
Group Settings

Configure tenant-wide and group-level settings for Microsoft 365 Groups. Control who can create groups, manage naming policies, expiration rules, and guest access settings. MedhaOps 365 provides centralized group governance with bulk configuration capabilities across managed tenants.

Note: Microsoft 365 Groups are the foundation for collaboration across Microsoft services. When you create a Team, SharePoint site, or Outlook group, an underlying Microsoft 365 Group is created. Group settings affect all connected services. Managing groups requires Group.ReadWrite.All and Directory.ReadWrite.All permissions in Microsoft Graph.

Group Creation Settings

Control who can create Microsoft 365 Groups in the tenant. By default, all users can create groups, but this can be restricted to specific users or security groups for better governance.

Creation Permissions

  • Allow all users to create groups — Any licensed user can create M365 Groups
  • Restrict to security group — Only members of the specified group can create groups

Creation Sources

Groups can be created from multiple Microsoft 365 services. Restricting group creation affects all these sources:

  • Microsoft Teams
  • Outlook Groups
  • SharePoint
  • Planner
  • Yammer
  • Power BI

Naming Policy

Enforce consistent group naming across the organization with prefixes, suffixes, and blocked words. Naming policies require Azure AD Premium P1 or higher licenses.

Warning: Group naming policies require Azure AD Premium P1 licenses for users who create groups. Naming policies are not enforced for global administrators.

Prefix/Suffix Configuration

Configure automatic prefixes and suffixes for group names:

  • Prefix — String (e.g., GRP_) or attribute (e.g., [Department])
  • Suffix — String (e.g., _Team) or attribute (e.g., [CountryOrRegion])

Preview: GRP_Marketing_US

Blocked Words

Prevent specific words from being used in group names. Matching is case-insensitive. Example blocked words: CEO, Payroll, HR, Salary, Confidential.

Blocked words prevent users from creating groups with names containing these terms. Admins can override this restriction.

Available Attributes

| Attribute | Example Value | Description |
|---|---|---|
| [Department] | Marketing | User’s department from Azure AD |
| [Company] | Contoso | User’s company attribute |
| [Office] | Seattle | User’s office location |
| [CountryOrRegion] | US | User’s country or region code |
| [Title] | Manager | User’s job title |
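
Because naming policies are not enforced for global administrators and admins can override blocked words, existing group names can drift from the policy. The following added example (not MedhaOps 365 or Microsoft code) audits a list of display names against a prefix/suffix requirement and a blocked-word list; the whole-word matching rule and the sample names are assumptions made for the illustration.

```python
import re

# Attribute tokens listed in the table above; [GroupName] is the user-chosen part.
TOKENS = {"GroupName", "Department", "Company", "Office", "CountryOrRegion", "Title"}

def policy_to_regex(requirement):
    """Compile a requirement such as 'GRP_[GroupName]_[Department]' to a regex."""
    parts = []
    for piece in re.split(r"(\[[A-Za-z]+\])", requirement):
        if piece.startswith("[") and piece.endswith("]"):
            if piece[1:-1] not in TOKENS:
                raise ValueError(f"unknown token in naming policy: {piece}")
            parts.append("(.+)")            # any non-empty value
        elif piece:
            parts.append(re.escape(piece))  # fixed prefix/suffix text
    return re.compile("^" + "".join(parts) + "$")

def blocked_hits(name, blocked_csv):
    """Blocked words found in name: case-insensitive, whole-word (assumption)."""
    words = [w.strip() for w in blocked_csv.split(",") if w.strip()]
    return [w for w in words
            if re.search(rf"(?<![A-Za-z0-9]){re.escape(w)}(?![A-Za-z0-9])", name, re.I)]

def audit_names(names, requirement, blocked_csv):
    """Return {name: [issues]} for every name that violates the policy."""
    pattern = policy_to_regex(requirement)
    findings = {}
    for name in names:
        issues = []
        if not pattern.match(name):
            issues.append("naming")
        issues += [f"blocked:{w}" for w in blocked_hits(name, blocked_csv)]
        if issues:
            findings[name] = issues
    return findings

# Constructed sample display names, not data from a real tenant.
SAMPLE_NAMES = ["GRP_Launch_Marketing", "Payroll Exports",
                "GRP_hr-onboarding_Sales", "GRP_Threads_Engineering"]

if __name__ == "__main__":
    for name, issues in audit_names(SAMPLE_NAMES, "GRP_[GroupName]_[Department]",
                                    "CEO,Payroll,HR").items():
        print(name, issues)
```
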

Expiration Policy

Configure automatic expiration for Microsoft 365 Groups to reduce sprawl. Group owners receive renewal notifications before expiration. Expired groups are soft-deleted and can be restored for 30 days.

Expiration Settings

  • Group Lifetime — 180 days, 365 days, or custom
  • Apply To — All groups, selected groups, or none (disabled)
  • Notification Email — Fallback email when a group has no owners

Renewal Notifications

  • 30 days before expiration — First notification
  • 15 days before expiration — Second notification
  • 1 day before expiration — Final notification

Expiration Workflow

  1. Group Created — Expiration timer starts
  2. Notifications — Owners notified to renew
  3. Renewal or Expiry — Owner action or auto-expire
  4. Soft Delete — 30-day recovery window
  5. Permanent Delete — Group and data removed

Guest Access Settings

Control guest access to Microsoft 365 Groups. These settings apply tenant-wide and affect guest capabilities in Teams, SharePoint, and other group-connected services.

Guest Permissions

  • Allow guest access to groups — Guests can be added as group members
  • Allow owners to add guests — Group owners can invite external users
  • Guest access to group content — Guests can access files and conversations

External Collaboration

  • Guest Invite Restrictions — Anyone in the organization can invite, admins and users with inviter role, or admins only
  • Collaboration Restrictions — Allow collaboration with any domain, allow only specified domains, or deny specified domains

Classification and Sensitivity

Apply classification labels to groups for governance and compliance. Classifications can trigger specific policies for data protection and access controls.

| Classification | Description | Applied Policies |
|---|---|---|
| Public | Non-sensitive content, open collaboration | Guest access allowed, external sharing enabled |
| Internal | Internal business content, limited external sharing | Guest access restricted, internal sharing only |
| Confidential | Sensitive business data, strict access controls | No guests, encryption required, audit logging |
| Highly Confidential | Most sensitive data, regulatory compliance | Maximum restrictions, DLP policies, watermarking |

Note: Microsoft 365 sensitivity labels provide more granular control than classic classifications. Sensitivity labels can apply encryption, content marking, access restrictions, and DLP policies automatically. Configure sensitivity labels in the Microsoft Purview compliance portal.

Usage Guidelines

Define usage guidelines that are shown to users when they create new groups. Guidelines help users understand governance policies and best practices.

Recommended Guidelines Content:

  • When to create a group vs. use an existing one
  • Naming conventions and required information
  • Classification requirements for sensitive data
  • Guest access policies and approval process
  • Ownership responsibilities and handoff procedures
  • Data retention and archival expectations

Cross-Tenant Configuration

MedhaOps 365 enables bulk configuration of group settings across multiple managed tenants. Deploy consistent governance policies with conflict detection and compliance reporting.

Bulk Deployment Workflow

  1. Define Policy — Create group settings template
  2. Select Tenants — Choose target tenants by tag
  3. Preview — Review changes and conflicts
  4. Deploy — Apply with rollback option

Best Practices

Governance

  • Restrict group creation to trained users
  • Enforce naming policies for discoverability
  • Set appropriate expiration periods
  • Require classifications for all groups
  • Document owner responsibilities clearly

Security

  • Review guest access policies quarterly
  • Use sensitivity labels for sensitive data
  • Monitor orphaned groups regularly
  • Audit group membership changes
  • Implement conditional access for groups

API Reference

    # Get group settings (directory settings)
    GET /groupSettings

    # Update group creation restriction
    PATCH /groupSettings/{setting-id}
    {
      "values": [
        { "name": "EnableGroupCreation", "value": "false" },
        { "name": "GroupCreationAllowedGroupId", "value": "group-guid" }
      ]
    }

    # Configure naming policy
    PATCH /groupSettings/{setting-id}
    {
      "values": [
        { "name": "PrefixSuffixNamingRequirement", "value": "GRP_[GroupName]_[Department]" },
        { "name": "CustomBlockedWordsList", "value": "CEO,Payroll,HR" }
      ]
    }

    # Bulk group settings deployment
    POST /api/groups/settings/deploy
    {
      "tenantIds": ["tenant-1", "tenant-2"],
      "settings": {
        "enableGroupCreation": false,
        "groupCreationAllowedGroupId": "creators-group-guid",
        "guestAccessEnabled": true,
        "expirationDays": 365
      }
    }
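
The Preview step of the bulk deployment workflow, sketched against the directory-settings calls listed above (an added example, not MedhaOps 365 or Microsoft code). It compares a tenant's current `Group.Unified` values with a baseline and builds the `PATCH` body. Assumptions: the Microsoft Graph response shape for `GET /groupSettings`, a constructed sample response with a placeholder id, and that `PATCH` must carry the entire `values` collection rather than only the changed entries.

```python
import json

# Constructed sample of a GET /groupSettings response; the id is a placeholder.
SAMPLE_RESPONSE = json.loads("""
{"value": [{"id": "00000000-0000-0000-0000-000000000001",
            "displayName": "Group.Unified",
            "values": [
              {"name": "EnableGroupCreation", "value": "True"},
              {"name": "GroupCreationAllowedGroupId", "value": ""},
              {"name": "PrefixSuffixNamingRequirement", "value": "GRP_[GroupName]_[Department]"},
              {"name": "CustomBlockedWordsList", "value": "HR, ceo,Payroll"},
              {"name": "AllowToAddGuests", "value": "True"}]}]}
""")

# Desired state, taken from the PATCH examples in the API reference above.
BASELINE = {
    "EnableGroupCreation": "false",
    "GroupCreationAllowedGroupId": "creators-group-guid",
    "PrefixSuffixNamingRequirement": "GRP_[GroupName]_[Department]",
    "CustomBlockedWordsList": "CEO,Payroll,HR",
}

def current_values(response, display_name="Group.Unified"):
    """Return (setting id, {name: value}) for the named directory setting."""
    for setting in response.get("value", []):
        if setting.get("displayName") == display_name:
            return setting["id"], {v["name"]: v["value"] for v in setting.get("values", [])}
    return None, {}  # no settings object exists in this tenant yet

def normalise(name, value):
    """Ignore differences in boolean casing and blocked-word order/spacing."""
    value = (value or "").strip()
    if name == "CustomBlockedWordsList":
        return ",".join(sorted(w.strip().lower() for w in value.split(",") if w.strip()))
    return value.lower() if value.lower() in ("true", "false") else value

def plan_patch(response, baseline):
    """Return (setting id, {name: (current, wanted)}, PATCH body or None)."""
    setting_id, current = current_values(response)
    drift = {n: (current.get(n), want) for n, want in baseline.items()
             if normalise(n, current.get(n)) != normalise(n, want)}
    if setting_id is None or not drift:
        return setting_id, drift, None
    # Send every existing value back, changing only the drifted ones, so
    # settings outside the baseline (here AllowToAddGuests) are preserved.
    merged = {**current, **{n: baseline[n] for n in drift}}
    return setting_id, drift, {"values": [{"name": n, "value": v} for n, v in merged.items()]}
```

When `plan_patch` returns no setting id, the tenant has no settings object to patch, and the drift map lists every baseline value as missing.
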