if you need group creation policies  Monitor SharePoint Online Storage to ensure group sites not overtaking total storage  Establish a process to have groups admin support easily available for users  Run reports to try to track groups sprawl  Use UsageGuidelinesUrl and ClassificationList  Migrate multiple distribution lists to Office 365 groups – Link – (also via GUI)
Description AAD: O365 AAD: P1 License req. Create, read, update, delete Yes Yes None – Free Feature Soft-delete and restore Yes Yes None - Free feature Tenant-wide self-service group creation controls Yes Yes None - Free feature Dynamic group membership Yes Each user that is also a member of a group within tenant. Granular self-service group creation controls Yes Each user that is also a member of a group linked with GroupCreationAllowedGroupId Group Naming Policy Yes Each user that is also a member of a group within tenant. Group Expiry* Yes Each user that is also a member of a group affected by a group's expiration policy. Usage Guidelines Yes Each user that is also a member of a group within tenant. Default classification Yes Each user that is also a member of a group within tenant. * Admins don't need an AAD P1 license just to configure the expiration settings * No licenses required for guest access IMPORTANT: For all the Groups features, if you have an Azure AD Premium subscription, users can join the group whether or not they have an AAD P1 license assigned to them. Licensing isn't enforced.
What’s Next
What’s next dynamic membership for Teams based groups In workload expiration notification and auto extend notification New and improved group admin roles Admin center improvements Group driven membership Unified Group classification using Microsoft Information Protection Labels
• xxxx Help Contribute & Stay Informed! O365 Groups UserVoice https://office365.uservoice.com/forums/286611-office-365-groups Microsoft Tech Community https://techcommunity.microsoft.com Office 365 Roadmap https://fasttrack.microsoft.com/roadmap Office Blogs https://blogs.office.com/ Office 365 Admin Center – Message Center https://portal.office.com/AdminPortal Office 365 for IT Pros http://exchangeserverpro.com/ebooks/office-365-for-it-pros Essential Powershell for Office 365 https://www.amazon.com/Essential-PowerShell-Office-365-Productivity/dp/1484231287
Questions? Email: drew.madelung@protiviti.com Twitter: @dmadelung Website: drewmadelung.com Scripts: http://bit.ly/DrewGroupScripts Slides: http://bit.ly/DrewSlides
Managing Office 365 Groups SharePoint Saturday Twin Cities 2018 #SPSTC

Recommended

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Deep dive into Microsoft Purview Data Loss Prevention
Deep dive into Microsoft Purview Data Loss PreventionDeep dive into Microsoft Purview Data Loss Prevention
Deep dive into Microsoft Purview Data Loss Prevention
Drew Madelung
 
Introduction to Microsoft Syntex
Introduction to Microsoft SyntexIntroduction to Microsoft Syntex
Introduction to Microsoft Syntex
Drew Madelung
 
Breakdown of Microsoft Purview Solutions
Breakdown of Microsoft Purview SolutionsBreakdown of Microsoft Purview Solutions
Breakdown of Microsoft Purview Solutions
Drew Madelung
 
Deploying & Managing OneDrive
Deploying & Managing OneDriveDeploying & Managing OneDrive
Deploying & Managing OneDrive
Drew Madelung
 
Deploying Viva Topics
Deploying Viva TopicsDeploying Viva Topics
Deploying Viva Topics
Drew Madelung
 
Labelling in Microsoft 365 - Retention & Sensitivity
Labelling in Microsoft 365 - Retention & SensitivityLabelling in Microsoft 365 - Retention & Sensitivity
Labelling in Microsoft 365 - Retention & Sensitivity
Drew Madelung
 
How to Successfully Manage OneDrive for Business
How to Successfully Manage OneDrive for BusinessHow to Successfully Manage OneDrive for Business
How to Successfully Manage OneDrive for Business
Drew Madelung
 

Recommended

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Deep dive into Microsoft Purview Data Loss Prevention
Deep dive into Microsoft Purview Data Loss PreventionDeep dive into Microsoft Purview Data Loss Prevention
Deep dive into Microsoft Purview Data Loss Prevention
Drew Madelung
 
