
Azure AD Group Types Explained – Security / Microsoft 365 Groups

Microsoft’s current Azure and Microsoft 365 platforms are the result of years of development aimed at giving customers a seamless experience. Groups are the feature Microsoft created so that users can manage access to resources collectively rather than one person at a time. Over time this has produced several group object types, notably Microsoft 365 Groups and Azure Active Directory security groups.

Let’s start this blog article about Azure AD Group Types Explained – Security / Microsoft 365 Groups.

Often, the distinction between the two is not clear, and users are not always sure which group type to choose for a particular task. This article explains the differences and gives you the information you need to decide which of the two to use.

What are Microsoft 365 Groups?

Microsoft 365 is built to make it easier for people to work together, and Microsoft 365 Groups are built with the same goal. They provide a seamless collaboration experience: a user picks the set of people they want to collaborate with, and the group provisions a shared pool of resources for them (a shared mailbox and calendar, a SharePoint site, a Planner plan, and so on).

When you use a Microsoft 365 Group, you grant uniform access to that set of resources to a defined set of users. Outlook, Skype for Business, Planner, SharePoint, OneNote, Power BI and Dynamics CRM can all work from this single set of permissions. A Microsoft 365 Group can also include guests, that is, users invited from outside your organization.

What are Azure AD Security Groups?

Azure AD security groups work much like on-premises Active Directory security groups. You either synchronize them from Windows Server AD with Azure AD Connect or create them natively in Azure AD. Membership is either assigned statically or defined by dynamic membership rules. Security groups are also the group type you use to manage access to objects in Azure AD itself, for example to grant access to applications or to assign Azure AD roles to a group.

Whatever is granted to the group is granted to every member: each member gets access to the SharePoint resource the group was given, or receives the license assigned to the group. You don’t have to grant permissions to each member individually; instead, you apply the permission or policy to the group as a whole and every member inherits it.

An important point to note here is that a security group can contain users, devices, other groups and even service principals as members, whereas a Microsoft 365 Group only contains users.

Membership Categories

Before going further, let’s look at the membership types allowed for these groups. There are three: assigned, dynamic user and dynamic device.

  • Assigned: you add specific members to the group by hand, and membership changes only when an owner or administrator adds or removes someone. Permissions granted to the group apply to whoever is in it at the time.
  • Dynamic user: users are added and removed automatically by a membership rule. Azure AD evaluates the rule whenever a user’s directory attributes change: a user who now matches the rule is added, and one who no longer matches is removed.
  • Dynamic device: devices are added and removed automatically by a membership rule over device properties, evaluated in the same way whenever a device’s properties change. Dynamic device membership is available for security groups only, because a Microsoft 365 Group cannot contain devices.
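To make the dynamic membership types concrete, here is an added example (not code from the original article) that creates a dynamic user security group and a dynamic device security group with the Microsoft Graph PowerShell SDK. The group names, the attribute values in the rules and the test user ID are assumptions for illustration; dynamic groups also require an Azure AD Premium P1 license in the tenant.

```powershell
# Added example: dynamic security groups via Microsoft Graph PowerShell.
# Group names, rule values and the test user ID below are illustrative assumptions.
# Prerequisites: Install-Module Microsoft.Graph; Azure AD Premium P1 for dynamic groups.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Directory.Read.All"

# --- Dynamic user membership -------------------------------------------------
# Azure AD re-evaluates the rule whenever a user's attributes change and adds or
# removes the user. Disabled accounts are excluded explicitly so that a leaver
# does not keep everything the group grants until the account is finally deleted.
$userRule = '(user.department -eq "Finance") and (user.accountEnabled -eq true)'

$financeUsers = New-MgGroup `
    -DisplayName "SG-Finance-Users-Dynamic" `
    -MailNickname "sg-finance-users-dynamic" `
    -MailEnabled:$false `
    -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $userRule `
    -MembershipRuleProcessingState "On"

# --- Dynamic device membership -----------------------------------------------
# Only security groups support device members. This rule selects company-owned,
# Azure AD-joined Windows devices (deviceTrustType values: AzureAD, ServerAD, Workplace).
$deviceRule = '(device.deviceOSType -eq "Windows") and ' +
              '(device.deviceTrustType -eq "AzureAD") and ' +
              '(device.deviceOwnership -eq "Company")'

$corpWindows = New-MgGroup `
    -DisplayName "SG-Corp-Windows-Devices-Dynamic" `
    -MailNickname "sg-corp-windows-devices-dynamic" `
    -MailEnabled:$false `
    -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $deviceRule `
    -MembershipRuleProcessingState "On"

# --- Checking a rule against one principal -----------------------------------
# The beta evaluateDynamicMembership action reports whether a given object
# matches a candidate rule without creating a group. Beta APIs can change;
# $testUserId is an assumed object ID.
$testUserId = "00000000-0000-0000-0000-000000000000"
$result = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/groups/evaluateDynamicMembership" `
    -Body @{ memberId = $testUserId; membershipRule = $userRule }
"User $testUserId matches rule: $($result.membershipRuleEvaluationResult)"

# --- Inspecting the result ---------------------------------------------------
# Membership is populated asynchronously, so this may be empty for a few minutes.
Get-MgGroupMember -GroupId $financeUsers.Id -All |
    ForEach-Object { $_.AdditionalProperties["userPrincipalName"] }
Get-MgGroupMember -GroupId $corpWindows.Id -All |
    ForEach-Object { $_.AdditionalProperties["displayName"] }
```

Membership is evaluated asynchronously, so the member lists may stay empty for a few minutes after creation. Excluding disabled accounts in the user rule is deliberate: a rule on department alone would keep a leaver in the group, and in everything the group grants, until the account is deleted.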

How Access Rights are assigned

Once a group exists, the next step is deciding how access rights are assigned. There are four ways: direct assignment, group assignment, assignment by an external authority and rule-based assignment.

Direct assignment: the resource owner assigns access to an individual user directly.

Group assignment: the resource owner assigns an Azure AD group to the resource, which automatically grants access to all members of the group. Both the group owner and the resource owner can add or remove members.

Assignment by an external authority: the group’s membership comes from an on-premises directory or a SaaS application. The resource owner assigns the group to the resource, and the external source controls who is in the group.

Rule-based assignment: the resource owner creates a group whose membership is defined by a rule over user attributes. The resource owner decides which attributes and values a user must have to be granted access to the resource.
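The difference between direct and group assignment is easiest to see on an enterprise application. The following is an added example (not code from the original article) using the Microsoft Graph PowerShell SDK; the application name, the app role value, the user and the group are assumptions.

```powershell
# Added example: direct vs group assignment of an app role, Microsoft Graph PowerShell.
# The application, role value, user and group names are illustrative assumptions.
Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All", "Application.Read.All", "Group.Read.All", "User.Read.All"

# The resource is the enterprise app's service principal; its app roles are the
# permissions the resource owner hands out.
$app  = Get-MgServicePrincipal -Filter "displayName eq 'Contoso Expenses'" | Select-Object -First 1
$role = $app.AppRoles | Where-Object { $_.Value -eq "Expenses.Approver" -and $_.IsEnabled }
if (-not $app -or -not $role) { throw "Service principal or app role 'Expenses.Approver' not found" }

# Direct assignment: one user, one assignment. Every joiner or leaver means
# another change the resource owner has to make.
$user = Get-MgUser -UserId "alice@contoso.com"
New-MgUserAppRoleAssignment -UserId $user.Id `
    -PrincipalId $user.Id -ResourceId $app.Id -AppRoleId $role.Id

# Group assignment: assign once; from now on the group owner controls who holds
# the role by adding or removing members.
$group = Get-MgGroup -Filter "displayName eq 'SG-Expense-Approvers'" | Select-Object -First 1
New-MgGroupAppRoleAssignment -GroupId $group.Id `
    -PrincipalId $group.Id -ResourceId $app.Id -AppRoleId $role.Id

# Caveat: assignments only gate sign-in when the app requires assignment. With
# the switch off, any user in the tenant can sign in; the assignment merely adds
# a role claim for the users who have one.
if (-not $app.AppRoleAssignmentRequired) {
    Write-Warning "$($app.DisplayName) does not require user assignment; access is not restricted to assigned principals."
    # To enforce it (check existing users first, this can lock people out):
    # Update-MgServicePrincipal -ServicePrincipalId $app.Id -AppRoleAssignmentRequired:$true
}

# Review: who holds this role, and via which principal type (User or Group)?
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $app.Id -All |
    Where-Object { $_.AppRoleId -eq $role.Id } |
    Select-Object PrincipalDisplayName, PrincipalType, CreatedDateTime |
    Format-Table -AutoSize
```

The final listing is the check a resource owner actually wants: it shows every principal holding the role and whether it was granted directly or through a group, which is where membership reviews need to focus.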

Differences in their Management

Who manages these groups?

Azure AD Security Groups

Several administrative roles can manage Azure AD security groups: Groups Administrator, User Administrator, Privileged Role Administrator and Global Administrator. (Groups that can be assigned Azure AD roles are the exception: only Privileged Role Administrators and Global Administrators, plus the group’s own owners, can manage them.) Note that security groups synchronized from on-premises Windows Server AD cannot be edited in Azure AD; you manage them only with on-premises tools such as Active Directory Users and Computers, and Azure AD Connect synchronizes the changes to Azure AD.

How about Microsoft 365 Groups?

In Microsoft 365 groups, group owners have the ability to control group membership in any of the applications that are supported by the group. For example, a group owner can add a member to a group from within the Teams app, Outlook, Outlook Online, or the SharePoint site itself.

Any modifications to the group that are performed in one app will automatically be synced in the remaining apps that the group supports.

Note that the management experience differs from one application to the next, so an owner may need a particular app to complete a particular task. For example, to change a group’s privacy setting you use Outlook or Outlook on the web, because SharePoint does not expose that setting.

Users with the appropriate administrative roles can also create Microsoft 365 Groups through the Azure Portal and PowerShell, and they can manage group settings and membership through the same interfaces.


Azure AD Security groups

Azure AD also exposes well-documented APIs (Microsoft Graph), so there are many ways to manage these groups. For a graphical interface, the Azure Portal is the usual choice: users with the appropriate permissions create, view, edit and delete Azure AD security groups there.

Azure AD security groups can also be managed from PowerShell. The older AzureAD module needs a Windows PowerShell 5.x host because it does not run on .NET Core; Microsoft has since deprecated that module in favour of the Microsoft Graph PowerShell SDK, which runs on PowerShell 7 as well.

Microsoft 365 groups

Microsoft 365 Groups are created from many different applications, including Outlook, Outlook on the Web, Outlook Mobile, SharePoint, Planner, Teams, and many more. Which tool you use to create these groups largely depends on what you intend to use the group for. 

For example, Outlook is the natural choice if you need an email- and calendar-based group for an office. Yammer groups are the best option if you need to get the word out to everyone in the workplace, and Microsoft Teams is the one to use for a chat-based project group.

In terms of visibility, a Microsoft 365 Group is either public or private, and the group owner decides which. Anyone in your organization can view the contents of a public group and join it without approval. In a private group, only members can view the content, and new members must be approved by a group owner.

Note that, apart from guests who have been invited explicitly, neither public nor private groups are accessible to people outside your organization.
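Here is an added example (not code from the original article) that creates a private Microsoft 365 Group from PowerShell, assigns an owner, and then lists the public Microsoft 365 Groups in the tenant, which is the check to run because public groups are readable and joinable by everyone in the organization. The group name, nickname and owner UPN are assumptions.

```powershell
# Added example: create a private Microsoft 365 Group, set an owner, audit public groups.
# Group name, mail nickname and owner UPN are illustrative assumptions.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

$owner = Get-MgUser -UserId "alice@contoso.com"

# "Unified" is the group type of a Microsoft 365 Group: mail-enabled and not
# security-enabled, the mirror image of a security group. "Private" means only
# members see content and an owner must approve join requests.
$project = New-MgGroup `
    -DisplayName "Project Falcon" `
    -MailNickname "projectfalcon" `
    -Description "Collaboration space for the Falcon project" `
    -MailEnabled `
    -SecurityEnabled:$false `
    -GroupTypes @("Unified") `
    -Visibility "Private"

# Owners and members are added by reference to the user object. Only users are
# accepted; a device or group reference is rejected for a Microsoft 365 Group.
$ownerRef = @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($owner.Id)" }
New-MgGroupOwnerByRef  -GroupId $project.Id -BodyParameter $ownerRef
New-MgGroupMemberByRef -GroupId $project.Id -BodyParameter $ownerRef

# The privacy setting is editable from PowerShell regardless of which app
# created the group, so a group that was created public can be locked down here.
Update-MgGroup -GroupId $project.Id -Visibility "Private"

# Audit: every public Microsoft 365 Group is readable and joinable by anyone in
# the tenant, so list them and make sure nothing sensitive lives there.
Get-MgGroup -Filter "groupTypes/any(c:c eq 'Unified')" -All `
    -Property "id,displayName,visibility" |
    Where-Object { $_.Visibility -eq "Public" } |
    Select-Object DisplayName, Visibility, Id |
    Format-Table -AutoSize
```

The visibility filter is applied client-side after fetching all Unified groups, which is fine for an occasional audit; for large tenants, schedule it rather than running it interactively.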

Differences in their usage

Azure AD Security Groups

Azure AD security groups are used less often inside Microsoft 365 itself. Where they are, the main use is group-based licensing: licenses are assigned to a security group rather than to individual users, which is a convenient way to automate Microsoft 365 licensing during onboarding. The other use is with SharePoint permissions.

Azure AD security groups can be added to SharePoint groups (or granted permissions directly) to control access to SharePoint resources. This is considered risky because the SharePoint site administrators and owners cannot see who is a member of the Azure AD security group, particularly when it contains nested groups, so they do not actually know who can access the site.
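The two uses above, group-based licensing and granting a security group access to SharePoint, share the same practical question: who is effectively in the group? The following added example (not code from the original article) assigns a license to a security group with the Microsoft Graph PowerShell SDK and then expands its transitive membership so that nested groups, devices and service principals are visible before the group is trusted with a SharePoint site. The group name and the SKU part number are assumptions, and group-based licensing requires Azure AD Premium P1.

```powershell
# Added example: group-based licensing on a security group, then an audit of its
# effective membership before it is given SharePoint access.
# Group name and SKU part number are illustrative assumptions.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Directory.Read.All", "Organization.Read.All", "User.Read.All"

$group = Get-MgGroup -Filter "displayName eq 'SG-M365-E3-Licensed'" | Select-Object -First 1

# Group-based licensing: the SKU is attached to the group and Azure AD applies it
# to every user member. A user removed from the group loses the license.
$sku = Get-MgSubscribedSku | Where-Object { $_.SkuPartNumber -eq "SPE_E3" }
Set-MgGroupLicense -GroupId $group.Id `
    -AddLicenses @(@{ SkuId = $sku.SkuId }) `
    -RemoveLicenses @()

# Who actually inherits what this group is granted? Direct members show only the
# first level; a nested group hides everything beneath it. Transitive membership
# expands the nesting, which is exactly what a SharePoint site owner cannot see.
$direct     = @(Get-MgGroupMember -GroupId $group.Id -All)
$transitive = @(Get-MgGroupTransitiveMember -GroupId $group.Id -All)
"Direct members: $($direct.Count); effective members: $($transitive.Count)"

$transitive | ForEach-Object {
    [pscustomobject]@{
        Type = ($_.AdditionalProperties["@odata.type"] -replace "^#microsoft\.graph\.", "")
        Name = $_.AdditionalProperties["displayName"]
        Upn  = $_.AdditionalProperties["userPrincipalName"]
    }
} | Sort-Object Type, Name | Format-Table -AutoSize

# Flag anything that is not a user: devices and service principals cannot consume
# a license, and they should not silently inherit SharePoint permissions either.
$nonUsers = @($transitive | Where-Object { $_.AdditionalProperties["@odata.type"] -ne "#microsoft.graph.user" })
if ($nonUsers.Count -gt 0) {
    Write-Warning "$($nonUsers.Count) non-user principal(s) are effective members of $($group.DisplayName)"
}

# Group-based licensing can fail per user (for example, no seats left or a
# conflicting service plan); the error is recorded on the user, not on the group.
$transitive |
    Where-Object { $_.AdditionalProperties["@odata.type"] -eq "#microsoft.graph.user" } |
    ForEach-Object {
        $u = Get-MgUser -UserId $_.Id -Property "userPrincipalName,licenseAssignmentStates"
        $u.LicenseAssignmentStates |
            Where-Object { $_.AssignedByGroup -eq $group.Id -and $_.State -ne "Active" } |
            ForEach-Object { "$($u.UserPrincipalName): $($_.State) ($($_.Error))" }
    }
```

Run the membership expansion again whenever the group is granted something new; the gap between the direct and effective member counts is the quickest indicator that nesting has crept in and that a site owner looking at the SharePoint permissions page no longer knows who can reach the site.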

Microsoft 365 Groups

Microsoft is clearly positioning Microsoft 365 Groups as the future of resource permissioning in its applications. Their distinctive advantage is that they let users work across the whole Microsoft 365 suite with minimal administration.

They also give group owners a clear view of what their group is doing. In a nutshell, a Microsoft 365 Group secures and manages SharePoint files, real-time collaboration in Teams and email discussions in Exchange.

Azure AD Group Types - Security / Microsoft 365 Groups Conclusion

Microsoft 365 Groups and Azure AD security groups have both been essential tools for Microsoft customers for a long time. They differ in features, in how they are managed and in where they can be used, so it is always advisable to understand those differences before choosing one.

While Microsoft clearly wants users to move to Microsoft 365 Groups for resource management in its applications, knowledge of Azure AD security groups still comes in handy where their use is necessary, for example for devices, nested groups, service principals or group-based licensing.


Josiah Mutuma

Josiah is a tech security expert and has been a writer for over 5 years. Follow this blog to learn more on Microsoft and Cyber security.
