Intro – Office 365 Distribution Group vs. Security Group
While Office 365 is a powerful and extremely popular tool, the vastness of its features and options can be confusing! Today, we’ll explore the various permission group options in Office 365 and the difference between them. Making the right choice between these groups will help save you trouble down the road since it affects how to use groups. Choosing the appropriate permission group here in Office 365 will help you and your colleagues become more efficient.
Office 365 Distribution Groups
An Office 365 distribution group is a group of users that is mail-enabled (you can send emails to this group email account, and by doing that, all listed users will also be emailed automatically rather than having to email them all individually). Some advantages of using a distribution group for emailing is that you can set certain options, such as permitting emails to be sent to external users in the group:
An Office 365 Distribution Group will get it’s own dedicated email address, and when a user wants to send an email to a group of people, e.g., the finance department with seven employees, the user will send an email to the group he created called “Finance,” instead of sending it to each of the seven members individually.
Visibility in the Global Address List
Another advantage is that the distribution groups you have are visible in the global address list, which means all users can see and find this group in Outlook, for example. Then, users don’t need to create their own email groups because users share them.
The first time the end user uses the distribution group, it gets cached in the Outlook profile so the next time the user won’t have to type the complete name or email address.
So the common questions are:
How are Office 365 Distribution Groups like Outlook Email/Contact Groups? What are the benefits of choosing distribution groups over Outlook Contact groups?
Outlook Contact Group
An Outlook Contact Group is local to your machine, it is created using Microsoft Outlook and you can store multiple contacts into a ‘group’:
Outlook Groups do not ‘Sync’ between Devices
Outlook Groups are more difficult to manage if you have multiple machines/devices. For example: a desktop PC and Laptop, local Outlook groups will not automatically sync between the computers.
Outlook Contact Group vs Distribution Group
- End users can easily create an Outlook group so they do not have to type the email address of every user to send an email.
- Outlook group is stored for the individual user (normally on their machine/laptop), unless they export or share it (creating a duplicate copy, which is not synced).
- The Distribution Group works similar to the Outlook group, but the distribution group is shared, this sharing of the groups is made possible because they are available in the GAL (Global Address List) for all users – so they can be shared (and updated) from one central location to multiple users.
- Distribution Groups also have an option for the administrator to specify the delivery methods, such as who can send ‘to’, and send ‘from’ this list, which can help prevent unwanted spam blasts! (See the above screenshot under Distribution Groups.)
- The owner of the distribution group has an option to add/remove users from the distribution group.
Dynamic Distribution Groups
Dynamic Distribution Groups behave just like regular Distribution Groups above, however the memberships are automatically calculated.
This is from Technet:
“Unlike regular distribution groups that contain a defined set of members, the membership list for dynamic distribution groups is calculated each time a message is sent to the group, based on the filters and conditions that you define. When an email message is sent to a dynamic distribution group, it’s delivered to all recipients in the organization that match the criteria defined for that group.”
Dynamic Distribution Groups are more Powerful (and can be more complex)
For example, you can use PowerShell or the Office 365 Exchange Admin Center UI to create one of these and you have the options below to specify criteria that will dynamically build/grab the members.
Benefits of Dynamic Distribution Groups? (over non-dynamic)
This can be very useful when dealing with many users and many frequent changes/additions/removals of users, and helps prevent mistakes since these are just created once and the OU structure should normally not change very often.
Maintenance (of Dynamic & Non-dynamic Distribution Groups)
Both Distribution Groups and Dynamic Distribution Groups require maintenance. Maintenance for a regular Distribution Group can be delegated out to the users, the Dynamic Distribution Groups changes would require someone more technical, such as someone on the IT team to either change the logic inside the list, or change entries in AD for one or more users.
There are two types of security groups:
- Security groups
- Mail-enabled Security groups
1. Security Group
A security group is used to assign permission to a set of users to grant access to things, such as to a SharePoint Site, Web Pages, an entire SharePoint List or Document Library, or even just some files, etc.
Common Set of Permissions (for multiple users)
Also, a security group is for users who may have a common set of permissions. In this way, an Administrator can assign certain permissions (such as for SharePoint Site access) to all users in this group instead of having to enter each person individually.
Let’s say, for example, five members need the edit permission to a folder or SharePoint Library. The administrator can use a security group, which contains all the members who need access, instead of assigning the permissions to each user individually, and assign this Security Group to the folder or SharePoint Library.
Easier to Manage Permissions/Security
Once the admin assigns permission to a security group, and in case the admin wants to give the same level of permission to more users, he/she can select the security group itself and add a member (or members) either from the Office 365 Admin Center, or using Exchange Admin Center, as show below:
Office 365 Admin Center to Manage Members
Below I have Office 365 groups listed, however your ‘Distribution Groups’ and ‘Security Groups’ can also be listed and managed here.