Introduction to Microsoft Syntex
Introduction to Microsoft SyntexIntroduction to Microsoft Syntex
Introduction to Microsoft Syntex
Drew Madelung
 
Breakdown of Microsoft Purview Solutions
Breakdown of Microsoft Purview SolutionsBreakdown of Microsoft Purview Solutions
Breakdown of Microsoft Purview Solutions
Drew Madelung
 
Deploying & Managing OneDrive
Deploying & Managing OneDriveDeploying & Managing OneDrive
Deploying & Managing OneDrive
Drew Madelung
 
Deploying Viva Topics
Deploying Viva TopicsDeploying Viva Topics
Deploying Viva Topics
Drew Madelung
 
Labelling in Microsoft 365 - Retention & Sensitivity
Labelling in Microsoft 365 - Retention & SensitivityLabelling in Microsoft 365 - Retention & Sensitivity
Labelling in Microsoft 365 - Retention & Sensitivity
Drew Madelung
 
How to Successfully Manage OneDrive for Business
How to Successfully Manage OneDrive for BusinessHow to Successfully Manage OneDrive for Business
How to Successfully Manage OneDrive for Business
Drew Madelung
 
What's New with OneDrive
What's New with OneDriveWhat's New with OneDrive
What's New with OneDrive
Drew Madelung
 
Getting started with with SharePoint Syntex
Getting started with with SharePoint SyntexGetting started with with SharePoint Syntex
Getting started with with SharePoint Syntex
Drew Madelung
 
Intro to Shared Channels
Intro to Shared ChannelsIntro to Shared Channels
Intro to Shared Channels
Drew Madelung
 
What's new with Security & Compliance for SharePoint, OneDrive, and Teams
What's new with Security & Compliance for SharePoint, OneDrive, and TeamsWhat's new with Security & Compliance for SharePoint, OneDrive, and Teams
What's new with Security & Compliance for SharePoint, OneDrive, and Teams
Drew Madelung
 
Everything you need to know about external sharing in OneDrive, SharePoint, a...
Everything you need to know about external sharing in OneDrive, SharePoint, a...Everything you need to know about external sharing in OneDrive, SharePoint, a...
Everything you need to know about external sharing in OneDrive, SharePoint, a...
Drew Madelung
 
Microsoft Ignite 2021 Recap
Microsoft Ignite 2021 RecapMicrosoft Ignite 2021 Recap
Microsoft Ignite 2021 Recap
Drew Madelung
 
How to successfully manage OneDrive
How to successfully manage OneDriveHow to successfully manage OneDrive
How to successfully manage OneDrive
Drew Madelung
 
What's new with OneDrive - July 2021
What's new with OneDrive - July 2021What's new with OneDrive - July 2021
What's new with OneDrive - July 2021
Drew Madelung
 
Securing SharePoint, OneDrive, & Teams with Sensitivity Labels
Securing SharePoint, OneDrive, & Teams with Sensitivity LabelsSecuring SharePoint, OneDrive, & Teams with Sensitivity Labels
Securing SharePoint, OneDrive, & Teams with Sensitivity Labels
Drew Madelung
 
Labelling in Microsoft 365 - Retention & Sensitivity
Labelling in Microsoft 365 - Retention & SensitivityLabelling in Microsoft 365 - Retention & Sensitivity
Labelling in Microsoft 365 - Retention & Sensitivity
Drew Madelung
 
Sensitivity for Groups, Teams, and SharePoint
Sensitivity for Groups, Teams, and SharePointSensitivity for Groups, Teams, and SharePoint
Sensitivity for Groups, Teams, and SharePoint
Drew Madelung
 
Wisconsin SharePoint User Group - November 2020 - Ignite News
Wisconsin SharePoint User Group - November 2020 - Ignite NewsWisconsin SharePoint User Group - November 2020 - Ignite News
Wisconsin SharePoint User Group - November 2020 - Ignite News
Drew Madelung
 
M365 Records Management Community Webinar
M365 Records Management Community WebinarM365 Records Management Community Webinar
M365 Records Management Community Webinar
Drew Madelung
 
