Microsoft Security Groups and Microsoft 365 Groups End to End
Check out the new Infographic on Microsoft Groups.

I've been working on how to explain the differences and the strategies for Hybrid group management. It doesn't solve all your problems to synchronize all your groups from the cloud to on-premises or vice versa.

Microsoft Group Management

Best Practices or 5 Keys to Successful Group Management:

Define your Hybrid Group Management Strategy for service-wide governance and security. Some changes should be made only in one environment or the other, so decide for each kind of group which side is authoritative. Those who think they should simply sync all changes both ways are giving up the zero trust security posture that a deliberate strategy provides. Groups that guard sensitive internal data often should not be synchronized to the cloud at all. Governance is not just about security: consider naming conventions, usage, reporting and auditing, ownership, and the policies that govern a group's lifecycle.

Plan Self Service or IT Led with Oversight. The goal should be self service with oversight, but for some services you may decide to have the support desk manage membership. Smaller companies may use IT support, or include IT or HR in the lifecycle or approval process. The service desk can be burdened with simple membership requests that would be better handled by the group owner. Think full lifecycle. Dynamic groups are the best option where they fit, because user attributes (department, location, job title) rather than manual requests determine who is a member. There are identity and access management tools that cover this, including membership management. Delegating group management is important, but with it comes responsibility and accountability.
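As an added example (not code from the original article), this is how the attribute-driven membership described above looks in practice with the Microsoft Graph PowerShell SDK: a dynamic security group whose membership is computed from user.department and user.accountEnabled, an owner recorded at creation time so the group is never orphaned, and a check that rule processing is actually on. The tenant, group name, owner UPN, department value and permission scopes are assumptions made for the example.

```powershell
# Added example, not code from the original article. Assumes the Microsoft.Graph
# module is installed and the caller can consent to the listed scopes.
# Group name, owner UPN and department value are constructed placeholders.

Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

# Membership is decided by user attributes, not by tickets to the service desk.
# Users who are disabled drop out automatically without anyone remembering to remove them.
$rule = '(user.department -eq "Finance") and (user.accountEnabled -eq true)'

$params = @{
    DisplayName                   = "SG-Finance-Dynamic"        # assumed naming convention: SG-<Dept>-<Type>
    MailNickname                  = "sg-finance-dynamic"
    MailEnabled                   = $false
    SecurityEnabled               = $true
    GroupTypes                    = @("DynamicMembership")
    MembershipRule                = $rule
    MembershipRuleProcessingState = "On"
    Description                   = "Finance staff. Membership is attribute-driven; do not request manual adds."
}
$group = New-MgGroup @params

# Record an accountable owner so the group does not start life orphaned.
# Add a secondary owner the same way. The UPN is a constructed placeholder.
$owner = Get-MgUser -UserId "finance.admin@contoso.example"
New-MgGroupOwnerByRef -GroupId $group.Id -BodyParameter @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($owner.Id)"
}

# Verify: if processing is Paused, membership is frozen and the rule is decorative.
$check = Get-MgGroup -GroupId $group.Id -Property "id,displayName,membershipRule,membershipRuleProcessingState"
if ($check.MembershipRuleProcessingState -ne "On") {
    Write-Warning "$($check.DisplayName): rule processing is '$($check.MembershipRuleProcessingState)'; membership will not update"
}

# Rule evaluation is asynchronous, so read the computed membership back rather
# than assuming it is populated the instant the group is created.
$members = @(Get-MgGroupMember -GroupId $group.Id -All)
"{0}: {1} members resolved from rule [{2}]" -f $check.DisplayName, $members.Count, $check.MembershipRule
```

Adding a member by hand to a dynamic group is rejected by the service, which is the point: the rule, not a ticket, is the source of truth, and the owner's job shifts from approving requests to attesting that the rule is still right.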

Provision your groups with lifecycle and membership in mind. Gather additional metadata including owner, secondary owner, department, location, and other contextual data. Imagine the owner leaves: the situation you need to avoid is an orphaned group guarding sensitive data. It is chaos to have groups without proper ownership and management, and relying on the support desk to manage a group is asking for trouble if nobody there knows who should be a member.

Audit your groups' usage and lifecycle periodically and automatically with attestation. Ensure that groups never become orphaned (no owner), that their membership is still valid, and that their existence is still justified. If a group should be removed, that is what needs to happen. Ideally these audits are as automated as possible, with the owner held responsible for the validation and attestation.

Archive or Delete Unused Groups. There is nothing worse than stale groups granting people rights they should no longer have. A group with no members is still a threat: it remains a principal that can be granted access to resources, and the more groups you have, the greater the chance of mistakes. Audit the groups, but also regularly delete, archive, and clean up the mess. Dynamic groups help by keeping membership valid against rules, but owners still need to review their groups regularly. Do they still need it? That should not be a once-in-a-lifetime question.
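The audit and clean-up steps above are the kind of thing that should run on a schedule rather than live in someone's head. As an added example (not code from the original article), the following Microsoft Graph PowerShell report flags every group in the tenant that is orphaned (no owner), empty, past its expiration date, or not renewed within a stale threshold, and suggests an action for each so the owner has something concrete to attest to. The permission scopes, the 90-day stale threshold and the CSV path are assumptions; the Microsoft.Graph module is assumed to be installed.

```powershell
# Added example, not code from the original article. Reports orphaned, empty,
# expired and stale groups with the Microsoft Graph PowerShell SDK.
# Scopes, the stale threshold and the output path are assumptions.

Connect-MgGraph -Scopes "Group.Read.All", "User.Read.All"

function Get-GroupGovernanceReport {
    param([int]$StaleDays = 90)   # assumed threshold; align it with your expiration policy
    $now = Get-Date

    # Request only the properties the report needs; -All walks every page.
    # In a large tenant the per-group owner/member calls below are what get throttled,
    # so run this as a scheduled job, not interactively.
    $groups = Get-MgGroup -All -Property "id,displayName,groupTypes,securityEnabled,mailEnabled,membershipRule,expirationDateTime,renewedDateTime,createdDateTime"

    foreach ($g in $groups) {
        $owners    = @(Get-MgGroupOwner  -GroupId $g.Id -All)
        $members   = @(Get-MgGroupMember -GroupId $g.Id -All)
        $isDynamic = $g.GroupTypes -contains "DynamicMembership"
        $type      = if ($g.GroupTypes -contains "Unified") { "M365" }
                     elseif ($g.SecurityEnabled) { "Security" }
                     else { "Distribution" }

        # Only Microsoft 365 (Unified) groups under an expiration policy carry
        # expirationDateTime/renewedDateTime; for everything else fall back to creation age.
        $lastTouched = if ($g.RenewedDateTime) { $g.RenewedDateTime } else { $g.CreatedDateTime }
        $expired     = [bool]($g.ExpirationDateTime -and $g.ExpirationDateTime -lt $now)
        $stale       = [bool]($lastTouched -and (($now - $lastTouched).Days -gt $StaleDays))
        $orphaned    = $owners.Count -eq 0
        $empty       = $members.Count -eq 0

        # Orphaned comes first: nobody can attest for a group with no owner.
        # An empty static group is still a principal that can be granted rights, so it is not "safe".
        $action = if ($orphaned) { "Assign owner or delete" }
                  elseif ($expired -or $stale) { "Owner attestation: renew, archive or delete" }
                  elseif ($empty -and -not $isDynamic) { "Confirm still needed" }
                  else { "OK" }

        [pscustomobject]@{
            DisplayName = $g.DisplayName
            Id          = $g.Id
            Type        = $type
            Dynamic     = $isDynamic
            OwnerCount  = $owners.Count
            MemberCount = $members.Count
            Orphaned    = $orphaned
            Empty       = $empty
            Expired     = $expired
            Stale       = $stale
            Expires     = $g.ExpirationDateTime
            Action      = $action
        }
    }
}

$report = Get-GroupGovernanceReport -StaleDays 90
$report | Where-Object { $_.Action -ne "OK" } |
    Sort-Object Orphaned, Expired, Stale -Descending |
    Format-Table DisplayName, Type, OwnerCount, MemberCount, Expires, Action -AutoSize

# Hand the full list to whoever drives the attestation campaign. Path is an assumption.
$report | Export-Csv -Path ".\group-governance-report.csv" -NoTypeInformation
```

The report deliberately does not delete anything; that decision belongs to the owner (or, for orphaned groups, to whoever is assigned as the new owner), and the CSV is the input to that attestation rather than a substitute for it.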

Microsoft Group Admin

Groups can be administered in PowerShell across many groups and services, with Microsoft Graph for granular management of an individual Office 365 group, and in the admin UIs of Azure AD, Exchange, and the Microsoft 365 admin center. You will also find per-service policies in Teams, Exchange, and SharePoint. Phew! Each of these UXs behaves differently, and the image above tries to illustrate the differences.

You can read more on collabshow.com and download the full Microsoft 365 Groups and Office 365 Group Infographic and join the webinar on June 4.


More articles by Joel Oleson
