2015/10/24

Office 365 recipient and group types, detailed



Group types in Office 365 are, in my opinion, quite a mess -- especially from a product specification standpoint.  The use of redundant, inconsistent and conflicting terminology, and the limited applicability and/or overlap of certain group types, make it a bit hard for admins and users to wrap their heads around, to be sure.

There is a lot of overlap between recipient types and group types, so I’m including all of both.  This is from clicking through the O365 interface, using test groups, etc.  I believe that it is accurate as of 2015/10/24.  Please let me know if you see any errors.

These are the options for both:
1.       Office 365 groups (“Used for team collaboration” in O365 Admin center) (this is apparently new as of 2014)
a.       Used for: usable as a security group in sharepoint (file access/sharing) and as a distro group in exchange.
b.      Management
                                                               i.      Created in: O365 groups are added through the OWA “Groups”; The group email address cannot be changed once established.
                                                             ii.      Managed in: managed by O365 admins in O365 Admin Center > Groups­, Managed by the group admins in their OWA
                                                            iii.      There appear not to be email aliases (though a contact and forward could be set up elsewhere in O365)

                                                            iv.      There appears to be no way to back the storage space up or recover it if a group is accidentally deleted (short of a Microsoft support request), and I've not found a way to limit examine the file storage use.

c.       Rights
                                                               i.      Creation: access to create is governed by O365 roles; best to have only O365 admins create groups for larger organizations.
                                                             ii.      Ownership: O365 admins can assign a group “admin”
                                                            iii.      Membership approval: can be by assignment, or open where anyone can join, or moderated where they request membership and it must be approved.
                                                           iv.      Delivery management (Send-to): either only people within the organization, or also allow people outside the org to send to. Not sure that this can be moderated.
                                                             v.      Message approval: no message approval
                                                           vi.      Send-as: No
                                                          vii.      Send on behalf: No
                                                        viii.      Deletion: Admins can delete the group (and all content!)
d.      Members: only email-enabled users
e.      Content
                                                               i.      Messages - All messages or “conversations” are stored in a 50 GB mailbox.
                                                             ii.      Files - Includes a Sharepoint document repository for up to 5000 files.
                                                            iii.      Access method: today, it’s only through the outlook web client; can be synced to workstation with Onedrive Business client.
                                                           iv.      Access restrictions: group content can be private or public
1.       private – only members can see the content or receive updates; but anybody can “send to” the group. The group name still shows up in some lists, though, so you wouldn’t want to use a name that disclosed a secret.
2.       Public – anyone can access the content (whether a member or not), subscribe for updates, etc.
2.        (Traditional) Distribution Group (“Used for mail distribution” in O365 Admin center)
a.       Used for: only used in Exchange, for email. Cannot be used for file/sharing permissions.
b.      Management
                                                               i.      Created in: Distro groups are added in the Exchange Admin Center > Recipients > Groups
                                                             ii.      Managed in: managed by O365 admins in the Exchange Admin Center > Recipients > Groups; used to be managed by group owners in OWA, not sure where this is now, or perhaps in Outlook thick client.
                                                            iii.      Can have multiple email aliases
c.       Rights
                                                               i.      Creation: access to create is governed by O365 roles; best to have only O365 admins create groups for larger organizations.
                                                             ii.      Ownership: O365 admins can manage, or can delegate to owners that are email users or email-enabled security groups
                                                            iii.      Membership approval: can be open, closed, or require owner approval.
                                                           iv.      Leaving group: can be open or closed
                                                             v.      Delivery management (Send-to): either only people within the organization, or also allow people outside the org to send to, or allow a specific set of users or mail-enabled security groups
                                                           vi.      Message approval: can be moderated (by an email user or group of moderators), and can specify senders who don’t require message approval
                                                          vii.      Send-as: can delegate (recipient sees messages as coming from the group itself)
                                                        viii.      Send on behalf: can delegate (recipient sees who sent message on behalf of the group)
d.      Members: can be mail-users, mail-enabled contacts, email-enabled security groups, distro groups, or dynamic distro groups. (can not be O365 groups)
e.      Content – There is no “group storage” for files or mailbox.
3.       Dynamic Distribution group
a.       Used for: only used in Exchange, for email. Cannot be used for file/sharing permissions. Dynamic distro group is like a traditional distro group, but the memberships are calculated dynamically, as each message is sent out, and is based on AD attribute values (Dept., State or province, Company, AD Custom attributes 1-13)
b.      Management
                                                               i.      Created in: the Exchange Admin Center > Recipients > Groups
                                                             ii.      Managed in: managed by O365 admins in the Exchange Admin Center > Recipients > Groups; used to be managed by group owners in OWA, not sure where this is now
                                                            iii.      Can have multiple email aliases
c.       Rights
                                                               i.      Creation: access to create is governed by O365 roles; best to have only O365 admins create groups for larger organizations
                                                             ii.      Ownership: O365 admins can manage, or can delegate to a single owner.
                                                            iii.      Membership approval: NA
                                                           iv.      Delivery management (Send-to): either only people within the organization, or also allow people outside the org to send to, or allow a specific set of users or mail-enabled security groups
                                                             v.      Message approval: can be moderated (by an email user or group of moderators), and can specify senders who don’t require message approval
                                                           vi.      Send-as: can delegate (recipient sees messages as coming from the group itself)
                                                          vii.      Send on behalf: can delegate (recipient sees who sent message on behalf of the group)
d.      Members
                                                               i.      Can be “all recipient types”, or
                                                             ii.      Specify certain recipient types: Exchg mailboxes, mail users with external email addrs, resource mailboxes, mail contacts with external email addrs, or mail-enabled groups
