#Manage Groups

When you click a tenant name on the User management page, you switch to the tenant level. On the User management > Groups page of a specific tenant, you can find groups in different types and perform operations to manage groups.

• Microsoft 365 Groups

• Distribution groups

• Security groups

• Mail-enabled security groups

• Application groups

• Deleted groups

For a hybrid tenant, there is a dedicated Source column in each group list that explicitly identifies the origin of each group within that list.

• Cloud – Indicates that the group is stored and managed exclusively within Microsoft Entra ID (cloud-only), with no on-premises association.

• On-premises – Indicates that the group is hosted and managed in an on-premises Active Directory (AD) environment, without synchronization to the cloud.

• Hybrid – Indicates that the group is synchronized between an on-premises AD and Microsoft Entra ID. This synchronization is typically managed via directory synchronization tools like Azure AD Connect. During Azure AD Connect setup, administrators can choose which organizational units (OU) to synchronize with the cloud. If a newly created group (security group or distribution group) resides in an OU designated for synchronization, the group will be classified and managed as a hybrid group.

#Create a Group

On the User management > Groups page, you can create groups of different types. For more information about group types, refer to Compare types of groups in Microsoft 365.

#Create a Microsoft 365 Group

To create a Microsoft 365 Group, complete the following steps:

1. Under the Microsoft 365 Groups tab, click Create.

2. Complete the basics for this Microsoft 365 Group, including:

   • Display name – Enter the display name of this Microsoft 365 Group.

   • Group email address – Enter the email address for the group.

   • Description – Enter an optional description for the group.

3. Click Continue to proceed.

4. Manage membership, including:

   • Microsoft Entra roles can be assigned to the group – If this is turned on, you can assign roles defined in your Microsoft Entra ID to this group. For more information, refer to Use Microsoft Entra groups to manage role assignments.

   • Membership type – Select from Assigned and Dynamic user.

     For a group with Assigned membership type, you need to manually assign owners and members for this group.

     For a group with Dynamic user membership type, you can configure rules to automatically manage membership for this group.

     To manage the membership, complete the following steps:

     1. In the Owners field, configure the users you want to assign as owners.

     2. Click Customize rules for membership.

     3. To add a rule for the user membership management, select a condition and enter a value for the rule. If you want to add more than one rule, click Add rule to add more rules.

     4. Click Save to save the rules and go back to the Manage membership panel.

5. Click Continue to proceed or click Back to go back to the previous step.

   NOTE

   For both Assigned and Dynamic user, if you plan to add Microsoft Teams to this Microsoft group, all owners must have a license that includes Teams. For more information, refer to Manage Teams licenses.

6. Edit settings for this Microsoft 365 Group, including:

   • Privacy – Select from Public or Private.

     • Content in a public group can be seen by anybody in your organization, and anybody in your organization is able to join the group.

     • Content in a private group can only be seen by the members of the group, and people who want to join a private group have to be approved by a group owner.

   • Allow external senders to email this Group – Select to enable or disable.

   • Send copies of Group conversations and events to Group members – Select to enable or disable.

   • Hide from my organization’s global address list – Select to enable or disable.

   • Add Microsoft Teams to this Group – Select to enable or disable.

7. Click Save.

#Create a Distribution Group

To create a distribution group, navigate to the Distribution groups tab. For a hybrid tenant, click Create and then choose whether to create the distribution group in Microsoft 365 or in the on-premises Active Directory. For cloud tenants, you will only have the option to create a distribution group in Microsoft 365.

#Cloud Distribution Group

Complete the following steps to create a distribution group in Microsoft 365:

1. Create distribution group in – If the current tenant is a hybrid tenant, select Microsoft 365 tenantto create a distribution group in Microsoft 365. Skip this step if the current tenant is a cloud tenant.

2. Complete the basics for this distribution group, including:

   • Display name – Enter the display name of this distribution group.

   • Group email address – Enter the email address for this distribution group.

   • Description – Enter an optional description for the group.

3. Click Continue to proceed to the next step.

4. Manage membership, including:

   • Membership type – Select from Assigned or Dynamic user.

     For a group with Assigned membership type, you need to manually assign owners and members for this group.

     For a group with Dynamic user membership type, you can configure rules to automatically manage membership for this group. To manage the membership, complete the following steps:

     1. In the Owners field, select the users you want to assign as owners.

     2. Click Customize rules for membership. The Customize rules for membership window appears.

     3. Select the recipient type.

     4. To add a rule for the user membership management, select a condition and enter a value for the rule. If you want to add more than one rule, click Add rule to add more rules.

     5. Click Save to save the rules and go back to the Manage membership panel.

5. Click Continue to proceed or click Back to go back to the previous step.

6. Edit settings for the group, including:

   • Allow external senders to email this group – Select to enable or disable.

   • Joining the group – Select from Open, Closed, and Owner approval.

     • Open – Anyone can join this group without owner approval.