Exchange Admin Center to Manage Members
- Go to your Office 365 Admin Center, click on Admin Centers and click Exchange. Otherwise, you can also just use link below
- Office 365 Exchange Administration center (Outlook.office365.com/ECP)
- Go to recipient>groups>select the group
- Click Edit (Pencil icon)
- Click on the membership button as shown below and add members to the group
What is the difference between a Security group and a Distribution group?
Unlike the distribution group, a security group can manage permissions for the users. The distribution group is used only to send emails to multiple users (who are members of that distribution group).
Also, if you’re using synchronized identity through the AD, the security group is also used to assign permissions to users in the Active Directory.
2. Mail-Enabled Security Group
If we mail-enable the security group, we can send e-mail to all members of that group. For example, if you create a security group that gives members access to the RBAC (Role-based Access control) roles in Office 365, you may want to send an email to that group to notify them about their permissions.
How is a mail-enabled security group different from a distribution group?
Unlike a distribution group, a mail-enabled security group is used to BOTH manage permissions AND send emails to users.
Office 365 Groups
The latest addition to these ‘permission group’ options are ‘Office 365 Groups’.
An Office 365 group is used to communicate, collaborate and schedule meetings or events with group members. Users can create, find and join groups right from their inboxes. Once users create a group or join a group, they can start sharing files and collaborate with each other.
Office 365 Groups are great for users that need collaboration
Office 365 Groups add an Azure AD Group (similar to a Security Group) as well as a SharePoint site (for sharing documents and other information), as well as a ‘group’ email address, similar to a Distribution List.
The ‘group email address’ will also appear in the Global Address List (on by default) and therefore will show up in Outlook for everyone in your organization.
Similar to Distribution Lists
As mentioned above, it is worth repeating that Office 365 groups support group emails, like a distribution list, and appear in the Global Address List.
So a user can send an email to the Office 365 group email account, and all members will receive the email (instead of having to email all users individually).
You can also configure the addresses to be available only to internal organization members or allowed to be emailed by external users.
Office 365 groups also allow you to use the group to set and apply permissions, like a security group. In addition, an Office 365 group has collaboration and social features built into it as shown above.
Office 365 Groups – are Social: Private and Public
When users first create an Office 365 group, they can choose to make the group public or private. Earlier in Office 365, they couldn’t change the privacy settings after they created the group. Now, users can change the privacy settings on an Office 365 group, in Outlook on the web, after they’ve created it.
For example, a user creates a group for the human resources team in their company and made it a public group, but now, the user would like to make it a private group. They can easily change the privacy settings in a few steps as shown below:
- Open OWA (Outlook Web Access)
- Navigate to the Office 365 Group that the user wants to change the privacy terms on
- From the group page, click or tap Edit group tabUnder Privacy, select one of the terms, Public or Private, to match the setting you want
- Click Save to and close the page
Integration with Microsoft Teams
You can use your Office 365 with Microsoft Teams to manage tasks using Planner, open files in SharePoint, set calendar dates for the teams, discuss projects and channels using chat, video or voice calling, which is built on top of Skype. To learn more about Microsoft Teams, visit here:
As an end user, you own any existing Office 365 group and can add it to Microsoft Teams here https://teams.microsoft.com. Otherwise, if you create a team from within the Microsoft Teams application or the team’s website here https://teams.microsoft.com, it automatically creates an Office 365 group with the same name for you.
- I have an existing group, so it will show me the tab below when I open Microsoft Teams:
- Click on Yes, add Microsoft Teams functionality, which will pop up a new window as below:
- Select the group and proceed with selection of “choose team tab”
- Once you are done, you can create your Microsoft Teams site, as well as start with a conversation or file-sharing.
Note: if you opt out of an existing Office 365 group that you own, and you create a new team in Microsoft Teams, it will also create an Office 365 group as well.
With Teams Integration, a company can empower individuals and teams to collaborate for teamwork, offer a chat-based work space and customization options. The screenshot below shows a glimpse of Teams Integration with Office 365 Groups:
Benefits of Office 365 Groups
- You can post emails to the group just as you do for a distribution group.
- Members can upload or view/edit One Drive files.
- Discover, share and collaborate on a team site that’s as good as a SharePoint team site (Please note: The team site in the Office 365 Group is not part of SharePoint sites and the quotas that are available for them).
- A group member (members) can stay updated with third-party apps, like Twitter and Facebook, by enabling the feeds from such sites through the Office 365 group.
- Post photos or ideas or any important information in the One Note app.
- You can assign tasks to group members through a planner.
- You can integrate with Microsoft Teams to get a centralized platform to manage the different Office 365 groups and the assets and resources encompassed within them.
