Group types in Office 365 are, in my opinion, quite a mess -- especially from a product specification standpoint. The use of redundant, inconsistent and conflicting terminology, and the limited applicability and/or overlap of certain group types, make it a bit hard for admins and users to wrap their heads around, to be sure.
There is a lot of overlap between recipient types and group types, so I’m including all of both. This is from clicking through the O365 interface, using test groups, etc. I believe that it is accurate as of 2015/10/24. Please let me know if you see any errors.

These are the options for both:
1. Office 365 groups (“Used for team collaboration” in O365 Admin Center) (this is apparently new as of 2014)
  a. Used for: usable as a security group in SharePoint (file access/sharing) and as a distro group in Exchange.
  b. Management
    i. Created in: O365 groups are added through the OWA “Groups”; the group email address cannot be changed once established.
    ii. Managed in: managed by O365 admins in O365 Admin Center > Groups; managed by the group admins in their OWA
    iii. There appear not to be email aliases (though a contact and forward could be set up elsewhere in O365)
    iv. There appears to be no way to back the storage space up or recover it if a group is accidentally deleted (short of a Microsoft support request), and I've not found a way to limit or examine the file storage use.
  c. Rights
    i. Creation: access to create is governed by O365 roles; best to have only O365 admins create groups for larger organizations.
    ii. Ownership: O365 admins can assign a group “admin”
    iii. Membership approval: can be by assignment, or open where anyone can join, or moderated where they request membership and it must be approved.
    iv. Delivery management (Send-to): either only people within the organization, or also allow people outside the org to send to. Not sure that this can be moderated.
    v. Message approval: no message approval
    vi. Send-as: No
    vii. Send on behalf: No
    viii. Deletion: Admins can delete the group (and all content!)
  d. Members: only email-enabled users
  e. Content
    i. Messages - All messages or “conversations” are stored in a 50 GB mailbox.
    ii. Files - Includes a SharePoint document repository for up to 5000 files.
    iii. Access method: today, it’s only through the Outlook web client; can be synced to workstation with OneDrive Business client.
    iv. Access restrictions: group content can be private or public
      1. Private – only members can see the content or receive updates; but anybody can “send to” the group. The group name still shows up in some lists, though, so you wouldn’t want to use a name that disclosed a secret.
      2. Public – anyone can access the content (whether a member or not), subscribe for updates, etc.
2. (Traditional) Distribution Group (“Used for mail distribution” in O365 Admin Center)
  a. Used for: only used in Exchange, for email. Cannot be used for file/sharing permissions.
  b. Management
    i. Created in: Distro groups are added in the Exchange Admin Center > Recipients > Groups
    ii. Managed in: managed by O365 admins in the Exchange Admin Center > Recipients > Groups; used to be managed by group owners in OWA, not sure where this is now, or perhaps in Outlook thick client.
    iii. Can have multiple email aliases
  c. Rights
    i. Creation: access to create is governed by O365 roles; best to have only O365 admins create groups for larger organizations.
    ii. Ownership: O365 admins can manage, or can delegate to owners that are email users or email-enabled security groups
    iii. Membership approval: can be open, closed, or require owner approval.
    iv. Leaving group: can be open or closed
    v. Delivery management (Send-to): either only people within the organization, or also allow people outside the org to send to, or allow a specific set of users or mail-enabled security groups
    vi. Message approval: can be moderated (by an email user or group of moderators), and can specify senders who don’t require message approval
    vii. Send-as: can delegate (recipient sees messages as coming from the group itself)
    viii. Send on behalf: can delegate (recipient sees who sent message on behalf of the group)
  d. Members: can be mail-users, mail-enabled contacts, email-enabled security groups, distro groups, or dynamic distro groups. (cannot be O365 groups)
  e. Content – There is no “group storage” for files or mailbox.
3. Dynamic Distribution group
  a. Used for: only used in Exchange, for email. Cannot be used for file/sharing permissions. Dynamic distro group is like a traditional distro group, but the memberships are calculated dynamically, as each message is sent out, and is based on AD attribute values (Dept., State or province, Company, AD Custom attributes 1-13)
  b. Management
    i. Created in: the Exchange Admin Center > Recipients > Groups
    ii. Managed in: managed by O365 admins in the Exchange Admin Center > Recipients > Groups; used to be managed by group owners in OWA, not sure where this is now
    iii. Can have multiple email aliases
  c. Rights
    i. Creation: access to create is governed by O365 roles; best to have only O365 admins create groups for larger organizations
    ii. Ownership: O365 admins can manage, or can delegate to a single owner.
    iii. Membership approval: NA
    iv. Delivery management (Send-to): either only people within the organization, or also allow people outside the org to send to, or allow a specific set of users or mail-enabled security groups
    v. Message approval: can be moderated (by an email user or group of moderators), and can specify senders who don’t require message approval
    vi. Send-as: can delegate (recipient sees messages as coming from the group itself)
    vii. Send on behalf: can delegate (recipient sees who sent message on behalf of the group)
  d. Members
    i. Can be “all recipient types”, or
    ii. Specify certain recipient types: Exchg mailboxes, mail users with external email addrs, resource mailboxes, mail contacts with external email addrs, or mail-enabled groups
4. Mail-enabled Security Group (*Called “Security Groups” in the Exchange Admin Center!*, and just like security groups “Use to assign Sharepoint permissions” in O365 Admin Center!) (think of it as a security-enabled Distribution group)
  a. Used for: both Exchange email delivery, and SharePoint/OneDrive for Business file/sharing permissions
  b. Management
    i. Created in:
      1. Exchange Admin Center > Recipients > Groups
      2. Can be pushed from Okta? (Need to verify that email address can be assigned to a security group after the fact)
    ii. Managed in: managed by O365 admins in the Exchange Admin Center > Recipients > Groups; used to be managed by group owners in OWA, not sure where this is now
    iii. Can have multiple email aliases
  c. Rights
    i. Creation: access to create is governed by O365 roles; best to have only O365 admins create groups for larger organizations
    ii. Owners: O365 admins can manage, or can delegate to owners that are email users or email-enabled security groups
    iii. Membership approval: can set to open (where anyone can join) or require owner approval
    iv. Delivery management (Send-to): either only people within the organization, or also allow people outside the org to send to, or allow a specific set of users or mail-enabled security groups
    v. Message approval: can be moderated (by an email user or group of moderators), and can specify senders who don’t require message approval
    vi. Send-as: can delegate (recipient sees messages as coming from the group itself)
    vii. Send on behalf: can delegate (recipient sees who sent message on behalf of the group)
  d. Members: can be users, email-enabled contacts, distro groups
  e. Content – no “group content” storage; mail-enabled security groups only provide for mail flow and for access to data stored elsewhere in SharePoint / OneDrive for Business
5. Security Group (think of it as a “pure security group”) (*not what is called a “security group” in the Exchange Admin Center!*) (like mail-enabled security groups, “Use to assign Sharepoint permissions” in O365 Admin Center)
  a. Used for: only used for SharePoint/OneDrive file/sharing permissions
  b. Management
    i. Created in:
      1. O365 Admin Center > Groups
      2. Can be pushed from Okta, thus from AD based on name filters set in Okta, thus can leverage existing organizational, geography, and project-based groups that have to be maintained in AD, anyway, for file and Okta app access (_org- , _proj-, _geo- groups)
    ii. Managed in: managed in O365 Admin Center, or pushed from Okta
  c. Rights
    i. Creation: access to create is governed by O365 roles; best to have only O365 admins create groups for larger organizations
    ii. Ownership: No delegation of group administration is supported
    iii. Membership approval: Not supported
  d. Members: can be a user (with or without mailbox), an O365 group, security group, distro group, or email-enabled security group. (member cannot be dynamic distro group)
  e. Content – no “group content” storage. Security groups only provide access to data stored elsewhere in SharePoint / OneDrive for Business
6. Site Mailbox
  a. I’m not clear on these, exactly; seems to be a SharePoint site with a mailbox added to it. But “users have to be added to a sharepoint site individually in order to be able to access the site mailbox from Outlook”.
  b. Seems to be inferior to Office 365 groups, and not needed.
7. Shared Mailbox
  a. Used for: Exchange only, email is sent to this mailbox. Existing mail-enabled users may access the mailbox. The mailbox cannot be authenticated to directly (e.g., for POP3/IMAP/OWA)
  b. Management
    i. Created in: Exchange Admin Center > Recipients > Shared
    ii. Managed in: Exchange Admin Center > Recipients > Shared
    iii. Can have multiple aliases
  c. Rights
    i. Creation: access to create is governed by O365 roles
    ii. Ownership: “Full Access” can be delegated to a mail-enabled user or email-enabled group
    iii. Membership approval: NA
    iv. Delivery management (Send-to): Can set to anyone, only authenticated users, and/or can block certain senders
    v. Message approval: No
    vi. Send-as: can delegate to a mail-enabled user or email-enabled group (recipient sees messages as coming from the mailbox/email address itself)
    vii. Send on behalf: No
  d. Membership: Shared mailboxes can belong to O365 groups, distro groups, email-enabled security groups, security groups, and perhaps dynamic distro groups.
  e. Mail flow
    i. Can forward or forward & store
    ii. Can limit message size
  f. Content
    i. Messages - All messages are stored in a 50 GB mailbox.
    ii. Files – No file storage; only attachments on messages
    iii. Access method: OWA, POP3, IMAP, or Outlook client
    iv. Access restrictions: See “Ownership”
8. Email Contacts
  a. Used for: Exchange only, for email forwarding or for Global Address List population
  b. Management
    i. Created in: Exchange Admin Center > Recipients > Contacts
    ii. Managed in: Exchange Admin Center > Recipients > Contacts
    iii. Can have multiple aliases
  c. Delivery management (Send-to): Can set to anyone, only authenticated users, and/or can block certain senders
  d. Membership: Contacts can belong to O365 groups, distro groups, email-enabled security groups, security groups, and perhaps dynamic distro groups.
9. Mailbox (Mail-enabled User)
  a. Not going to elaborate
10. Resource Mailbox
  a. Not going to elaborate
11. Access Definitions
  a. Joining group:
    i. Open: Anyone can join this group without being approved by the group owners
    ii. Closed: Members can be added only by the group owners. All requests to join will be rejected automatically
    iii. Owner Approval: All requests are approved or rejected by the group owners
  b. Leaving group:
    i. Open: Anyone can leave this group without being approved by the group owners
    ii. Closed: Members can be removed only by the group owners. All requests to leave will be rejected automatically
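
The join, delivery and delegation settings listed above can be checked across all distribution and mail-enabled security groups at once. The PowerShell below is an added example, not part of the original post: it assumes the property names returned by Get-DistributionGroup (MemberJoinRestriction, RequireSenderAuthenticationEnabled, ModerationEnabled, GrantSendOnBehalfTo), and the function name and sample groups are made up for illustration.

```powershell
# Added example, not from the original post. Property names are the ones
# Get-DistributionGroup returns in Exchange Online PowerShell.
function Get-GroupExposureFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Group
    )
    process {
        $findings = @()
        # "Joining group: Open" means no owner approval before membership applies.
        if ($Group.MemberJoinRestriction -eq 'Open') {
            if ($Group.RecipientTypeDetails -eq 'MailUniversalSecurityGroup') {
                $findings += 'Open join on a mail-enabled security group: joining also confers its SharePoint/OneDrive permissions'
            } else {
                $findings += 'Open join: any user can add themselves to this list'
            }
        }
        # Delivery management: outside senders accepted, and nothing moderates them.
        if ((-not $Group.RequireSenderAuthenticationEnabled) -and (-not $Group.ModerationEnabled)) {
            $findings += 'Accepts senders outside the organization with no message approval'
        }
        # Send on behalf: list the delegates so an owner can confirm each one.
        $delegates = @($Group.GrantSendOnBehalfTo | Where-Object { $_ })
        if ($delegates.Count -gt 0) {
            $findings += 'Send on behalf delegated to: ' + ($delegates -join ', ')
        }
        foreach ($finding in $findings) {
            [pscustomobject]@{ Group = $Group.DisplayName; Finding = $finding }
        }
    }
}

# Constructed sample objects (hypothetical group names) so this runs offline.
$sampleGroups = @(
    [pscustomobject]@{
        DisplayName = '_proj-apollo'; RecipientTypeDetails = 'MailUniversalSecurityGroup'
        MemberJoinRestriction = 'Open'; RequireSenderAuthenticationEnabled = $true
        ModerationEnabled = $false; GrantSendOnBehalfTo = @()
    }
    [pscustomobject]@{
        DisplayName = 'helpdesk'; RecipientTypeDetails = 'MailUniversalDistributionGroup'
        MemberJoinRestriction = 'Closed'; RequireSenderAuthenticationEnabled = $false
        ModerationEnabled = $false; GrantSendOnBehalfTo = @('alice@example.com')
    }
)
$sampleGroups | Get-GroupExposureFinding | Format-List

# In a tenant session: Get-DistributionGroup -ResultSize Unlimited | Get-GroupExposureFinding
```

Dynamic distribution groups and pure security groups have no join setting, so they are out of scope for the open-join check.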