Office 365 Groups are spreading like wildfire, and as they become more and more important it’s crucial for Office 365 & SharePoint admins to have a firm grasp over them. To ensure that, Todd Klindt held a webinar “Demystifying Office 365 Groups” in which he explained how they work and showed the best way to use and administer them. You can watch the full webinar here.
This blog post contains the most interesting questions and Todd’s answers to them.
Question: What is the difference between a Team and a Group?
Todd: This is one of those terminology things again, I’m shaking my fist at the sky because Microsoft uses teams and groups, for all kinds of things. Teams as a product, that’s a chat product that you might use to chat with your team at work, for example to complain about your manager, teams is also what you use inside of the product Teams to chat with your teams, teams is also a kind of group that you can create, so it’s the group like the Outlook Group but with the Microsoft Team. So, the difference between a group and a team depends on context, so you might have an Office 365 Group that is a Teams created group that has the SharePoint plan or whatever, and the Teams group. It gets ugly.
Question: Shouldn’t you create your Office 365 Groups in Teams because if you make it in SharePoint or Office 365 Admin, it does not automatically create a Microsoft Team site/channel?
Todd: They’ve added some new things in the last couple of years. You are right that depending on where you create it you get a different set of resources, and if you create it in SharePoint the way that I do, as a SharePoint person, it does not create a team automatically, but you can “Teamfy” an existing group if you go into Teams and you say I want to create a Team. If you are an owner of an Office 365 group, it will give you the option of creating a team based on that group name and add the team to that existing group, so you don’t lose anything if you create it that way.
Question: Can I create a Group from Teams and add an existing SharePoint Site?
Todd: You cannot, when you create a group inside of Teams it creates a new SharePoint site. You can copy your data over, but you cannot connect it to the existing one, and I mentioned earlier that if you have a SharePoint site you can “Groupify”. You can go to the SharePoint site that was created before a Group, and you can “Groupify” it, and you can do that in the UI or as admin you can do it with PowerShell. I suppose after that group is created you can go to the Teams and add that. You can “Teamify” the group that you created with SharePoint. I didn’t try that particular thing myself, but I suppose you can do it.
Question: When you delete an Office 365 Group is it gone forever or is it a soft delete?
Todd: Deleted Groups can be recovered but only for the next 30 days after deletion, and you can do it with PowerShell. Since it isn’t a SharePoint thing you can’t go into the SharePoint site collection or recycle, so it must be done with PowerShell.
Question: Did I hear that correctly; you can only restore deleted Office 365 Groups via PowerShell not Admin UI?
Todd: I believe that’s the case. There might be an admin UI for it, but I have not looked. I really like PowerShell and so as soon as I found out the way to do it with PowerShell I quit looking.
Question: Does Microsoft Teams seem to you like a leading technology?
Todd: Microsoft is putting a lot of effort into Teams, is putting a lot of programming effort, and they’re putting a lot of marketing effort into Teams. Microsoft very much sees Teams as the next iteration of Outlook, they want it to be the app that you go into and work out of every day. So, you can have your SharePoint files and now your calendar and there you can write apps for it. That’s the way they see that. I’ve got a couple of customers that are doing that but for the most part that’s been a rough transition mostly because the Team’s client has some pretty glaring deficiencies and I think until those deficiencies get fixed in the client, like the ability to have multiple instances or pop windows out, or be logged into multiple tenants at the same time without painful context switching, that probably won’t be adopted.
Question: What is the most effective implementation of Groups and Teams that you’ve seen?
Todd: Most of my customers are very early in the roll-outs of this so I haven’t been able to look at one that’s, you know, a solid six months old to see what works, and what doesn’t work. I know that with every customer that I’ve talked to over the last few months regarding the Groups, it has been a constantly refined process. So, we sat down with them and talked about you know what’s your company culture like, what’s your I.T. culture like, and then once we start doing it, and when all these groups appeared, then they started to get worried and started trying to figure out how to manage it. So, it’s been a moving target.
Question: What does the admin model look like for a company of five thousand users and two dedicated admins?
Todd: Well I imagine there might be alcohol involved. I don’t know. So that seems a little low for IT staff. But if you know with Office 365, maybe you can do that. I would say you’re probably a little bit low if you’ve got everything in Office 365, those folks are going to have to know all kinds of stuff like Exchange, PowerShell, and SharePoint. So, I think that seems like a low staff, especially if that includes helpdesk, training and all that.
Question: What type of analysis tools are available to analyze Office 365 Groups?
Todd: I know the management seems so scary, “how will we ever wrap our arms all the way around this boat”, but SysKit Security Manager is the way to do it. This is a tool that the folks at SysKit have created, and SysKit is a great company. I could go on and on about that. One of the things that they do is they talk to a lot of their customers. They also talk to people out in the field. They bring me in periodically and ask you know what I’ve seen in the field, ask of solutions, or suggestions I have. And they write their products to do that. And one of the things that we’ve talked to them about, and it was no new news, they already knew it, but group management is painful for people. So, they’ve added that to the SysKit Security Manager tool. So, here is just is just a quick overview of what this can do, this is not only a group Management tool. This works with SharePoint on prem, Office 365, SharePoint Groups, and all the other things, but it also has a module for Groups itself. So, you can look for groups, you can run reports on groups, you can see if there’s groups with no owners, it creates a report, it kicks out an Excel spreadsheet and you can see all those kind of things. You can obviously add members here, you can get a report of which groups are sharing files externally, again one big Excel spreadsheet and it’s just all in one spot. Super easy to use. If you want to manage your Groups, you can create them. Again, my example in PowerShell, where I had to write that four pages of PowerShell code to add people to multiple groups you can do that in SysKit Security Manager easily. You can add people to multiple groups at a time. It is just a really friendly tool if you really are jumping in with that. It has a 30-day free trial, so I highly recommend going out there installing it because groups have their little fingers in all different corners of Office 365.
