Microsoft 365 security groups, formerly known as Office 365 security groups, allow admins to easily manage access to e.g. SharePoint sites by grouping together users that require identical permissions. This way you only need to assign access once for the entire group, not for each user individually. In this article, we will show you how to create a security group as well as add and remove members from this group using Microsoft/Office 365 admin center and how to streamline the process using PowerShell cmdlets.
Quick navigation
- How security groups work
- Security groups vs Microsoft 365 / Office 365 groups vs distribution lists
- How to create and manage security groups
How security groups work
The way security groups work in Microsoft 365 is quite simple. First, create a security group and add members to it. The group can then be used, for example, to grant access to a specific SharePoint site to these members only. Every user in the security group gets the same permissions to that site. If the group's access to a resource is revoked, the change affects all of its members; if a member is removed from the group, they lose the permissions the group granted them (any access they hold directly or through another group is unaffected). This saves a lot of time in access management, especially in larger organizations with many users. Where you also need to email all members, use a mail-enabled security group: a separate group type that combines a security group with an email address, so it can carry notifications to everyone in it.
Security groups vs Microsoft 365 / Office 365 groups vs distribution lists
Like every other tool, security groups have an intended purpose: they let admins manage access rights to resources. They are not designed for sending and receiving email. A mail-enabled security group, another group type, has an email address for communicating with its members and can still be used to manage access rights. If you need a group purely for communication with a set of users (based at a specific location, from a specific department, etc.), a distribution list is the better choice. And if you need a group for collaboration between users (with a group email address as well as a shared workspace for conversations, files, calendar events, etc.), a Microsoft 365 group will be the best option. If you would like to learn more about Microsoft 365 groups and distribution lists, take a look at this article.
How to create and manage security groups
There are a few ways to create a security group in your organization. Below, we will look at how to do that in the Microsoft 365 admin center and by using PowerShell cmdlets.
How to create and manage security groups in Microsoft 365 admin center
To create a security group in the Microsoft 365 admin center, go to Groups > Active groups and click Add a group.
A three-step wizard opens on the right side of the window. In the Group type step, select Security and click Next to continue.
In the Basics step, enter the name of your group (mandatory) and a short description (optional). Click Next to continue.
Review the group settings in the Finish step and click Create group.
When your new security group is created, click Close to return to the Active groups page.
Now, you can add members to that group. To do so, select the group, go to the Members tab, and click View all and manage members. The pane that opens allows you to edit group membership.
Click Add members and select users, groups or other resources you want to add to the security group. Use the search box to find specific members quickly. When you are done, click Save. You can now close this pane and return to the Active groups page.
If you want to remove group members, select your security group, go to the Members tab, and click View all and manage members as above. Click the X button next to the member you want to delete from the group. Once done, close the pane.
Finally, if you want to delete a security group, find it on the Active groups page, click the More actions button and select Delete group from the drop-down list.
How to create and manage security groups using PowerShell cmdlets
It is possible to use either Exchange Online or Azure Active Directory cmdlets to manage Microsoft 365 security groups. In this article, we will show you how to use the AAD cmdlets from the MSOnline module. Note that Microsoft has deprecated the MSOnline and AzureAD modules in favor of the Microsoft Graph PowerShell SDK (Microsoft.Graph, with cmdlets such as New-MgGroup, New-MgGroupMember and Get-MgGroupMember), so treat the cmdlets below as legacy and expect them to stop working once the module is retired in your tenant. Sign in with an account that holds a role able to manage groups (for example Groups Administrator) rather than a Global Administrator account. First, connect to your Microsoft Entra ID (Azure Active Directory) tenant and sign in by using the cmdlet below:
Connect-MsolService
Create a security group
You can now create a security group by running the following cmdlet:
New-MsolGroup -DisplayName "Your security group name" -Description "Security group created with PowerShell"
Use the -DisplayName parameter to specify the group’s name and the -Description parameter (optionally) to enter additional information you need. To confirm that the security group was created, use:
Get-MsolGroup -SearchString "Your security group name"
By using -SearchString "Your security group name", you display only the newly created group (the search matches group names that start with the given text). To display all security groups, use -GroupType Security instead.
Add members to a security group
The following cmdlet is used to add a member to the group:
Add-MsolGroupMember -GroupObjectId <GUID> -GroupMemberType User -GroupMemberObjectId <GUID>
Where:
- -GroupObjectId identifies the group (by its GUID),
- -GroupMemberType is the type of group member (User or Group),
- -GroupMemberObjectId is the GUID of the user.
To add (or remove) members of a security group, you need to know the globally unique identifier (GUID) of the group and of the users you want to add (or remove). You can use the following cmdlet to display the identifier of a particular user:
(Get-MsolUser -UserPrincipalName "User's UPN").ObjectId
To display the GUID of a group, use:
Get-MsolGroup -SearchString "Your security group name"
Since you do not want to manually copy and paste these identifiers, create two separate variables. The first one will provide the GUID of the user:
$UserID = (Get-MsolUser -UserPrincipalName "User's UPN").ObjectId
The second will provide the GUID of your security group. Because -SearchString matches every group whose name starts with the given text, make sure only one group was returned (for example by checking $GroupID.Count); if several match, $GroupID holds several GUIDs and the cmdlets below will fail:
$GroupID = (Get-MsolGroup -SearchString "Your security group name").ObjectId
When using variables to add a new user, the cmdlet will look as follows:
Add-MsolGroupMember -GroupObjectId $GroupID -GroupMemberType User -GroupMemberObjectId $UserID
The biggest advantage of using PowerShell to manage groups is the fact that it is possible to add many users to a group at the same time. To do so, first prepare a list of all users you want to add to a group:
Get-MsolUser -All -Title "User's job title"
In this example we are using the -Title parameter, which lists all users whose Job title attribute in Microsoft Entra ID matches the parameter value. A different parameter you might want to use instead is -Department, which lists all users with the specified value in the Department attribute. The -All switch matters here: without it, Get-MsolUser returns at most 500 users, so in a larger tenant part of the list would silently be missing.
We will now use this cmdlet to create a variable that contains a list of GUIDs of all users that meet the defined criteria:
$UserList = (Get-MsolUser -All -Title "User's job title").ObjectId
Next, create a loop that will apply each of the objects in $UserList to the cmdlet that adds new users to a group:
foreach ($user in $UserList) { Add-MsolGroupMember -GroupObjectId $GroupID -GroupMemberType User -GroupMemberObjectId $user }
To check if new members were added to the group, you can display all group members by running:
Get-MsolGroupMember -GroupObjectId $GroupID -All
It is also possible to add another security group as a member of a security group. First create a variable:
$AddedGroupID = (Get-MsolGroup -SearchString "Name of group you want to add").ObjectId
Then use it in the cmdlet that has been previously used to add members to a group:
Add-MsolGroupMember -GroupObjectId $GroupID -GroupMemberType Group -GroupMemberObjectId $AddedGroupID
Note that -GroupMemberType now has a different value: Group. Nesting is convenient, but remember that whoever can add members to the nested group can thereby grant access to everything the parent group is permitted to, so review the owners of nested groups as carefully as those of the parent.
Remove group members and the security group itself
If you would like to remove a user from a security group, prepare the variables exactly as when adding members and use the following cmdlet (multiple members, or nested groups, are removed the same way as discussed above):
Remove-MsolGroupMember -GroupObjectId $GroupID -GroupMemberType User -GroupMemberObjectId $UserID
Finally, to remove the security group itself, you need to use the following cmdlet:
Remove-MsolGroup -ObjectId $GroupID
Additionally, you can add the -Force parameter at the end of the above cmdlet if you don’t want to be prompted to continue this operation.
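The one-liners above work, but each skips a check that matters once you automate membership: -SearchString is a prefix match, Get-MsolUser caps its output at 500 objects without -All, re-adding an existing member produces an error, and nothing tells you about members who should no longer be in the group. The script below, an added example written for this article and not part of the original text or of the MSOnline module, ties the create, add, verify and remove steps together into one repeatable run. It assumes you have already run Connect-MsolService; the group name, job title, and the -RemoveStale switch are hypothetical placeholders you would replace with your own.

```powershell
# Added example (not from the original article): keep a security group's membership in
# sync with a job title, using the same MSOnline cmdlets as above. Hypothetical values:
# GroupName, JobTitle; RemoveStale is an opt-in switch so the default run never removes access.
param(
    [string]$GroupName = 'Your security group name',   # hypothetical placeholder
    [string]$JobTitle  = "User's job title",           # hypothetical placeholder
    [switch]$RemoveStale                               # only remove stale members when set
)

Connect-MsolService   # interactive sign-in; use an account with a group-management role

# 1. Resolve the group by exact display name, not prefix. -SearchString "Finance" would also
#    match "Finance Admins", so filter to an exact match and insist on exactly one hit.
$groups = @(Get-MsolGroup -SearchString $GroupName -GroupType Security -All |
            Where-Object { $_.DisplayName -eq $GroupName })
if ($groups.Count -ne 1) {
    throw "Expected exactly one security group named '$GroupName', found $($groups.Count)."
}
$GroupID = $groups[0].ObjectId

# 2. Build the desired member set. -All lifts the default 500-object limit; disabled
#    (sign-in blocked) accounts are excluded so a blocked user never regains access here.
$wanted   = @(Get-MsolUser -All -EnabledFilter EnabledOnly -Title $JobTitle)
$wantedIds = $wanted | ForEach-Object { $_.ObjectId.ToString() }

# 3. Read current membership once and diff against it, instead of blindly re-adding.
#    Only User members are compared; nested groups are left untouched on purpose.
$current    = @(Get-MsolGroupMember -GroupObjectId $GroupID -GroupMemberType User -All)
$currentIds = $current | ForEach-Object { $_.ObjectId.ToString() }

$toAdd = $wanted  | Where-Object { $currentIds -notcontains $_.ObjectId.ToString() }
$stale = $current | Where-Object { $wantedIds  -notcontains $_.ObjectId.ToString() }

foreach ($user in $toAdd) {
    try {
        Add-MsolGroupMember -GroupObjectId $GroupID -GroupMemberType User `
                            -GroupMemberObjectId $user.ObjectId -ErrorAction Stop
        Write-Host "Added   $($user.UserPrincipalName)"
    } catch {
        Write-Warning "Failed to add $($user.UserPrincipalName): $($_.Exception.Message)"
    }
}

# 4. Stale members are reported by default and removed only with -RemoveStale, so a typo in
#    the job title cannot strip access from an entire team in a single run.
foreach ($member in $stale) {
    if ($RemoveStale) {
        Remove-MsolGroupMember -GroupObjectId $GroupID -GroupMemberType User `
                               -GroupMemberObjectId $member.ObjectId -ErrorAction Continue
        Write-Host "Removed $($member.EmailAddress)"
    } else {
        Write-Host "Stale   $($member.EmailAddress) (no longer has title '$JobTitle'; use -RemoveStale)"
    }
}

# 5. Verify the end state and surface the result for the change record.
$final = @(Get-MsolGroupMember -GroupObjectId $GroupID -GroupMemberType User -All)
Write-Host ("Group '{0}': {1} user member(s), {2} added, {3} stale." -f
            $GroupName, $final.Count, $toAdd.Count, $stale.Count)
```

Run it once without -RemoveStale to see what it would change, then again with the switch once the stale list looks right. Because the script diffs against the live membership, it is safe to schedule: a second run with no directory changes adds and removes nothing.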