Enabling Sharing & Collaboration in OneDrive & SharePoint
Enabling Sharing & Collaboration in OneDrive & SharePointEnabling Sharing & Collaboration in OneDrive & SharePoint
Enabling Sharing & Collaboration in OneDrive & SharePoint
Drew Madelung
 
Following the Evolution of Office 365 Groups to Microsoft 365 Groups
Following the Evolution of Office 365 Groups to Microsoft 365 GroupsFollowing the Evolution of Office 365 Groups to Microsoft 365 Groups
Following the Evolution of Office 365 Groups to Microsoft 365 Groups
Drew Madelung
 
Securing Team, SharePoint, and OneDrive in Microsoft 365 - M365VM
Securing Team, SharePoint, and OneDrive in Microsoft 365 - M365VMSecuring Team, SharePoint, and OneDrive in Microsoft 365 - M365VM
Securing Team, SharePoint, and OneDrive in Microsoft 365 - M365VM
Drew Madelung
 
Sensitivity labels for Teams, Microsoft 365 Groups & SharePoint Sites
Sensitivity labels for Teams, Microsoft 365 Groups & SharePoint SitesSensitivity labels for Teams, Microsoft 365 Groups & SharePoint Sites
Sensitivity labels for Teams, Microsoft 365 Groups & SharePoint Sites
Drew Madelung
 
Review of the new Managed Metadata experience in SharePoint Online
Review of the new Managed Metadata experience in SharePoint OnlineReview of the new Managed Metadata experience in SharePoint Online
Review of the new Managed Metadata experience in SharePoint Online
Drew Madelung
 
Getting Started with Site Designs and Site Scripts - SPSChi
Getting Started with Site Designs and Site Scripts - SPSChiGetting Started with Site Designs and Site Scripts - SPSChi
Getting Started with Site Designs and Site Scripts - SPSChi
Drew Madelung
 
Microsoft Ignite Recap: Microsoft 365 Security & Compliance with Vlad & Drew
Microsoft Ignite Recap: Microsoft 365 Security & Compliance with Vlad & DrewMicrosoft Ignite Recap: Microsoft 365 Security & Compliance with Vlad & Drew
Microsoft Ignite Recap: Microsoft 365 Security & Compliance with Vlad & Drew
Drew Madelung
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
CzechDreamin
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
CzechDreamin
 

More Related Content

More from Drew Madelung

How to successfully manage OneDrive
How to successfully manage OneDriveHow to successfully manage OneDrive
How to successfully manage OneDrive
Drew Madelung
 

More from Drew Madelung (20)

What's New with OneDrive
What's New with OneDriveWhat's New with OneDrive
What's New with OneDrive
 
Getting started with with SharePoint Syntex
Getting started with with SharePoint SyntexGetting started with with SharePoint Syntex
Getting started with with SharePoint Syntex
 
Intro to Shared Channels
Intro to Shared ChannelsIntro to Shared Channels
Intro to Shared Channels
 
What's new with Security & Compliance for SharePoint, OneDrive, and Teams
What's new with Security & Compliance for SharePoint, OneDrive, and TeamsWhat's new with Security & Compliance for SharePoint, OneDrive, and Teams
What's new with Security & Compliance for SharePoint, OneDrive, and Teams
 
Everything you need to know about external sharing in OneDrive, SharePoint, a...
Everything you need to know about external sharing in OneDrive, SharePoint, a...Everything you need to know about external sharing in OneDrive, SharePoint, a...
Everything you need to know about external sharing in OneDrive, SharePoint, a...
 
Microsoft Ignite 2021 Recap
Microsoft Ignite 2021 RecapMicrosoft Ignite 2021 Recap
Microsoft Ignite 2021 Recap
 
How to successfully manage OneDrive
How to successfully manage OneDriveHow to successfully manage OneDrive
How to successfully manage OneDrive
 
What's new with OneDrive - July 2021
What's new with OneDrive - July 2021What's new with OneDrive - July 2021
What's new with OneDrive - July 2021
 
Securing SharePoint, OneDrive, & Teams with Sensitivity Labels
Securing SharePoint, OneDrive, & Teams with Sensitivity LabelsSecuring SharePoint, OneDrive, & Teams with Sensitivity Labels
Securing SharePoint, OneDrive, & Teams with Sensitivity Labels
 
