Groups are directory objects used to perform operations, grant rights or permissions, or communicate with one or more users collectively. In Azure Active Directory, there are several kinds of groups:
- Security groups – This type of group is typically used for granting permissions to resources, either on-premises or in Azure AD.
- Distribution lists or distribution groups – These groups are usually used for sending emails to multiple recipients, though they can also sometimes be used to restrict the scope of rules or for filtering purposes in Azure AD, SharePoint Online, and Exchange Online.
- Microsoft 365 groups– Formerly called modern groups (and sometimes still referred to as unified groups), this is an all-purpose group type that can be used as a security group for assigning permissions to resources or a distribution group for handling email. Microsoft 365 groups are special objects that are connected to SharePoint Online sites and form the basis for teams in Microsoft Teams. In addition, each Microsoft 365 group is connected to an Exchange group mailbox, allowing it to store persistent messages (such as email or, in the case of Microsoft Teams, channel conversations). Microsoft 365 groups are only available in Azure AD. There is no on-premises equivalent.
Each of these groups has certain capabilities and benefits. One or more types of groups may be appropriate for a specific task. In Azure Active Directory, security groups can be mail-enabled (or not), while distribution groups and Microsoft 365 groups are always mail-enabled.
In Azure Active Directory, any of the cloud-based groups can be configured to have their membership assigned or dynamic. With assigned membership, an administrator is responsible for periodicallyupdating group members. Dynamic groups are built by creating an object query that is periodically used to add or remove members. For example, you may choose to create a dynamic group called Sales that automatically includes users whose job title or department value is set to Sales. Groups in Azure AD can contain users, contacts, devices, and other groups. Groups can be converted between assigned and dynamic membership.
When working with groups, there are several important things to remember:
- An Azure AD tenant can have groups that are synchronized from on-premises environments as well as cloud-only groups.
- Both security and distribution groups can be synchronized from on-premises environments. The exception to this is on-premises dynamic distribution groups. Because they can be based on queries that aren’t possible in Azure AD, they are not synchronized. You will have to either recreate the dynamic groups in Azure AD using supported query parameters or modify the on-premises group to be based on assigned membership.
- Microsoft 365 groups, due to their unique construction, cannot be a member of a group nor can they have other groups of any type nested in them.
- Microsoft 365 groups are the only type of object with a cloud source of authority that can be written back on-premises.
You’ll next look at configuring and administering groups in Azure AD.