     • Closed – Only group owners can add members. All requests to join will be automatically declined.

     • Owner approval – Anyone can request to join this group, and owners must approve the request.

   • Leaving the group – Select from Open and Closed.

     • Open – Anyone can leave this group without group owner approval.

     • Closed – Only group owners can remove members. All requests to leave will be automatically declined.

7. Click Save.

#On-Premises Distribution Group

Complete the following steps to create a distribution group in the on-premises Active Directory:

1. Create distribution group in – Select On-Premises environment to create a distribution group in the on-premises Active Directory.

2. Complete the basics for the distribution group, including:

   • Display name – Enter the display name of this distribution group.

   • Group name (pre-Windows 2000) – Enter the pre-Windows 2000 group name.

   • Domain – Select a domain for the group.

   • Group email address – Enter the email address for the group.

   • Company/Organization – Select the company/organization from the drop-down list.

3. Click Continue to proceed to the next step.

4. Manage membership, including:

   • Managed by – Select the user you want to assign as the manager.

   • Members – Select the users that you want to assign as members.

5. Click Save.

#Create a Security Group

To create a security group, navigate to the Security groups tab. For a hybrid tenant, click Create and then choose whether to create the security group in Microsoft 365 or in the on-premises Active Directory. For cloud tenants, you will only have the option to create a security group in Microsoft 365.

#Cloud Security Group

Complete the following steps to create a security group in Microsoft 365:

1. Create security group in – If the current tenant is a hybrid tenant, select Microsoft 365 tenantto create a security group in Microsoft 365. Skip this step if the current tenant is a cloud tenant.

2. Complete the basics for this security group, including:

   • Display name – Enter the display name of this security group.

   • Description – Enter an optional description.

3. Click Continue to proceed to the next step.

4. Manage membership, including:

   • Microsoft Entra roles can be assigned to the Group – If this is enabled, you can assign roles defined in your Microsoft Entra ID to this group.

   • Membership type – Select from Assigned or Dynamic user.

     For a group with Assigned membership type, you need to manually assign owners and members for this group.

     For a group with Dynamic user membership, you can configure rules to automatically manage membership for this group. To manage the membership, complete the following steps:

     1. In the Owners field, select the users you want to assign as owners.

     2. Click Customize rules for membership. The Customize rules for membership window appears.

     3. To add a rule for the user membership management, select a condition and enter a value for the rule. If you want to add more than one rule, click Add rule to add more rules.

     4. Click Save to save the rules and go back to the Manage membership panel.

5. Click Save.

#On-Premises Security Group

Complete the following steps to create a security group in the on-premises Active Directory:

1. Create security group in – Select On-Premises environment to create a distribution group in the on-premises Active Directory.

2. Complete the basics for the security group, including:

   • Display name – Enter the display name of the group.

   • Group name (pre-Windows 2000) – Enter the pre-Windows 2000 group name.

   • Domain – Select a domain for the group.

   • Group email address – Enter the email address for the group.

   • Company/Organization – Select the company/organization from the drop-down list.

3. Click Continue to proceed to the next step.

4. Manage membership, including:

   • Managed by – Select the user you want to assign as the manager.

   • Members – Select the users that you want to assign as members.

5. Click Save.

#Create a Mail-enabled Security Group

To create a mail-enabled security group, complete the following steps:

1. Under the Mail-enabled security groups tab, click Create.

2. Complete the basics for this mail-enabled security group, including:

   • Display name – Enter the name of this mail-enabled security group.

   • Group email address – Enter the group email address.

   • Description – Enter an optional description.

3. Click Continue to proceed to the next step.

4. Manage membership. The membership type can only be Assigned for a mail-enabled security group. Assign the owners and members manually.

5. Click Continue to proceed or click Back to go back to the previous step.

   NOTE

   You must have at least one owner. We recommend adding two to have coverage in the event one owner changes roles.

6. Edit settings for the group, including:

   • Allow external senders to email this Group – Select to enable or disable this setting.

   • Require owner approval to join the group – Select to enable or disable this setting.

7. Click Save.

#Create an Application Group

To create an application group, navigate to the Application groups tab. For a hybrid tenant, click Create and then choose whether to create the application group in Microsoft 365 or in the on-premises Active Directory. For cloud tenants, you will only have the option to create an application group in Microsoft 365. An application group is a (security group) indeed.

#Cloud Application Group

Complete the following steps to create an application group in Microsoft 365:

1. Create application group in – If the current tenant is a hybrid tenant, select Microsoft 365 tenantto create an application group in Microsoft 365. Skip this step if the current tenant is a cloud tenant.

2. Complete the information for this application group, including:

   • Display name – Enter the name of this application group.

   • Mail nickname – Enter the mail nickname.

3. Click Create.

#On-Premises Application Group

Complete the following steps to create an application group in the on-premises Active Directory:

1. Create application group in – Select On-Premises environment to create an application group in the on-premises Active Directory.

2. Complete the information for this application group, including:

   • Display name – Enter the name of this application group.

   • Domain – Select a domain.

   • Company/Organization – Select the company/organization from the drop-down list.

3. Click Create.

#View and Edit a Group

To view the details of a group, on the User management > Groups page, locate the target group within the corresponding tab and click the group name to open the Group details page. Information and manageable settings are displayed in tabs:

• Basics – Basic information of the group.

• Members – Lists all members of this group. You can add, remove, or update memberships.

• Settings – Displays the settings of the group.

  NOTE

  This tab is not available for security groups, and the settings displayed in this tab are dynamics based on the group type.

• Licenses – Lists the license assignment of cloud or hybrid security and mail-enabled security groups.

• Shared mailboxes – This tab displays all shared mailboxes within the tenant.

  • To add the current distribution group as a member of a specific shared mailbox, enable the toggle next to the target shared mailbox.

  • To remove the current distribution group from a specific shared mailbox, disable the toggle next to the target shared mailbox.

  A value changed icon will appear in each updated field. There is a message bar indicating the number of changes under the tab. When ready, you can click Apply changes to apply the updates in batch.

  NOTE

  This tab is only available for hybrid distribution groups.

• Nested groups – This tab displays all local and hybrid distribution groups within the tenant, excluding the current distribution group itself. Use this tab to manage the current distribution group's membership in other distribution groups:

  • To add the current distribution group as a member of another distribution group, enable the toggle next to the target distribution group.

  • To remove the current distribution group from a specific distribution group, disable the toggle next to the target distribution group.

  A value changed icon will appear in each updated field. There is a message bar indicating the number of changes under the tab. When ready, you can click Apply changes to apply the updates in batch.

  NOTE

  This tab is only available for local and hybrid distribution groups.

• Audit logs – This tab displays all action records performed to the current group.

Refer to the following sections for the available management operations and the steps to manage them.

#Update Group Basic Information

To update the basic information of a group, complete the following steps:

1. Click the group name to enter the Group details page.

2. To edit the basics for the group, stay at the Basic information tab and click the Edit button to the right of each editable field after hovering over it. The following fields are editable:

   • Name

   • Group email address

   • Description

   • Aliases

   NOTE

   Group email address and Aliases are not available for security groups.

3. Click Apply changes on the top of the tab after you make changes to save and apply the changes.

#Manage Group Owners and Members

To add owners or members, complete the following steps:

1. Click the display name of a group to navigate to the Group details page.

2. Switch to the Members tab.

3. Click Add in the ribbon.

4. In the Add users panel, search users by display name or email address and select users to add. You can only add a maximum of 20 users at a time. The selected users appear below the Users.

5. Select Member and Owner for the users to add them as members or owners of the Group.

6. Click Save.

To remove owners or members, complete the following steps:

1. Select the owners or members to remove.

2. Click Remove on the ribbon,

3. In the Remove users confirmation window, click Remove.

#Update Group Settings

To update settings of a group, complete the following steps:

1. Click the display name of a group to navigate to the Group details page.

2. Switch to the Settings tab.

3. Edit the group settings as required.

4. Click Apply changes on the top of the tab after you make changes to save and apply the changes.

#Update License Assignment

To update license assignment for a security group, complete the following steps:

1. Click the display name of a security group to navigate to the Group details page.

2. Switch to the Licenses tab.

3. Edit the license assignment as required.

4. Click Apply changes on the top of the tab after you make changes to save and apply the changes.

#Add a Team to a Group

The Team status column under the Microsoft 365 Groups tab shows whether a team is connected to a specific Microsoft 365 Group. To connect a team to a Microsoft 365 Group, select the desired Group and click Add Teams. Click Add in the pop-up confirmation message.

During the creation of a Microsoft 365 Group, you could specify if roles defined in Microsoft Entra ID can be assigned to the Group. For security purposes, Microsoft 365 Groups that are eligible for administrative roles cannot have a team associated with them.

#Convert Group Type

You can change the group type for a group as needed. To convert a security group to an application group or functional role, or to convert an application group to a security group or functional role, select the desired group, and click Convert. Choose the appropriate target group type and click Convert to complete the process.

#Delete Groups

To delete one or multiple groups, on the User management > Groups page, locate the target groups within the corresponding tab, select the groups, and click Delete. Click Delete in the pop-up confirmation window. A process will start to delete the groups. Navigate to Process center to view the process progress.

#Delete Groups Permanently

Under the Deleted Groups tab, select one or multiple groups that you want to delete permanently and click Delete permanently above the table. The process will start to delete the groups permanently. Navigate to the Process center to view the process progress.

#Export Groups

To export the groups currently shown in a tab, click Export. Choose whether to export the visible columns or all columns, select a file format (.xlsx or .csv), and then click Export. A process will start to export the groups. To view the process status, you can go to Process center