Labelling in Microsoft 365 - Retention & Sensitivity
Labelling in Microsoft 365 - Retention & SensitivityLabelling in Microsoft 365 - Retention & Sensitivity
Labelling in Microsoft 365 - Retention & Sensitivity
 
Sensitivity for Groups, Teams, and SharePoint
Sensitivity for Groups, Teams, and SharePointSensitivity for Groups, Teams, and SharePoint
Sensitivity for Groups, Teams, and SharePoint
 
Wisconsin SharePoint User Group - November 2020 - Ignite News
Wisconsin SharePoint User Group - November 2020 - Ignite NewsWisconsin SharePoint User Group - November 2020 - Ignite News
Wisconsin SharePoint User Group - November 2020 - Ignite News
 
M365 Records Management Community Webinar
M365 Records Management Community WebinarM365 Records Management Community Webinar
M365 Records Management Community Webinar
 
Enabling Sharing & Collaboration in OneDrive & SharePoint
Enabling Sharing & Collaboration in OneDrive & SharePointEnabling Sharing & Collaboration in OneDrive & SharePoint
Enabling Sharing & Collaboration in OneDrive & SharePoint
 
Following the Evolution of Office 365 Groups to Microsoft 365 Groups
Following the Evolution of Office 365 Groups to Microsoft 365 GroupsFollowing the Evolution of Office 365 Groups to Microsoft 365 Groups
Following the Evolution of Office 365 Groups to Microsoft 365 Groups
 
Securing Team, SharePoint, and OneDrive in Microsoft 365 - M365VM
Securing Team, SharePoint, and OneDrive in Microsoft 365 - M365VMSecuring Team, SharePoint, and OneDrive in Microsoft 365 - M365VM
Securing Team, SharePoint, and OneDrive in Microsoft 365 - M365VM
 
Sensitivity labels for Teams, Microsoft 365 Groups & SharePoint Sites
Sensitivity labels for Teams, Microsoft 365 Groups & SharePoint SitesSensitivity labels for Teams, Microsoft 365 Groups & SharePoint Sites
Sensitivity labels for Teams, Microsoft 365 Groups & SharePoint Sites
 
Review of the new Managed Metadata experience in SharePoint Online
Review of the new Managed Metadata experience in SharePoint OnlineReview of the new Managed Metadata experience in SharePoint Online
Review of the new Managed Metadata experience in SharePoint Online
 
Getting Started with Site Designs and Site Scripts - SPSChi
Getting Started with Site Designs and Site Scripts - SPSChiGetting Started with Site Designs and Site Scripts - SPSChi
Getting Started with Site Designs and Site Scripts - SPSChi
 
Microsoft Ignite Recap: Microsoft 365 Security & Compliance with Vlad & Drew
Microsoft Ignite Recap: Microsoft 365 Security & Compliance with Vlad & DrewMicrosoft Ignite Recap: Microsoft 365 Security & Compliance with Vlad & Drew
Microsoft Ignite Recap: Microsoft 365 Security & Compliance with Vlad & Drew
 

Recently uploaded

Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
CzechDreamin
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
CzechDreamin
 
Connecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAKConnecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAK
UXDXConf
 
Buy Epson EcoTank L3210 Colour Printer Online.pdf
Buy Epson EcoTank L3210 Colour Printer Online.pdfBuy Epson EcoTank L3210 Colour Printer Online.pdf
Buy Epson EcoTank L3210 Colour Printer Online.pdf
EasyPrinterHelp
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
UXDXConf
 
The UX of Automation by AJ King, Senior UX Researcher, Ocado
The UX of Automation by AJ King, Senior UX Researcher, OcadoThe UX of Automation by AJ King, Senior UX Researcher, Ocado
The UX of Automation by AJ King, Senior UX Researcher, Ocado
UXDXConf
 

Recently uploaded (20)

Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 
Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
Connecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAKConnecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAK
 
Buy Epson EcoTank L3210 Colour Printer Online.pdf
Buy Epson EcoTank L3210 Colour Printer Online.pdfBuy Epson EcoTank L3210 Colour Printer Online.pdf
Buy Epson EcoTank L3210 Colour Printer Online.pdf
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 
AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
 
