How to Manage Office 365 Groups with SysKit Security Manager

Office 365 and its sharing capabilities are amazing, but since everybody in your company can create Office 365 Groups on their own, it’s pretty easy to lose track of all those Groups and fall victim to unnecessary sprawl. Also, Office 365 Groups management can become tricky due to external sharing. You see, anyone in your company can share any group file to anybody outside the company. And that’s just not the safest way of running an organization.

Dear reader, this is the functionality of our former product, SysKit Security Manager. Check out our new cloud-based Microsoft 365 governance solution, SysKit Point, to monitor user activity, manage permissions, make reports, and govern your users and resources.

Luckily, SysKit Security Manager is there to help you govern and manage your Office 365 Groups and keep a cool head. Read more to find out how SysKit approaches group management giving you full visibility and maximum control over your Office 365 Group governance.

Office 365 Groups Overview

If you navigate to Security Manager’s SharePoint explorer, you’ll see an easy site structure over your entire tenant. You will immediately notice red and blue icons pointing you in the direction of either a SharePoint Site Collection (Red Icon) or Office 365 Group Site (Blue Icon). As you know, each group created in Office 365 automatically creates a dedicated site, and with SysKit Security Manager you will get full access to that information. Just connect your tenant and list all Office 365 Groups and the sites that belong to them.

If you click on any of these sites, the entire SharePoint hierarchy for that site will expand. This means you will see every subsite, list and list item below the starting Site. You can see exactly which folders and files are stored in a certain group. Moreover, you can see what type of access rights a certain user has. Whether an Office 365 Group has individual users as members, other groups such as SharePoint, security or other Office 365 groups, you’ll be able to detect them in no time.

In the case of any access requests for this group’s content you can check access requests directly from within the app, this works for anonymous access links as well.SharePoint Permissions explorer

On top of that, you can audit changes and actions made on the site. You can filter it by user, time frame and event details.

Office 365 Groups Explorer

If you navigate to the section below, called the Office 365 Groups explorer, you can see all the Office 365 Groups in a tenant. The view will capture any group, it’s privacy status (Private or public Office 365 Group), group creation date, as well as a count of group members, owners, guests and activity status for the set Office 365 Group.Office 365 Groups Management - explore all Office 365 Groups in a tenant

From the same screen, you can create a new group. You can also add multiple members and owners to multiple existing groups, as well as delete a single or multiple Office 365 Groups with a single click. This brings us to the next set of actions – Office 365 Groups management.

Office 365 Groups User Management

Modern user permissions management is done by adding a user to various Office 365 Groups. It makes user onboarding, as well as offboarding a whole lot easier. Not to mention that this process leaves a lot less room for mistakes. Think about it: instead of giving a user access to hundreds of files, you can add a user to one or maybe two groups, and they’re ready to roll!
SysKit Security Manager makes user onboarding even easier. You can multi-select the users you want to give access to and with a single click add them to multiple groups.

Create Office 365 Groups and Add Office 365 Groups Members

One of the regular tasks of an Office 365 admin is to delete users from the Azure Active Directory when they are leaving the company. But the workloads that the deleted users created, like Office 365 Groups, still remain live. As a consequence, some of the Office 365 Groups in your tenant can become orphaned, or in other words – without owners.

You need to manage orphaned groups as they can’t function without having an owner. Luckily, SysKit Security Manager can help you with that. You can navigate to the Orphaned Office 365 Groups report and see all orphaned groups in a tenant. In the example below, you can see that three Groups in a tenant are orphaned.

Orphaned Office 365 Groups

If you navigate to a specific orphaned group, you can find the button Add Owner and add one or more users to the group.

Add Office 365 Groups Owners and Members

Office 365 Groups Membership

Within SysKit Security Manager you can open each Office 365 Group and see their members, whether they are internal or external users. Management options are built-in, so changing access rights to users becomes easy. But rather than just seeing the group members for each group separately, with our very new Users dashboard, you can list all Office 365 Groups per user. Just select the Single User option, pick a user and click the Office 365 Groups and Teams filter.

For instance, you can check Mary’s access and see what Office 365 Groups she’s a member of. She is supposed to be a member of the group Marketing, but you can see that she’s also a member of the group HR. Since she’s not supposed to have access to confidential files in the group HR, you can remove her from that group.

List all Office 365 Groups Per User

Office 365 Groups External Users and Guest Access

Office 365 is a wild place when it comes to guest access, and that’s why it deserves a special paragraph in this blog post. With SysKit Security Manager you can easily check if someone from outside your company can access your group files. Simply navigate to the Office 365 Groups explorer and select All Groups. There you will see a column named Guests, which shows if a group has external users.

Office 365 Groups with Guests

If you navigate to the group with guest users you can see exactly who those users are.

Office 365 Groups with Guests Details

Having idle guest users or users that don’t have a reason to be in the group poses a security threat for your company. For example, you see that a guest Aldo Muller still has access to the group Demos although he hasn’t been active for two years in that group. You can instantly remove Aldo’s access rights from the SysKit Security Manager interface.

Remove Idle Office 365 Groups Users

You can also generate a report for Groups containing guest users and schedule an automatic delivery to any email address you specify.

Office 365 Groups Guest user report

On top of that, you can use the Externally Shared Content report to see what exactly is shared with guest users down to the list item level. By clicking on any of the users in the report, you can get an insight into their permissions from a different angle.Office 365 Groups Externally shared content report

Office 365 Groups Activity and Adoption

If you have self-service turned on in your organization, Office 365 Groups get created automatically with a new SharePoint site or a new team in Microsoft Teams. Having said that, there’s a good chance that the owner of a self-provisioned group doesn’t even know it’s there.

With the Office 365 Groups explorer, you can simply detect which groups are unused in the period of the last 3 months. In the screenshot below, you can see the Activity row with colored circles. Green circles represent active, while grey ones represent inactive Office 365 Groups.

Detect Unused Office 365 Groups

Once you have detected unused groups, you can simply delete them from the SysKit Security Manager interface.

Delete Unused Office 365 Groups

Office 365 Groups Audit

The newest SysKit Security Manager set of features is contextual Office 365 auditing. This means that you can generate the reports only for the type of activities you are interested in. For example, if you want to check Office 365 Groups activities, you can navigate to the good old Office 365 Groups explorer, hit the audit button and see the activities related to Groups exclusively.

Let’s not forget to mention that the scope and type of activities you get are in a correlation with the depth of information you are looking for. For example, if you’re looking to find all groups created in the last year, you can choose the All Groups audit tab. On the other hand, if you’re interested in who deleted a paycheck table from the group Finance, you can choose to see audit logs only for that site

Microsoft Teams, Office 365 Groups and OneDrive Audit


Hopefully, we showed you how SysKit Security Manager can help you with Office 365 Groups management, audit, and governance. But don’t take our word for it – try it for yourself! With a 30-day free trial, you will have more than enough time to try all the features and see why SysKit Security Manager might just be the right tool for you.

Want to read more posts from us? Subscribe to our blog and stay updated!

SysKit Point Schedule a Demo

Subscribe to the SysKit Blog

Get more product guides, webinar transcripts, and news from the Office 365 and SharePoint world!