Reserved for ads. Please scroll down.

There are four types of groups in Microsoft 365: distribution, security groups, mail-enabled security, and Microsoft 365. Let’s dive right into the types of groups.

Distribution groups

Distribution groups also known as distribution lists will create an email address and distribute the emails to all the members of the group. Distribution groups do not have separate mailboxes. The emails land in the members of the distribution lists mailboxes. You can add anyone with a mailbox inside your organization and you can add mail contacts to distribution groups.

Create a distribution group in Microsoft 365

1. Go to the Microsoft 365 admin center > Teams & groups > Active teams & groups. Then click Add a group.

2. Click Distribution > Next.

3. Name the group. Optionally add a description. Click Next.

4. Set the group email address. Optionally click Allow people outside of my organization to send email to this Distribution group. Click Next.

5. Click Create group.

Add members to the distribution group

You’ll notice you can’t add members to the group while creating the group. To add members, you’ll need to go to the group and manage the members.

1. Go to the Microsoft 365 admin center > Teams & groups > Active teams & groups > Distribution List. Then click the group you want to manage.

2. Click Members > View all and manage members.

3. Click Add members.

4. Select the users you want to add to the group. Then click Add.

Security groups

Microsoft 365 security groups, formerly known as Office 365 security groups, allow admins to manage access to resources, for example, SharePoint, Intune, or apply conditional access policies.

Create a security group in Microsoft 365

1. Go to the Microsoft 365 admin center > Teams & groups > Active teams & groups. Then click Add a group

2. Click Security > Next.

3. Name the group. Optionally add a description. Click Next.

4. Click Create group.

Add members to the security group

To add members, you’ll need to go to the group and manage the members.

1. Go to the Microsoft 365 admin center > Teams & groups > Active teams & groups > Security. Then click the group you want to manage

2. Click Members > View all and manage members.

3. Click Add members.

4. Select the users you want to add to the group. Then click Add.

Mail-enabled security groups

Mail-enabled security groups are the best of both worlds. Use mail-enabled security groups to distribute messages and grant access permissions to resources in Microsoft 365.

You create mail-enabled security groups the same way you create security/distribution groups.

Microsoft 365 groups

Microsoft 365 groups allow users to create and manage their own teams. Microsoft 365 groups can create Microsoft Teams, shared mailboxes, or open discussion forums in Yammer. They can also be used in SharePoint sites, Planner, OneDrive shared libraries, Power BI and more. Note, I said can because depending on where you create the team it will change what is created along with it.

How to create a Microsoft 365 group with a shared mailbox

1. Open Outlook.

2. Right-click Groups in the left pane and click New Group.

3. Set the name, email address, description, privacy, and decide if you want the emails to go to everyone’s mailboxes. Then click Create.

4. Enter the other members' names. Click the member to add them. Click Add Members.

How to create a Microsoft 365 group in other apps

Since knowing all the ways to create a Microsoft 365 group is outside the scope of MS-500 I’ll simply link the instructions below:

• Create a plan in Microsoft Planner
• Create a group in Microsoft Outlook
• Create a team site in SharePoint
• Deploy Microsoft 365 groups to power platform 
• Create a group in Microsoft Teams 
• Create a group in Yammer 

Membership type

Up until now, we’ve only discussed “assigned” groups. Assigned Groups are where you have assigned the user to the group. Another group type in Microsoft 365 is Dynamic. Dynamic groups are where the members are automatically added/removed depending on the attributes of the user. For example, you may want to create a security group based on departments. Then every user that has the same department will be automatically added to the group. For example, if the test says, “Users must be added automatically to the security group of their department.” Then a dynamic security group would be required.

How to create a dynamic security group

1. Open Azure AD admin center > Azure Active Directory > Groups

2. Click New Group

3. Enter the Group name > optionally group description > Select Dynamic User under Membership type > Then click Add dynamic query

4. Set the property to department. Set the Operator to Equals. Then set the Value to HR. Then click Save.

Dynamic membership rules

There are several ways to filter / automatically add users to dynamic groups. Let’s review the rules.

Property

The property attribute is the property the rule will be checking. In our example above we used the department property which says, “check the department property on each user”.

Operator

The operator attribute is how to check the property field against the value. We used Equals in the example above. There are a few more operators that should be discussed.

Equals: The equals operator does an exact match (not case sensitive) of the property to the value.

Contains: The contains operator does partial-string matches but not 

Match: The match operator does a regular expression matching.

Dynamic group limits

You can create a dynamic group that contains devices or users, but you can't create a group that contains both users and devices.

You can't build a dynamic device group based on the owners' attributes. Device dynamic group rules can only reference the device attributes.

Access Review

One of the issues with groups is users come and go and they may even switch job roles or departments. Without reviewing the groups to verify membership the user list may get stale and users may keep access to data that they shouldn’t. With Microsoft 365 you can configure access review.

With access review, you can set all groups or some of your groups to be reviewed. The reviewer can be the group owners, selected users, or groups, users can review their own access or managers of users. Lastly, you can set how often the reviewers need to perform the review. Let’s take a look.

How to setup access review

1. Go to Azure AD admin center > Azure Active Directory > Identity Governance.

2. Access reviews > New access review.

3. In the Select what to review dropdown click Teams + Groups. Click Select Teams + groups. Click select group(s). Click the group you want to perform an access review. Click Select. Click All users. Click Next: Reviews.

4. Click the Select reviewers drop down and click Group owner(s). In duration (in days) set the number of days you want the review to be open for. For review recurrence set the amount of time before the next review. Click Next: Settings.

5. Set Auto apply results to resource. Click Approve access under If reviewers don’t respond. Then click Next: Review + Create.

6. Set the review name. Click Create.

Group Naming policies

The next thing I’d like to mention is group naming policies. Since users can create groups, you may want to use some sort of naming policy. For example, an organization Contoso may want a prefix in front of all the groups “Contoso-“

By setting a group naming policy all users will be required to use your specific naming policy with one exception. Global Admins & User admins can still create groups without using the naming policy.

How to set up a naming policy

1. Go to Azure AD admin center > Azure Active Directory > Groups.

2. Click Naming policy > Group naming policy. Click Add prefix. Set the prefix to a string. Then set the prefix value. Click Save.

Auto-expiration of groups

So now your Microsoft 365 groups are growing. Sometimes the groups can grow out of control. How do you manage all of them? You put the burden on the group owners. In short, you set the groups to auto-expire. Then the group owners will receive an email where they will need to renew the groups to keep them around. Let's jump in and take a look.

1. Go to Azure Active Directory admin center > Azure Active Directory > Groups > Expiration.

2. Set the Group lifetime (in days). Set your email in the Email contact for groups with no owners. Set the enable expiration for these Microsoft 365 groups to All. Click Save.