THE BEST IPTV in GERMANY for 2024: IPTVreel
THE BEST IPTV in GERMANY for 2024: IPTVreelTHE BEST IPTV in GERMANY for 2024: IPTVreel
THE BEST IPTV in GERMANY for 2024: IPTVreel
 
The UX of Automation by AJ King, Senior UX Researcher, Ocado
The UX of Automation by AJ King, Senior UX Researcher, OcadoThe UX of Automation by AJ King, Senior UX Researcher, Ocado
The UX of Automation by AJ King, Senior UX Researcher, Ocado
 

Managing Office 365 Groups

  • 1. Managing Office 365 Groups SharePoint Saturday Twin Cities 2018 #SPSTC
  • 3. Drew Madelung Email : drew.madelung@protiviti.com Twitter : @dmadelung Website: drewmadelung.com Senior Manager – SharePoint & Office 365
  • 4. What are Office 365 Groups? How do I work with them? How do they work technically? How can I administer? Demos, Demos & more Demos What’s new & What’s Next? Managing Office 365 Groups SharePoint Saturday Twin Cities 2018
  • 5. SELF-SERVICE PRIVATE*** BY DEFAULT SHARING TO NON-MEMBERS CONTEXT & HISTORY SINGLE DEFINITION SIMPLE TO MANAGE Office 365 Groups
  • 6. Azure AD Apps Office 365 Groups building blocks
  • 8. Office 365 Groups things to know By default, anyone can create a group and available in the Global Address List 100 owners and a user can’t create more than 250 groups 500,000 tenant max 1000+ members are supported but will decrease performance Content doesn’t leave when owner leaves Can be used as security groups in SharePoint (but not O365 Video) Sites under “/sites” managed path -> Not visible classic admin center GROUP#0 site template
  • 10. One group system across Office 365 One identity Federated resources Loose coupling SharePoint Documents OneNote Additional workloads Workload scenarios Exchange Conversations Calendar Identity Resource URLs Owners Members AAD
  • 11. Office 365 Admin Center Management Options – User Interface Office 365 Admin App Azure AD Admin Portal Exchange Admin Console Clients – (Outlook, Planner, PowerBI, Teams, etc.)
  • 12. Demo!
  • 13. Management Options – Scripting Exchange Manipulating groups & membership Owners | Members | Subscribers $creds = Get-Credential $Session = New-PSSession -ConfigurationName Microsoft.Exchange –ConnectionUri ` https://outlook.office365.com/powershell-liveid/ -Credential $creds -Authentication Basic -AllowRedirection Import-PSSession $Session Establish a remote session to Exchange Online Azure AD Manipulating governance Install-Module AzureADPreview
  • 14. Useful Scripts for Groups to Get Started Create group New-UnifiedGroup –DisplayName “Legal” –Alias “Legal” –EmailAddresses legal@domain.com Rename group Set-UnifiedGroup -Identity “Legal” -Alias “Legal” -DisplayName “New Legal” -PrimarySmtpAddress legal@domain.com View all subscribers, members or owners for a group Get-UnifiedGroupLinks -Identity “Legal” -LinkType Subscribers Show detailed info for all groups Get-UnifiedGroup | select Id,Alias, AccessType, Language,Notes, PrimarySmtpAddress, ` HiddenFromAddressListsEnabled, WhenCreated, WhenChanged, ` @{Expression={([array](Get-UnifiedGroupLinks -Identity $_.Id -LinkType Members)).Count }; ` Label='Members'}, ` @{Expression={([array](Get-UnifiedGroupLinks -Identity $_.Id -LinkType Owners)).Count }; ` Label='Owners'} | Format-Table Alias, Members, Owners
  • 15. Things we can do Creation permissions Usage guidelines Classification Guest access Allow/Block guest domains Naming policy Expiration policy Access reviews Dynamic membership Soft delete and restore
  • 16. Managing Group Creation The old way but still can be used for OWA and Outlook 2016 Use an OWA Mailbox Policy to disable group creation for ALL users or a SUBSET of users  This does NOT disable group creation EXCEPT when trying to create through Outlook/Exchange  Creating groups in other clients/admin areas (PowerBI, Planner, etc…) would NOT disable Set-OwaMailboxPolicy -Identity test.comOwaMailboxPolicy-Default -GroupCreationEnabled $false
  • 17. Managing Group Creation through Azure AD The new way uses Azure AD  No longer dependency on Exchange – All O365 apps  If OWA policy exists and AAD policy is enabled, OWA policy will be ignored  Admins bypass 1. Disable creation for everyone 2. AAD group for whom can create  Can be O365 Group or Distribution Group)  Individual users only  Prerequisites  Azure AD Version 2.0.0.98 or later (V2)  Azure AD Version 1.1.117.0 or later (V1) - deprecation
