How to create and manage security groups in Microsoft 365

Microsoft 365 security groups, formerly known as Office 365 security groups, allow administrators to easily manage access to, for example, SharePoint sites, grouping users who require identical permissions. That way, you only need to assign access once for the entire group, not for each individual user. In this article, we'll show you how to create a security group, how to add and remove members of that group using the Microsoft / Office 365 admin center, and how to streamline the process using PowerShell cmdlets.


How security groups work

The way security groups work in Microsoft 365 is quite simple. First, create a security group and add members to this group. This group can then be used, for example, to grant access to a specific site in SharePoint only to those members. Each user within the security group will have the same permissions for that site. If a group's access to a resource is revoked, the changes will affect all of its members. If a member is removed from a group, their permissions will also be removed. This offers obvious time savings in terms of access management, especially for larger organizations with many users. In addition, a security group can also be converted to an email-enabled security group and used to send notifications (emails) to all members of that group.

Security groups vs Microsoft 365 groups vs distribution lists

As with any other tool, security groups have their intended purpose. Administrators use them to manage access rights to various resources. However, they are not designed to send and receive emails. Another type of group, an email-enabled security group, has an email address for communication with members of the security group and also allows access rights management. If you need to create a group just to communicate with a set of users (based on a specific location, a specific department, etc.), it is best to use a distribution list. And if you need a group for collaboration between users (with a group email, as well as a shared workspace for conversations, files, calendar events, etc.), a Microsoft 365 group will be the best option.

How to create and manage security groups

There are a few ways to create a security group in your organization. Next, we'll look at how to do this in the Microsoft 365 admin center and using PowerShell cmdlets.

How to create and manage security groups in the Microsoft 365 admin center

To create a security group in the Microsoft 365 admin center, go to Groups > Active groups and click Add a group.

A three-step wizard opens on the right side of the window. In the Group type step, select Security and click Next to continue.

In the Basic step, enter your group name (required) and a brief description (optional). Click Next to continue.

Review the group settings in the Finish step and click Create group.

When your new security group is created, click Close to return to the Active Groups page.

You can now add members to that group. To do this, select the group, go to the Members tab and click View all and manage members. The panel that opens allows you to edit the group membership.

Click Add members and select users, groups, or other features you want to add to the security group. Use the search box to find specific members quickly. When finished, click Save. You can now close this panel and return to the Active groups page.

If you want to remove members from the group, select your security group, go to the Members tab and click View all and manage members as above. Click the X button next to the member you want to exclude from the group. Once this is done, close the panel.

Finally, if you want to delete a security group, find it on the Active groups page, click the More actions button and select Delete group in the drop-down list.

How to create and manage security groups using PowerShell cmdlets

You can use Exchange Online or Azure Active Directory cmdlets to manage Microsoft 365 security groups. In this article, we’ll show you how to use AAD cmdlets. First, before you can use them, you need to connect to Azure Active Directory and sign in using the cmdlet below:

Connect-MsolService

Create a security group

You can now create a security group by running the following cmdlet:

New-MsolGroup -DisplayName "Security Group Name" -Description "Security Group created via Powershell"

Use the -DisplayName parameter to specify the group name and, optionally, the -Description parameter to enter any additional information. To confirm that the security group has been created, use:

Get-MsolGroup -SearchString "Security Group Name"

Using -SearchString "Security Group Name", you can display only the newly created group. To display all security groups, use -GroupType "Security".

Add members to a security group

The following cmdlet is used to add a member to the group:

Add-MsolGroupMember -groupobjectID <group GUID> -groupmembertype User -groupmemberobjectID <user GUID>

Where:

  • -groupobjectID is used to identify the group (using GUID)
  • -groupmembertype is the type of group member (user or group)
  • -groupmemberobjectID is the user's GUID

To add (or remove) members of a security group, you need to know the globally unique identifier (GUID) of the group and the users you want to add (or remove). You can use the following cmdlet to display the identifier for a particular user:

(Get-MsolUser -UserPrincipalName "User UPN").ObjectID

To display a group's GUID, use:

Get-MsolGroup -SearchString "Security Group Name"

Since you do not want to manually copy and paste these identifiers, create two separate variables. The first will provide the user's GUID:

$UserID = (Get-MsolUser -UserPrincipalName "User UPN").ObjectID

The second will provide your security group's GUID:

$GroupID = (Get-MsolGroup -SearchString "Security Group Name").ObjectID

When using variables to add a new user, the cmdlet will look like this:

Add-MsolGroupMember -groupobjectID $GroupID -groupmembertype User -groupmemberobjectID $UserID

The biggest advantage of using PowerShell to manage groups is the fact that you can add many users to a group at the same time. To do this, first prepare a list of all users that you want to add to a group:

Get-MsolUser -Title "User Title"

In this example, we are using the parameter -Title, which will display a list of all users whose Title field in Active Directory matches the parameter value. A different parameter that you may want to use instead is -Department, which will list all users with the information specified in the Department AD field.

We will now use this cmdlet to create a variable that contains a list of GUIDs for all users who meet the defined criteria:

$UserList = (Get-MsolUser -Title "User Title").ObjectID

Then, create a loop that passes each object in $UserList to the cmdlet that adds new users to a group:

foreach ($user in $UserList) {Add-MsolGroupMember -groupobjectID $GroupID -groupmembertype User -GroupmemberobjectID $user}

To check if new members have been added to the group, you can view all members of the group by running:

Get-MsolGroupMember -groupobjectID $GroupID
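
The script below is an added example, not part of the original article: it wraps the bulk-add steps above in a function that resolves the group by its exact display name (because -SearchString returns every group whose name starts with the text, which would leave $GroupID holding several GUIDs), skips users who are already members, and supports -WhatIf. The function name Add-UsersToSecurityGroup and its parameters are hypothetical, and an active Connect-MsolService session is assumed.

```powershell
# Added example: bulk-add users to one security group, resolved by exact name.
# Assumes Connect-MsolService has already been run in this session.
function Add-UsersToSecurityGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $GroupName,   # exact display name of the group
        [Parameter(Mandatory)] [string] $Title        # value of the users' Title field
    )

    # -SearchString returns groups whose names begin with the text, so keep
    # only security groups whose display name matches exactly.
    $groups = @(Get-MsolGroup -SearchString $GroupName -GroupType Security |
                Where-Object { $_.DisplayName -eq $GroupName })
    if ($groups.Count -ne 1) {
        throw "Expected exactly one security group named '$GroupName', found $($groups.Count)."
    }
    $groupId = $groups[0].ObjectId

    # Current members, so users who already belong to the group are skipped.
    $existing = @(Get-MsolGroupMember -GroupObjectId $groupId -All |
                  ForEach-Object { $_.ObjectId.ToString() })

    foreach ($user in (Get-MsolUser -Title $Title -All)) {
        $upn = $user.UserPrincipalName
        if ($existing -contains $user.ObjectId.ToString()) {
            Write-Verbose "Already a member: $upn"
            continue
        }
        if ($PSCmdlet.ShouldProcess($upn, "Add to '$GroupName'")) {
            try {
                Add-MsolGroupMember -GroupObjectId $groupId -GroupMemberType User `
                    -GroupMemberObjectId $user.ObjectId -ErrorAction Stop
                # Emit one record per change so the run can be kept as an audit trail.
                [pscustomobject]@{ Group = $GroupName; Added = $upn; When = Get-Date }
            } catch {
                Write-Warning "Could not add ${upn}: $($_.Exception.Message)"
            }
        }
    }
}

# Preview the changes first, then run again without -WhatIf to apply them.
Add-UsersToSecurityGroup -GroupName "Security Group Name" -Title "User Title" -WhatIf
```

Piping the output of a real run to Export-Csv gives a record of exactly which accounts received the group's permissions.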

You can also add another security group as a member of a security group. First create a variable:

$AddedGroupID = (Get-MsolGroup -SearchString "Name of the Group you want to add").ObjectID

Then use it in the cmdlet that was used previously to add members to a group:

Add-MsolGroupMember -groupobjectID $GroupID -groupmembertype Group -groupmemberobjectID $AddedGroupID

Notice that -groupmembertype has a different value: Group.

Remove the group members and the security group itself

If you want to remove a user from a security group, prepare the variables in the same way as when adding members and use the following cmdlet (you can also remove multiple members or groups as discussed above):

Remove-MsolGroupMember -groupobjectID $GroupID -groupmembertype User -groupmemberobjectID $UserID

Finally, to remove the security group itself, you need to use the following cmdlet:

Remove-MsolGroup -objectid $GroupID

In addition, you can add the parameter -Force at the end of the cmdlet above if you don't want to be asked to continue this operation.


Felipe Santos
Felipe Santos is a Cloud and Security Architect, with experience in Windows Server, Cluster, Storages, Backups Veeam and Office 365 environments.