News

Microsoft Readies Office 365 Private Groups Feature for Outlook

• By Kurt Mackie
• March 20, 2017

A Microsoft policy change that affects how groups function in Outlook will hit Office 365 business subscribers this month.

According to the new Office 365 policy, so-called "manager" groups will automatically get a private group. This automated addition of a private group only will take place if the manager has "2-20 direct reports."

The new policy is described in this undated Office 365 support article. However, the change got flagged last week in a Microsoft Tech Community post.

The word, "groups," can mean different things, at least in terms of Microsoft technologies. It can refer to "Active Directory security groups, Exchange distribution lists, the new Office 365 Groups, SharePoint groups, and many more," explained Jeremy Thake, vice president of Hyperfish, in a February blog post about dynamic configuration aspects. Exchange Server has a dynamic membership feature, which has been around for a while, but Microsoft also has an emerging "dynamic configuration of security-group membership for Azure Active Directory" Premium feature, which is currently at the preview stage, Thake noted.

The terms, "manager" and "direct reports" are Active Directory terms, but they also refer to an organization's hierarchy of sorts. Here's how Microsoft MVP Andreas Baumgarten explained it in a Microsoft forum page:

Manager means: That's the "boss" of the user.
Direct Reports means: This user(s) are reporting to the user (he is the boss of the direct reports users).

Microsoft's support article doesn't say why Outlook manager groups will automatically get private groups. Presumably, it's a convenience for enhancing group communications in organizations. However, the private groups addition coming this month elicited some negative feedback among the Microsoft Tech Community participants.

For instance, Microsoft MVP Tony Redmond, an Exchange expert, called Microsoft's move a "rotten idea." It could lead to a "profusion of groups," he suggested:

Enterprise tenants like to control their GAL [global address list] and this sounds like a way to clutter that GAL up with a profusion of groups that will quickly become an uncontrollable mess. Unless, of course, Microsoft is going to update the newly-created groups on an ongoing basis to adjust membership based on changing reporting relationships. Creating groups is easy; maintaining them over time is bloody hard. That's why many enterprises have their own solutions (often integrated with HR processes) to do this kind of thing. It is a special challenge when organizations do not populate AAD [Azure Active Directory] with reporting relationships -- or keep this data current, a problem that is more prevalent than you might think.

Possibly, Microsoft could be thinking of expanding an Azure AD "dynamic groups" capability to make this update process more automatic. However, Redmond noted some caveats regarding that speculation:

The big flaw in all of this is the dependency on AAD. If you are 100% perfect in maintaining AAD, you have a chance that this plan will work. If not, it won't.

In addition, organizations would need to have the licensing for Azure AD Premium or Enterprise Mobility + Security, he noted.

Microsoft MVP Paul Cunningham called the new private groups addition a potentially "poor idea" since it's not designed as an optional feature for organizations to turn on.

This seems like a semi-useful feature if it was opt-in, so you could carefully set up your reports/manager relationships, turn it on, and have them automatically created and managed. But as an opt-out feature, I am concerned this will mess up the GAL of many organizations, and mess it up quite badly.

Microsoft's announcement didn't indicate when the change would arrive, but it's coming for Office 365 tenants. Organizations wanting to disable the private groups feature can do so in advance. They'll need to run a PowerShell script, as described in the Office 365 support article.