Office 365 - Use of Security Groups to Manage Permissions
There is a "pilot" currently running allowing users to manage permissions using security groups.
Note: This process is currently a manual one, and the Office 365 team continues to look into ways of automating any or all of these steps. These instructions will change as the process improves.
Who can take advantage of this feature?
Anyone wanting to grant a large number of users permissions to a NetID, Service, or Resource account.
What do you need to do?
- Create a security group
- Create a Manifest folder if you do not already have one: Manifest - Request a Manifest Folder.
- Create a Manifest group: Manifest - Create a Group.
- Add at least one member to the group: Manifest - Manage Group Members. Note: at this time, only user NetIDs can be added to the Manifest group; service accounts cannot be added as members.
- Request the group be AD-synced and wait for confirmation that the group has been synced successfully: Manifest - Publish Group to Active Directory Services
- Wait 24 hours from the group being synced.
- Email Office 365 Document and Support Team with the UUID and Group ID, and request an Office 365 Security Group be created.
Note: The UUID can be found in the url of the Manifest group. The Group ID will be displayed as the "Name" for this Manifest group.
As an example, here is a Manifest group url: https://manifest.services.wisc.edu/Group/Index/280abc5d36544efghi8j4k5lmn296770. The UUID for this example is 280abc5d36544efghi8j4k5lmn296770. The Group ID will be in the following format: uw:org:<dept>:<group_name></group_name></dept>
Important: After you have received confirmation that your Manifest group has been synced as a security group, you are now ready to assign the necessary permissions for the account. For instructions, expand the section, "Assign permissions using the security group", below.
- Assign permissions using the security group
Important: Before you proceed, please make sure you have a security enabled Manifest group. If not, follow the instructions in the section, "Create a security group", above.
- For user or service accounts: Office 365 - Getting Started with User and Service Account Permissions
- For resource accounts: Office 365 - Getting Started with Resource Account Permissions
More information on this feature/process
- All security groups are hidden from the GAL (and can’t be shown), so only Outlook on the Web will recognize them. Mail folder/calendar/resource permissions to a security group must first be assigned via Outlook on the web. You can paste in the email address when assigning the permissions and select “use this address” since it won’t be in the GAL.
- Once security group permissions are assigned in Outlook on the web, instead of seeing UUID@wisc.edu, you will see the Manifest Group ID.
- Once security group permissions are assigned in Outlook on the web, you can edit the permissions via an Outlook desktop client. This allows you to assign permission sets that are not available via Outlook on the web (e.g: Author, Owner...).
- To manage the members of the security group, use Manifest. Please wait 60 minutes for these changes to be reflected within Office 365.
- Even though security groups can be used as a mailing list, it is not recommended due to some of its limitations. If your primary goal is to email a group of users, it is recommended that you use on of these services/features: WiscList | Office 365 Groups | Google Groups.