Office 365 Distribution Group vs. Security Group: The Difference of the 2?

Intro – Office 365 Distribution Group vs. Security Group

While Office 365 is a powerful and extremely popular tool, the vastness of its features and options can be confusing! Today, we’ll explore the various permission group options in Office 365 and the difference between them. Making the right choice between these groups will help save you trouble down the road since it affects how to use groups. Choosing the appropriate permission group here in Office 365 will help you and your colleagues become more efficient.

Office 365 Distribution Groups

An Office 365 distribution group is a group of users that is mail-enabled (you can send emails to this group email account, and by doing that, all listed users will also be emailed automatically rather than having to email them all individually). Some advantages of using a distribution group for emailing is that you can set certain options, such as either permitting emails to be sent to external users in the group:

 

An Office 365 Distribution Group will get it’s own dedicated email address, and when a user wants to send an email to a group of people, e.g., the finance department with seven employees, the user will send an email to the group he created called “Finance,” instead of sending it to each of the seven members individually.

Another advantage is that the distribution groups you have are visible in the global address list, which means all users can see and find this group in Outlook, for example. Then, users don’t need to create their own email groups because users share them.

The first time the end user uses the distribution group, it gets cached in the Outlook profile so the next time the user won’t have to type the complete name or email address.

So the common questions are:
How are Office 365 Distribution Groups like Outlook Email/Contact Groups? What are the benefits of choosing distribution groups over Outlook Contact groups?

Outlook Contact Group

An Outlook Contact Group is local to your machine, it is created using Microsoft Outlook and you can store multiple contacts into a ‘group’:

 

 

 

 

 

 

 

 

Outlook Contact Group vs Distribution Group

  1. End users can easily create an Outlook group so they do not have to type the email address of every user to send an email.
  2. Outlook group is stored for the individual user (normally on their machine/laptop), unless they export or share it (creating a duplicate copy, which is not synced).
  3. The Distribution Group works similar to the Outlook group, but the distribution group is shared, this sharing of the groups is made possible because they are available in the GAL (Global Address List) for all users – so they can be shared (and updated) from one central location to multiple users.
  4. Distribution Groups also have an option for the administrator to specify the delivery methods, such as who can send ‘to’, and send ‘from’ this list, which can help prevent unwanted spam blasts! (see above screenshot under Distribution Groups)
  5. The owner of the distribution group has an option to add/remove users from the distribution group.

Dynamic Distribution Groups

Dynamic Distribution Groups behave just like regular Distribution Groups above, however the memberships are automatically calculated.

This is from Technet:

“Unlike regular distribution groups that contain a defined set of members, the membership list for dynamic distribution groups is calculated each time a message is sent to the group, based on the filters and conditions that you define. When an email message is sent to a dynamic distribution group, it’s delivered to all recipients in the organization that match the criteria defined for that group.”

Example, you can use PowerShell or the Office 365 Exchange Admin Center UI to create one of these and you have the options below to specify criteria that will dynamically build/grab the members. This can be very useful when dealing with many users and many frequent changes/additions/removals of users, and helps prevent mistakes since these are just created once and the OU structure should normally not change very often.

Dynamic Distribution Groups

Both Distribution Groups and Dynamic Distribution Groups require maintenance. Maintenance for a regular Distribution Group can be delegated out to the users, the Dynamic Distribution Groups changes would require someone more technical, such as someone on the IT team to either change the logic inside the list, or change entries in AD for one or more users.

Security Groups

There are two types of security groups: security groups and mail-enabled security groups

A) Security Group

A security group is used to assign permission to a set of users to grant access to things, such as to a SharePoint Site, Web Pages, an entire SharePoint List or Document Library, or even just some files, etc.

Also, a security group is for users who may have a common set of permissions. In this way, an Administrator can assign certain permissions (such as for SharePoint Site access) to all users in this group instead of having to enter each person individually.

Let’s say, for example, five members need the edit permission to a folder or SharePoint Library. The administrator can use a security group, which contains all the members who need access, instead of assigning the permissions to each user individually, and assign this  Security Group to the folder or SharePoint Library.

Once the admin assigns permission to a security group, and in case the admin wants to give the same level of permission to more users, he/she can select the security group itself and add members either from the Office 365 Admin Center, or using Exchange Admin Center, as show below:

Office 365 Admin Center to Manage Members

Below I have Office 365 groups listed, however your ‘Distribution Groups’ and ‘Security Groups’ can also be listed and managed here.

