Demistifying Microsoft Groups: 5 Keys to Successful Group Management

Microsoft Groups have been used for securing resources and providing membership abilities for more than three decades, before AD even early NT 4 Domains with local groups on servers.  With the advent of Azure AD and the Office 365 Cloud, the newer Microsoft 365 groups have evolved beyond the on premises groups to provide not only access control for files, email distribution and resources, but also security boundaries including the one of the newest features in Teams the information barriers which give you the ability to isolate one group of people from another including their ability to even see them or collaborate with them in the user interface. It’s more important than ever to have a hybrid strategy to manage your groups.

>> Register for a free educational webinar with Joel Oleson on “Demystifying Microsoft Groups: 5 Keys to Successful Group Management on June 2nd. More details below.

Microsoft Groups are used for these main uses:

  • Identity Based Security Perimeter including providing employee only access to internal resources
  • Membership and Access Controls including Application Authorization and SAAS Licensing
  • Email Notification and Distribution including alerts a group inbox or lists for forwarding

Four Types of Microsoft Groups

There are 4 main Microsoft groups in a hybrid environment and you will see overlap in groups between on-premises and the Microsoft cloud. In addition there is a group mailbox, but that function is primarily being replaced by capabilities in Microsoft 365 Groups with Outlook/Exchange online.

  • Microsoft 365 Groups cloud only
  • Security groups – both
  • Distribution groups – both
  • Mail enabled groups – both

You can synchronize groups, but the full sync including write back has limitations especially when discussing the Microsoft 365 group membership. We will continue to see innovation in efforts by Microsoft to make one or 2 way sync better, but it has a long way to go. Much of this is leveraged by AD contact objects internally which prevent access inadvertently being shared from cloud to on-premises.

Microsoft Group Management

Management of Groups in hybrid involved a number of different Admin interfaces.  In your on premise environment you’re using Active Directory and Exchange or even better… PowerShell.  In the cloud you have more options including Azure Active Directory, Microsoft 365 Admin center, Exchange Admin Center.  For policies on the groups you might find yourself using Teams Admin Center and Security and Compliance center.  Microsoft Graph is a great way to script or automate Microsoft 365 group changes.  Think of PowerShell for wide sweeping service wide changes across multiple groups and Graph for granular narrow changes such as changes on a large group. Microsoft Graph is only available in the cloud while PowerShell is available in both cloud and on premises. 

Delegation of rights and management is often provided to the owners while membership itself can be dynamic based on AD user attributes or rules.  These dynamic membership based groups can be configured both on premises and in the cloud with Microsoft 365 groups.  Identity is synchronized with Azure AD Connect.  Various single sign on and MFA solutions are supported for authentication and ensuring a good user experience both at work and remote including mobile support.

5 Keys to Successful Group Management:

Define your Hybrid Group Management Strategy for Service Wide Governance and Security.  There are changes that should only be made in one environment or the other.  Those that think they should simply sync all changes both ways are missing out on zero trust security positioning.  There are often differences with sensitive data internal where those groups should not be synchronized to the cloud.  Governance is not just about security.  Consider naming strategies, usage, reporting, and auditing.  Ownership and policies around lifecycle.

Plan Self Service or IT Led with Oversight  The goal should be self service with oversight, but for some services you may decide to have support desk manage membership.  Smaller companies may use IT support or have IT or HR in the lifecycle or approval process.  Service desk can be burdened for simple membership that could better be managed by the group owner.  Think full lifecycle.   Dynamic groups are the best as it will ensure attributes determine who should have membership.  There are tools that provide identity and access management including membership.  Groups delegation is important but along with it comes responsibility and accountability. 

Provision your Groups with lifecycle membership in mind.  Gather additional metadata including owner, secondary owner, department, location, and other contextual data.  Imagine the owner leaves, the situation you need to avoid is orphaned groups on sensitive data.  It’s chaos to have groups without proper ownership and management.  Relying on the support desk to understand management is asking for trouble if they don’t know who should be a member. 

Audit your groups usage and lifecycle periodically.  We need to ensure that groups never become orphaned (no owner) and we also need to ensure that groups membership is valid, and that its existence still valid.  If a group should be removed, that’s what needs to happen.  Ideally these audits should be as automated as possible with pressure on owners to do the validation and attestation.

Archive or Delete Unused Groups – There’s nothing worse than stale groups giving people rights that they should no longer have.  Even when a group has no members doesn’t mean it isn’t a threat.  It could be used to gain access to resources.  The more groups the greater the chance for mistakes to be made.  You should be not only auditing the groups, but regularly deleting, archiving, and cleaning up the mess.  Dynamic groups are a great way to go to focus on ensuring membership is valid based on rules, but also ensuring owners are regularly reviewing their group.  Do they still need it?  This shouldn’t be a once in a lifetime type question. 

Enjoy the infographic. Feel free to download it blog about it, share it. It is created with creative commons sharealike license. You can download the high resolution printable PDF “Microsoft Groups Demystified: 5 Keys to Successful Group Management” on slideshare or the the JPG version of “Microsoft Groups Demystified: 5 Keys to Successful Group Management.” Love to hear your feedback on social media or in the comments.

Groups are powerful, and yet most companies struggle with management and see self service group management as identity chaos with security nightmares.  Tools such as Cayosoft can help you get a better handle on your hybrid group management strategies.  Keeping groups transparent and understood across the organization as a responsibility and accountability is the most important key to successful group management. 

Join me on a webinar where we can dive into this topic for an hour with Q&A sponsored by Cayosoft.

Free Webinar: Microsoft Groups Demystified: 5 Keys to Successful Group Management

>> Register Now

When: June 4th at 2pm Eastern Time / 11am Pacific Time

Speakers: Joel Oleson, MVP & RD, Director at Perficient and Robert Bobel, CEO of Cayosoft, Hybrid expert

Description: How are you handling Microsoft groups as you adopt more and more of the cloud? What should you do with your DLs? For hybrid environments, legacy groups can be a real struggle, and most organizations leave security groups in place while creating new ones in the cloud. Double the groups can mean double the frustration.

Join us for this webinar, where we’ll explore the history of security groups and distribution lists and dive deep into how best to approach users and strategies for on-premises and cloud group coexistence and synchronization. We’ll also explore the new Teams Information Boundaries and Unified Labeling and classifications to paint a clearer picture of security and classification in Microsoft 365. 

This session will take comprehensive look at Microsoft “Groups end to end” and work to cover some common groups questions:

  • What about lifecycle and cleanup? 
  • Policy & Naming standards?
  • Is write-back an option? 
  • How do I sync my groups? 
  • What can I do for coexistence and hybrid?
  • I want to copy my on-prem groups can I do that?
  • Can I setup my groups as dynamic or rule-based in the cloud (and potential additional costs)? 

>> Register Now

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: