Planning and managing group-based identities and their lifecycle can be very complex in an Azure AD environment because of the different types of groups available and the various group sources that can feed a tenant connected to on-premises identity infrastructure or to Exchange Online. Understanding the use cases for each group type, and where its attributes and membership can be managed, is not straightforward. Microsoft has published the “Compare groups” article, which partially addresses this topic, but not at the level of detail required by those planning out the group identity management structure for a Microsoft 365 adoption. The information below is intended to fill that gap.
Group Sources and Types in a Microsoft 365 / Azure AD Tenant
Native Azure AD Group Types
First, groups in Azure AD can originate directly in Azure AD. Just two types of groups can originate directly in Azure AD:
- Security (native Azure AD)
- Microsoft 365
Other Azure AD Group Types
Additionally, Azure AD groups can originate outside of Azure AD by being synchronized into it from a connected source such as Exchange Online or one or more on-premises Active Directory environments (which may also include Exchange on-premises organizations and attributes). Presently, many if not most enterprise organizations with a Microsoft 365 / Azure AD tenant have configured on-premises identities to synchronize with Azure AD via Azure AD Connect or another identity management solution. Depending on the configuration of that synchronization solution, various on-premises group types are synchronized to Azure AD (and to connected Microsoft 365 services). Similarly, groups originating in Exchange Online can appear in Azure AD. Specifically, the group types that originate from these other sources but can appear in Azure AD are:
- Security (synced from AD)
- Mail enabled Security (from AD/Exchange or Exchange Online)
- Distribution (from AD/Exchange or Exchange Online)
Group Characteristics and Capabilities by Type and Source
Group Types Listing
The following table describes the available characteristics and capabilities of a group based on its type and source (Origin/Master). The Group Types included are as follows:
- Security (regardless of source, Azure AD or AD): can be used as a security principal in various access control lists for permissions to folders, labels, policies, sites, applications, etc. Many other potential uses.
- Microsoft 365 (source is always Azure AD): can be used like a Security group (as a security principal) but also is the source of membership for Microsoft Teams, Planners, Group Mailboxes, Group based SharePoint Online sites, and other Microsoft 365 services.
- Distribution (source is always Exchange On-Premises /AD or Exchange Online): can be used for email distribution and some other applications like audience targeting in SharePoint Online.
- Dynamic Distribution (source is always Exchange On-Premises or Exchange Online): can be used for mail distribution. Does not sync from the source environment to Azure AD and never appears in Azure AD.
- Mail-Enabled Security (source is AD/Exchange On-Premises or Exchange Online): same as Security plus email distribution. Not considered a best practice in most cases (it is usually better to separate email distribution from security group applications).
Group Sources (Origin/Master) Listing
The Group Sources (Origin/Master) used as column headings in the table are as follows:
- AD: An Active Directory forest (one or more domains) hosted outside Azure AD (usually on-premises, but it could be hosted in a cloud environment).
- Azure AD: The directory service associated with a Microsoft Azure / Microsoft 365 tenant.
- EOP: Exchange On-Premises. An Exchange organization connected to an Active Directory environment.
- EXO: Exchange Online. An Exchange Online organization connected to an Azure AD / Microsoft 365 tenant.
Each column is a group type with its Origin/Master in parentheses. An "x" means the capability applies to that type/source combination.

Capability | Security (AD) | Security (Azure AD) | Distribution (EOP) | Distribution (EXO) | Mail-enabled Security (EOP) | Mail-enabled Security (EXO) | Dynamic Distribution (EOP) | Dynamic Distribution (EXO) | M365 (Azure AD)
---|---|---|---|---|---|---|---|---|---
Direct Membership | x | x | x | x | x | x | | | x
Dynamic Membership | | x | | | | | x | x | x
Can Sync From AD to Azure AD | x | | x | | x | | | |
Can Sync To AD From Azure AD | | x | | | | | | | x
Can Originate In Azure AD | | x | | | | | | | x
Can Originate in EXO | | | | x | | x | | x |
Manage Membership in AD / EOP | x | | x | | x | | | |
Manage Membership in EXO | | | | x | | x | | |
Manage Membership in Azure AD (Group Owner(s) can also manage membership from https://myaccount.microsoft.com/groups) | | x | | | | | | | x
Manage Attributes in AD / EOP | x | | x | | x | | x | |
Manage Attributes in Azure AD | | x | | | | | | | x
Manage Attributes in EXO | | | | x | | x | | x |
Scope Conditional Access in Azure AD | x | x | x | x | x | x | | | x
Group Nesting | x | x | x | x | x | x | | |
Licensing via Azure AD | x | x | | | x | x | | | x
Audience Targeting in SharePoint Online | x | x | x | x | x | x | | | x
Microsoft Teams, Planner, Group Mailbox, Group-based SharePoint Online Site | | | | | | | | | x
Group Owner with primary mailbox in Exchange Online can manage membership via Outlook Address Book | | | | x | | | | |
Group Owner with primary mailbox in Exchange On-Premises can manage membership via Outlook Address Book | | | x | | | | | |
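The type/source distinctions above can be recovered from the group objects Azure AD exposes, which is useful when auditing a tenant for groups whose membership is mastered on-premises or for mail-enabled security groups. The script below is an added example, not code from the original article: it classifies group objects in the shape returned by Microsoft Graph `GET /groups` using the real `groupTypes`, `securityEnabled`, `mailEnabled` and `onPremisesSyncEnabled` properties, and maps each group to the "Manage Membership in ..." row of the table. The sample payload is constructed inline; the `MEMBERSHIP_MASTER` mapping and the review flags are this example's own encoding of the table, not a Graph feature. Dynamic distribution groups never reach Azure AD, so the classifier never sees them, consistent with the table.

```python
"""Classify Azure AD / Microsoft Graph group objects into the type and
Origin/Master categories used in the table, and report where each group's
membership is managed.  Added example; sample data is constructed."""
import json

# Constructed sample in the shape of a Graph GET /groups response
# (only the properties the classifier needs are included).
SAMPLE_GRAPH_RESPONSE = json.dumps({
    "value": [
        {"displayName": "sg-finance", "securityEnabled": True, "mailEnabled": False,
         "groupTypes": [], "onPremisesSyncEnabled": True},
        {"displayName": "sg-cloud-admins", "securityEnabled": True, "mailEnabled": False,
         "groupTypes": ["DynamicMembership"], "onPremisesSyncEnabled": None},
        {"displayName": "dl-all-staff", "securityEnabled": False, "mailEnabled": True,
         "groupTypes": [], "onPremisesSyncEnabled": True},
        {"displayName": "dl-newsletter", "securityEnabled": False, "mailEnabled": True,
         "groupTypes": [], "onPremisesSyncEnabled": None},
        {"displayName": "mesg-legacy", "securityEnabled": True, "mailEnabled": True,
         "groupTypes": [], "onPremisesSyncEnabled": None},
        {"displayName": "Project Alpha", "securityEnabled": False, "mailEnabled": True,
         "groupTypes": ["Unified"], "onPremisesSyncEnabled": None},
    ]
})


def classify(group):
    """Return (group_type, source) for one Graph group object.

    source is the directory that masters the object: AD or EOP when the
    object is synced from on-premises, EXO for cloud-born mail objects,
    Azure AD otherwise.  "Unified" in groupTypes marks a Microsoft 365 group.
    """
    unified = "Unified" in group.get("groupTypes", [])
    synced = bool(group.get("onPremisesSyncEnabled"))
    sec = bool(group.get("securityEnabled"))
    mail = bool(group.get("mailEnabled"))
    if unified:
        return "Microsoft 365", "Azure AD"          # always cloud-mastered
    if sec and mail:
        return "Mail-enabled Security", "EOP" if synced else "EXO"
    if mail:
        return "Distribution", "EOP" if synced else "EXO"
    if sec:
        return "Security", "AD" if synced else "Azure AD"
    return "Unknown", "Unknown"


# This example's encoding of the "Manage Membership in ..." rows of the table.
MEMBERSHIP_MASTER = {
    ("Security", "AD"): "AD / EOP",
    ("Security", "Azure AD"): "Azure AD",
    ("Distribution", "EOP"): "AD / EOP",
    ("Distribution", "EXO"): "EXO",
    ("Mail-enabled Security", "EOP"): "AD / EOP",
    ("Mail-enabled Security", "EXO"): "EXO",
    ("Microsoft 365", "Azure AD"): "Azure AD",
}


def inventory(graph_json):
    """Parse a Graph /groups payload; return one dict per group with its
    classification, where membership is managed, and review flags."""
    rows = []
    for g in json.loads(graph_json)["value"]:
        gtype, source = classify(g)
        flags = []
        if gtype == "Mail-enabled Security":
            flags.append("mail-enabled security group: consider separating mail from security use")
        if source in ("AD", "EOP"):
            flags.append("mastered on-premises: membership and attributes cannot be edited in Azure AD")
        rows.append({
            "name": g["displayName"],
            "type": gtype,
            "source": source,
            "dynamic": "DynamicMembership" in g.get("groupTypes", []),
            "membership_managed_in": MEMBERSHIP_MASTER.get((gtype, source), "n/a"),
            "flags": flags,
        })
    return rows


if __name__ == "__main__":
    for row in inventory(SAMPLE_GRAPH_RESPONSE):
        print(f"{row['name']:<18} {row['type']:<22} {row['source']:<9} "
              f"membership: {row['membership_managed_in']:<9} {'; '.join(row['flags'])}")
```

Against a real tenant, replace `SAMPLE_GRAPH_RESPONSE` with the body of a `GET https://graph.microsoft.com/v1.0/groups?$select=displayName,securityEnabled,mailEnabled,groupTypes,onPremisesSyncEnabled` call made with an app or delegated token that has `Group.Read.All`; paging via `@odata.nextLink` is left out here for brevity.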