ASD's Blueprint for Secure Cloud

Microsoft 365 Groups

This section describes the design decisions associated with Microsoft 365 groups for system(s) built using ASD's Blueprint for Secure Cloud.


Microsoft 365 Groups are an extension of the traditional mail distribution lists, mail-enabled security groups and shared mailboxes.

Microsoft 365 Groups enable members to collaborate through a group email address, a shared workspace for conversations, files and calendar events, and a Planner. Unlike shared mailboxes, Microsoft 365 Groups can be accessed via mobile applications. Microsoft 365 Groups are also integrated with Microsoft Teams, and a group is created whenever a Team is created.

Membership of a Microsoft 365 Group can be updated dynamically using user attributes available in Microsoft 365. This removes some of the overhead involved in managing traditional group structures.

Management of Microsoft 365 Groups can be streamlined through the enforcement of a naming policy, Microsoft 365 Group expiry, and creation restrictions. A Microsoft 365 Group Naming Policy enforces a consistent naming strategy across Microsoft 365 Groups. It consists of two parts:

  • Prefix-Suffix Naming Policy – Setting of prefixes or suffixes for group names. The prefixes/suffixes can be either fixed strings or user attributes; and
  • Custom Blocked Words – Blocking of words in the name based on a custom list.

Within Microsoft 365 applications, the enforced prefix or suffix is displayed as part of the group name, for example in a Microsoft Teams team name. While naming policies for Microsoft 365 Groups assist with governance of group resources, it is therefore also important to select a naming standard that is meaningful to the user group.

To create an effective Microsoft 365 Group naming strategy, consider adopting a naming standard that helps users identify the purpose or function of the group. Dynamic attributes, such as the user who created the group or that user's department or office location, can also be substituted into the name, for example:

  • <Team Name> - Human Resources Dept
  • Organisation - <Project Name> - Sydney

Microsoft 365 Groups can also be given expiration dates, which assist with the clean-up of unused groups. The expiration period commences from group creation and can be renewed at the end of the period. The owner, or the nominated contact for groups with no owners, has 30 days to renew the group. When a group expires, it is soft deleted for 30 days. Retention policies will, however, hold the data for the period defined by the retention policy. An expiration policy can be applied globally to all groups or to specific groups.

By default, Microsoft 365 Groups can be created by any user. This can be restricted to administrators and members of a nominated security group, which prevents the needless creation of groups. It is advisable to develop a workflow to control the provisioning process.
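The following script is an added example (not part of the Blueprint) showing how the three controls described above, the naming policy, the creation restriction and the expiration policy, are applied with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Groups and Microsoft.Graph.Beta.Identity.DirectoryManagement modules are installed, and the security group name, naming pattern, blocked words, contact address and 180-day lifetime are placeholder values to be replaced with the organisation's own.

```powershell
# Added example, not Blueprint code. Placeholder values are marked as such.
Connect-MgGraph -Scopes "Directory.ReadWrite.All"

# The Group.Unified template id is the same in every tenant; everything else is a placeholder.
$templateId       = "62375ab9-6b52-47ed-826b-58e47e0e304b"
$creatorsGroup    = "SG-M365-Group-Creators"        # placeholder security group allowed to create groups
$prefixSuffixRule = "[Department]-[GroupName]-ORG"  # placeholder prefix/suffix pattern
$blockedWords     = "Payroll,CEO,HR,Security"       # placeholder custom blocked word list
$fallbackContact  = "m365-groups@example.gov.au"    # placeholder contact for ownerless groups

# Resolve the security group whose members (plus administrators) may still create groups.
$creatorsGroupId = (Get-MgGroup -Filter "displayName eq '$creatorsGroup'").Id
if (-not $creatorsGroupId) { throw "Creators group '$creatorsGroup' not found" }

# Naming policy and creation restriction are stored in the one tenant-wide Group.Unified setting.
$params = @{
    templateId = $templateId
    values     = @(
        @{ name = "PrefixSuffixNamingRequirement"; value = $prefixSuffixRule }
        @{ name = "CustomBlockedWordsList";        value = $blockedWords }
        @{ name = "EnableGroupCreation";           value = "false" }
        @{ name = "GroupCreationAllowedGroupId";   value = $creatorsGroupId }
    )
}

# Create the setting object if the tenant has never had one, otherwise update it in place.
$existing = Get-MgBetaDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
if ($existing) {
    Update-MgBetaDirectorySetting -DirectorySettingId $existing.Id -BodyParameter $params
} else {
    New-MgBetaDirectorySetting -BodyParameter $params
}

# Expiration policy applied globally: owners are prompted to renew before the lifetime ends;
# groups with no owner notify the alternate address instead. 180 days is a placeholder.
New-MgGroupLifecyclePolicy -GroupLifetimeInDays 180 `
    -ManagedGroupTypes "All" `
    -AlternateNotificationEmails $fallbackContact

# Read the effective values back so the applied configuration can be checked and recorded.
(Get-MgBetaDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }).Values |
    Select-Object Name, Value
```

Run the read-back step again after any change by another administrator, since the Group.Unified values are tenant-wide and a later update replaces the whole setting object.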

Security & Governance

  • None identified

Design

References

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au


Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra