Back to when we only had SharePoint, we had SharePoint groups to configure security. Now that we have Office 365, we have a lot of groups and these groups all have differences. In this blogpost I will try to create a comparison of all groups combined with their advantages and disadvantages.
- SharePoint groups
- Security groups
- Mail enabled security groups
- Distribution lists
- O365 groups, or now named Microsoft 365 or M365 groups
- Domain groups
SharePoint groups
SharePoint groups are defined on site level. These groups are great but can quickly become complex and messy when you have a huge organization.
- SharePoint groups are automatically created when the site is created
- You cannot nest SharePoint groups
- You cannot add SharePoint groups to Active Directory Security groups
- You cannot share Power Apps or Flows with SharePoint groups
Tips
- Only add people in the SharePoint groups and not directly on the site to keep it clean
- Use the automatically created SharePoint groups, manual creation of SharePoint groups is used rarely. By default you have following SharePoint groups:
- Owners
- Members
- Visitors
Security groups
Security groups control access (SharePoint, Power Apps, Power Automate, …) and can be created based on the organizational chart. In the SharePoint groups we can add the security groups and not give permissions to individual users within the SharePoint groups.
- (Azure) Active Directory security groups can be added to/nested in SharePoint Groups
- Power Apps can be shared with (Azure AD) security groups
- Flows in Power Automate can be shared with (Azure AD) security groups
- You can manage these security groups on organizational level and avoid individual permissions
- You can nest security groups in other security groups. This can be great when you have an organization with hierarchies. You can create a security group “HR” and nest the “Payroll” security group in it.
- A security group can not be nested in a mail enabled security group,
- A security group cannot be nested in an O365 group
- A security group cannot be nested in a distribution list
Tips
- Manage the security groups well so that you can use them in SharePoint to avoid individual permissions and messy structures
- Synchronize your on-premise Active Directory with O365 so you don’t need to recreate it in Azure Active Directory
Mail-enabled security groups
Mail enabled security groups have all the functionality of a distribution list (to send emails to) and can also be used to control access (SharePoint, Power Apps, Power Automate, …). If you want a security group but also want to send emails to people in those security groups, use mail enabled security groups.
- Power Apps can be shared with mail enabled security groups
- Flows in Power Automate can be shared with mail enabled security groups
- Mail enabled security groups have an email address
- You can nest a mail enabled security groups in a SharePoint Group
- You can nest a mail enabled security group in another mail enabled security group
- You can nest a mail enabled security group in a normal security group
- You can nest a mail enabled security group in a distribution list
- You cannot nest a mail enabled security group in a O365 group
Tips
- When someone requests a list/group of people to send mails to, and this will also be used for access purposes, create a mail enabled security group
Distribution lists
Distribution lists are very simple and can just be used to send emails to multiple people. This list can also be created from the Microsoft 365 admin center. If you enable it, people outside your organization can also send an email to a distribution list.
- You can nest a distribution list in a security group
- You can nest a distribution list in a mail-enabled security group
- You can nest a distribution list in another distribution list
- You cannot use a distribution list for security or access control
- You cannot share a Power Apps with a DL
- You cannot share a Flow in Power Automat with a DL
- You cannot nest a distribution list in a SharePoint group
- You cannot nest a distribution list in an O365 group
Tips
- It can take up to an hour for your distribution list to appear in the “Active groups” list in the Microsoft 365 admin center
- Create a distribution list when users ask for a mailing list and do not require access control for this list
Office 365 Groups (Microsoft 365 groups or M365 groups)
O365 Groups are a successor of security groups with extra benefits.
An O365 Group allows teams (multiple people) to have a shared email and a set of collaboration tools (for example a Microsoft Teams team) that are automatically created.
An O365 group always has one or multiple owners.
- You can nest an O365 group in a SharePoint group
- You can share a Power Apps or Flow in Power Automate with an O365 Group if you make the O365 group security enabled with PowerShell, check my blogpost about Sharing Flow or Power App with O365 M365 group
- You cannot nest an O365 group in a distribution list
- You cannot nest an O365 group in a security group
- you cannot nest an O365 group in a mail enabled security group
Tips
- There’s a high chance that teams need a shared email address, a MS Teams team and the possibility to share Power Apps or Flows with O365 Groups. Create an O365 group for a all-in-one group when the people need everything in one package.
Domain groups
Domain groups cannot be created and exist by default.
- Everyone
- Everyone except external users
- Domain groups are a quick way to change something with everyone
- Power Apps and Flows in Power Automate can be shared with domain groups