4.       Mail-enabled Security Group (*Called “Security Groups” in the Exchange Admin Center!*, and just like security groups “Use to assign Sharepoint permissions” in O365 Admin center! ) (think of it as a security-enabled Distribution group)
a.       Used for: both Exchange email delivery, and Sharepoint/Onedrive for Business file/sharing permissions
b.      Management
                                                               i.      Created in :
1.       Exchange Admin Center > Recipients > Groups
2.       Can be pushed from Okta? (Need to verify that email address can be assigned to a security group after the fact)
                                                             ii.      Managed in: managed by O365 admins in the Exchange Admin Center > Recipients > Groups; used to be managed by group owners in OWA, not sure where this is now
                                                            iii.      Can have multiple email aliases
c.       Rights
                                                               i.      Creation: access to create is governed by O365 roles; best to have only O365 admins create groups for larger organizations
                                                             ii.      Owners: O365 admins can manage, or can delegate to owners that are email users or email-enabled security groups
                                                            iii.      Membership approval: can set to open (where anyone can join) or require owner approval
                                                           iv.      Delivery management (Send-to): either only people within the organization, or also allow people outside the org to send to, or allow a specific set of users or mail-enabled security groups
                                                             v.      Message approval: can be moderated (by an email user or group of moderators), and can specify senders who don’t require message approval
                                                           vi.      Send-as: can delegate (recipient sees messages as coming from the group itself)
                                                          vii.      Send on behalf: can delegate (recipient sees who sent message on behalf of the group)
d.      Members: can be users, email-enabled contacts, distro groups
e.      Content – no “group content” storage; mail-enabled security groups only provide for mail flow and for access to data stored elsewhere in sharepoint / onedrive for business
5.       Security Group (think of it as a “pure security group”) (*not what is called a “security group” in the Exchange Admin Center! ) (like mail-enabled security groups, “Use to assign Sharepoint permissions” in O365 Admin center)
a.       Used for: only used for Sharepoint/Onedrive file/sharing permissions
b.      Management
                                                               i.      Created in:
1.       O365 Admin Center > Groups
2.       can be pushed from Okta,thus from AD based on name filters set in Okta, thus can leverage existing organizational, geography, and project-based groups that have to be maintained in AD, anyway, for file and Okta app access (_org- , _proj-, _geo- groups)
                                                             ii.      Managed in: managed in O365 Admin Center, or pushed from Okta
c.       Rights
                                                               i.      Creation: access to create is governed by O365 roles; best to have only O365 admins create groups for larger organizations
                                                             ii.      Ownership: No delegation of group administration is supported
                                                            iii.      Membership approval: Not supported
d.      Members: can be a user (with or without mailbox), an O365 group, security group, Distro group, or email-enabled security group. (member cannot be dynamic distro group)
e.      Content – no “group content” storage. Security groups only provide access to data stored elsewhere in Sharepoint / onedrive for business
6.       Site Mailbox
a.       I’m not clear on these, exactly; seems to be a Sharepoint site with a mailbox added to it.  But “users have to be added to a sharepoint site individually in order to be able to access the site mailbox from Outlook”.
b.      Seems to be inferior to Office 365 groups, and not needed.
7.       Shared Mailbox
a.       Used for: Exchange only, email is sent to this mailbox. Existing mail-enabled users may access the mailbox. The mailbox cannot be authenticated to directly (e.g., for POP3/IMAP/OWA)
b.      Management:
                                                               i.      Created in: Exchange Admin Center > Recipients > Shared
                                                             ii.      Managed in: Exchange Admin Center > Recipients > Shared
                                                            iii.      Can have multiple aliases
c.       Rights
                                                               i.      Creation: access to create is governed by O365 roles
                                                             ii.      Ownership: “Full Access” can be delegated delegate to an mail-enabled user or email-enabled group
                                                            iii.      Membership approval: NA
                                                           iv.      Delivery management (Send-to): Can set to anyone, only authenticated users, and/or can block certain senders
                                                             v.      Message approval: No
                                                           vi.      Send-as: can delegate to an mail-enabled user or email-enabled group (recipient sees messages as coming from the mailbox/email address itself)
                                                          vii.      Send on behalf: No
d.      Membership: Shared mailboxes can belong to O365 groups, distro groups, email-enabled security groups, security groups, and perhaps dynamic distro groups.
e.      Mail flow
                                                               i.      Can forward or forward&store
                                                             ii.      Can limit message size
f.        Content
                                                               i.      Messages - All messages are stored in a 50 GB mailbox.
                                                             ii.      Files – No file storage; only attachments on messages
                                                            iii.      Access method: OWA, pop3, imap, or Outlook client,
                                                           iv.      Access restrictions: See “Ownership”
8.       Email Contacts
a.       Used for: Exchange only, for email forwarding or for Global Address List population
b.      Management
                                                               i.      Created in: Exchange Admin Center > Recipients > Contacts
                                                             ii.      Managed in: Exchange Admin Center > Recipients > Contacts
                                                            iii.      Can have multiple aliases
c.       Delivery management (Send-to): Can set to anyone, only authenticated users, and/or can block certain senders
d.      Membership: Contacts can belong to O365 groups, distro groups, email-enabled security groups, security groups, and perhaps dynamic distro groups.
9.       Mailbox (Mail-enabled User)
a.       Not going to elaborate
10.   Resource Mailbox
a.       Not going to elaborate
11.   Access Definitions
a.       Joining group:
                                                               i.      Open: anyone can join this group without being approved by the group owners
                                                             ii.      Closed: Members can be added only by the group owners. All requests to join will be rejected automatically
                                                            iii.      Owner Approval: All requests are approved or rejected by the group owners
b.      Leaving Group:
                                                               i.      Open: Anyone can leave this group without being approved by the group owners
                                                             ii.      Closed: Members can be removed only by the group owners  All requests to leave will be rejected automatically