Microsoft 365 - Use Security Groups to Manage Permissions

Desired sample workflow: You have an account whose calendar permissions you manage. Instead of managing the calendar permissions via the account's calendar permissions screen every time you make a change, you can set up a Microsoft security group and manage the permissions via the Manifest application.

What is a mail-enabled security group?

Mail-enabled security groups allow you to streamline the process for assigning and managing multiple permissions for a service/calendar.

What do you need to do?

Create a security group

  1. Create a Manifest folder if you do not already have one: Manifest - Request a Manifest Folder.
  2. Create a Manifest group: Manifest - Create a Group.
  3. Add at least one member to the group: Manifest - Manage Group Members. Note: at this time, only user NetIDs can be added to the Manifest group; service accounts cannot be added as members.
  4. Request that the group be AD-synced and wait for confirmation that the group has been synced successfully: Manifest - Publish Group to Active Directory Services.
  5. Wait 24 hours after confirmation that your group has been synced to AD before moving to the next step and contacting the Office 365 Team.
  6. After at least 24 hours have passed since receiving confirmation that your group has been synced to AD, send an email to the Office 365 Document and Support Team with the UUID and Group ID, and request that an Office 365 Security Group be created.

    Note: The UUID can be found in the URL of the Manifest group. The Group ID will be displayed as the "Name" for this Manifest group.

    As an example, here is a Manifest group URL: https://manifest.services.wisc.edu/Group/Index/280abc5d36544efghi8j4k5lmn296770.

    • The UUID is: 280abc5d36544efghi8j4k5lmn296770.
    • The Group ID is: uw:org:<dept>:<group_name>.

    If the link above (in step 6) does not open a new mail message on your computer/device, please send an email manually with the following details:

    • To: wiscit@doit.wisc.edu
    • Subject: Office 365 request - security group to manage permissions (63382)
    • Body: include all the information listed above

Assign permissions using the security group

    • Do not proceed with this section unless you have received confirmation that your Manifest group has been synced as a Microsoft 365 security group.
    • When adding the Manifest group on the calendar permissions screen, copy and paste the entire UUID@wisc.edu address (example: 280abc5d36544efghi8j4k5lmn296770@wisc.edu). If you start typing and use the directory to auto-complete, the security group cannot be made a delegate of the calendar. If you copy and paste the full address, it can be made a delegate.

    For user and service accounts: Microsoft 365 - Getting Started with User and Service Account Permissions

    For resource accounts: Microsoft 365 - Getting Started with Resource Account Permissions

    For OneDrive data: OneDrive data

More information on this feature/process

  • All security groups are hidden from the Global Address List (GAL) and cannot be made visible, so only Outlook on the web will recognize them. Mail folder/calendar/resource permissions to a security group must first be assigned via Outlook on the web. You can paste in the email address when assigning the permissions and select "use this address", since it won't be visible in the GAL.
  • After the security group is assigned with the desired calendar permissions, users will not receive an automatic email notifying them of their access to the calendar. Users within the security group will have to manually subscribe to the calendar. 
  • Once security group permissions are assigned in Outlook on the web, instead of seeing UUID@wisc.edu, you will see the Manifest Group ID.
  • To manage the members of the security group, use Manifest. Please wait 60 minutes for these changes to be reflected within Microsoft 365.
  • If you want to set up a data-driven Manifest group, please contact the Manifest team.
  • Security groups can be used as a mailing list. Please see Microsoft 365 - Use Manifest email groups to moderate email messages for further details. IMPORTANT: Security groups are not the best tool to use for mail distribution. If your primary goal is to email a group of users, review distribution list options.
  • Once the process has been completed, this group will be published to Microsoft Azure.

Internal Notes

HD support staff

  • Classify these cases as Office 365 > Office 365 > Other and escalate to O365 Technical Team/PCS.
  • Important: If a security group is used to assign full-mailbox permissions within WAA, all Outlook clients (Windows/Mac) will need to add the account manually within the profile; auto-mapping will NOT occur. Shawn provided the following reason: "Currently not possible since automapping leverages auto discovery. The auto discovery piece would need the ability to expand the group (and expand it each time it ran) and that's not part of the specification."
  • Can an alternate address be assigned to a MS security group?
    Yes - domain administrators can create/assign an alternate address to a MS security group.
    Note: If the alternate address needs to be assigned as the primary address on the security group, please escalate the case to the M365 team.

PCS support staff

Follow these steps when you receive the email sent in step 6 above:

NOTE: We perform these steps so that the group does not cause emails flying around when users have out-of-office (OOO) replies configured.

  1. Sync AD group to O365 (must be mail admin to perform this step):

    Important: If you do not have access to this tool, contact doc&support staff and provide them with the UUID of the group to be synced as a security group.

    1. Log into WAA.
    2. Go to Tools | Reports and Information.
    3. Select Sync AD group to O365.
    4. Enter the UUID (must be UUID) of the group and submit the form. If unsuccessful, make sure you entered the correct string, or confirm with the customer that they completed the above steps.
  2. After it has been synced, wait about 30 minutes, then modify the 'allowed sender' setting.
    1. Log into WAA.
    2. Search for the security group: something@wisc.edu.
    3. Select Sending Permissions.
    4. Within the "Add Allowed Sender" field, enter the NetID of the requestor and click Add. This will only allow the requestor to send to the group.

      IMPORTANT: If they are looking to use the group as a mailing list, please review 65991 and 90349 and have a discussion with them. Security groups are not the best tool to use for mail distribution.

  3. Notify the customer that it is ready for use.

Further details regarding the change above: see the Teams thread with the tech team.

Can a security group be used to manage sharing permissions for PowerApps? YES (confirmed by Shawn - related to case 7333923).

If the customer is attempting to assign sending permissions within WAA using a security group, please see Security Group for Permissions Requests (Web view).

If the customer is requesting a change to the primary address of the security group, follow these steps:

  • Search for the security group in WAA.
  • Go to the Email Addresses page.
  • Assign the desired address as the primary.



Doc ID:
63382
Owned by:
O365 S. in Microsoft 365
Created:
2016-05-12
Updated:
2025-05-13
Sites:
DoITHelpDesk-external, DoITHelpDesk-internal, Microsoft365-external, Microsoft365-internal