tony redmond – field guide to office 365 groups (and more)
TRANSCRIPT
OFFICE 365 GROUPS: THE GOOD, THE BAD, AND THE IMPOSSIBLE…
Tony Redmond @12Knocksinna
https://exchangeserverpro.com/ebooks/office-365-for-it-pros/
MICROSOFT AND COLLABORATION: A BRIEF HISTORY
Not a happy combination, with many false starts and siloed attempts to provide a collaboration platform:
• Public folders
• Site mailboxes
• SharePoint team sites
• Yammer
OFFICE 365 GROUPS CREATE A UNIQUE COLLABORATION FABRIC. I have no idea who came up with this phrase, but let's debate the point anyway!
WHAT ARE OFFICE 365 GROUPS?
• A unified identity represented by an Azure Active Directory object
• Draw functionality from:
  • Exchange Online (group mailbox and calendar): only the Inbox (threaded conversations) and Calendar folders are used
  • SharePoint Online (team site including a document library, aka "Files", and a shared notebook)
• Integrate with: Power BI, Dynamics CRM, Office 365 Planner, Connectors, a REST-based API, Skype for Business
Warning: Don't use workload-specific administration tools to manage Office 365 Groups. The group's identity lives in Azure AD and the workloads are synchronized from it, so edits made through Exchange-only or SharePoint-only tools can leave a workload inconsistent with the master object. The likelihood is that you will screw things up!
DEFINING OFFICE 365 GROUPS
Group membership:
• Owners: administrators who take care of maintaining group properties and membership
• Members: Office 365 accounts (and external guest users)
• Subscribers: members who want to receive email updates for conversations and calendar
All group members (belonging to the tenant) share a common level of access to all group resources
Groups can be private or public
Groups can be hidden from global address lists
Example: "The top secret Group"
WHAT DOES THIS MEAN FOR YOU?
• Groups are born in the cloud
• Groups are not Exchange and not SharePoint; they are not distribution groups and not team sites
• Groups are managed on their own merit, not according to how you traditionally managed Exchange or SharePoint
• Your management and operational processes will probably need to change to accommodate Groups
TARGETING OFFICE 365 GROUPS
Ideal target for an Office 365 Group:
• Frequent communication via email (Outlook 2016, OWA, or the mobile app)
• A team that uses an email distribution group today
• A team working on shared Office documents (which might be stored in a public folder or a site mailbox)
Not so good (today) when you need to support:
• Very large membership (like "Everyone in the Company"): Yammer Groups are a better choice
• Granular permissions over shared objects: SharePoint team sites are a better choice
• Large-scale dynamic or nested email distribution lists: use Exchange DLs
PREPARING TO DEPLOY
• Know what Groups are going to be used for and how
• Set user guidelines
• Know the limitations:
  • A single user can be an owner of up to 250 groups
  • No more than 10 owners per group
  • Groups larger than 1,000 users might have some performance problems
DEPLOYING AND MANAGING GROUPS
ADMINISTRATION TOOLS
• Office 365 Admin Center
• OWA People section
• Azure Active Directory console
• PowerShell (you'll see a lot of this…)
WHAT HAPPENS WHEN GROUPS ARE CREATED
• Azure Active Directory is the master: each group has an AAD object that is synchronized to the workload directories (EXODS, SPODS)
• When a new group is created from OWA, immediate writes go to AAD and EXODS to make the group mailbox available
• SPODS is notified that the group is created, but resources are not instantiated until the first user attempts to access the document library
• The opposite happens when a new team site is created, which causes a new group to be set up
• Regular synchronization from AAD to the workload directories keeps everything aligned
• EXODS synchronizes email-related properties (like email addresses) back to AAD
CREATING NEW OFFICE 365 GROUPS
By default, anyone can create a new Office 365 Group:
• From Outlook 2016, OWA, or the Outlook Groups app
• From PowerShell (New-UnifiedGroup)
• From SharePoint Online when you create a new team site
• From the Planner, Power BI, and Dynamics CRM integrations
• (Soon) from Yammer
Debate amongst yourselves whether it's good that anyone can create a group
The resources consumed by lots of Groups really don't matter because Microsoft takes care of provisioning… but you might not like the impact on your corporate directory
Group naming is important
CONTROLLING GROUP CREATION VIA POLICY
• Originally created as a setting in an OWA mailbox policy; the OWA mailbox policy is still used for OWA and Outlook 2016
• New implementation in the AAD policy for Office 365 Groups: used to control the ability to create groups through Planner, Dynamics CRM, Power BI and the Outlook Groups app, and will eventually be the only creation policy
• Until then, block creation in both places: a user blocked only by the AAD directory setting can still create a group from OWA or Outlook 2016 if the OWA mailbox policy allows it
• The same policy controls classification, usage guidelines, and guest user access
Basic idea:
• Decide to implement a block on general group creation
• Define a list of users who are permitted to create groups (in an AAD distribution group or Office 365 Group)
• Create a directory setting object and update its settings to implement the block by restricting creation to the permitted list
• Clients and integrations read the directory settings from AAD and enforce the block/permitted list
GROUP CREATION POLICY
[PS] C:\> Connect-MsolService                                                            # Connect to Azure AD
[PS] C:\> $Policy = Get-MsolSettingTemplate -TemplateId 62375ab9-6b52-47ed-826b-58e47e0e304b   # Retrieve template id
[PS] C:\> $Setting = $Policy.CreateSettingsObject()                                     # Prepare new setting object
[PS] C:\> $Setting["EnableGroupCreation"] = "false"                                     # Update settings to block creation...
[PS] C:\> $Setting["GroupCreationAllowedGroupId"] = "a3c13e4d-7083-4448-9224-287f10f23e10"   # ...and assign the permitted list: this is the object id of the group that contains the permitted users
[PS] C:\> New-MsolSettings -SettingsObject $Setting                                     # Create the directory setting object
GROUP CREATION POLICY
Include usage guidelines and Group classifications in the directory setting object:
[PS] C:\> $SettingID = (Get-MsolAllSettings -TargetType Groups).ObjectID                 # Retrieve ID for current settings
[PS] C:\> $ExistingSettings = Get-MsolSettings -SettingId $SettingID                    # Retrieve existing settings
[PS] C:\> $Values = $ExistingSettings.GetSettingsValue()
[PS] C:\> $Values["UsageGuidelinesUrl"] = "http://office365exchange.com/GroupGuidelines.html"   # Set new values
[PS] C:\> $Values["ClassificationList"] = "General Usage, External Access, Internal Only, Confidential"
[PS] C:\> Set-MsolSettings -SettingId $SettingID -SettingsValue $Values                 # Update directory setting object
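The two snippets above assume the directory setting object does not yet exist (New-MsolSettings fails if the tenant already has one) and that the permitted-group id has been looked up by hand. The following is an added example, not the deck's own script: one idempotent run that reuses the existing Group.Unified settings object if present, otherwise creates it from the template, applies the creation block, the permitted-creator group, the usage guidelines and classification list, and the two tenant-level guest settings from the guest user access controls slide later on, then reads back what the tenant holds. The template id is the one on the slide; the group name "GroupCreators", the guidelines URL and the classification values are assumptions.

```powershell
# Added example, not the slide deck's own script. Uses the MSOnline preview
# cmdlets shown on the slides and assumes Connect-MsolService has already run.
# Assumed values: a group named "GroupCreators" holding the permitted creators,
# a guidelines URL and a classification list.
$TemplateId      = "62375ab9-6b52-47ed-826b-58e47e0e304b"   # Group.Unified template id (from the slide)
$CreatorsGroup   = "GroupCreators"                           # assumed name of the permitted-creators group
$GuidelinesUrl   = "https://intranet.example.com/GroupGuidelines.html"   # assumed
$Classifications = "General Usage, External Access, Internal Only, Confidential"

# Resolve the permitted-creators group to its object id. Refuse to continue if it
# is missing or ambiguous: a wrong id here blocks creation for everyone.
$Creators = @(Get-MsolGroup -SearchString $CreatorsGroup | Where-Object { $_.DisplayName -eq $CreatorsGroup })
if ($Creators.Count -ne 1) {
    throw "Expected exactly one group named '$CreatorsGroup', found $($Creators.Count)"
}
$CreatorsId = $Creators[0].ObjectId.ToString()

# Reuse the existing Group.Unified settings object when there is one; only create
# a new object from the template when the tenant has none.
$Existing = Get-MsolAllSettings | Where-Object { $_.DisplayName -eq "Group.Unified" }
if ($Existing) {
    $SettingId = $Existing.ObjectId
    $Values    = (Get-MsolSettings -SettingId $SettingId).GetSettingsValue()
} else {
    $Template  = Get-MsolSettingTemplate -TemplateId $TemplateId
    $Values    = $Template.CreateSettingsObject()
}

# Creation block plus permitted list (values are strings, as on the slides)
$Values["EnableGroupCreation"]         = "false"
$Values["GroupCreationAllowedGroupId"] = $CreatorsId
# Usage guidelines and classifications
$Values["UsageGuidelinesUrl"]          = $GuidelinesUrl
$Values["ClassificationList"]          = $Classifications
# Tenant-level guest controls: owners may not add new guests, but guests that
# are already members keep their access (the default, written explicitly so the
# intent is visible in the object).
$Values["AllowToAddGuests"]            = "false"
$Values["AllowGuestsToAccessGroups"]   = "true"

if ($Existing) {
    Set-MsolSettings -SettingId $SettingId -SettingsValue $Values
} else {
    New-MsolSettings -SettingsObject $Values
}

# Clients and integrations enforce whatever AAD holds, so read it back rather
# than trusting the write.
$Applied = Get-MsolAllSettings | Where-Object { $_.DisplayName -eq "Group.Unified" }
(Get-MsolSettings -SettingId $Applied.ObjectId).GetSettingsValue()
```

This only covers the AAD policy. As the slide says, OWA and Outlook 2016 still honour the OWA mailbox policy, so the same block needs `Set-OwaMailboxPolicy -Identity <policy> -GroupCreationEnabled $false` in an Exchange Online session, otherwise the directory setting is bypassed by the most common clients. The MSOnline settings cmdlets were the preview route at the time of the deck; the same template and setting names later shipped in the AzureADPreview module as the *-AzureADDirectorySetting cmdlets.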
GROUP NAMING POLICY
• Stored in the Exchange organization configuration
• Also used by email DLs
• Due to be replaced by the AAD policy for Groups (late 2016)
Common implementations:
• Include a prefix in the name: "GRP – group name"
• Include the department in the name: "Operations – group name"
Set through the EAC or PowerShell; an administrator can override the policy to create a group named according to their requirements
Set-OrganizationConfig -DistributionGroupNamingPolicy "GRP - <Department> <GroupName>"
Warning: Use the same policy on both sides of a hybrid deployment!
IDENTIFYING INACTIVE GROUPS
• Check audit records for SharePoint file activity in the document library with Search-UnifiedAuditLog
• Check the number and last date of conversations in the group mailbox with Get-MailboxFolderStatistics
• See script at https://gallery.technet.microsoft.com/Check-for-obsolete-Office-c0020a42
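As an added example (not the script linked above), here is one way to combine the two checks the slide lists: a single audit-log query for SharePoint file operations is keyed by site URL, and then each group is scored on its newest Inbox conversation and its newest file operation. It assumes an Exchange Online remote PowerShell session whose account can run Search-UnifiedAuditLog; the 90-day threshold is an assumption.

```powershell
# Added example, not the TechNet gallery script. Assumes an Exchange Online session
# with permission to search the unified audit log. A group is flagged obsolete when
# neither its Inbox nor its document library has seen activity in $InactiveDays
# (threshold is an assumption).
$InactiveDays = 90
$Since = (Get-Date).AddDays(-$InactiveDays)

# One pass over the audit log for SharePoint file operations in the window, keyed by
# site URL. Search-UnifiedAuditLog returns at most 5000 records per call; larger
# tenants need paging with -SessionId/-SessionCommand ReturnLargeSet, and the log
# only reaches back as far as its retention period.
$LastFileActivity = @{}
$Records = Search-UnifiedAuditLog -StartDate $Since -EndDate (Get-Date) `
    -RecordType SharePointFileOperation -ResultSize 5000
foreach ($Rec in $Records) {
    $Data = $Rec.AuditData | ConvertFrom-Json      # AuditData is a JSON string
    if (-not $Data.SiteUrl) { continue }
    $Site = $Data.SiteUrl.TrimEnd('/')
    if (-not $LastFileActivity.ContainsKey($Site) -or $Rec.CreationDate -gt $LastFileActivity[$Site]) {
        $LastFileActivity[$Site] = $Rec.CreationDate
    }
}

$Report = foreach ($Group in Get-UnifiedGroup -ResultSize Unlimited) {
    # Newest conversation in the group mailbox Inbox (group mailboxes are visible
    # to Get-MailboxFolderStatistics when addressed by alias)
    $Inbox = Get-MailboxFolderStatistics -Identity $Group.Alias -FolderScope Inbox -IncludeOldestAndNewestItems |
        Where-Object { $_.FolderType -eq "Inbox" }
    $LastMail = $Inbox.NewestItemReceivedDate

    # Newest file operation in the group's site; $null if nothing was logged, which
    # also covers a site that was never instantiated (see "what happens when groups
    # are created")
    $LastFile = $null
    if ($Group.SharePointSiteUrl) {
        $LastFile = $LastFileActivity[$Group.SharePointSiteUrl.TrimEnd('/')]
    }

    $Obsolete = ($null -eq $LastMail -or $LastMail -lt $Since) -and ($null -eq $LastFile)
    [PSCustomObject]@{
        Group         = $Group.DisplayName
        Owners        = ($Group.ManagedBy -join "; ")
        Created       = $Group.WhenCreated
        Conversations = $Inbox.ItemsInFolder
        LastMail      = $LastMail
        LastFile      = $LastFile
        Obsolete      = $Obsolete
    }
}

$Report | Where-Object Obsolete | Sort-Object Created | Format-Table -AutoSize
```

Treat the output as a candidate list for owners to confirm, not as a deletion list: a group created inside the window with no traffic yet shows up as obsolete, and calendar-only groups leave no Inbox or file trace at all.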
OFFICE 365 GROUPS AND COMPLIANCE
Use functionality delivered through the Security & Compliance Center (SCC) rather than individual workloads:
• Exchange eDiscovery and in-place hold can include group mailboxes; Exchange retention policies don't process group mailboxes
• SharePoint eDiscovery cases support group document libraries
• SCC Content searches can search both group mailboxes and document libraries
• SCC Preservation policies can place holds on group mailboxes and document libraries
• SCC eDiscovery cases can use group mailboxes and document libraries as sources and place group mailboxes and sites on hold
• Unified DLP policies
SECRET GROUPS
Sensitive Groups can be hidden (from the GAL and from membership lookups):
Set-UnifiedGroup -HiddenFromAddressListsEnabled $True -HiddenGroupMembershipEnabled
Caveat: hiding a group from the GAL does not restrict access to its content, so make sensitive groups private to avoid casual searches turning up confidential documents
Good idea for users to mark secret groups as favorites so they are easily accessible in all clients
The CalendarMemberReadOnly flag can be set with Set-UnifiedGroup to stop members deleting calendar items in sensitive groups
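An added example (not from the slides) that puts the three settings above together: it creates a private group with hidden membership, then hides it from the GAL and makes the calendar read-only, and it adds the audit a practitioner wants after the caveat, listing groups classified "Confidential" that are still public or GAL-visible. It assumes an Exchange Online session, that "Confidential" is one of the tenant's classification values (as on the classification list slide), and the group name, alias and owner shown. The hidden-membership switch is passed to New-UnifiedGroup here because, in current Exchange Online, it is only honoured at creation time (the slide shows it on Set-UnifiedGroup).

```powershell
# Added example, not the slide deck's own script. Assumes an Exchange Online
# session and a "Confidential" classification value. Group name, alias and owner
# are assumptions.
function New-ConfidentialGroup {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$Alias,
        [Parameter(Mandatory)][string]$Owner
    )
    # Private, with membership hidden from non-members. Membership hiding is set
    # at creation; do not rely on adding it afterwards.
    $Group = New-UnifiedGroup -DisplayName $DisplayName -Alias $Alias -Owner $Owner `
        -AccessType Private -HiddenGroupMembershipEnabled -Classification "Confidential"

    # Hide from the GAL and stop members deleting shared calendar items
    Set-UnifiedGroup -Identity $Group.Identity -HiddenFromAddressListsEnabled $true -CalendarMemberReadOnly

    # Return the effective state so the caller can verify rather than assume
    Get-UnifiedGroup -Identity $Group.Identity |
        Select-Object DisplayName, AccessType, HiddenFromAddressListsEnabled,
                      HiddenGroupMembershipEnabled, CalendarMemberReadOnly, Classification
}

# Audit: a group classified Confidential that is Public, or still listed in the
# GAL, is exactly the case the caveat warns about, because its files are open to
# casual search by anyone in the tenant.
function Get-ExposedConfidentialGroups {
    Get-UnifiedGroup -ResultSize Unlimited |
        Where-Object { $_.Classification -eq "Confidential" -and
                      ($_.AccessType -eq "Public" -or -not $_.HiddenFromAddressListsEnabled) } |
        Select-Object DisplayName, AccessType, HiddenFromAddressListsEnabled, ManagedBy
}

New-ConfidentialGroup -DisplayName "Project Falcon" -Alias "projectfalcon" -Owner "kim.akers@example.com"
Get-ExposedConfidentialGroups
```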
DYNAMIC GROUPS
• Dynamic Office 365 Groups are implemented through queries executed against Azure Active Directory
• The queries defining group membership can only be created and maintained through the AAD console
• Requires an AAD Premium license for every account that comes in scope for a query used by a dynamic Office 365 Group; e.g. an "All Company" group for a 10,000 user company = $60,000/month cost
• Cost is not an issue if the organization uses AAD Premium licenses for other reasons (like writeback for hybrid synchronization, password self-service, or the Enterprise Mobility Suite)
BACKUP FOR OFFICE 365 GROUPS
• Soft-delete and hard-delete of Groups
• Group mailboxes are not backed up: Exchange Online uses Native Data Protection to protect data (DAG, 4 DB copies, SIR, etc.)
• Group document libraries are backed up along with other SharePoint Online data, and the recycle bin works!
• Data associated with integrations (such as Office 365 Planner) is not backed up
• Third-party backup products don't view Office 365 Groups as holistic entities; data is usually backed up at the workload level, and they might not even recognize the existence of group mailboxes and the hidden site collections!
A WIDE RANGE OF CLIENTS FOR GROUPS
Outlook 2016 Desktop Client
• Pro Plus or Click-to-Run
• Groups information returned in the Autodiscover XML manifest
• Appear as a resource (like Public Folders)
• Can be favorited (cross-client)
Outlook 2016 for Mac (roadmap)
• Currently no support for Groups
OWA
• Latest and Greatest
• Import DL to Group membership
• Groups Discovery & Delve
Outlook Groups mobile app
• iPhone and iPad (new)
OUTLOOK 2016 AND GROUPS
• Groups only supported in cached Exchange mode
• A GST file is used to store local copies of Groups
• AutoDiscover finds and reports groups to Outlook
• Some concern about the number of connections created by Outlook: one to each group
HYBRID CONNECTIVITY
• Hybrid organizations can use AAD Connect to synchronize Office 365 Groups back to on-premises Active Directory (with writeback)
• Requires Exchange 2016 CU2 or Exchange 2013 CU13 (or later versions); hybrid tenants must stay current with -1 CU (required for proper transport routing to/from groups)
• Depends on a properly configured and functioning hybrid connection
• Office 365 Groups show up in the on-premises GAL as distribution groups
• On-premises users can get to SharePoint resources if they are licensed
• See https://technet.microsoft.com/en-us/library/mt668829%28v=exchg.150%29.aspx for more information (or read what Van Hybrid says…)
SHAREPOINT AND GROUPS
IN THE BEGINNING…
• A hidden Site Collection
• Access only to a single Document Library
• Limited functionality to serve simple document sharing needs
GROUPS AND SITES
Groups & SharePoint:
• Every SharePoint Team Site Collection gets a Group
• Every Group gets a SharePoint Team Site Collection
• Phase 1: New Groups & New Team Sites, and Existing Groups
• Phase 2: Selectively Upgrade existing Team Sites
• Independent SharePoint: Sites not connected to Groups
Impact on Membership:
• Group Owners AND Group Members have Full Control over the Team Site, so any member can change site permissions and share content
• Office 365 Groups can be granted rights to SharePoint objects
• Disabling Guest Access to Groups does not prevent SharePoint External Sharing; the SharePoint Online sharing settings are a separate control
• Make sure to manage permissions in SharePoint and not just through the Group
ACCOMMODATING GUEST USERS
EXTERNAL ACCESS
• External users can email contributions to groups if allowed
• Guest user access allows external people to participate more fully with group files and the notebook
• A guest user is a simple AAD object (email address, display name, password) whose account and credentials are controlled outside the tenant
GUEST USER ACCESS CONTROLS
• AAD settings for the tenant must allow invitations to be sent; controllable in the Office 365 Admin Center (Security and Privacy – Sharing)
• SharePoint Online settings must allow sharing
• The AAD policy for Office 365 Groups provides a method to control guest access to all Office 365 Groups at the tenant level:
  • AllowToAddGuests controls whether group owners can add guest users
  • AllowGuestsToAccessGroups controls whether guest users can access Groups at all (existing guests included)
• Guest access to individual groups can be restricted through AAD settings for the group
GUEST USER ACCESS
• Group owners can invite external people to be guest users
• Group members can request an invitation for an external person
• External access does not yet extend to Microsoft Planner
What guest users get today:
• A restricted version of the browser "Files" view
• Can access cloudy attachments
• Can't see the full tenant GAL
• Can't access conversations
• Restricted view of group members
• No mobile access
• No access from Outlook
• No way to block specific guest users
Design issue: should you allow guest users access to "full" groups or only to "special" groups?
EXTENDING GROUPS
CONNECTORS
Use Connectors to gather information "cards" from 50+ cloud data sources, or create your own
Connectors vs. Flow vs. PowerApps?
POWERSHELL
When in doubt, look to PowerShell… Specific cmdlets are contained in the Exchange Online module:
• Get/New/Set/Remove-UnifiedGroup
• Get/Add/Remove-UnifiedGroupLinks
Some of the Exchange mailbox-centric cmdlets also work, but group mailboxes remain invisible to most cmdlets:
• Get-MailboxStatistics
• Get-MailboxFolderStatistics
LET'S TALK ABOUT MIGRATION – OUR FAVORITE TOPIC
MIGRATING EXISTING DATA TO AN OFFICE 365 GROUP
A challenging situation…
• Tools from QUADROtech (ADAM) and Binary Tree (E2E Complete) are available
• The OneDrive for Business sync client can be used to import files into the document library, including those in other SharePoint document libraries
• Third-party products (like Sharegate and Metalogix)
• Outlook doesn't support drag and drop to move items from a PST or shared mailbox into a group
MIGRATION – DISTRIBUTION GROUPS
Only simple distribution groups can be migrated (only cloud mailboxes, no other types of email recipients):
• No dynamic groups
• No nested groups
• No mail-enabled security groups
• No groups containing mail-enabled objects other than Office 365 accounts
MIGRATION TOOLS
• One-click convert from the Exchange Online Admin Center
• Microsoft scripts: the Hummingbird GitHub project
• Create your own PowerShell scripts (sample in the TechNet script gallery)
• Run the New-UnifiedGroup cmdlet
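For the "create your own PowerShell script" route, the following added example (not one of the Microsoft or community scripts listed above) turns the eligibility rules on the previous slide into a pre-flight check and then performs the conversion with New-UnifiedGroup and Add-UnifiedGroupLinks. It assumes an Exchange Online session; the DL name "Sales Team" and the alias are assumptions. The check for a directory-synchronized DL is an addition beyond the slide's list: such a group is mastered on-premises and cannot be edited in Exchange Online.

```powershell
# Added example, not the deck's or Microsoft's script. Assumes an Exchange Online
# session. Pre-flight checks a distribution group against the eligibility rules
# on the slide, then creates the Office 365 Group and copies members and owners.
# DL name and alias used at the bottom are assumptions.
function Test-DLConvertible {
    param([Parameter(Mandatory)][string]$Identity)
    $Problems = @()
    $DL = Get-DistributionGroup -Identity $Identity -ErrorAction SilentlyContinue
    if (-not $DL) {
        # Dynamic DLs are a separate recipient type and are never returned by Get-DistributionGroup
        if (Get-DynamicDistributionGroup -Identity $Identity -ErrorAction SilentlyContinue) {
            $Problems += "dynamic distribution group"
        } else {
            $Problems += "not found"
        }
        return [PSCustomObject]@{ Group = $Identity; Convertible = $false; Problems = $Problems }
    }
    if ($DL.RecipientTypeDetails -eq "MailUniversalSecurityGroup") { $Problems += "mail-enabled security group" }
    if ($DL.IsDirSynced) { $Problems += "synchronized from on-premises AD (not editable in the cloud)" }

    # Only cloud user mailboxes may be members: nested groups, contacts, mail users
    # and shared/resource mailboxes all block the conversion
    $Members = Get-DistributionGroupMember -Identity $Identity -ResultSize Unlimited
    foreach ($M in ($Members | Where-Object { $_.RecipientTypeDetails -ne "UserMailbox" })) {
        $Problems += "member '$($M.Name)' is $($M.RecipientTypeDetails)"
    }

    [PSCustomObject]@{ Group = $DL.DisplayName; Convertible = ($Problems.Count -eq 0); Problems = $Problems }
}

function Convert-DLToUnifiedGroup {
    param([Parameter(Mandatory)][string]$Identity, [Parameter(Mandatory)][string]$Alias)
    $Check = Test-DLConvertible -Identity $Identity
    if (-not $Check.Convertible) { throw "Cannot convert '$Identity': $($Check.Problems -join '; ')" }

    $DL      = Get-DistributionGroup -Identity $Identity
    $Members = Get-DistributionGroupMember -Identity $Identity -ResultSize Unlimited |
        ForEach-Object { $_.PrimarySmtpAddress.ToString() }
    # Resolve DL owners to SMTP addresses; owners of a group must also be members
    $Owners  = @($DL.ManagedBy | ForEach-Object { (Get-Recipient -Identity $_.ToString()).PrimarySmtpAddress.ToString() })

    # Private by default: a converted DL should not silently become a publicly joinable group
    $Group = New-UnifiedGroup -DisplayName $DL.DisplayName -Alias $Alias -AccessType Private

    # Members first (owners included), then promote the owners
    $AllMembers = @($Members + $Owners | Select-Object -Unique)
    Add-UnifiedGroupLinks -Identity $Group.Identity -LinkType Members -Links $AllMembers
    if ($Owners.Count -gt 0) {
        Add-UnifiedGroupLinks -Identity $Group.Identity -LinkType Owners -Links $Owners
    }

    # Show the resulting membership so it can be compared against the DL
    Get-UnifiedGroupLinks -Identity $Group.Identity -LinkType Members | Select-Object Name, PrimarySmtpAddress
}

Test-DLConvertible -Identity "Sales Team"
Convert-DLToUnifiedGroup -Identity "Sales Team" -Alias "salesteam"
```

The DL keeps its SMTP address after this runs; moving that address to the group (remove the DL, then add the address with Set-UnifiedGroup -EmailAddresses) is a deliberate second step once the membership has been verified, so mail to the old address does not go missing in between.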
COMING SOON
• Office 365 Groups and Yammer Groups
• Soft-delete capability
• Policy-driven lifecycle
• AAD-based naming policy
• Profanity list and custom banned words
• …and more!
IN SUMMARY…
MULTIPLE WAYS TO SHARE
Office 365 Groups offer a lot of interesting potential for team-based collaboration, but they are not a universal panacea for collaboration; other methods are still valuable:
• Distribution lists
• Shared mailboxes
• Yammer
QUESTIONS?