Office 365 GroupsFrom the ground up

SPTechCon San Francisco 2016

Drew Madelung

Email : dmadelung@concurrency.com Twitter : @dmadelung Website: drewmadelung.com

Senior SharePoint and Office 365 consultant.

What are Office 365 Groups?

How do I work with them?

How do they work technically?

How can I administer?

Agenda

Demos, Demos & more Demos

What’s new & What’s Next?Office 365 GroupsFrom the ground up

SPTechConSan Francisco 2016

Collaboration is evolving…

Collaboration has evolvedEmployees work on 2x more teams

now than they did five years ago1

1 Source: 2009, 2014 US IW Survey

The real world of collaboration

Reference

Office 365 Groups

Brings together people, information, and apps across Office 365, to enable better communication and collaboration.

Office 365 Designed for the unique workstyle of every group

SharePoint

Teams

Office 365 ProPlus

Yammer

Outlook

Skype

Intranets, Team Sites & Apps

Chat-based Workspace

Co-Authoring Content

Enterprise Social

Mail & Calendar

Voice, Video & Meetings

Complete Collaboration SolutionOffice 365 addresses the breadth of collaboration needs across your company

Integrated ExperiencesOffice 365 Groups and Graph enable integrated experiences that facilitate effective collaboration

Security and ComplianceOffice 365 delivers the security, compliance and manageability required in today’s workplace

Office 365 Groups

SELF-SERVICE

PUBLIC BY DEFAULT

SHARING TO NON-MEMBERS

CONTEXT & HISTORY

SINGLE DEFINITION

SIMPLE TO MANAGE

Office 365 Groups

Azure Active Directory

AppsOffice 365 Groups

Office 365 Groups building blocksIdentity

Office GraphSk

ype

Conv

ersa

tions

Shar

ePoi

nt

Cale

ndar

Note

book

Dyna

mics

CRM

Plan

s

Powe

r BI

Conn

ecto

rs

Yam

mer

Team

s

All new Team Sites will get an Office 365 Group and all new Office 365 Groups will get a Team Site.

Groups & SharePoint “Groups, Graph, and Governance” – Jeff Teper

Existing Office 365 Groups will get a full SharePoint Team Site.

rolling out

rolled out

Projects

Popular Group Scenarios

Organization Interest

How do I access Office 365 Groups?There are multiple endpoints to get started…

Groups in Outlook on the web

Fully immersive experience accessible via the left navigation. Inner group navigation available once in a group.

Groups through OneDrive (SharePoint!)

Can be accessed through OneDrive and redirects to a document library in a SharePoint site.

SharePoint, SharePoint, SharePoint

The SharePoint tile takes you to a list of Sites which includes your Group sites.

I found a SharePoint site

A full SharePoint team site is connected to the Group.

Groups in Outlook 2016

Participate in conversations, schedule meetings, share files & notes and even initiate a Skype for Business voice and video call for urgent real-time decisions.

Office 365 PlannerCreate new plans, organize & assign tasks, share files, talk about what you’re working on, and get updates on progress.

Integrated with Office 365 Groups, so all of the

conversations in Planner are available in Outlook 2016,

Outlook on the web and the Outlook Groups mobile app.

Power BICreate a workspace to collaborate with your team.

Leverage the Groups collaboration & communication

capabilities to create and review insights.

Dynamics CRMCreate Office 365 Groups for opportunities, cases, accounts and all other entities..

Groups experiences are surfaced in-context within CRM

Outlook Groups app

Available on iOS, Android & Windows Phone. Continue conversations, view files, @mention colleagues and even discover other relevant groups.

Demo!

