Create and Manage Groups in Microsoft 365
Cloud and systems engineer with a strong foundation in networking, automation, and infrastructure design. I write about real-world challenges, best practices, and evolving trends in cloud computing, system administration, and network architecture.
๐น Why Groups Matter
Groups in Microsoft 365 allow admins to organize users for permissions, collaboration, communication, and licensing. Instead of assigning settings individually to each user, groups let you do it once for many people at once.
Example: Instead of granting each Marketing employee access to the Marketing SharePoint site โ you create a Marketing Security Group and give that group permission.
๐น Best Practices for Managing Groups
Naming conventions โ Keep names simple, clear, and consistent (e.g., Dept_HR_Team instead of random names).
Policies and procedures โ Define rules for who creates groups, how often theyโre reviewed, and when they should be deleted.
Use groups inside groups โ Add security groups to SharePoint roles instead of adding individual users.
Account provisioning โ Make sure thereโs a consistent process for creating/deactivating accounts.
Two owners per group โ Prevents โorphanedโ groups if one owner leaves.
๐น Creating a Group in the Microsoft 365 Admin Center
The wizard process:
Go to Microsoft 365 admin center โ Groups โ Active groups โ Add a group.
Choose group type (Microsoft 365 group, distribution group, security group, etc.).
Set up basics โ Enter name + description. (You must click in description to enable Next.)
Assign owners โ Pick at least one person responsible for managing the group.
Edit settings:
Assign email address (if mail-enabled).
Choose Public or Private visibility. (Public = anyone can join, Private = owner approval needed).
Choose whether to create a Microsoft Team linked to the group.
Review and Finish โ Confirm everything โ Create group.
โ ๏ธ Note: If groups are synced from on-premises Active Directory, you cannot edit them in the cloud admin centerโyou must use local AD tools.
๐น PowerShell for Group Management
Sometimes admins use PowerShell instead of the GUI.
- Create group:
New-MgGroup -DisplayName 'Test Group' -MailEnabled:$False -MailNickName 'testgroup' -SecurityEnabled
- View groups:
Get-MgGroup
- Delete group:
Remove-MgGroup -GroupId <ID>
๐น Determining Group Types
In Microsoft 365 admin center, the Type column shows whether itโs:
Microsoft 365 Group
Distribution Group
Security Group
Mail-enabled Security Group
In PowerShell, use Get-MgGroup to retrieve the same info.
๐น Group Nesting (Adding Groups Inside Groups)
You can add one group as a member of another group. This is called nesting.
But Microsoft 365 limits nesting. See allowed combinations:
| Group type | Can be member of M365 groups? | Distribution groups? | Security groups? | Mail-enabled Security groups? |
| Microsoft 365 groups | โ No | โ No | โ No | โ No |
| Distribution groups | โ No | โ Yes | โ Yes | โ Yes |
| Security groups | โ No | โ No | โ Yes | โ No |
| Mail-enabled Security grp | โ No | โ Yes | โ Yes | โ Yes |
โ ๏ธ Caution: Nested groups can sometimes cause permissions issues โ plan carefully before using.
๐น Deleting and Restoring Groups
Delete group (Admin Center):
Go to Groups โ Active groups.
Select the group โ More actions (โฆ) โ Delete group.
Confirm deletion.
Restore Microsoft 365 Groups (only this type!)
Deleted groups go into a 30-day soft-delete period.
You can restore them within 30 days (restores mailbox, SharePoint site, OneNote, Teams, etc.).
After 30 days โ permanent deletion.
โ ๏ธ Other group types (like Security or Distribution groups) cannot be restored once deleted.
๐น Group-Based Licensing in Microsoft Entra ID
Instead of assigning licenses to each user individually, admins can assign them to groups, and all members inherit the licenses.
โจ Benefits
Automatic assignment โ When a user joins/leaves group, licenses update automatically.
Less admin work โ No manual PowerShell automation needed.
Supports all Microsoft cloud services (M365, Dynamics 365, EMS).
Conflict handling โ If a license is assigned from multiple groups, it counts only once.
โ ๏ธ Requirements
Must have Microsoft Entra Premium P1 or higher, OR certain Microsoft 365 enterprise/business licenses.
Need enough licenses for all unique group members.
Example:
If group has 1,000 members โ you must own at least 1,000 licenses.
Features
Assign licenses to security groups (synced or cloud-only).
Disable certain services in a license (e.g., assign M365 E3 but turn off Yammer).
Automatic license updates when group membership changes.
Admins can review errors if a license couldnโt be assigned (e.g., not enough licenses available).
โ Quick Recap (Exam Points):
Groups are managed via Microsoft 365 Admin Center, Microsoft Entra ID, or PowerShell.
Best practice โ add users to security groups, then grant permissions to groups, not individuals.
Nesting rules limit which groups can be inside others.
Only Microsoft 365 Groups can be restored (within 30 days).
Group-based licensing only available in Microsoft Entra Admin Center.