Dear reader, we have decided to replace SysKit Security Manager with a brand new tool. Check out SysKit Point, a cloud-based Office 365 governance solution that offers even more functionalities!
Question: Hello, is the only way to prevent users creating Office 365 groups by doing it in Azure AD via PowerShell? Creating a group and adding only users in that group who are allowed to create Office 365 groups?
Todd: So, can we restrict how can make groups? We can. As you mentioned it’s a pretty ugly process, and I’ll talk about that in a minute, but let’s talk about what that actually does. So if I go in and do this ugly process and I restrict who can create groups that doesn’t keep them from creating the individual pieces that would be created with the group so I can go in and I can say nobody can create groups, but then if a user goes in they can still create a SharePoint site unless we’ve gone out of our way to disable that as well. So, disabling group creation does not disable the creation of all the other things. Now, you said earlier that you had tough time doing that. Right now, that process is PowerShell only, and it is very complicated and convoluted. You need to download the Azure AD PowerShell module, you need to log in as a tenant admin, global admin and you need to look for an Azure AD policy, the domain policy, if it has not been added to your domain you need to add it through PowerShell and then you need to copy that policy out and tweak some parameters of that and then write that back to Azure AD. It is pretty ugly.
Question: Can you define Exceptions to Expiration policies? We have some core Office 365 Groups for our departments which we don’t want to expire but all other group owners should be warned about expiration.
Todd: You can have some groups expire and some not, and I can’t remember if that’s in PowerShell or if that’s in the admin interface. But yes, you can control that. However, you can only have one Expiration Policy for your tenant, so you can have one policy that covers all or some of your groups.
Question: Not sure if its outside the scope of this but interested in your take on Yammer vs Teams. Can you see a place for both?
Todd: I’m not a huge fan of Yammer. I’ve just never really got into that. I’m sure it’s very viable product and people use it all the time, it’s just never been a right fit for me. Teams is a little bit better. I like the concept of Teams. The Teams’ client and I don’t always get along, but I probably like it a little bit better.
Question: I attended a VIP session with Julia White some years ago. She got the question: “Why Groups?”. Her response was, and I quote: “We looked what was working in Yammer – and that was groups – so we created Office 365 groups “
Todd: Office 365 Groups make a lot of sense. Once you get your head wrapped around them, from a management standpoint, they do make a lot of sense. Julia is probably pretty smart there.
Question: How do you feel about using Teams as a file share repository vs. SharePoint?
Todd: Well that’s the thing, Teams is using SharePoint in the background, so you don’t have to choose. You can access the files in Teams or in SharePoint or however. Using the Teams client allows end-users to have all their data “in-context” along with other team activities while retaining all the benefits of the SharePoint platform. Getting your head wrapped around that is complicated. You don’t get to choose, it’s the same either way.
More questions, More answers
Unfortunately, Todd didn’t have enough time to answer all of your questions, but have no fear, SysKit is here. Our SharePoint and Office 365 experts have taken the time to provide you with the answers you needed, so look at the rest of this post to find those questions and answers.
Question: What is the impact of guests on licensing?
SysKit: Guest access is included with all Office 365 Business Premium, Office 365 Enterprise, and Office 365 Education subscriptions with no additional licensing requirements. You can have up to 5 guests per licensed user on your tenant. For more information about licensing, see the Azure Active Directory B2B collaboration licensing guidelines.
Question: Are you going to show the steps to turning on Guests? This has been confusing to me.
SysKit: To enable guests you need to sign in to the Microsoft Teams admin portal, in the navigation menu choose Org-wide settings and select Guest access, then you must click on the toggle next to Allow guest access in Microsoft teams, choose Save and you’re done. For more detailed instructions check out this blog post.
Question: What’s the relationship between Groups and the Modern SharePoint UI?
SysKit: This is how stuff works in Office 365. Every Microsoft Team is an Office 365 Group. Every group has an underlying SharePoint Site. Currently a modern site is being provisioned. You can also create a modern site and then upgrade it to a Group (groupify), or to a Team (teamify).
Question: Whats the best way to govern the creation of Groups and Teams to avoid the sprawl we used to see in SharePoint?
SysKit: If your organization wants to control how Teams are provisioned more closely, it would be advised that you turn off Groups and Teams creation and setup a provisioning workflow managed by e.g. I.T. to create new groups and teams.
Question: Can Office 365 Groups apply permissions across multiple site collections?
SysKit: Yes, you can share another SharePoint site with an Office 365 group. Just be careful as this could lead to a permissions governance nightmare.
Question: Would you say that naming conventions are essential to a clean and organized deployment?
SysKit: Naming conventions do help, and you can configure some org-wide policies for naming Groups. There are other things one should consider, including group lifecycle, governance, provisioning workflows and approvals and monitoring usage.
Still hungry for more Office 365 Groups knowledge?
Watch the full “Demystifying Office 365 Groups” webinar, or try SysKit Security Manager and master Office 365 Groups once and for all. Besides it being a huge help when it comes to Office 365 Groups it will also help you manage Teams, monitor OneDrive, and a lot more. After investing only 2 minutes into installing SysKit Security Manager you will be able to add members to Groups in bulk, change owners or create new Office 365 Groups. You can also monitor group activity and delete inactive groups or groups without users.