ASD's Blueprint for Secure Cloud

Groups

This section describes the design decisions associated with groups and group naming conventions for system(s) built using ASD's Blueprint for Secure Cloud.


Groups are of three types:

  • Privileged - Platform-owned administrative groups that grant access to the control and management security planes (e.g. Azure subscriptions). Membership is held by platform owners only and is time-boxed through PIM.
  • Security - Resource Owner managed groups that grant access to data and workload security plane resources (e.g. applications).
  • Microsoft 365 - User managed groups for more fluid and temporary membership for collaboration purposes (e.g. email groups, teams).

Users can be assigned to these groups in a number of ways:

| Type | Description | Usage |
| --- | --- | --- |
| Dynamically | Membership is derived from a fixed rule, usually evaluated over user metadata (e.g. department, user type) | Used by the platform owners for administrative purposes. |
| Assigned Directly | The group's owner, or a user holding a user management role, adds users directly to the group using the Entra portal or the Group Access Panel | Used by Team Leads for ad hoc assignments to organisational or project based Microsoft 365 Groups. |
| Privileged Group Activation | Specialised group whose membership is activated for time-boxed periods using PIM; users are made eligible rather than standing members | Used for privileged groups. |
| Entitlement Packages | Assigns users to groups through a request and approval process using Entitlement Management access packages | Used by Resource Owners to assign users to Security Groups. |
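As an added illustration, which is not part of the Blueprint's own artefacts, the following Microsoft Graph PowerShell creates one group of each type above and applies the matching assignment method from the table: a role-assignable security group whose membership is made eligible (not active) through PIM, a dynamic security group populated by a membership rule, and a private Microsoft 365 group with a directly assigned owner. Group names, the membership rule, the user object IDs and the eligibility duration are placeholders, and the Microsoft.Graph modules and permission scopes are assumed to be available in the tenant. The PIM activation policy for the group (MFA, justification, maximum activation time) is configured separately and is not shown.

```powershell
# Added example, not from the Blueprint. Requires the Microsoft.Graph.Groups and
# Microsoft.Graph.Identity.Governance modules. All names and IDs below are placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All",
                        "RoleManagement.ReadWrite.Directory",
                        "PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup"

$PlatformAdminUserId = "00000000-0000-0000-0000-000000000000"   # placeholder: a platform owner
$TeamLeadUserId      = "00000000-0000-0000-0000-000000000001"   # placeholder: a team lead

# --- Privileged group ---------------------------------------------------------
# Role-assignable so it can hold Entra roles or Azure RBAC at subscription scope.
# IsAssignableToRole can only be set at creation and such groups cannot be dynamic,
# so membership is controlled by PIM rather than by a rule.
$priv = New-MgGroup -DisplayName "grp-priv-platform-subscription-owners" `
    -MailNickname "grp-priv-platform-subscription-owners" `
    -SecurityEnabled -MailEnabled:$false -IsAssignableToRole `
    -Description "Platform-owned. Membership is activated through PIM only."

# Make the platform admin ELIGIBLE, not a standing member. Each activation is then
# time-boxed by the group's PIM policy; the duration here bounds the eligibility itself.
$schedule = @{
    startDateTime = (Get-Date).ToUniversalTime().ToString("o")
    expiration    = @{ type = "afterDuration"; duration = "P365D" }
}
New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest `
    -AccessId "member" -GroupId $priv.Id -PrincipalId $PlatformAdminUserId `
    -Action "adminAssign" -ScheduleInfo $schedule `
    -Justification "Blueprint privileged group onboarding"

# --- Security group (dynamic) -----------------------------------------------
# Membership derives from user metadata; Entra evaluates the rule string continuously.
$sec = New-MgGroup -DisplayName "grp-sec-all-guest-accounts" `
    -MailNickname "grp-sec-all-guest-accounts" `
    -SecurityEnabled -MailEnabled:$false `
    -GroupTypes "DynamicMembership" `
    -MembershipRule '(user.userType -eq "Guest")' `
    -MembershipRuleProcessingState "On"

# --- Microsoft 365 group ----------------------------------------------------
# Unified group: mail-enabled, not security-enabled, private, with a directly
# assigned owner who then manages members through the Group Access Panel.
$m365 = New-MgGroup -DisplayName "Project Falcon" -MailNickname "project-falcon" `
    -MailEnabled -SecurityEnabled:$false -GroupTypes "Unified" -Visibility "Private"
New-MgGroupOwner -GroupId $m365.Id -DirectoryObjectId $TeamLeadUserId

# --- Checks a reviewer would run ---------------------------------------------
# 1. No role-assignable group may be dynamic. Entra enforces this at creation, but
#    verify after any bulk import or migration.
Get-MgGroup -Filter "isAssignableToRole eq true" -All -Property "id,displayName,groupTypes" |
    Where-Object { $_.GroupTypes -contains "DynamicMembership" } |
    ForEach-Object { Write-Warning "Role-assignable group $($_.DisplayName) is dynamic" }

# 2. The privileged group should have no standing (permanently active) members;
#    eligible users only appear here while their activation is current.
$standing = @(Get-MgGroupMember -GroupId $priv.Id -All)
if ($standing.Count -gt 0) {
    Write-Warning "$($standing.Count) standing member(s) in $($priv.DisplayName)"
}
```

Running the two checks on a schedule, rather than once at creation, is what gives the privileged tier its value: a standing member added "temporarily" through the portal bypasses PIM entirely and is invisible unless something reconciles actual membership against the intended model.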

Microsoft 365 Groups

Microsoft 365 groups (as opposed to security groups) include a suite of linked resources that users can use for communication and collaboration. Groups always include a SharePoint site, a mailbox and calendar, and Stream. Depending on how the group is created, other services such as Teams can optionally be added.

Microsoft 365 groups are designed to be user created, enabling users to choose the set of people with whom they wish to collaborate and to easily set up a collection of resources for those people to share. Groups can be created from multiple endpoints including Outlook, SharePoint, Teams, and other environments. Adding a member to the group automatically grants that member the permissions needed for every asset provided by the group, so the group membership, rather than the individual resources, is the unit of access to govern.

Microsoft 365 Groups include a variety of governance controls, including an expiration policy, naming conventions, and a blocked words policy, to help manage groups.

Microsoft recommends self-service to empower group owners and help users get their work done more easily. Limiting group and team creation can slow users' productivity because many Microsoft 365 services require that groups be created for the service to function.
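The governance controls named above are tenant-wide settings rather than written policy. As an added example, not the Blueprint's own configuration, the following Microsoft Graph PowerShell applies a 180-day expiration policy to all Microsoft 365 groups, enforces a naming prefix and a blocked words list, and keeps self-service creation enabled as the paragraph recommends while showing the setting that would restrict it. The Group.Unified settings object is exposed on the Graph beta endpoint, hence the Microsoft.Graph.Beta cmdlets; the prefix string, blocked words, notification mailbox and lifetime are placeholders. Note that the naming policy does not apply to Global Administrators and certain other admin roles, so it is a usability control, not a security boundary.

```powershell
# Added example, not from the Blueprint. Group.Unified directory settings are on the
# Graph beta endpoint (Microsoft.Graph.Beta.Identity.DirectoryManagement); the lifecycle
# policy is v1.0 (Microsoft.Graph.Groups). Values below are placeholders.
Connect-MgGraph -Scopes "Directory.ReadWrite.All"

# --- Expiration policy ------------------------------------------------------
# One lifecycle policy per tenant: update it if present, otherwise create it.
# Owners receive renewal mail; mail for ownerless groups goes to the alternate address.
$lifecycle = Get-MgGroupLifecyclePolicy
if ($lifecycle) {
    Update-MgGroupLifecyclePolicy -GroupLifecyclePolicyId $lifecycle.Id `
        -GroupLifetimeInDays 180 -ManagedGroupTypes "All" `
        -AlternateNotificationEmails "m365-governance@example.gov.au"
} else {
    New-MgGroupLifecyclePolicy -GroupLifetimeInDays 180 -ManagedGroupTypes "All" `
        -AlternateNotificationEmails "m365-governance@example.gov.au"
}

# --- Naming convention, blocked words, self-service -------------------------
$desired = @{
    # [Department] is resolved from the creating user's attribute at creation time
    PrefixSuffixNamingRequirement = "GRP-[Department]-[GroupName]"
    CustomBlockedWordsList        = "Payroll,Incident,Security,Exec"   # comma-separated, case-insensitive
    EnableGroupCreation           = "true"                             # keep self-service on, as recommended above
    GroupCreationAllowedGroupId   = ""                                 # set to a security group id only when restricting creation
}

$setting = Get-MgBetaDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
if (-not $setting) {
    # No tenant-level settings object yet: instantiate it from the template, which
    # carries a default value for every setting name, overriding only what we want.
    $template = Get-MgBetaDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }
    $values = foreach ($tv in $template.Values) {
        $val = if ($desired.ContainsKey($tv.Name)) { $desired[$tv.Name] } else { $tv.DefaultValue }
        @{ name = $tv.Name; value = $val }
    }
    $setting = New-MgBetaDirectorySetting -BodyParameter @{ templateId = $template.Id; values = @($values) }
} else {
    # Settings object exists: preserve every current value we are not changing.
    $values = foreach ($v in $setting.Values) {
        $val = if ($desired.ContainsKey($v.Name)) { $desired[$v.Name] } else { $v.Value }
        @{ name = $v.Name; value = $val }
    }
    Update-MgBetaDirectorySetting -DirectorySettingId $setting.Id -BodyParameter @{ values = @($values) }
}

# --- Verify the values that were written --------------------------------------
(Get-MgBetaDirectorySetting -DirectorySettingId $setting.Id).Values |
    Where-Object { $_.Name -in $desired.Keys } |
    Format-Table Name, Value
```

Read-then-merge matters here because the directory settings API replaces the whole values collection: writing only the four keys of interest would silently reset unrelated settings such as guest access to groups back to their defaults.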

Security & Governance

  • None identified

Design

References