  • 18. Managing Group Creation through Azure AD Steps to setup 1. Retrieve the Object ID for the group that contains the authorized users  Use Azure AD portal to get Object ID  Get-AzureADGroup cmdlet to discover GUID via PowerShell 2. Use PowerShell to update the Azure AD policy  Pass the GUID of your authorized user group to GroupCreationAllowedGroupId Connect-AzureAD $template = Get-AzureADDirectorySettingTemplate | where-object {$_.displayname -eq “Group.Unified”} $setting = $template. CreateDirectorySetting() $setting[“EnableGroupCreation”] = “false” $setting[“GroupCreationAllowedGroupId”] = <groupId> New-AzureADDirectorySetting -DirectorySetting $setting 3. Confirm using PowerShell and test creating a group Get-AzureADDirectorySetting | ForEach Values
  • 19. Group Usage Guidelines Create a link to Groups documentation available when editing and creating Not on by default Only set via PowerShell Use PowerShell to update the Azure AD policy (if settings object exists) $setting = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”} $setting[“UsageGuidelinesUrl"] = “https://domain.sharepoint.com/Pages/U-Guide.aspx" Set-AzureADDirectorySetting -Id $setting.Id -Directorysetting $setting
  • 20. Group Classifications Create classifications that the users can set per Group Not on by default Doesn’t actually do anything (yet!) Choices only set via PowerShell 1 set of classifications per tenant Default value & descriptions available Use PowerShell to update the Azure AD policy (if settings object exists) $setting = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”} $setting[“ClassificationList"] = “Internal,External,Confidential“ $settings["ClassificationDescriptions"] = "Internal:xx,External:xx,Confidential:xx" $settings["DefaultClassification"] = "Internal" Set-AzureADDirectorySetting -Id $setting.Id -Directorysetting $setting
  • 21. Demo!
  • 22. Group Guest Access  Does not comply with SPO blacklist/whitelist  Enabled by default  Overall Group guest access is managed at the tenant level  Guests cannot view IRM protected files  Guests needs to access via browser  Guests cannot:  Be an owner  View the GAL  View Group members or contact cards  Be blocked by specific user Feature Guest user allowed? Create a group No Add/remove group members No Delete a group No Join a group Yes, by invitation Start a conversation Yes Reply to a conversation Yes Search for a conversation Yes @mention a person in the group No Pin/Favorite a group No Delete a conversation Yes "Like" messages No Manage meetings No View group calendar No Modify calendar events No Add a group calendar to a personal calendar No View and edit group files Yes, if enabled by tenant admin Access the group OneNote notebook Yes, via link from group member Browse groups No
  • 23. Group Guest Access Group owners can invite external people to be guest users Group members can request an invitation for an external person
  • 24. Group Guest Access Admin Controls Guest addition to organization • Allow invitation to guests users in the organization • Office 365 Portal – Settings & Privacy > Sharing Guest addition to groups • Allow adding of guests to any group within the organization. • Office 365 Portal – Services & Add-Ins > Office 365 groups • Allow adding of guests to a specific group in the organization (only available in Power Shell) Guest access to group resources • Allow guests to access to any Office 365 group resources • Office 365 Portal – Services & Add-Ins > Office 365 groups
  • 25. Group Guest Access Powershell Steps to block for tenant 1. Ensure that sharing is allowed in the SharePoint Admin Center / O365 Admin Center 2. Use PowerShell to update the Azure AD policy (if settings object exists) $setting = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”} $setting["AllowToAddGuests"] = "False" $setting["AllowGuestsToAccessGroups"] = "True" Set-AzureADDirectorySetting -Id $setting.Id -Directorysetting $setting 3. Set AllowGuestsToAccessGroups to False to instantly disable all external users from accessing groups Can be controlled per group 1. Through PowerShell
