Tuesday, February 21, 2017

All you never wanted to know about Exchange Online, Azure AD and Office 365 Groups creation

Before setting the scenario, the solution to my problem would be either an Office 365 group with dynamic Azure Active Directory membership where all services in the Office 365 group were opt-in and not mandatory, or an e-mail enabled security group with dynamic membership. Neither of those options exists, and we ended up having one dynamic distribution group and one dynamic security group.

I’m working with a customer moving from on-premises to Office 365, and at the top level they have divisions. Each of the divisions will get a plain old SharePoint site to handle different kinds of documentation. We do not want to go with an Office 365 Group, as memberships can involve a lot of people, and having all the mandatory tools in an Office 365 Group will most likely confuse the users. In addition, each of the divisions should have an e-mail address, a distribution list.

To handle access to the division sites we created one dynamic security group in AAD per division, which uses the division name as the membership key (dynamic membership is an AAD Premium feature). To handle the e-mail scenario, we created a corresponding dynamic distribution group in Exchange Online Admin, with the same membership key. This is not ideal, as we have two places with the same rule, but that’s what we get. We also tried every manner of adding different group types as members of other groups to make it work more smoothly, but that was not doable.
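Because the same rule lives in two places, the two can drift apart so that mail membership and site access no longer match. One way to derive both rules from a single division name, as an added PowerShell example that is not from the original post: it assumes the division is stored in the users' Department attribute and that the AzureADPreview and Exchange Online sessions are already connected; the `SG-`/`DL-` names, the function names and `$MailDomain` are hypothetical.

```powershell
# Added example, not the author's code. Assumption: the membership key is the
# Department attribute in both Azure AD and Exchange Online.
function Get-DivisionRules {
    param([Parameter(Mandatory)][string]$Division)

    # Allow only letters, digits, spaces and hyphens, so a division name can
    # never break out of the quoted value in either membership rule.
    if ($Division -notmatch '^[A-Za-z0-9 -]{1,64}$') {
        throw "Unsupported characters in division name: $Division"
    }

    [pscustomobject]@{
        Division        = $Division
        # Azure AD dynamic membership rule (security group for site access)
        AadRule         = "(user.department -eq `"$Division`")"
        # Exchange Online OPATH filter (dynamic distribution group for mail)
        RecipientFilter = "Department -eq '$Division'"
    }
}

function New-DivisionGroups {
    param(
        [Parameter(Mandatory)][string]$Division,
        [Parameter(Mandatory)][string]$MailDomain   # placeholder, e.g. contoso.example
    )

    $rules = Get-DivisionRules -Division $Division
    $alias = ($Division -replace '[^A-Za-z0-9]', '').ToLower()

    # Dynamic security group in Azure AD (requires AAD Premium)
    New-AzureADMSGroup -DisplayName "SG-$Division" `
        -MailEnabled $false -MailNickname "sg-$alias" -SecurityEnabled $true `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $rules.AadRule -MembershipRuleProcessingState 'On' | Out-Null

    # Dynamic distribution group in Exchange Online, built from the same key
    New-DynamicDistributionGroup -Name "DL-$Division" `
        -PrimarySmtpAddress "$alias@$MailDomain" `
        -RecipientFilter $rules.RecipientFilter | Out-Null

    # Return the rules so they can be logged or reviewed alongside the groups
    $rules
}
```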

How do you go about setting this up using the admin UIs?

Below I show what’s possible in each admin UI, and I have highlighted in yellow the option which is only available in a particular UI, as there is overlapping functionality for most scenarios. I do not discuss how you can do this programmatically or using PowerShell.

Office 365 Tenant Admin UI for Groups

The Office 365 Tenant Admin UI allows you to create the following:
  • An Office 365 group with explicitly added members – the de facto Office 365 Group which gives you a security group, an e-mail address, a team site, planner etc. You may also use this group as a security group, granting permissions to the members in for example a plain old team site.
  • Distribution list – an e-mail distribution list in Exchange where you add individuals as members.
  • Mail-enabled security group – Same as a distribution list, but you can also use this to grant permissions to for example a SharePoint site.
  • Security Group – an AAD security group with explicitly added members.

Exchange Online Admin UI for Groups

The Exchange Online Admin UI allows you to create the following:
  • An Office 365 group with explicitly added members.
  • Distribution group – which actually pulls up the UI for an Office 365 group – so no plain distribution list for you from this UI. Head over to the Office 365 tenant admin UI instead.
  • Security Group – an AAD security group with explicitly added members.
  • Dynamic distribution group – a mailing list which allows you to add members based on AAD properties instead of adding them explicitly.

Azure AD Admin UI for Groups

The Azure AD Admin UI allows you to create the following:
  • Security Group – an AAD security group with explicitly added members.
    • Membership type = Assigned
    • Enable Office features = No
  • Security Group – an AAD security group with dynamic members.
    • Membership type = Dynamic User (or device)
    • Enable Office features = No
  • An Office 365 group with explicitly added members.
    • Membership type = Assigned
    • Enable Office features = Yes
  • An Office 365 group with dynamic members
    • Membership type = Dynamic User (or device)
    • Enable Office features = Yes

Happy Grouping!