Some How-to’s about Office 365 Groups for Administrators
Team site created by Office 365 Groups—not found in Site Collections List in SharePoint Administration Site?
How do you find the Office 365 Group SharePoint Team site?
“Classic SharePoint Administration”
By default, in Office 365 Administration under ‘SharePoint Admin Center Classic view’, team sites created with Office 365 group are hidden and not visible. It will only list SharePoint sites that are NOT associated with Office 365 Groups. Bah!
Use the new SharePoint Administration Center to view your Office 365 Group SharePoint sites:
PowerShell Alternative to Manage Office 365 Groups
As an admin, to view these sites, the administrator can use PowerShell (shown below) commands: This is the same way you would access and get information from normal team sites as well.
- Connect PowerShell with SharePoint online admin center
Connect SPOService: https://mycompany-admin.sharepoint.com
Note: In this case, the Office 365 group that I created was “test12”
After running this command, it will list all the sites that are hidden or visible in the SharePoint admin center (including the one that’s part of an Office 365 group, in this case it’s test23).
- You can get the complete information about team sites using the command below:
Get SPOSite Identity https://mycompany.sharepoint.com/sites/test23
- To get complete information of this team site, run the command below:
Get SPOSite Identity https://mycompany.sharepoint.com/sites/test23 |f1
- To remove the team site, run the command below. (It’s the same as using PowerShell to remove a regular team site.)
Note: This is only going to remove the group team site.
(ii) As an administrator, how do I remove an Office 365 group using PowerShell?
a) Connect PowerShell to an exchange online
$credential = get-credential
$ExchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $credential -Authentication Basic -AllowRedirection
b) Run the command below to get all the Office 365 groups listed
c) Use the PowerShell command below to remove any of these Office 365 groups
Remove-unifiedgroup -identity email@example.com
(iii) How do you hide an Office 365 group from the Global Address List/GAL?
Set-UnifiedGroup -Identity *firstname.lastname@example.org -HiddenFromAddressListsEnabled $true
(iv) How do I create a library in an Office 365 group team site?
Navigate to the team site > New > document library
Limitations of Office 365 Groups
- Office 365 groups are not visible in Outlook 2013; they are only compatible and integrated with Outlook 2016. In either case, the user can always access the Office 365 groups from the Outlook web app.
- When an Office 365 group is removed, the team site created for the group is not removed by default. The administrator needs to use PowerShell to remove the team site.
Despite these limitations, Office 365 groups support advanced security and compliance features, as well as a huge number of benefits listed above.
Summary about Office 365 Groups vs other options
The use of Office 365 Groups is an effective way to quickly set up team and project members to use a collaboration tool. They are perfect not only for enterprise customers but also small and medium-sized businesses.
Office 365 vs Distribution List vs Contact Group comparison
|Office 365 Group
|Send a copy of an e-mail message to all members.||Yes||Yes||Yes|
|Store copy of each past message sent to the group in shared mailbox.||No||No||Yes|
|Expand groups’ name into members in Outlook.||Yes||Yes||No|
|Dedicated e-mail address.||Yes||No||Yes|
|OneDrive storage for files.||No||No||Yes|
|Dedicated OneNote Notebook.||No||No||Yes|
|Planer, Site, Connectors.||No||No||Yes|
Another Comparison: Office 365 Groups vs Distribution Lists
|Distribution Lists||Office 365 Groups|
|Functionalities||Enables users to send emails to all members of a group.||In addition to the distribution list’s feature, integrates with SharePoint, Yammer, Team, Planner, OneNote, and PowerBI.|
|PowerShell management||Yes, sample cmdlet: Set-DistributionGroup.||Yes, sample cmdlet: Set-UnifiedGroup.|
|Can send emails to all members of a list||Yes, both for internal and external senders.||Yes, both for internal and external senders.|
|Shared inbox||No, emails are only distributed to members.||Yes.|
|Defining access type||Not available.||The option is available.|
|Document library||Not available.||Set up automatically in SharePoint.|
|Shared calendar||Not available.||Set up automatically.|
|Required license||Any AAD subscription (including free.)||Free AAD subscription is enough for most Office 365 Groups’ features. For a full list of available features visit this article.|
|Restore a deleted group||Not available.||Office 365 group can be restored for up to 30 days after deletion.|
|Dynamic membership||Possible with Dynamic Distribution Groups.||Requires Azure AD premium subscription.|
- What is SharePoint? A Beginner’s Guide to MS SharePoint Software - October 8, 2018
- Beginner’s Guide: Windows PowerShell – How to Use Tutorial for Dummies - October 8, 2018
- Remote PowerShell to Manage SharePoint on-premises - August 14, 2018