  • 26. Group Guest Domain Allow/Block Allow or block guest users by domain Can only create an allow or block list, not both 1 policy per org Works separately than SPO allow/block Doesn’t apply to already added group members 1. Azure AD Portal 2. PowerShell - Set-GuestAllowBlockDomainPolicy.ps1 • file: MS Download Center • -MigrateFromSharePoint
  • 27. Group Naming Policy Ensure group names follow your standard Currently in preview Applies to group name and group alias Total prefixes and suffixes string length restricted to 53 characters Total group name length 264 characters 1. Prefix-suffix naming policy • Can be fixed strings or user attributes Example: • Policy = “GRP [GroupName] [Department] • User’s department = Engineering • Created group name = “GRP My Group Engineering” Supported Azure AD attributes: [Department] [Company] [Office] [StateOrProvince] [CountryOrRegion] [Title] [CountryCode]
  • 28. Group Naming Policy 2. Custom blocked words • Upload comma separated list of blocked words • Done after appending the prefix and suffix • No sub-string searches occur • Case-insensitive • No character restrictions in the blocked words • No upper limit to number of words that can be set • Admin roles exempted (Global admin, Partner support, User acct admin, Directory writers) • Example: “CEO, Payroll, HR” Use PowerShell to update the Azure AD policy (if settings object exists) $setting = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”} $setting[“PrefixSuffixNamingRequirement"] = “Grp_[Department]_[GroupName]_[Country]" $setting[“CustomBlockedWordsList"] = “Payroll,CEO,HR" Set-AzureADDirectorySetting -Id $setting.Id -Directorysetting $setting
  • 29. Group Expiration Policy Expiration policies can help remove inactive groups Off by default Administrators can specify expiration period If a Group is not renewed it will be “soft-deleted” renewedDateTime property holds the last renewal/creation time Groups older than expiration will be notified not just removed Group owners sent email before expiration • 30, 15, & 1 day prior
  • 30. Group Expiration Policy Powershell View your policy Get-AzureADMSGroupLifecyclePolicy Create a new policy New-AzureADMSGroupLifecyclePolicy Update a policy Set-AzureADMSGroupLifecyclePolicy Add a Group to a policy Add-AzureADMSLifecyclePolicyGroup
  • 31. Azure AD Access Reviews Ask users to attest users’ access Review just guests or users Can be set on occurrence • Weekly, Monthly, Quarterly, Annually Reviewers can be owners or others Completion • If reviewer not responded • Actions to apply on denied users • Delete from AAD • Block sign-in Requires AD P2
  • 32. Dynamic membership Membership generated by query Example: All users in HR Update membership through query Basic or advanced queries Owners not included in query by default Users not notified if removed Planner does not work Or… • Use security groups to drive membership Pic from O365 for IT Pro book
  • 33. Restore a deleted Group Deleted Groups retained for 30 days If deleted through Remove-MsolGroup it is not recoverable 1. Display all soft-deleted Groups and get object ID of deleted Group Get-AzureADMSDeletedGroup 2. Restore the Group • Pass the GUID of your Group you got above Restore-AzureADMSDeletedDirectoryObject –Id <objectId> Can be restored through Exchange Admin Center Permanently delete the Group via Remove-AzureADMSDeletedDirectoryObject –Id <objectId>
  • 34. Suppressing the Group welcome message When a user is added a Group they will get a welcome email by default • What if you want to mass add people and not let them know? The UnifiedGroupWelcomeMessageEnabled switch specifies whether to enable or disable sending system- generated welcome messages to users who are added as members to the Office 365 Group. • $true by default Set-UnifiedGroup -Identity “Legal” –UnifiedGroupWelcomeMessageEnabled:$false
  • 35. Hiding from the Global Address List (GAL) When a group is created it is automatically viewable in the GAL • What if you don’t want people to see it? The HiddenFromAddressListsEnabled specifies whether the Office 365 Group appears in the global address list (GAL) and other address lists in your organization. • $true • Hidden from the GAL and other address lists. • Can still receive messages, • Can’t see in Outlook or discover option • $false • Visible in the GAL - default Set-UnifiedGroup -Identity “Legal” –HiddenFromAddressListsEnabled:$true
  • 36. Demo!