Office 365 Groups things to know

Eligible to use the NGSC for sync as of Sept release

Anyone can create a group and available in the Global Address List by default

A group can’t have more than 10 owners and a user can’t create more than 250 groups

Currently not supported in Outlook 2016 on the Mac

Groups with more than 1000 members are supported but will decrease performance

When a group owner leaves, all content is saved but new admin must be set at high level

Office 365 Groups can be used as security groups in SharePoint (but not O365 Video)

Group site collections exist under “/sites” managed path but cannot be seen via SP Admin Center

Joining vs SubscribingOn creation, the option is available to subscribe all new members automatically

• Joined = only appear in group mailbox

• Subscribed = receives in private inbox and group

Group email options

What’s behind the scenes

Office 365 plans that include GroupsAny O365 plan that includes Exchange and SharePoint

• Enterprise E1-E5• Academic A2-A4• Government G1-G4• Business Essentials• Business Premium• Enterprise K1 (kiosk)*Exchange-only license can only access Inbox & Calendar

One group system across Office 365One identityAzure Active Directory (AAD) is the master for group identity and membership across Office 365 (Exchange, SharePoint, etc.)

Federated resourcesO365 services extend with their data(e.g., conversations stored in Exchange mailbox & documents stored in SharePoint for a group)

Loose couplingServices notify each other of changes to a group (e.g., creation, deletion, updates)Using sync from AAD to Exchange Online AD and SharePoint Online AD they achieve reliability if they miss notifications

SharePoint

SharePoint Online AD Documents

OneNote

Site collection

Additional workloads

Workload scenarios

Workload resourcesLocal

directory

Exchange

Conversations Calendar

Group mailboxExchange

Online AD

IdentityResource URLsOwnersMembers

AAD

Group identity

Office 365 Admin Center

Management Options – User Interface

Office 365 Admin App

Azure AD Admin Portal

Exchange Admin Console

Outlook Groups App

Clients – (Outlook, Planner, PowerBI)

Demo!

Management Options – ScriptingPowershell

Manipulating groupsAdd-UnifiedGroupLinksGet-UnifiedGroupLinksRemove-UnifiedGroupLinks

Get-UnifiedGroupNew-UnifiedGroupRemove-UnifiedGroupSet-UnifiedGroup

Manipulating group membership

Owners | Members | Subscribers

$creds = Get-Credential$Session = New-PSSession -ConfigurationName Microsoft.Exchange –ConnectionUri ` https://outlook.office365.com/powershell-liveid/ -Credential $creds -Authentication Basic -AllowRedirectionImport-PSSession $Session

Establish a remote session to Exchange Online

Useful Scripts for Groups to Get StartedCreate groupNew-UnifiedGroup –DisplayName “Legal” –Alias “Legal” –EmailAddresses legal@domain.com

Rename groupSet-UnifiedGroup -Identity “Legal” -Alias “Legal” -DisplayName “New Legal” -PrimarySmtpAddress legal@domain.com

View all subscribers, members or owners for a groupGet-UnifiedGroupLinks -Identity “Legal” -LinkType Subscribers

Show detailed info for all groupsGet-UnifiedGroup | select Id,Alias, AccessType, Language,Notes, PrimarySmtpAddress, ` HiddenFromAddressListsEnabled, WhenCreated, WhenChanged, ` @{Expression={([array](Get-UnifiedGroupLinks -Identity $_.Id -LinkType Members)).Count }; ` Label='Members'}, ` @{Expression={([array](Get-UnifiedGroupLinks -Identity $_.Id -LinkType Owners)).Count }; ` Label='Owners'} | Format-Table Alias, Members, Owners

Managing Group CreationThe old way but still can be used for OWA and Outlook 2016Use an OWA Mailbox Policy to disable group creation for ALL users or a SUBSET of users

This does NOT disable group creation EXCEPT when trying to create through Outlook/Exchange Creating groups in other clients/admin areas (PowerBI, Planner, etc…) would

NOT disable

Set-OwaMailboxPolicy -Identity test.com\OwaMailboxPolicy-Default -GroupCreationEnabled $false

Managing Group Creation through Azure ADThe new way uses Azure AD No longer dependency on Exchange so it passes throughout Office 365 If OWA policy exists and AAD policy is enabled, OWA policy will be ignored

You can do 2 things: Disable the default ability of everyone to create a new Office 365 Group Point to an AAD group (Office 365 Group or Distribution Group) that contains a list of

people who are allowed to create groups This group cannot have a group in it, must be individual users Users with higher tenant roles already have access (company admin, mailbox admin,

etc…)

