Office 365 groups enable users to access information in a variety of places, including SharePoint or OneDrive for Business document libraries, OneNote files, shared inboxes or calendars on Exchange Online, Lync or Skype for Business meetings, or Dynamics CRM databases. Office 365 groups are objects in Azure Active Directory, so they are not available in your on-premises deployment. A group includes the list of users who are members, URLs for resources and a list of the group’s owners.
Creating Office 365 groups
Both administrators and end users can create groups.
Office 365 administrators can log in to the portal at https://portal.office.com, click the Admin link, hover over the people icon on the side and then click Add Group.
Figure 1. How administrators can create a group from the Office 365 portal
Users can create new groups directly from Outlook from the ribbon, as long as they are using Outlook from the Office 365 ProPlus package:
Figure 2. How users can add a new group from Outlook
That will bring up a screen much like the portal’s screen, where they can name the group and choose the privacy settings.
Figure 3. How users specify details about a group they are creating from Outlook
Keep in mind that users can interact with Office 365 groups only from a web browser, not from a current Office desktop client. The upcoming Office 2016 client will include support for groups.
Managing Office 365 groups
Groups are intended to be largely self-service: Users can create their own groups and administer their membership using tools built into the web user interface or through the full applications in the Office 2016 suite. Users can also browse the list of groups to find the one they need and sign themselves up to be group members. Therefore, groups tend to proliferate quickly, which leads to challenges for administrators, including the following:
- Who manages the lifecycle of all of these groups, some of which might have been created for week-long tasks and some of which are for long-term projects? Who decides what content is still live and what needs to be archived?
- What happens when the next iteration or version happens? How do accounts and resources move around? The process is less than clear, particularly for users that have a hybrid deployment of Exchange, SharePoint or both.
- What if the topic being discussed in a group is sensitive? If so, the group should probably not be public, nor should just anyone be able to add themselves to the group.
Adding guest users to Office 365 groups
One of the big benefits of Office 365 groups is the guest access feature — the ability to let users outside of the company collaborate on items in the group. This capability centers around the concept of a guest user in Azure AD, which is an account associated with an email address from outside the tenant.
Only an owner of a group can add a guest to the group. To provide guest access, open the group using Outlook Web Access on Office 365. From the three-dotted menu on the right, select Members and then Guests. Click Add Members and then enter the guest’s email address.
Behind the scenes, Office 365 checks whether a guest user object already exists for that email address; if it does not, Office 365 automatically creates one on the fly. Then it grants the new or existing guest user account appropriate permissions to the group and sends an email to the guest user with a link to the object to be shared and information about how the guest user can remove himself or herself from the group.
If the guest user has a Microsoft account that matches the email address the owner specified during the addition process, then the guest will authenticate with that. If not, the user will be redirected to invitations.microsoft.com to create an ad-hoc account in that Office 365 tenant (which is not a universal Microsoft account).
What can a guest user do in an Office 365 group? Learn some common scenarios below:
- Join in a conversation in the group mailbox. This is through email only and not any sort of interface on the Office 365 system; the messages are emailed to the guest’s email address. Therefore, they can also search the group conversations they have been a part of within their own mailbox.
- Send meeting requests to the shared calendar for the group,
- Interact with a single document in a SharePoint Online library that a user has invited them to edit.
- Access the group’s document libraries and search through those documents in SharePoint Online using the Files view in Office 365.
- See attachments sent through the OneDrive for Business integration with Outlook and shared OneNote notebooks.
Mitigating the risks of guest users in Office 365 groups
Granting external users access to corporate access raises two key concerns:
- Risk of data loss — How do you make sure that users keep private content in the site and don’t forward it or download it?
- Risk of continued access — How do you ensure that access rights of external users are consistently revoked when they are no longer needed?
Microsoft has built in some protections against these threats. For example:
- Guests can interact with Office 365 groups only through the browser (except for the individual email notifications described earlier).
- Guests can’t see Global Address List (GAL) information, such as organizational hierarchy, and guests don’t appear in the GAL.
- Guests can’t view or interact with information saved with Information Rights Management (IRM) protection.
- Guests cannot become owners of Office 365 groups.
- MailTips warn anyone using either Outlook on the Web or the Outlook desktop client when they are mailing items to a group that includes guest users to help prevent the leak of confidential material.
To further mitigate these risks, you should educate your users about security best practices for Office 365 groups and require owners to regularly attest to the continued usefulness and membership of their Office 365 groups.