SOLVED

Office Group as Security Group


@Tony Redmond on Page 535 of your book it says "cannot use an Office 365 group as a security group". I'm confused, SharePoint Online uses the Office Groups owner and member attributes to assign accounts to the SharePoint Owner and Member groups which are used for security purposes.

Can you expand on the statement in the book to help me understand what was written?

6 Replies
Best Response confirmed by Dean Gross (Respected Contributor)
Solution

Office 365 Groups can't be used in the same way as an AAD security group. For example, you cannot use an Office 365 Group as the basis for the RBAC permissions as deployed inside Exchange Online. But SharePoint Online has special code to allow it to use Office 365 Groups to manage membership for a site collection through the groups that you mention (a surplus of groups). These groups are a construct specific to SharePoint and do not appear when you look at Groups through the Office 365 Admin Center as they are not AAD groups. I guess to make SharePoint work, there's an internal mapping between the membership links exposed in Office 365 Groups to the owner and member groups for the site collection.

 

 


The different group types are such a colossal pain, there are three types and it seems like every app is allowed to randomly pick 1 or 2 of these not to support.

For example

  • Skype call queues will use Unified or Mail Enabled Security Groups, but not Security Groups.
  • PowerApps only seems to like Mail Enabled Security Groups
  • Flow can update the members of Security Groups, Unified groups but not Mail Enabled Security Groups

It's time there was only one type of group, and collaboration features were options on each.


Not to mention the places where you can select a distribution group from a picker, but not an Office 365 group...
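
The group types named in the replies above can be told apart by three Microsoft Graph group properties (`groupTypes`, `mailEnabled`, `securityEnabled`). The following is an added example, not code from the thread or from Microsoft; `Get-GroupKind` is a hypothetical helper and the sample records are constructed.

```powershell
# Hypothetical helper (added example): classify a group object by its
# Microsoft Graph properties GroupTypes, MailEnabled and SecurityEnabled.
function Get-GroupKind {
    param([Parameter(Mandatory, ValueFromPipeline)] $Group)
    process {
        $types = @($Group.GroupTypes)
        # Check 'Unified' first: a Microsoft 365 (Office 365) group is always
        # mail-enabled and may also carry SecurityEnabled = $true.
        $kind = if ($types -contains 'Unified') {
            'Microsoft 365 (Unified) group'
        } elseif ($Group.MailEnabled -and $Group.SecurityEnabled) {
            'Mail-enabled security group'
        } elseif ($Group.SecurityEnabled) {
            'Security group'
        } elseif ($Group.MailEnabled) {
            'Distribution group'
        } else {
            'Unclassified'
        }
        [pscustomobject]@{
            DisplayName     = $Group.DisplayName
            Kind            = $kind
            Dynamic         = $types -contains 'DynamicMembership'
            SecurityEnabled = [bool]$Group.SecurityEnabled
        }
    }
}

# Constructed sample records shaped like Graph group objects.
$sample = @(
    [pscustomobject]@{ DisplayName = 'Project Team';   GroupTypes = @('Unified');           MailEnabled = $true;  SecurityEnabled = $false }
    [pscustomobject]@{ DisplayName = 'Finance RBAC';   GroupTypes = @();                    MailEnabled = $false; SecurityEnabled = $true  }
    [pscustomobject]@{ DisplayName = 'Helpdesk Queue'; GroupTypes = @();                    MailEnabled = $true;  SecurityEnabled = $true  }
    [pscustomobject]@{ DisplayName = 'All Staff DL';   GroupTypes = @();                    MailEnabled = $true;  SecurityEnabled = $false }
    [pscustomobject]@{ DisplayName = 'Sales (rule)';   GroupTypes = @('DynamicMembership'); MailEnabled = $false; SecurityEnabled = $true  }
)

$sample | Get-GroupKind | Format-Table -AutoSize

# Against a tenant, with the Microsoft.Graph.Groups module and a connected session:
# Get-MgGroup -All -Property DisplayName,GroupTypes,MailEnabled,SecurityEnabled | Get-GroupKind
```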


Is there a work around to this limitation? Maybe a dynamic security group that auto updates itself based on changes to Office 365 group?

Well. That worked. I created a dynamic security group based on a common variable and voilà.


Hi,

could you further explain how to achieve this?

There is no variable like "memberOf" in the dynamic group membership settings.