An overview of different types of security groups in SharePoint and Office 365
Just a few years back, managing SharePoint Security was a pretty straightforward affair. Before you jump at me and start telling me how complicated security management in SharePoint is and how your boss hates SharePoint for this, please note that I said “straightforward,” not easy. In the past, we only had to worry about SharePoint groups. With the evolution of Office 365, things changed, and now we have all sorts of groups available. So with this post, I would like to clarify the available options as well as the difference between the various security groups in SharePoint and Office 365.
SharePoint Groups
These are the good-old groups that we had forever in SharePoint. You would create a site and apply SharePoint Security Groups with corresponding permissions to it. Nice and easy. By the way, here is a post that explains step by step how to apply security to a site, in case you are wondering.
Example of SharePoint Security Groups (modern sites/pages)
Example of SharePoint Security Groups (classic sites/pages)
How to create
- SharePoint Groups are created for you automatically when the site is created
- You can also create them manually in the Site Collection, but this is needed only on very rare occasions
Ability to nest
- You cannot nest (embed) a SharePoint security group inside another SharePoint security group
- You cannot nest (embed) a SharePoint security group inside any other security group in Office 365
Best Practice
- It is considered a best practice always to have individuals be a part of a SharePoint Security group and not individually assigned to a site
Security Groups
SharePoint Groups are great for maintaining security at a site level, but for larger organizations, maintaining security by adding individual users can become a huge pain in the butt. This is where Security Groups (also known as Active Directory Security Groups) come in. You can use these groups to centralize various verticals/groups of users per your org chart and then use those groups when you maintain security on a SharePoint site.
How to create
- Navigate to Office 365 Admin Center by clicking App Launcher, then Admin
- Once in Office 365 Admin Center, expand Groups, then click on Groups, Add a group, choose Security from the drop-down, then give it a name, then click Add
Ability to nest
- You can nest (embed) an Active Directory Security Group inside a SharePoint Group. This significantly improves and simplifies your security management, since you can maintain the role-based Security Groups in one central location as people join and leave the organization
- You can nest (embed) an Active Directory Security Group inside another Active Directory Security Group. This is HUGE because you can build role-based hierarchies for your departments. For example, you can create a Security Group for Payroll and nest it inside of the Finance Security Group (+ add other groups that are part of Finance). This allows you to centralize security management globally based on your org chart
- You cannot nest (embed) an Active Directory Security Group inside a Distribution list, Mail-enabled security group or an Office 365 Group
Best Practice
- For those organizations that already maintain an on-premises Active Directory, you can synchronize those AD Groups to Office 365 (Azure AD). This way, you do not need to create new groups and can take advantage of AD Groups you already have.
Distribution List
This is not a security group, but I cover it here because it is one of the choices available when you create a group from the Office 365 Admin Center.
It is essentially a mailing list for a group of users that you can use from within Outlook. Also, external users can email the distribution list if you allow for that during list creation.
How to create
- Use the same instructions as above, just choose Distribution List for the group type
Ability to nest
- You cannot nest (embed) a Distribution List inside a SharePoint group
- You can nest (embed) a Distribution List inside another Distribution List
- You can nest (embed) a Distribution List inside an Office 365 Security Group or Mail-enabled security group
- You cannot nest (embed) a Distribution List inside of an Office 365 Group
Best Practice
- Use this Group type (list to be precise) anytime users request a mailing list for multiple individuals but do not require this to be a group that will define access to a SharePoint site
Mail-enabled security groups
This type of group is what happens when a Distribution list falls in love with an Active Directory Security Group. Essentially, it is the above two types of groups married together. With this type of group, you get a little bit of both worlds: a distribution list for email communication and a security group for site security.
How to create
- Use the same instructions as above, just choose Mail-enabled security for the group type
Ability to nest
- You can nest (embed) a Mail-enabled security group inside a SharePoint group
- You can nest (embed) a Mail-enabled security group inside another Mail-enabled security group
- You can nest (embed) a Mail-enabled security group inside an Active Directory Security group or a Distribution list
- You cannot nest (embed) a Mail-enabled security group inside of an Office 365 Group
Best Practice
- Use this Group type anytime users request a mailing list for multiple individuals + need to use the same group to define access to a SharePoint site
Office 365 Groups
Office 365 Groups are a new breed of security groups. An Office 365 Group is not just a security group, but a security group with “benefits.” You can read more about an Office 365 Group here. With SharePoint Security Groups described above, you first create a site and then SharePoint groups. With Office 365 Groups, it is the other way around. When you create an Office 365 Group, it creates a security group tied to various Office 365 apps, like Planner, SharePoint Site, Teams, Outlook. It is a brilliant idea if you think about it. Everything we do in SharePoint, and Office 365 for that matter, is tied to security and membership. So an Office 365 Group is essentially a membership group that allows a team to collaborate using various apps tied to it. Once again, you can read more about Office 365 Groups here.
How to create
I am glad you asked, because there are a zillion ways to create an Office 365 Group. Instead of me listing them all here, please reference this post (make sure you grab some coffee first to read it all).
Ability to nest
- You can nest (embed) an Office 365 Group inside a SharePoint group
- You cannot nest (embed) an Office 365 Group inside of another Office 365 Group
- You cannot nest (embed) an Office 365 Group inside an Office 365 Security Group, Mail-enabled security group or a Distribution List
Best Practice
- Since Office 365 Group is a relatively new entity in Office 365, there is an ongoing debate on whether to create an Office 365 Group-connected SharePoint site or a “regular” subsite/site collection. I answer this question in this post.
- Create this type of group when your folks need everything in a single package (site, security group, distribution list, etc.)
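The nesting rules listed in the sections above decide who actually ends up with access to a site, so it helps to check them in one place during an access review. The following is an added example, not code from this post or from Microsoft: an in-memory model that encodes the nesting rules exactly as stated here, rejects combinations the post rules out, and expands nested groups into effective members. The class, function, and account names are hypothetical, and the sample data is constructed.

```python
# Added example: nesting rules as stated in this article, child kind -> allowed parent kinds.
ALLOWED_PARENTS = {
    "sharepoint":    set(),
    "security":      {"sharepoint", "security"},
    "distribution":  {"distribution", "security", "mail_security"},
    "mail_security": {"sharepoint", "mail_security", "security", "distribution"},
    "o365":          {"sharepoint"},
}

class Directory:
    """In-memory model for an access review; it does not query a tenant."""

    def __init__(self):
        self.kind = {}      # group name -> kind
        self.users = {}     # group name -> set of direct user members
        self.children = {}  # group name -> set of nested group names

    def add_group(self, name, kind, users=()):
        if kind not in ALLOWED_PARENTS:
            raise ValueError(f"unknown group kind: {kind}")
        self.kind[name] = kind
        self.users[name] = set(users)
        self.children[name] = set()

    def nest(self, child, parent):
        """Nest child inside parent, refusing combinations the article rules out."""
        if self.kind[parent] not in ALLOWED_PARENTS[self.kind[child]]:
            raise ValueError(f"{self.kind[child]} cannot be nested in {self.kind[parent]}")
        self.children[parent].add(child)

    def effective_members(self, group):
        """Direct users plus users of every nested group, tolerating cycles."""
        seen, stack, members = set(), [group], set()
        while stack:
            g = stack.pop()
            if g in seen:
                continue
            seen.add(g)
            members |= self.users[g]
            stack.extend(self.children[g])
        return members

def build_sample():
    # Constructed sample: the Payroll-inside-Finance hierarchy from the article.
    d = Directory()
    d.add_group("Payroll", "security", {"ana@example.com"})
    d.add_group("Finance", "security", {"raj@example.com"})
    d.add_group("Finance Site Members", "sharepoint", {"guest@example.com"})
    d.nest("Payroll", "Finance")
    d.nest("Finance", "Finance Site Members")
    return d
```

Calling `build_sample().effective_members("Finance Site Members")` returns all three accounts, which shows how adding someone to Payroll silently grants them access to every site where Finance is used.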
Domain Groups
There is another group I wanted to mention here as well: Everyone except external users. This is not a group you will or can create, but rather a group that already exists in your environment by default. You can read about it here. I thought I would mention it here since it is a great way to add Everyone in your organization to a SharePoint site without specifically creating any of the above groups for the whole population.
So here we go. Hopefully, this post clarifies how security groups in SharePoint and Office 365 work. I do not know about you, but I am ready for a drink! :-)