Microsoft Online Service - Group Management
Overview
Microsoft Groups are a fundamental feature used to control access and make information sharing easier. In the Microsoft 365 platform, there are four core group types, all of which have a core component in Azure AD. Many features in Microsoft 365 are controlled via groups and even things like Teams sites are built on top of groups.
Atria offers Universal Group Management for all four core group types. Core administration is now possible through the Atria UI.
Applies to
15.x onwards
Requires Microsoft Online Service to be deployed and provisioned to the Customer.
Introduction to Group Management
The Core Group Types Supported
- Azure AD Security Groups
- Distribution Groups
- Mail Enabled Security Groups
- Microsoft 365 Groups
Each group type has different properties and features, so the edit form will differ slightly across group types. Note that there are currently some limitations in the available Microsoft APIs which may restrict the functionality offered for some group types.
The table below shows the different group types and their attributes:
Atria interacts with the Microsoft APIs directly; data is retrieved from Microsoft and updated in real time. The time taken to complete a task can vary depending on the group type.
Distribution groups and Mail Enabled Security Groups can only be created if a tenant has a Microsoft Online subscription that has been activated. The group selector will hide these two group types if Exchange Online is not activated.
Exchange Online is activated when the first license containing Exchange Online is assigned to a user. This triggers Microsoft's internal provisioning process for Exchange Online.
Creating Groups
To create a Microsoft Group, head to Services > Microsoft Online > Group Management, and click Add.
The group selector allows you to choose the group type. Once a group type has been selected, it cannot be changed.
For Service Providers using Atria to manage groups on behalf of a customer, the Groups will be displayed, created and edited in the context of the currently selected customer. You can always see the currently selected customer in the banner.
Once you have chosen the group type, you will be presented with multiple configuration options:
When you create a group and attempt to edit it immediately, it may seem that the group has been successfully created. However, it can take some time for the new group to appear in subsequent queries to the Microsoft API. If an error occurs, waiting a few seconds before trying again usually resolves the issue.
Editing Groups
Editing groups provides the same dialog used to create groups. Simply select the required group from the list, and edit the properties as required.
Deleting Groups
To delete a group, select the menu button on the right of the group on the main group management page, then select "Delete". You will be prompted to confirm the deletion:
Access and Security
Default Permissions
- Microsoft Online Administrators role – has full access to create, update, read and delete all groups. This is the default permission that will be granted to end-customer administrators if permissions have not been modified.
- Reseller and Service Provider administrators will by default be able to manage on behalf of their customers.
Advanced Permissions Control
There are four core permissions available which can be added to Atria Security Roles. They are all contained under the Microsoft Online Service Segment.
- Create Group
- Read Group
- Update Group
- Delete Group
Auditing
Atria audits changes to groups in the [MicrosoftOnlineGroups_AT] database table. Changes are stored against the user who performed the change, and any user who was impersonated to make the change.
Any groups created outside of Atria will not have a record within this table, but any subsequent updates to the group, made through Atria, will be recorded.
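The following added example is not Atria code; it is a constructed Python model of the behaviour described under Creating Groups and Auditing: the group selector hides Distribution and Mail Enabled Security groups until Exchange Online is activated, a freshly created group may not be visible to the next query, so reads are retried a bounded number of times, and each change is recorded against the performing user and any impersonated user. FakeDirectory, the group type names and the audit record layout are assumptions made for the example.

```python
import time
from dataclasses import dataclass, field

# The four core group types from this page; two of them need Exchange Online.
GROUP_TYPES = {"AzureADSecurity", "Distribution", "MailEnabledSecurity", "Microsoft365"}
REQUIRES_EXCHANGE_ONLINE = {"Distribution", "MailEnabledSecurity"}

def selectable_group_types(exchange_online_activated: bool) -> set:
    """Mirror the group selector: hide DG/MESG until Exchange Online is activated."""
    if exchange_online_activated:
        return set(GROUP_TYPES)
    return GROUP_TYPES - REQUIRES_EXCHANGE_ONLINE

@dataclass
class FakeDirectory:
    """Constructed stand-in for the Microsoft API (hypothetical): a new group only
    becomes visible to reads after `lag` further queries (eventual consistency)."""
    lag: int = 2
    _groups: dict = field(default_factory=dict)
    _pending: dict = field(default_factory=dict)

    def create(self, name: str, group_type: str) -> str:
        gid = f"gid-{len(self._groups) + len(self._pending) + 1}"
        self._pending[gid] = [self.lag, {"name": name, "type": group_type}]
        return gid

    def get(self, gid: str):
        if gid in self._pending:
            self._pending[gid][0] -= 1
            if self._pending[gid][0] > 0:
                return None            # not yet visible, as described on the page
            self._groups[gid] = self._pending.pop(gid)[1]
        return self._groups.get(gid)

def create_and_fetch(directory, name, group_type, exchange_online_activated,
                     actor, impersonated=None, retries=5, delay=0.0, audit=None):
    """Create a group, audit the change, then read it back with bounded retries."""
    if group_type not in selectable_group_types(exchange_online_activated):
        raise ValueError(f"{group_type} requires Exchange Online to be activated")
    gid = directory.create(name, group_type)
    # Audit: who performed the change and who (if anyone) was impersonated.
    if audit is not None:
        audit.append({"group": gid, "action": "Create",
                      "user": actor, "impersonated": impersonated})
    for _ in range(retries):          # wait briefly and try again, never forever
        group = directory.get(gid)
        if group is not None:
            return gid, group
        time.sleep(delay)
    raise TimeoutError(f"group {gid} not yet visible after {retries} reads")
```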
Dynamic Groups
Dynamic groups are not shown and cannot be created through Atria.
Synced Groups
Groups that are synchronized into Azure AD using Azure AD Connect cannot be edited. Atria will let you view these groups but they will be read-only. The option of managing these groups via Workspace is still possible and will enable editing. The next section explains this feature.
Manage Group Membership through Workspace
When editing a group, you will see a toggle to 'Manage Group Membership through Workspace'. This is a useful feature that allows Microsoft groups to be imported and managed through the Workspace service.
For this feature to work, you will need to have deployed and provisioned Workspace to the customer, and to have at least one Workspace ItemType that matches the Microsoft group you would like to import. For more information on setting up and configuring Workspace, refer here: Workspace Overview.
Once you enable the toggle, fill in the following parameters:
- Workspace ItemType
- Name
- Description
- Any Tags
Click Save and a Workspace item will be created that can be used to manage the Microsoft Group.
Further information on this feature can be found here: AAD Manage via Workspace
Once a group has been imported into Workspace, it can no longer be managed through the Group Management interface, and the group cannot be moved back.