Office 365 Exchange Admin Center to Manage Group Members

 

Exchange Admin Center to Manage Members

  1. Go to your Office 365 Admin Center, click on Admin Centers and click Exchange. Otherwise, you can also just use link below
  2. Office 365 Exchange Administration center (Outlook.office365.com/ECP)
  3. Go to recipient>groups>select the group
  4. Click Edit (Pencil icon)
  5. Click on the membership button as shown below and add members to the group

What is the difference between a security group and a distribution group?

Unlike the distribution group, a security group can manage permissions for the users. The distribution group is used only to send emails to multiple users (who are members of that distribution group).

Also, if you’re using synchronized identity through the AD, the security group is also used to assign permissions to users in the Active Directory.

B) Mail-Enabled Security Group

If we mail-enable the security group, we can send e-mail to all members of that group. For example, if you create a security group that gives members access to the RBAC (Role-based Access control) roles in Office 365, you may want to send an email to that group to notify them about their permissions.

How is a mail-enabled security group different from a distribution group?

Unlike a distribution group, a mail-enabled security group is used to BOTH manage permissions AND send emails to users.

Office 365 Groups

The latest addition to these ‘permission group’ options are ‘Office 365 Groups’.

An Office 365 group is used to communicate, collaborate and schedule meetings or events with group members. Users can create, find and join groups right from their inboxes. Once users create a group or join a group, they can start sharing files and collaborate with each other. Office 365 groups allows group emails like a distribution list so a user can send an email to the Office 365 group email account, and all members will receive the email (instead of having to email all users individually). Office 365 groups also allow you to use the group to set and apply permissions, like a security group. In addition, an Office 365 group has collaboration and social features built into it.

Social—Private and Public

When users first create an Office 365 group, they can choose to make the group public or private. Earlier in Office 365, they couldn’t change the privacy setting after they created the group. Now, users can change the privacy settings on an Office 365 group, in Outlook on the web, after they’ve created it. For example, a user creates a group for the human resources team in their organization and made it a public group, but now, the user would like to make it a private group. They can easily change the privacy settings in a few steps as shown below:

  • Open OWA (Outlook Web Access)
  • Navigate to the Office 365 Group that the user wants to change the privacy settings on
  • From the group page, click or tap Edit group tabUnder Privacy, choose Public or Private to match the setting you want

  • Click Save to and close the page

Integration with Microsoft Teams

You can use your Office 365 with Microsoft Teams to manage tasks using Planner, open files in SharePoint, set calendar dates for the teams, discuss projects and channels using chat, video or voice calling, which is built on top of Skype. To learn more about Microsoft Teams, visit here:

https://teams.microsoft.com

As an end user, you own any existing Office 365 group and can add it to Microsoft Teams here https://teams.microsoft.com. Otherwise, if you create a team from within the Microsoft Teams application or the team’s website here https://teams.microsoft.com, it automatically creates an Office 365 group with the same name for you.

For example:

  • I have an existing group, so it will show me the tab below when I open Microsoft Teams:

 

 

 

  • Click on Yes, add Microsoft Teams functionality, which will pop up a new window as below:

  • Select the group and proceed with selection of “choose team tab”
  • Once done, you created your Microsoft Teams site, and you can start with a conversation or file-sharing.

Note: if you opt out of an existing Office 365 group that you own, and you create a new team in Microsoft Teams, it will also create an Office 365 group as well.

With Teams Integration, organizations can empower individuals and teams to collaborate for teamwork, offer a chat-based work space and customization options.  The screenshot below shows a glimpse of Teams Integration with Office 365 Groups:

Benefits of Office 365 Groups

  1. You can post emails to the group just as you do for a distribution group.
  2. Members can upload or view/edit One Drive files.
  3. Discover, share and collaborate on a team site that’s as good as a SharePoint team site (Please note: The team site in the Office 365 Group is not part of SharePoint sites and the quotas that are available for them).
  4. Group members can stay updated with third-party apps like Twitter and Facebook by enabling the feeds from such sites through the Office 365 group.
  5. Post photos or ideas or any important information in the One Note app.
  6. You can assign tasks to group members through a planner.
  7. You can integrate with Microsoft Teams to get a centralized platform to manage the different Office 365 groups and the assets and resources encompassed within them.

 

 

Some how-to’s about Office 365 groups for administrators

(i) Team site created by Office 365 Groups—not found in Site Collections List in SharePoint Administration Site?

How do you find the Office 365 Group team site?

By default, team sites created with Office 365 group are hidden and not visible in SharePoint admin center for administrators.

