Why records managers and IT need to understand Microsoft 365 groups better

Office (later Microsoft) 365 (M365) Groups were introduced to Office 365 in 2014. Although Microsoft Teams was introduced in March 2017, there has been a general lack of understanding about the relationship between Teams and M365 Groups on the part of both records managers and IT.

This post explains what both records managers and IT professionals need to understand about Microsoft 365 Groups, and their relationship with Teams, and what they should do about it.

What is a Microsoft 365 Group?

According to Microsoft’s definition, every M365 Group ‘… is an object in Azure Active Directory with a list of members and a coupling to related workloads including a SharePoint team site, shared Exchange mailbox, Planner, and OneNote notebook.’ (Source: ‘Microsoft 365 Groups and Microsoft Teams‘)

Image from the above Microsoft page

The conceptual model behind M365 Groups was that, instead of having to grant access separately (usually via Security Groups) to individual applications across the M365 ecosystem, a single M365 Group would give access to multiple applications. As we will see below, this includes Microsoft Teams.

Group membership (from the ‘Teams and groups’ section of the M365 Admin center)

Every M365 Group has at least one owner and may have multiple members; both owners and members are referred to as ‘members’ of the M365 Group. Owners and members must have an active M365 licence.

Ever since they were first introduced, every M365 Group has always had an Exchange Online (EXO) mailbox and a SharePoint Online (SPO) site; these cannot be disconnected. All members of the M365 Group have access to the Group’s EXO mailbox (unless this has been hidden, see below), its SharePoint site and any other resources linked to the M365 Group.

Recordkeeping implications

From a recordkeeping point of view:

  • Every M365 Group may have both emails (if the mailbox is used) and SharePoint content directly and permanently associated with the Group. There is no requirement to copy the Group’s emails to its SPO site as there might be with shared mailboxes for example.
  • If the M365 Group has a Team (in MS Teams), a ‘compliance copy’ of any channel posts will be copied to a hidden folder in the Group’s EXO mailbox. (The ‘Files’ tab is simply an interface to the Group’s SharePoint site). If the Team was created first, the Group’s mailbox will be hidden in the Outlook client but it always exists (and can be made visible by IT).

End-users can access both the Group’s email and SharePoint content directly within their Outlook Online client, as can be seen in the screenshot below, where ‘SharePoint Administration’ is the name of the Group. (In SharePoint, the ‘Conversations’ link in the left navigation opens the Group’s mailbox in Outlook Online.)

IT implications

From an IT point of view, M365 Groups can be used instead of the following:

  • Security Groups used to give access to a SharePoint site. Note that Security Groups still have a key role and may be used to give access in this way.
  • Mail-enabled Security Groups. These are a kind of hybrid group that can be confusing – end-users see them as Distribution Lists in email and as Security Groups in SharePoint.
  • Distribution Lists. Why email a group of people when it would be easier to email a M365 Group with the same members?
  • Shared mailboxes. Every M365 Group has a mailbox, and in most cases the people who access a shared mailbox are the same people as the members of the M365 Group.

Many of these legacy objects can be re-created as (not converted to) M365 Groups, especially DLs and shared mailboxes, because both of these are very likely to have the same membership as an M365 Group (including one that was created as a Team first).

If a business area has either or both a DL and a shared mailbox AND a Team, check whether they have the same membership. If they do, enable folders in Group mailboxes (if required) and then make the Group’s mailbox visible in Outlook. The M365 Group’s owners are then responsible for managing its membership.
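The membership check described above, written out as an added example (not code from the original post). It compares the members of a Distribution List and the Full Access users of a shared mailbox with the members of the M365 Group behind a Team, and, if all three match and the Group is Teams-enabled, makes the Group mailbox visible in Outlook. It assumes the ExchangeOnlineManagement module is installed and that Connect-ExchangeOnline has already been run with sufficient rights; the three identities are placeholders.

```powershell
# Added example, not code from the original post.
# Assumes: ExchangeOnlineManagement installed and Connect-ExchangeOnline already run.
$dlIdentity    = 'Finance-DL'               # placeholder Distribution List
$sharedMailbox = 'finance@contoso.example'  # placeholder shared mailbox
$groupIdentity = 'Finance'                  # placeholder M365 Group (the one behind the Team)

function Get-NormalizedAddresses {
    # Lower-case, de-duplicated addresses so Compare-Object is not fooled by case or repeats
    param([string[]]$Addresses)
    @($Addresses | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique)
}

# 1. Distribution List members (direct members only; nested groups are not expanded)
$dlMembers = Get-DistributionGroupMember -Identity $dlIdentity -ResultSize Unlimited |
    Select-Object -ExpandProperty PrimarySmtpAddress

# 2. Shared mailbox: users explicitly granted Full Access (system and inherited entries excluded)
$sharedMembers = Get-MailboxPermission -Identity $sharedMailbox |
    Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and
                   $_.User -notlike 'NT AUTHORITY\*' -and $_.User -notlike 'S-1-5-*' } |
    Select-Object -ExpandProperty User

# 3. M365 Group members (owners are members too, so this covers both)
$groupMembers = Get-UnifiedGroupLinks -Identity $groupIdentity -LinkType Members -ResultSize Unlimited |
    Select-Object -ExpandProperty PrimarySmtpAddress

$dlMembers     = Get-NormalizedAddresses $dlMembers
$sharedMembers = Get-NormalizedAddresses $sharedMembers
$groupMembers  = Get-NormalizedAddresses $groupMembers

# Compare-Object returns nothing when the two sets are identical
$dlDiff     = Compare-Object -ReferenceObject $groupMembers -DifferenceObject $dlMembers
$sharedDiff = Compare-Object -ReferenceObject $groupMembers -DifferenceObject $sharedMembers

"DL vs Group:             {0}" -f $(if ($dlDiff)     { "DIFFERENT ($(@($dlDiff).Count) entries)" }     else { 'same' })
"Shared mailbox vs Group: {0}" -f $(if ($sharedDiff) { "DIFFERENT ($(@($sharedDiff).Count) entries)" } else { 'same' })
@($dlDiff) + @($sharedDiff) | Where-Object { $_ } | Format-Table InputObject, SideIndicator -AutoSize

$group = Get-UnifiedGroup -Identity $groupIdentity
if ($group.ResourceProvisioningOptions -contains 'Team') {
    "'{0}' is Teams-enabled; mailbox hidden from Outlook: {1}" -f $group.DisplayName, $group.HiddenFromExchangeClientsEnabled
    if (-not $dlDiff -and -not $sharedDiff -and $group.HiddenFromExchangeClientsEnabled) {
        # Memberships match: surface the Group mailbox so it can take over from the DL and shared mailbox
        Set-UnifiedGroup -Identity $groupIdentity -HiddenFromExchangeClientsEnabled:$false
        "Group mailbox for '{0}' is now visible in Outlook." -f $group.DisplayName
    }
}
```

Run it read-only first by commenting out the Set-UnifiedGroup line; the SideIndicator column shows which side (`<=` Group, `=>` DL or shared mailbox) has the extra person, which is usually the information the Group owners need before they agree to retire the legacy objects.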

Where does Teams fit into this?

As noted above, Microsoft Teams was introduced in March 2017. Teams was not well known until the COVID-19 pandemic forced everyone to work from home and IT discovered that their Microsoft 365 licences included it.

Microsoft Teams has two main components:

  • Chat, replacing 1:1 and 1:many chat applications such as Slack and Skype (or even Facebook Messenger, WhatsApp, WeChat and other widely popular but unofficial chat applications). The Teams Chat service is perhaps the most popular part of the application, as it allows end-users to chat privately, including in group chats (NOT M365 Groups), and to share content from their OneDrives (‘Files’ tab).
  • Teams. The Teams part of Microsoft Teams is directly linked with M365 Groups. The membership of every Team is based on the membership of an M365 Group. As already noted, every M365 Group has an EXO mailbox and a SPO site (as well as a Planner and OneNote). All these services are directly connected to the M365 Group. If you have a Team, you always have an EXO mailbox and a SPO site.

What happens if a Team is created first?

When a Team is created first (often by end-users), it creates:

  • An M365 Group with the same name that contains all the following elements.
  • An EXO mailbox (and email address) with the same name, NOT visible in Outlook, but used for (a) calendaring and (b) the storage of compliance copies of Teams posts. The mailbox can be made visible in Outlook if required; Microsoft’s approach is that if a Team wants to post messages in the channels, they don’t need to see or use the mailbox.
  • A SPO site with the same name. In each channel, the ‘Files’ tab displays the folder with the same name as the channel contained in the default Documents library of the SharePoint site. Additional libraries added to the SPO site are not visible in the Teams channels unless they are pinned to the top menu (next to ‘Posts’ and ‘Files’). A bit confusingly, it is possible to email a channel; these emails do NOT pass through the tenant’s EXO system but instead are saved directly as emails in the ‘Email messages’ folder in the SharePoint Documents library.
  • A Planner and OneNote linked with the Group. End-users can create multiple plans and OneNotes for the Group.
  • The ability, if not disabled, for end-users to create private channels and shared channels, each of which creates a separate SharePoint site whose name is derived from the parent SPO site. Compliance copies of private channel posts are stored in the EXO mailboxes of the channel’s individual members, and compliance copies of shared channel posts in a dedicated system mailbox for that channel; neither is stored in the M365 Group mailbox.

An M365 Group linked with a Team may be used to create or capture any or all of the following records:

  • Standard (not private or shared) channel posts. Compliance copies of these posts are copied by the Teams service to a hidden folder in the M365 Group’s EXO mailbox.
  • Digital objects (usually documents) stored in the Team’s SPO site Documents library and any other library that may be created. This includes emails sent to the Teams channel email address. If Teams meetings are scheduled via a channel, any recordings will be stored in the Documents library of the SPO site.
  • List-based content.
  • If used, emails in the M365 Group’s EXO mailbox.
  • Calendaring information.
  • Plans in Planner. Every Planner is based on a M365 Group; when you create a new Plan, you will be asked which Group this will belong to or, if you have the option, to create a new Group.
  • OneNotes. These are stored in the SharePoint site.

What if the Group is created first?

When not connected to a Team, an M365 Group may be used to create or capture all of the above except Teams channel posts and Teams meetings recordings.

Why M365 Groups should ideally aggregate records by a single business context

This combination of record types, all connected to a single M365 Group, underscores the requirement to ensure that each M365 Group is used to create or capture records relating to the same business context and with the same retention period.

A common mistake, especially with Teams, is to allow business areas or end-users to create Teams at will AND to use the channel-linked folder structure in the SPO site to store records relating to entirely different contexts and retention – for example, a ‘corporate’ team that stores financial records via one channel and HR/staff files in another.

While it is of course possible to use channel-linked folders in Teams to create or capture records that have different contexts and different retention requirements it will be much harder to manage these records in the future, especially if your disposition review process requires the review of a complete set of metadata for an aggregation of related records, not individual items. Aim to aggregate records by context per Team or SPO site/library, NOT the folders in the libraries.

What should records managers do about this?

As a starting point, records managers need to have access to or know the following information on a regular basis, and use that information to make informed decisions about retention and disposal, including the destruction of entire M365 Groups that are inactive and contain no records:

  • The details of all M365 Groups. Every one of these has an EXO mailbox and a SharePoint site.
  • The details of all SPO sites, accessed directly or extracted from the SharePoint Admin center. This listing shows all the sites linked with both M365 Groups and Teams (and whether the Team has any private and shared channels) and shows (a) the last activity date and (b) the number of files in the site. Note that some M365 Groups are created when a Plan is created in Planner, or a Team, but the actual SPO site may never be used.
  • The details of all Teams, including private and shared channels.
  • The number of Plans that exist in Planner.
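An added example (not code from the original post) that builds the inventory listed above in one pass: every M365 Group with its mailbox, owners, Team status, SPO site, last content change, storage used, private/shared channel sites and (optionally) Plan count, exported to CSV, followed by a shortlist of Groups with no content change in the last year. It assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed and connected, and, for the Plan count, that Microsoft.Graph is installed and Connect-MgGraph has been run with Group.Read.All and Tasks.Read.All; the tenant admin URL and output path are placeholders. Get-SPOSite exposes storage used rather than a file count, so storage stands in for the ‘number of files’ column of the Admin center listing.

```powershell
# Added example, not code from the original post.
# Assumes: Connect-ExchangeOnline already run; SharePoint Online module installed.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder tenant admin URL

$groups = Get-UnifiedGroup -ResultSize Unlimited

# Channel sites use template TEAMCHANNEL#0 (private) and TEAMCHANNEL#1 (shared);
# RelatedGroupId links each one back to the parent Team's M365 Group.
$channelSites = Get-SPOSite -Limit All | Where-Object { $_.Template -like 'TEAMCHANNEL#*' }

# Optional Planner count via Microsoft Graph (needs Connect-MgGraph -Scopes Group.Read.All,Tasks.Read.All)
$graphAvailable = [bool](Get-Command Get-MgGroupPlannerPlan -ErrorAction SilentlyContinue)

$inventory = foreach ($g in $groups) {
    # The site object only exists once someone has actually visited/used the SPO site
    $site = $null
    if ($g.SharePointSiteUrl) {
        $site = Get-SPOSite -Identity $g.SharePointSiteUrl -ErrorAction SilentlyContinue
    }
    $channels = $channelSites | Where-Object { $_.RelatedGroupId -eq $g.ExternalDirectoryObjectId }
    $plans = $null
    if ($graphAvailable) {
        $plans = @(Get-MgGroupPlannerPlan -GroupId $g.ExternalDirectoryObjectId -ErrorAction SilentlyContinue).Count
    }

    [pscustomobject]@{
        Group               = $g.DisplayName
        MailboxAddress      = $g.PrimarySmtpAddress
        MailboxHidden       = $g.HiddenFromExchangeClientsEnabled
        Owners              = ($g.ManagedBy -join ';')
        MemberCount         = $g.GroupMemberCount
        Created             = $g.WhenCreated
        HasTeam             = ($g.ResourceProvisioningOptions -contains 'Team')
        SiteUrl             = $g.SharePointSiteUrl
        SiteProvisioned     = [bool]$site
        LastContentChange   = $site.LastContentModifiedDate
        StorageMB           = $site.StorageUsageCurrent
        PrivateChannelSites = @($channels | Where-Object Template -eq 'TEAMCHANNEL#0').Count
        SharedChannelSites  = @($channels | Where-Object Template -eq 'TEAMCHANNEL#1').Count
        Plans               = $plans
    }
}

$inventory | Sort-Object LastContentChange |
    Export-Csv -Path '.\m365-groups-inventory.csv' -NoTypeInformation   # placeholder path

# Candidates for a disposal review: provisioned sites with no content change in the last year
$cutoff = (Get-Date).AddYears(-1)
$inventory | Where-Object { $_.SiteProvisioned -and $_.LastContentChange -lt $cutoff } |
    Select-Object Group, HasTeam, LastContentChange, StorageMB, Plans, Owners | Format-Table -AutoSize
```

The shortlist at the end is only a starting point: a Group whose site is untouched may still hold channel posts in the hidden mailbox folder or tasks in Planner, which is exactly why the final destruction decision should rest with the records manager rather than with an inactivity report.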

Based on the information above, records managers, not IT, should be responsible for the final decision to destroy an M365 Group (or SharePoint site), as there may be records in any part of the Group. It is not IT’s role to determine whether or not digital objects stored across M365 Groups are records.

Records managers need to consider how to apply retention to the content created or captured in M365 Group applications. This may include the following:

  • An M365 Groups retention policy. This ‘safety net’ policy will ensure that content (including deleted content) in the Group’s EXO mailbox (but NOT the Teams channel posts – see next point) and SPO site is retained for a minimum period based on date created or modified, after which it is either deleted automatically or left alone (‘do nothing’). Note that with the ‘do nothing’ option an item a user has already deleted is held (in Recoverable Items or the Preservation Hold library) only until it reaches the minimum retention period, and is then permanently removed; an item that was never deleted simply stays where it is. Also note that any emails sent to a channel, OneNotes, and Teams meeting recordings stored in the Group’s SPO site will also be retained for this period. (The auto-expiry of Teams recordings will not apply.)
  • A Teams channel messages retention policy. This is also a ‘safety net’ policy. It will ensure that any channel post (even if deleted) will be retained for a minimum period in a hidden folder of the Group’s mailbox (yes, the same one as in the previous point), based on date created or modified.
  • In addition to the above, retention labels may also be applied either manually, via adaptive scopes, or automatically to any individual item in the Group’s mailbox or SPO site, or Teams channel messages.

There is currently no retention capability for Plans in Planner.
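The two ‘safety net’ policies and a published retention label, written out as an added example (not code from the original post) using the Security & Compliance PowerShell cmdlets. It assumes the ExchangeOnlineManagement module is installed and Connect-IPPSSession has been run by an account holding the Compliance Administrator role; the policy and label names and the 7-year (2555-day) period are placeholders for your own retention schedule.

```powershell
# Added example, not code from the original post.
# Assumes: Connect-IPPSSession already run as a Compliance Administrator.
$days = 2555   # placeholder: 7 years

# 1. M365 Groups policy: covers each Group's mailbox and SPO site, NOT Teams channel posts.
#    Action 'Keep' = retain for the period, then do nothing; items a user deleted earlier are
#    held until the period ends, items never deleted stay in place.
New-RetentionCompliancePolicy -Name 'M365 Groups safety net' -ModernGroupLocation All -Enabled $true
New-RetentionComplianceRule   -Name 'M365 Groups safety net rule' -Policy 'M365 Groups safety net' `
    -RetentionDuration $days -RetentionComplianceAction Keep -ExpirationDateOption ModificationAgeInDays

# 2. Teams channel messages policy: Teams locations cannot share a policy with other workloads,
#    so this is a separate policy. Compliance copies sit in the same hidden Group mailbox folder.
New-RetentionCompliancePolicy -Name 'Teams channel messages safety net' -TeamsChannelLocation All -Enabled $true
New-RetentionComplianceRule   -Name 'Teams channel messages safety net rule' -Policy 'Teams channel messages safety net' `
    -RetentionDuration $days -RetentionComplianceAction Keep

# 3. A retention label end-users can apply to individual items, published to every Group mailbox and site.
New-ComplianceTag -Name 'Financial record' -RetentionDuration $days -RetentionAction KeepAndDelete `
    -RetentionType ModificationAgeInDays -Comment 'Placeholder label for this example'
New-RetentionCompliancePolicy -Name 'Publish Financial record label' -ModernGroupLocation All -Enabled $true
New-RetentionComplianceRule   -Name 'Publish Financial record rule' -Policy 'Publish Financial record label' `
    -PublishComplianceTag 'Financial record'

# 4. Confirm the policies are actually distributed (status moves from Pending to Success, which can take hours)
'M365 Groups safety net', 'Teams channel messages safety net', 'Publish Financial record label' |
    ForEach-Object { Get-RetentionCompliancePolicy -Identity $_ -DistributionDetail } |
    Select-Object Name, Enabled, DistributionStatus | Format-Table -AutoSize
```

Keep the safety-net period shorter than, or equal to, the shortest retention period in your schedule and rely on labels for anything longer; a policy that retains everything for the longest period turns the Group mailbox and Preservation Hold library into a permanent store, which is the opposite of what the ‘safety net’ is for.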

To support the above, records managers with responsibility for managing records in M365 should have the following roles:

  • Global Reader. This allows them to see all settings in all M365 Admin centers, including the Usage Reports in the primary M365 Admin center. This role is more useful than Reports Reader.
  • Compliance Administrator. This role (which can be assigned temporarily via Privileged Identity Management) gives access to the Microsoft Purview Compliance Admin center that contains the unified audit logs, the global content search and eDiscovery section (that includes the content search and additional required functionality), and the options to create and apply records retention policies, retention labels and label policies (with additional options for E5 licences), and information protection labels and policies. It also allows the records manager to work with IT and Information Security to establish things like Data Loss Prevention policies. Furthermore, with an E5 licence, records managers have the ability to make full use of the Data Classification area, in particular Content Explorer.
  • SharePoint Site Collection Administration access on every SPO site. This can be achieved by creating a Security Group that includes both the SP Admins and records managers who need to access and manage the content on every SPO site, including those linked with Teams. Note that this role also gives the records managers access to the Preservation Hold library on sites when a retention policy has been applied.
  • SharePoint Administration, if the person has strong technical skills and/or was a system admin (preferably with an EDRMS) in the recent past and has undertaken the required training.

Feature image: Pexels