  • 38. Reporting Activity Reports Monitor regularly Leverage Power BI content packs for insights: • Office 365 Adoption content pack • Azure AD content pack • Office 365 Groups Report (Unified Groups)
  • 39. Security and Compliance eDiscovery Data loss prevention Retention Audit log and Content search Labels
  • 40. How are organizations managing groups successfully? OPEN CONTROLLED Processes in place Reporting & monitoring Change management
  • 41. How does Microsoft IT manage groups? Empower employees while protecting content, keeping compliant and holding employees accountable Self-service group creation and life-cycle Creation tied to Dynamic Group of all full-time employees; non-employees can’t create groups No naming prefix/suffix but blocked words 180-day group life-cycle; groups must be renewed or will be deleted (unless under retention) (expiry policy) Usage guidelines shown with plain language; e.g. “Be polite & inclusive” Custom job emails group members for groups with no owner Classification, protection & compliance Classification configured in Azure AD; Highly Confidential, Confidential (default), General Custom jobs set Privacy to Private and disable external membership/sharing based on classification Group site provisioned in region tied to user’s Preferred Data Location (multi-geo) Membership reviews for groups with external members (access reviews) Divisional groups created in SharePoint have retention configured with site template Custom jobs to enforce ownership policy (2 owners with at least 1 full time employee) A foundation for modern collaboration: Microsoft 365 bolsters teamwork
  • 42. Management tidbits  Discuss a governance plan for groups  Figure out if you need group creation policies  Monitor SharePoint Online Storage to ensure group sites not overtaking total storage  Establish a process to have groups admin support easily available for users  Run reports to try to track groups sprawl  Use UsageGuidelinesUrl and ClassificationList  Migrate multiple distribution lists to Office 365 groups – Link – (also via GUI)
  • 43. Description AAD: O365 AAD: P1 License req. Create, read, update, delete Yes Yes None – Free Feature Soft-delete and restore Yes Yes None - Free feature Tenant-wide self-service group creation controls Yes Yes None - Free feature Dynamic group membership Yes Each user that is also a member of a group within tenant. Granular self-service group creation controls Yes Each user that is also a member of a group linked with GroupCreationAllowedGroupId Group Naming Policy Yes Each user that is also a member of a group within tenant. Group Expiry* Yes Each user that is also a member of a group affected by a group's expiration policy. Usage Guidelines Yes Each user that is also a member of a group within tenant. Default classification Yes Each user that is also a member of a group within tenant. * Admins don't need an AAD P1 license just to configure the expiration settings * No licenses required for guest access IMPORTANT: For all the Groups features, if you have an Azure AD Premium subscription, users can join the group whether or not they have an AAD P1 license assigned to them. Licensing isn't enforced.
  • 45. What’s next dynamic membership for Teams based groups In workload expiration notification and auto extend notification New and improved group admin roles Admin center improvements Group driven membership Unified Group classification using Microsoft Information Protection Labels
  • 46. • xxxx Help Contribute & Stay Informed! O365 Groups UserVoice https://office365.uservoice.com/forums/286611-office-365-groups Microsoft Tech Community https://techcommunity.microsoft.com Office 365 Roadmap https://fasttrack.microsoft.com/roadmap Office Blogs https://blogs.office.com/ Office 365 Admin Center – Message Center https://portal.office.com/AdminPortal Office 365 for IT Pros http://exchangeserverpro.com/ebooks/office-365-for-it-pros Essential Powershell for Office 365 https://www.amazon.com/Essential-PowerShell-Office-365-Productivity/dp/1484231287
  • 47. Questions? Email: drew.madelung@protiviti.com Twitter: @dmadelung Website: drewmadelung.com Scripts: http://bit.ly/DrewGroupScripts Slides: http://bit.ly/DrewSlides
  • 48. Managing Office 365 Groups SharePoint Saturday Twin Cities 2018 #SPSTC