Prerequisites Azure AD Version 1.1.117.0 or later (currently preview)

Managing Group Creation through Azure ADSteps to setup1. Retrieve the Object ID for the group that contains the authorized users

Use Azure AD portal to get Object ID Get-MsolGroup cmdlet to discover GUID via PowerShell

2. Use PowerShell to update the Azure AD policy Pass the GUID of your authorized user group to GroupCreationAllowedGroupId

Connect-MsolService$template = Get-MsolAllSettingTemplate | where-object {$_.displayname -eq “Group.Unified”}$setting = $template.CreateSettingsObject()$setting[“EnableGroupCreation”] = “false”$setting[“GroupCreationAllowedGroupId”] = “7edd1d0b-557d-43e6-b583-4f3e0198c167”New-MsolSettings –SettingsObject $setting

3. Confirm using PowerShell and test creating a groupGet-MsolAllSettings | ForEach Values

Group Guest AccessYou can now grant external users access to Office 365 Groups

Does not comply with tenant blacklist/whitelist

Enabled by default Overall Group guest access is

managed at the tenant level Guests cannot view IRM protected

files Guests needs to access via browser Guests cannot:

Be an owner View the GAL View Group members or contact

cards Access Planner Be blocked by specific user

Feature Guest user allowed?Create a group NoAdd/remove group members NoDelete a group NoJoin a group Yes, by invitationStart a conversation YesReply to a conversation YesSearch for a conversation Yes@mention a person in the group NoPin/Favorite a group NoDelete a conversation Yes"Like" messages NoManage meetings NoView group calendar NoModify calendar events NoAdd a group calendar to a personal calendar

No

View and edit group files Yes, if enabled by tenant adminAccess the group OneNote notebook Yes, via link from group memberBrowse groups No

Group Guest Access

Group owners can invite external people to be guest users

Group members can request an invitation for an external person

Group Guest Access Admin ControlsGuest addition to organization• Allow invitation to guests users in the

organization• Office 365 Portal – Settings & Privacy > Sharing

Guest addition to groups• Allow adding of guests to any group within the

organization. • Office 365 Portal – Services & Add-Ins > Office 365

groups• Allow adding of guests to a specific group in the

organization (only available in Power Shell)

Guest access to group resources• Allow guests to access to any Office 365 group

resources• Office 365 Portal – Services & Add-Ins > Office 365

groups

Group Guest Access PowershellSteps to block for tenant1. Ensure that sharing is allowed in the SharePoint Admin Center / O365

Admin Center2. Use PowerShell to update the Azure AD policy (if settings object exists)

$template = Get-MsolAllSettingTemplate | where-object {$_.displayname -eq “Group.Unified”}$settings = Get-MsolSettings -SettingId $settings.ObjectId$Value = $GroupSettings.GetSettingsValue()$Value["AllowToAddGuests"] = "False"$Value["AllowGuestsToAccessGroups"] = "True"Set-MsolSettings -SettingId $settings.ObjectId -SettingsValue $Value

3. Set AllowGuestsToAccessGroups to False to instantly disable all external users from accessing groups

Group Guest Access PowershellSteps to block external access for a specific group1. Ensure that sharing is allowed in the SharePoint Admin Center / O365 Admin Center2. Use PowerShell to update the Azure AD policy for the group (if no group settings

exist)$group = Get-MsolGroup -All | Where-Object {$_.DisplayName -eq “GROUP DISPLAY NAME”} $groupsettings = Get-MsolAllSettings -TargetObjectId $group.ObjectId$template = Get-MsolSettingTemplate -TemplateId 08d542b9-071f-4e16-94b0-74abb372e3d9$setting = $template.CreateSettingsObject()$settingsnew = New-MsolSettings -SettingsObject $setting -TargetObjectId $group.ObjectId$settings = Get-MsolAllSettings -TargetObjectId $group.ObjectId$value = $GroupSettings.GetSettingsValue()$value["AllowToAddGuests"] = "False"Set-MsolSettings -SettingId $settings.ObjectId -SettingsValue $value -TargetObjectId $group.ObjectId