As an admin, to view these sites, the administrator can use PowerShell (shown below) commands: This is the same way you would access and get information from normal team sites as well.

  • Connect PowerShell with SharePoint online admin center

Connect SPOService: https://mycompany-admin.sharepoint.com

Note: In this case the Office 365 group that I created was “test12”

 

After running this command, it will list all the sites that are hidden or visible in the SharePoint admin center (including the one that’s part of an Office 365 group, in this case it’s test23).

  • You can get the complete information about team sites using the command below:

Get SPOSite Identity https://mycompany.sharepoint.com/sites/test23

  • To get complete information of this team site, run the command below:

Get SPOSite Identity https://mycompany.sharepoint.com/sites/test23 |f1

  • To remove the team site, run the command below. (It’s the same as using PowerShell to remove a regular team site.)

Note: This is only going to remove the group team site.

(ii) As an administrator, how do I remove an Office 365 group using PowerShell?

a) Connect PowerShell to an exchange online

$credential = get-credential

$ExchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $credential -Authentication Basic -AllowRedirection

Import-PSSession $session

b) Run the command below to get all the Office 365 groups listed

Get-unifiedgroup

c) Use the PowerShell command below to remove any of these Office 365 groups

Remove-unifiedgroup -identity group@domain.com

(iii) How do you hide an Office 365 group from the Global Address List/GAL?

Set-UnifiedGroup -Identity *contoso@mycompany.com -HiddenFromAddressListsEnabled $true

(iv) How do I create a library in an Office 365 group team site?

Navigate to the team site > New > document library

 

Limitations of Office 365 Groups

  1. Office 365 groups are not visible in Outlook 2013; they are only compatible and integrated with Outlook 2016.  In either case, the user can always  access the Office 365 groups from the Outlook web app.
  2. When an Office 365 group is removed, the team site created for the group is not removed by default. The administrator needs to use PowerShell to remove the team site.

Despite these limitations, Office 365 groups provide advanced security and compliance features, which make it an effective collaboration tool not only for enterprise customers but also small and medium-sized businesses.

Office 365 vs Distribution List vs Contact Group comparison
Feature Distribution List

(Global)

Contact Group

(Local)

Office 365 Group

(Global)

Send a copy of an e-mail message to all members. Yes Yes Yes
Store copy of each past message sent to the group in shared mailbox. No No Yes
Expand groups’ name into members in Outlook. Yes Yes No
Dedicated e-mail address. Yes No Yes
OneDrive storage for files. No No Yes
Dedicated Calendar. No No Yes
Dedicated OneNote Notebook. No No Yes
Planer, Site, Connectors. No No Yes
Web interface. No No Yes
Another Comparison: Office 365 Groups vs distribution lists
Distribution list Office 365 Group
Functionalities Enables users to send emails to all members of a group. In addition to the distribution list’s feature, integrates with SharePoint, Yammer, Team, Planner, OneNote, and PowerBI.
PowerShell management Yes, sample cmdlet: Set-DistributionGroup. Yes, sample cmdlet: Set-UnifiedGroup.
EAC management Yes. Yes.
Can send emails to all members of a list Yes, both for internal and external senders. Yes, both for internal and external senders.
Shared inbox No, emails are only distributed to members. Yes.
Defining access type Not available. The option is available.
Document library Not available. Set up automatically in SharePoint.
Shared calendar Not available. Set up automatically.
Required license Any AAD subscription (including free.) Free AAD subscription is enough for most Office 365 Groups’ features. For a full list of available features visit this article.
Restore a deleted group Not available. Office 365 group can be restored for up to 30 days after deletion.
Dynamic membership Possible with Dynamic Distribution Groups. Requires Azure AD premium subscription.
Do you use SharePoint? Try our toolkit
Download SharePoint Essentials Toolkit Now
Download the SharePoint Essentials Toolkit
Follow me

Chris Ang - CCNA, A+, MCPD, MCTS

Chris Ang (New York, NY USA) is a SharePoint Architect with 20 years experience in programming and network infrastructure.

Currently working at QIPoint (http://www.qipoint.com), he has helped architect and develop SharePoint Enterprise products for customers such as the U.S. Navy, U.S. Army, U.N. Security Council of Netherlands, Australian Government, U.S. Dept of Treasury, U.S. Dept of Justice, Canadian Dept of Defense, Scotiabank, JPMorgan CHASE Bank, Intel, Ford Motors, Microsoft, NASA, DARPA, SNC Lavalin, Penguin Books, and more.

He is a proud father of 2, and when he has any spare time, he loves to paint portraits of his kids.
Follow me

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.