3. Run a check to see if it worked(Get-MsolAllSettings -TargetObjectId $group.ObjectId).GetSettingsValue() | foreach values

Configuring multi-domain support

Example Main domain is contoso.com Default accepted domain is service.contoso.com (where groups get created by

default) You have a sub-domain called students.contoso.com and groups.contoso.com

Configured with Exchange Address Policy (EAP) via Exchange Powershell

Option 1:All Office 365 Groups built under groups.contoso.com domain

New-EmailAddressPolicy -Name Groups -IncludeUnifiedGroupRecipients `-EnabledEmailAddressTemplates "SMTP:@groups.contoso.com" -Priority 1

Configuring multi-domain support - ContinuedOption 2:

Control what sub-domains Office 365 groups are created in by attribute

Set users which have their Department attribute set to Students to create groups by default in the students.contoso.com domain

New-EmailAddressPolicy -Name StudentsGroups -IncludeUnifiedGroupRecipients -EnabledEmailAddressTemplates `"SMTP:@students.contoso.com” ManagedByFilter {Department -eq 'Students'} -Priority 1

All other users will create groups in the groups.contoso.com domainNew-EmailAddressPolicy -Name OtherGroups -IncludeUnifiedGroupRecipients -EnabledEmailAddressTemplates `

"SMTP:@groups.contoso.com” -Priority 2

Only admins can perform this Use the –RecipientFilter for available properties to filter on (company,

city, office, etc…) If you remove domain you need to update EAPs Max limit of 100 EAPs per organization

What about governance?

Security and Compliance

eDiscovery through Exchange and SharePoint

Data loss prevention

Preservation policies

Audit log and Content search

Management tidbits Establish governance plan for groups

Establish AAD group creation policies

Monitor SharePoint Online Storage to ensure group sites not overtaking total storage

Establish a process to have groups admin support easily available for users

Run reports to try to track groups sprawl

Use UsageGuidelinesUrl and ClassificationList

Migrate multiple distribution lists to Office 365 groups – Link – (also via GUI)

A few technical optionsRemove groups email from GAL (global address list)

Accept/Reject certain users from sending emails to groups

Set-UnifiedGroup –Identity $groupAlias –HiddenFromAddressListsEnabled $true

$groupAlias = “TestGAL”

–RejectMessagesFromSendersOrMembers or -AcceptMessagesOnlyFromSendersOrMembers

Set-UnifiedGroup –Identity $groupAlias –RejectMesssagesFromSendersOrMembers dmadelung@concurrency.com

$groupAlias = “TestHide”

Hide group members unless you are a member of the private group

$groupAlias = “TestSend”

Set-unifiedgroup –Identity $groupAlias –HiddenGroupMembershipEnabled:$true 

Demo!

External access Groups SharePoint sites expanding Group classification Group usage guidelines URL Groups iPad app Privacy type conversion Dynamic membership (requires Azure AD premium) eDiscovery and Litigation available Ability to change privacy type of created Group Azure AD creation restriction Upgrade a DL to a Group via GUI Groups usage reporting As of 12/5/2016

What’s new in Office 365 Groups

What’s upcoming?Launched

Rolling out

As of 12/5/2016http://fasttrack.microsoft.com/roadmap

In Development

• xxxx

Help Contribute & Stay Informed!

O365 Groups UserVoicehttps://office365.uservoice.com/forums/286611-office-365-groups

Microsoft Tech Communityhttps://techcommunity.microsoft.com

Office 365 Roadmaphttps://fasttrack.microsoft.com/roadmap

Office Blogshttps://blogs.office.com/

Office 365 Admin Center – Message Centerhttps://portal.office.com/AdminPortal

Office 365 for IT Proshttp://exchangeserverpro.com/ebooks/office-365-for-it-pros

Questions?Email: dmadelung@concurrency.com Twitter: @dmadelung

Website: drewmadelung.com

Scripts: http://bit.ly/DrewO365GroupScripts

Slides: http://bit.ly/DrewSlides

Office 365 GroupsFrom the ground up

SPTechConSan Francisco 2016