MS-102 | Chapter 29 of 104 | Objective 1.3

Microsoft 365 Groups and Teams Governance

This chapter covers Microsoft 365 Groups and Teams governance, a critical topic for the MS-102 exam that appears in approximately 15-20% of questions in the Tenant Management domain (Objective 1.3). You will learn the architecture of Groups, how they underpin Teams, and how to enforce governance through lifecycle policies, naming conventions, expiration policies, and guest access controls. Mastery of this content is essential for passing the exam and for real-world administration of enterprise Microsoft 365 environments.

25 min read
Intermediate
Updated May 31, 2026

Groups as Shared Filing Cabinets with Access Badges

Imagine a company building with 500 employees. Each employee has an ID badge that grants access to specific floors and rooms. Now, the company wants to create project teams. Instead of issuing separate badges for each team, they create a shared filing cabinet for each project. Each cabinet has a list of authorized employees. When an employee approaches a cabinet, the system checks their badge against the cabinet's access list. If authorized, they can open the cabinet and access the files inside. Additionally, each cabinet has a connected whiteboard (a shared calendar) and a team chat channel. The cabinet also grants automatic access to a dedicated SharePoint document library and a OneNote notebook. The key is that the cabinet itself has an email address (the group's SMTP address) that can receive messages, and those messages are stored in a shared mailbox. When a new employee is added to the cabinet's access list, they automatically get access to the whiteboard, chat, document library, and mailbox. If an employee leaves the company, their badge is deactivated, and they lose access to all cabinets they were on. This is exactly how Microsoft 365 Groups work: a security principal (the group object) that provisions and manages access to a suite of connected services (SharePoint, Exchange, Teams, Planner, etc.). The group's membership is the single source of truth for permissions across all those services.

How It Actually Works

What Are Microsoft 365 Groups?

Microsoft 365 Groups (formerly Office 365 Groups) are the foundational membership object in Microsoft 365. They are not just a distribution list or a security group; they are a full-fledged identity object in Microsoft Entra ID (formerly Azure Active Directory, Azure AD, the name most admin guides and this chapter's portal paths still use) that provisions and manages access to a set of shared resources. Every Microsoft 365 Group has a unique object ID in the directory, a mail nickname, and an SMTP address, and is connected to a SharePoint site, a shared mailbox and calendar, a OneNote notebook, a Planner plan, and optionally a Microsoft Teams team. The group itself is the security principal: when you add a member to the group, that member automatically gains access to all connected resources, and when you remove them, that access goes with them.

How Groups Underpin Microsoft Teams

Each Microsoft Teams team is backed by exactly one Microsoft 365 Group. When you create a new team, a Microsoft 365 Group is created automatically (unless you build the team on an existing group). The team's members and owners are the group's members and owners; there is no separate team membership list. Files for standard channels live in the group's SharePoint team site, while private and shared channels each get their own site collection. The group's Exchange mailbox and calendar exist, but groups created from Teams are hidden from Outlook and the address book by default (HiddenFromExchangeClientsEnabled), so conversations stay in Teams. This tight integration means that governance decisions made at the Group level (expiration, naming, guest settings, deletion) directly affect Teams.

Lifecycle and Expiration Policies

To prevent accumulation of stale groups, Microsoft 365 Groups can be placed under an expiration policy (a group lifecycle policy; a tenant has at most one). You choose a lifetime of 180 days, 365 days, or a custom value of at least 30 days, and scope the policy to all Microsoft 365 Groups or to selected ones. The policy is configured in the Microsoft Entra admin center under "Groups" > "Expiration". As a group nears its expiration date, its owners receive renewal emails 30 days, 15 days, and 1 day before expiration; if the group has no owners, the notices go instead to the alternate notification email address set in the policy. Groups with recent user activity in Teams, SharePoint, or Outlook are renewed automatically; inactive groups must be renewed by an owner or an administrator. If nobody renews, the group is soft-deleted: it moves to the Entra recycle bin together with its SharePoint site, mailbox, and team, and can be restored within 30 days. After 30 days it is permanently deleted. Members of in-scope groups need a Microsoft Entra ID P1 license.

- Default expiration period: 365 days (no group expires until an administrator enables the policy)
- Renewal notification schedule: 30, 15, and 1 day before expiration
- Retention after deletion: 30 days in the recycle bin
- Groups that are already older than the lifetime when the policy takes effect are set to expire 35 days later unless renewed
- Ownerless groups cannot be renewed by an owner; their notices go to the alternate email so an administrator can renew them, otherwise they are deleted

Naming Policies

Naming policies enforce consistency and prevent inappropriate group names. They consist of two parts: a prefix/suffix and blocked words.

Prefix/Suffix: You define a prefix and/or a suffix that is added automatically to every new group's display name and mail alias. Each can be a fixed string (for example "GRP_" or "_2024") or an attribute of the creating user such as [Department], [Company], [Office], [StateOrProvince], [CountryOrRegion], or [Title]; the combined prefix, name, and suffix cannot exceed 264 characters. The policy applies to every user creating a Microsoft 365 Group; only members of a few administrator roles (Global Administrator, User Administrator, Partner Tier 1 and Tier 2 Support, Directory Writers) are exempt.

Blocked words: A comma-separated list of up to 5,000 words or phrases that may not appear in a group name. The check is case-insensitive and matches whole words rather than substrings, so blocking "lass" does not block "Class". A user who enters a blocked word sees an error and must choose another name.

Naming policies are configured in the Microsoft Entra admin center under "Groups" > "Naming policy", which stores them as the Group.Unified directory setting (the same object Graph and PowerShell manipulate). They apply to Microsoft 365 Groups only, not to security or distribution groups, and because they are enforced by the directory they apply whatever client creates or renames the group: Teams, Outlook, SharePoint, Planner, the admin centers, the Graph API, or PowerShell. A naming policy requires Microsoft Entra ID P1 for members of Microsoft 365 Groups.
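As an added example (not code from the original page), the script below configures the naming policy idempotently with the Microsoft Graph PowerShell SDK and then pre-checks candidate names locally, so a help desk can tell a user what name they will get before they hit the error in Teams. Directory settings exist only on the Graph beta endpoint, hence the beta module. It assumes Microsoft.Graph.Beta.Identity.DirectoryManagement is installed, the signed-in account holds the Groups Administrator or Global Administrator role, and that the prefix, blocked words, and the Finance user are made up for the demonstration.

```powershell
# Added example (not code from the original page): idempotent naming-policy setup plus a
# local pre-check of candidate group names.
# Assumptions: Microsoft.Graph.Beta.Identity.DirectoryManagement is installed; the account holds
# Groups Administrator or Global Administrator; prefix, blocked words and the Finance user are
# constructed for the demonstration.
Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
Connect-MgGraph -Scopes "Directory.ReadWrite.All" -NoWelcome

$groupUnifiedTemplateId = "62375ab9-6b52-47ed-826b-58e47e0e304b"   # Group.Unified settings template
$desired = @{
    # Fixed strings are literal; [Department] is substituted from the creator's user attribute.
    PrefixSuffixNamingRequirement = "GRP_[Department]_[GroupName]"
    CustomBlockedWordsList        = "CEO,Payroll,HR,Admin"         # comma-separated, no spaces
}
$values = @($desired.GetEnumerator() | ForEach-Object { @{ name = $_.Key; value = $_.Value } })

# A tenant has at most one Group.Unified setting: create it the first time, update it afterwards.
$setting = Get-MgBetaDirectorySetting | Where-Object { $_.TemplateId -eq $groupUnifiedTemplateId }
if ($null -eq $setting) {
    New-MgBetaDirectorySetting -BodyParameter @{ templateId = $groupUnifiedTemplateId; values = $values }
} else {
    Update-MgBetaDirectorySetting -DirectorySettingId $setting.Id -BodyParameter @{ values = $values }
}

# Local pre-check mirroring the two rules the directory enforces at creation time:
# a blocked word matching a whole word of the entered name (case-insensitive, no substring
# match) rejects the name; otherwise the prefix/suffix pattern is applied around it.
function Test-GroupName {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Requirement,             # e.g. "GRP_[Department]_[GroupName]"
        [string[]]  $BlockedWords   = @(),
        [hashtable] $UserAttributes = @{}                         # creator attributes to substitute
    )
    $words = $Name -split '[^\p{L}\p{N}]+' | Where-Object { $_ }
    foreach ($blocked in $BlockedWords) {
        if ($words -contains $blocked) {                          # -contains is case-insensitive
            return [pscustomobject]@{ Allowed = $false; FinalName = $null; Reason = "blocked word '$blocked'" }
        }
    }
    $final = $Requirement -replace '\[GroupName\]', $Name
    foreach ($attr in $UserAttributes.Keys) {
        $final = $final -replace "\[$attr\]", $UserAttributes[$attr]
    }
    [pscustomobject]@{ Allowed = $true; FinalName = $final; Reason = $null }
}

# Constructed sample input: two names a user in the Finance department might enter.
$blocked = $desired.CustomBlockedWordsList -split ','
Test-GroupName -Name "ProjectX" -Requirement $desired.PrefixSuffixNamingRequirement `
    -BlockedWords $blocked -UserAttributes @{ Department = "Finance" }
Test-GroupName -Name "CEO Briefing" -Requirement $desired.PrefixSuffixNamingRequirement `
    -BlockedWords $blocked -UserAttributes @{ Department = "Finance" }
```

The first call returns the decorated name GRP_Finance_ProjectX; the second is rejected because CEO is a blocked word. Get/Update rather than New on every run matters: creating a second Group.Unified setting fails, and the one that exists is also where group-creation and guest switches live, so blindly overwriting it would wipe those.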

Guest Access

By default, guest users can be added to Microsoft 365 Groups, and control is layered rather than a single switch. At the tenant level, the Microsoft Entra admin center's "External Identities" > "External collaboration settings" decides who may invite new guests into the directory: anyone in the organization, members and assigned guest inviters, only specific admin roles, or no one. Separately, the tenant-wide Group.Unified directory setting decides whether guests, including ones already in the directory, can be added to any Microsoft 365 Group (AllowToAddGuests), own one (AllowGuestsToBeGroupOwner), or read group content (AllowGuestsToAccessGroups); a per-group Group.Unified.Guest setting can turn AllowToAddGuests off for individual sensitive groups. Teams adds its own tenant toggle under Users > Guest access in the Teams admin center. Dynamic membership rules (for example userType -eq "Guest") can also build groups of guests automatically, which is useful for reporting and for scoping Conditional Access.

Governance via Azure AD Policies

Azure AD provides several policy types to govern groups:

Group settings: Configured in the Microsoft Entra admin center or as directory settings through Microsoft Graph (beta endpoint) and the Graph PowerShell SDK. They control whether users can create groups, whether owners can add guests, the naming policy, and more.

Access reviews: You can schedule recurring access reviews for groups to ensure membership is current. Owners or designated reviewers approve or deny each member. What happens to members nobody reviews depends on the review's default decision (None, Approve, or Deny) and its auto-apply setting; only with Deny plus auto-apply are unreviewed members removed automatically.

Conditional Access: You can apply Conditional Access policies to groups, controlling how members access resources (e.g., require MFA for group members).

PowerShell and Graph API Management

Administrators can manage groups with the Microsoft Graph PowerShell SDK (the older AzureAD and AzureADPreview modules are retired and their cmdlets no longer work) or directly with the Microsoft Graph API. Common tasks:

Create a new group:

# Unified groups need the Graph SDK; MailEnabled and SecurityEnabled are required for this group type
New-MgGroup -DisplayName "Project X" -MailNickname "ProjectX" -MailEnabled:$true -SecurityEnabled:$false -GroupTypes "Unified"

Set expiration policy:

# Expiration is a group lifecycle policy (one per tenant), not a directory setting; $adminMailbox receives notices for ownerless groups
New-MgGroupLifecyclePolicy -GroupLifetimeInDays 365 -ManagedGroupTypes "All" -AlternateNotificationEmails $adminMailbox

Add a guest:

# The guest must already exist in the directory (invited with New-MgInvitation or from the portal)
New-MgGroupMember -GroupId $groupId -DirectoryObjectId $guestObjectId
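Tying those cmdlets to the misconfigurations this chapter warns about, here is an added example (not code from the original page) of a read-only audit over every Microsoft 365 Group: it flags groups with no owner (nobody can renew them), groups with guest members (candidates for an access review), and groups expiring inside a window. It assumes Microsoft.Graph.Groups is installed and the account has Group.Read.All and User.Read.All; the 30-day window is a chosen value that matches the first renewal notice.

```powershell
# Added example (not code from the original page): read-only governance audit of all
# Microsoft 365 groups, flagging ownerless groups, guest members and imminent expiration.
# Assumptions: Microsoft.Graph.Groups installed; account has Group.Read.All and User.Read.All.
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes "Group.Read.All", "User.Read.All" -NoWelcome

function Get-GroupGovernanceReport {
    param([int] $ExpiringWithinDays = 30)

    $props  = "id,displayName,mail,createdDateTime,expirationDateTime,renewedDateTime"
    # Unified groups only (security and distribution groups are outside these policies); -All pages.
    $groups = Get-MgGroup -Filter "groupTypes/any(c:c eq 'Unified')" -Property $props -All

    foreach ($g in $groups) {
        $owners = @(Get-MgGroupOwner -GroupId $g.Id -All)
        # /members/microsoft.graph.user exposes userType, which the plain /members collection does not.
        $users  = @(Get-MgGroupMemberAsUser -GroupId $g.Id -Property "id,userType" -All)
        $guests = @($users | Where-Object { $_.UserType -eq "Guest" })

        $daysLeft = $null
        if ($g.ExpirationDateTime) {
            $daysLeft = [math]::Floor(($g.ExpirationDateTime - (Get-Date).ToUniversalTime()).TotalDays)
        }

        [pscustomobject]@{
            Id           = $g.Id
            DisplayName  = $g.DisplayName
            Mail         = $g.Mail
            OwnerCount   = $owners.Count
            GuestCount   = $guests.Count
            RenewedOn    = $g.RenewedDateTime
            DaysToExpiry = $daysLeft            # $null when the group is not under an expiration policy
            NoOwner      = ($owners.Count -eq 0)
            ExpiringSoon = ($null -ne $daysLeft -and $daysLeft -le $ExpiringWithinDays)
        }
    }
}

# Surface the risky groups first; pipe to Export-Csv for the quarterly review pack.
Get-GroupGovernanceReport -ExpiringWithinDays 30 |
    Where-Object { $_.NoOwner -or $_.GuestCount -gt 0 -or $_.ExpiringSoon } |
    Sort-Object -Property @{ Expression = "NoOwner"; Descending = $true }, DaysToExpiry |
    Format-Table DisplayName, OwnerCount, GuestCount, DaysToExpiry, NoOwner, ExpiringSoon -AutoSize
```

Run it before enabling an expiration policy: the ownerless groups it lists are exactly the ones whose renewal notices will land in the alternate mailbox, and assigning owners first avoids a wave of admin renewals 35 days later.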

Integration with SharePoint and OneDrive

Every Microsoft 365 Group has a connected SharePoint team site. The site is created with a default document library and can be customized. When a group is deleted, the SharePoint site is also deleted (moved to recycle bin). The site's permissions are synced with the group; changes to group membership automatically update SharePoint permissions. The same applies to the group's OneNote notebook and Planner plan (if enabled).

Teams Governance

Teams governance builds on Groups governance but adds additional layers:

Teams lifecycle: Teams can be archived (read-only) instead of deleted. Archived teams can be restored.

Private channels: Each private channel gets its own SharePoint site collection whose membership is a subset of the parent team's members and is managed by the channel, not by a second Microsoft 365 Group; no additional group object is created. The channel site follows the parent team's lifecycle (it is deleted and restored with the team). Shared channels also get their own site and can additionally include people from outside the team.

Teams policies: Messaging, meeting, and app policies apply to users. They are assigned to users directly or through group policy assignment (a security or Microsoft 365 group with a ranking); they are not properties of a team.

Guest access in Teams: Enabled or disabled tenant-wide in the Teams admin center. Blocking guests from one team is an administrator action on the backing group (the Group.Unified.Guest AllowToAddGuests setting); team owners cannot turn guests off for their team, but they do control what guests may do inside it (create or delete channels, for example).

Common Misconfigurations

Not setting expiration policies leads to stale groups.

Allowing all users to create groups without naming policy leads to inconsistent naming.

Not reviewing guest access leads to security risks.

Confusing Microsoft 365 Groups with security groups or distribution groups.

Exam Relevance

The MS-102 exam tests your ability to configure and manage Microsoft 365 Groups and Teams governance. You need to know:

The relationship between Groups and Teams

How to configure expiration and naming policies

How to manage guest access

The default values and timers

How to use PowerShell and Graph API for governance

The difference between group types (Unified vs. Security vs. Distribution)

Summary of Key Values

Expiration default: 365 days

Renewal notifications: 30, 15, 1 day before

Delete retention: 30 days

Naming policy: prefix/suffix and blocked words

Guest access: tenant-level and per-group control

Group types: Unified (Microsoft 365), Security, Distribution, Mail-enabled Security

Walk-Through

1. Create a Microsoft 365 Group

When a user creates a team in Microsoft Teams, a Microsoft Entra ID security principal called a Microsoft 365 Group is created. The group object is assigned a unique object ID (GUID), a mail nickname and SMTP address (derived from the team name, after any naming policy prefix and suffix are applied), and a display name. The group is created with the 'Unified' group type. Simultaneously, a SharePoint team site is provisioned with a default document library, an Exchange shared mailbox and calendar are created (hidden from Outlook by default for Teams-created groups), and a OneNote notebook is prepared. The creator is automatically added as a member and owner. The entire process takes a few seconds to minutes depending on directory replication and service provisioning.

2. Configure Naming Policy

An administrator navigates to the Microsoft Entra admin center > Groups > Naming policy. They define a prefix (e.g., 'GRP_') and a suffix (e.g., '_2024'; a suffix can also be a creator attribute such as [Department]). They also add blocked words like 'CEO', 'Admin', or profanity. The policy is saved as the Group.Unified directory setting. When a user creates a new group, the naming policy is enforced at creation time: a user who enters 'ProjectX' gets a group named 'GRP_ProjectX_2024' (the clients show the decorated name before the group is saved), and a name containing a blocked word is rejected with an error message. The policy applies to every creation path (Teams, Outlook, SharePoint, Planner, the admin centers, Graph, PowerShell) and to renames of existing groups; only users in a few administrator roles, such as Global Administrator and User Administrator, are exempt.

3. Set Expiration Policy

The administrator configures the expiration policy in the Microsoft Entra admin center > Groups > Expiration. They set the group lifetime to 365 days, choose whether it applies to all Microsoft 365 Groups or to selected ones, and specify an email address that receives notifications for groups with no owners. Once saved, the policy applies to new and existing in-scope groups; groups that are already older than 365 days are set to expire in 35 days so owners have time to renew. The service evaluates group age and activity in the background: groups with recent Teams, SharePoint, or Outlook activity are renewed automatically, and for inactive groups nearing expiry it emails the owners at 30, 15, and 1 day before. If no one renews, the group is soft-deleted (moved to the Entra recycle bin) together with its SharePoint site, mailbox, and team. An administrator can restore the group, with its content, within 30 days.

4. Manage Guest Access

The administrator goes to the Microsoft Entra admin center > External Identities > External collaboration settings and sets 'Guest invite settings' to 'Only users assigned to specific admin roles can invite guests', so only admins and assigned Guest Inviters can bring new guests into the directory. Then they leave the tenant-wide Microsoft 365 Groups setting that lets owners add guests switched on (the Group.Unified AllowToAddGuests value; the Microsoft 365 admin center exposes it under Settings > Org settings > Microsoft 365 Groups as 'Let group owners add people outside your organization to Microsoft 365 Groups as guests'), so owners can add guests who already exist in the directory. When a new guest is invited, they receive an email invitation and must redeem it by authenticating with their own identity provider (or a one-time passcode). Once added, the guest has access to the group's resources (SharePoint, Teams, etc.) according to the group's permissions. The administrator can also create a Conditional Access policy that requires MFA for guests accessing group resources.
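The guest-access discussion above and this step describe three separate switches. As an added example (not code from the original page), the script below sets all three with the Microsoft Graph PowerShell SDK, using raw Graph calls for the per-group setting because group settings exist only on the beta endpoint. It assumes Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Beta.Identity.DirectoryManagement are installed, the account is a Global Administrator, and that $sensitiveGroupId is a placeholder to replace with a real group object ID.

```powershell
# Added example (not code from the original page): the three layers that decide whether a
# guest can end up in a Microsoft 365 group.
# Assumptions: Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Beta.Identity.DirectoryManagement
# installed; Global Administrator; $sensitiveGroupId is a placeholder object ID.
Import-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Beta.Identity.DirectoryManagement
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Directory.ReadWrite.All" -NoWelcome
$graph = "https://graph.microsoft.com/beta"

# Layer 1 (tenant): who may invite NEW guests into the directory ("Guest invite settings").
# Allowed values: everyone, adminsGuestInvitersAndAllMembers, adminsAndGuestInviters, none.
Update-MgPolicyAuthorizationPolicy -AllowInvitesFrom "adminsAndGuestInviters"

# Layer 2 (tenant, Group.Unified setting): whether guests, including ones already in the
# directory, may be added to ANY Microsoft 365 group, own one, or read group content.
$groupUnifiedTemplateId = "62375ab9-6b52-47ed-826b-58e47e0e304b"
$tenantValues = @(
    @{ name = "AllowToAddGuests";          value = "true"  }
    @{ name = "AllowGuestsToBeGroupOwner"; value = "false" }
    @{ name = "AllowGuestsToAccessGroups"; value = "true"  }
)
$tenantSetting = Get-MgBetaDirectorySetting | Where-Object { $_.TemplateId -eq $groupUnifiedTemplateId }
if ($tenantSetting) {
    Update-MgBetaDirectorySetting -DirectorySettingId $tenantSetting.Id -BodyParameter @{ values = $tenantValues }
} else {
    New-MgBetaDirectorySetting -BodyParameter @{ templateId = $groupUnifiedTemplateId; values = $tenantValues }
}

# Layer 3 (per group, Group.Unified.Guest setting): switch guests off for one sensitive group
# even though the tenant allows them. A per-group "false" overrides the tenant-wide "true".
$groupGuestTemplateId = "08d542b9-071f-4e16-94b0-74abb372e3d9"
$sensitiveGroupId     = "00000000-0000-0000-0000-000000000000"     # placeholder
$settingsUri          = "$graph/groups/$sensitiveGroupId/settings"
$guestOff             = @(@{ name = "AllowToAddGuests"; value = "false" })

$existing = (Invoke-MgGraphRequest -Method GET -Uri $settingsUri).value |
    Where-Object { $_.templateId -eq $groupGuestTemplateId }
if ($existing) {
    Invoke-MgGraphRequest -Method PATCH -Uri "$settingsUri/$($existing.id)" -Body @{ values = $guestOff }
} else {
    Invoke-MgGraphRequest -Method POST -Uri $settingsUri -Body @{ templateId = $groupGuestTemplateId; values = $guestOff }
}

# Verify what the group will actually enforce.
function Get-GroupGuestSetting {
    param([Parameter(Mandatory)][string] $GroupId)
    $setting = (Invoke-MgGraphRequest -Method GET -Uri "$graph/groups/$GroupId/settings").value |
        Where-Object { $_.templateId -eq "08d542b9-071f-4e16-94b0-74abb372e3d9" }
    if (-not $setting) { return "inherits tenant setting" }
    ($setting.values | Where-Object { $_.name -eq "AllowToAddGuests" }).value
}
Get-GroupGuestSetting -GroupId $sensitiveGroupId
```

Layer 1 alone does not stop an owner adding a guest who is already in the directory, and layers 2 and 3 do not stop a new guest being invited to a SharePoint site that is not group-connected; the Teams admin center guest toggle is a fourth switch for Teams itself. Pick the combination that matches the outcome you want rather than assuming one setting covers everything.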

5. Perform Access Review

The administrator creates an access review in the Microsoft Entra admin center > Identity Governance > Access reviews. They select the group to review, set the recurrence (e.g., weekly, monthly, quarterly) and the duration of each instance, assign reviewers (group owners or selected users), and decide what happens to members nobody reviews (default decision: None, Approve, or Deny) and whether results are applied automatically. When an instance starts, reviewers receive an email and approve or deny each member in the My Access portal. When the instance ends, denied members, and unreviewed members if the default decision is Deny, are removed from the group if auto-apply is on; otherwise an administrator applies the results manually. Every decision is logged in the Entra audit logs. Access reviews require Microsoft Entra ID Governance or P2 licensing. This ensures that only active and authorized members retain access to the group and its resources.
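The settings that decide what happens to unreviewed members are easy to get wrong in the portal, so here is an added example (not code from the original page) that creates the same quarterly review through the Microsoft Graph PowerShell SDK with the decisions spelled out, and a helper that pulls the latest instance's decisions for the audit file. It assumes Microsoft.Graph.Identity.Governance is installed, the account holds AccessReview.ReadWrite.All, Entra ID Governance or P2 licensing is in place, and that $groupId is a placeholder for the real group's object ID.

```powershell
# Added example (not code from the original page): quarterly access review of one group's
# members, reviewed by its owners, that removes anyone not explicitly approved.
# Assumptions: Microsoft.Graph.Identity.Governance installed; AccessReview.ReadWrite.All;
# Entra ID Governance or P2 licensing; $groupId is a placeholder object ID.
Import-Module Microsoft.Graph.Identity.Governance
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All" -NoWelcome

$groupId = "00000000-0000-0000-0000-000000000000"   # placeholder

$definition = @{
    displayName          = "Quarterly recertification: Project X members"
    descriptionForAdmins = "Owners confirm every member; non-responses are removed."
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$groupId/transitiveMembers"      # direct and nested members
        queryType     = "MicrosoftGraph"
    }
    reviewers = @(
        @{ query = "/groups/$groupId/owners"; queryType = "MicrosoftGraph" }
    )
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        recommendationsEnabled          = $true     # flags members with no recent sign-in
        defaultDecisionEnabled          = $true
        defaultDecision                 = "Deny"    # applied to anyone the reviewers skip
        autoApplyDecisionsEnabled       = $true     # actually remove denied members when the instance ends
        instanceDurationInDays          = 14
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3; dayOfMonth = 1 }
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}

$review = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $definition
$review | Select-Object Id, DisplayName, Status

# Decisions of the most recent instance, for the compliance pack.
function Get-LatestReviewDecisions {
    param([Parameter(Mandatory)][string] $DefinitionId)
    $instance = Get-MgIdentityGovernanceAccessReviewDefinitionInstance -AccessReviewScheduleDefinitionId $DefinitionId |
        Sort-Object StartDateTime -Descending | Select-Object -First 1
    if (-not $instance) { return @() }
    Get-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision `
        -AccessReviewScheduleDefinitionId $DefinitionId -AccessReviewInstanceId $instance.Id -All |
        Select-Object @{ n = "Member"; e = { $_.Principal.DisplayName } }, Decision, Justification, ReviewedDateTime
}
Get-LatestReviewDecisions -DefinitionId $review.Id
```

With defaultDecision left at None (the portal default) and auto-apply off, a review that nobody answers changes nothing, which is the silent failure mode of most "we have access reviews" programmes; the Deny plus auto-apply pairing above is what makes non-response cost access.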

What This Looks Like on the Job

Enterprise Scenario 1: Large Multinational Corporation with 50,000 Employees

Problem: The company had thousands of Teams and Groups created without governance, leading to duplicate groups, inappropriate names, and security risks from stale groups.

Solution: The IT team implemented a naming policy with a standard prefix (e.g., 'CONTOSO_') and blocked words (e.g., 'confidential', 'HR-only'). They set an expiration policy of 365 days and configured access reviews every quarter for critical groups. They also restricted guest invitations to IT admins only.

Configuration: Using PowerShell, they created a directory setting for the naming policy:

# Group.Unified template 62375ab9-...; if a setting for this template already exists, use
# Update-MgBetaDirectorySetting -DirectorySettingId <id> instead of creating a second one
$values = @(@{ name = "PrefixSuffixNamingRequirement"; value = "CONTOSO_[GroupName]" },
            @{ name = "CustomBlockedWordsList"; value = "confidential,HR-only" })
New-MgBetaDirectorySetting -BodyParameter @{ templateId = "62375ab9-6b52-47ed-826b-58e47e0e304b"; values = $values }

Outcome: Group creation became consistent, stale groups were automatically deleted, and guest access was controlled. The IT team reduced security risks and improved compliance.

Enterprise Scenario 2: Healthcare Provider with Strict Compliance Requirements

Problem: The organization needed to ensure that only authorized personnel could access patient data shared via Teams. They also needed to audit membership changes.

Solution: They enabled guest access only for business partners and required MFA for all external users via Conditional Access. They created an access review policy for groups containing sensitive data, with weekly reviews. They also used Azure AD audit logs to track membership changes.

Configuration: They created a Conditional Access policy targeting all guest and external users with the Microsoft Graph PowerShell SDK (the AzureADPreview cmdlets shown in older guides are retired), starting in report-only mode so sign-in logs could be checked before enforcement:

# Microsoft.Graph.Identity.SignIns; requires Policy.ReadWrite.ConditionalAccess
$policy = @{
    displayName   = "Require MFA for guests"
    state         = "enabledForReportingButNotEnforced"   # report-only first; switch to "enabled" after review
    conditions    = @{ users = @{ includeUsers = @("GuestsOrExternalUsers") }; applications = @{ includeApplications = @("All") }; clientAppTypes = @("all") }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

Outcome: Guest access was secured, and compliance requirements were met. The access reviews ensured that only current partners had access.

Common Pitfalls

Misconfiguring expiration policy: Setting too short a lifetime (e.g., 30 days) causes frequent renewals and user frustration. Too long a lifetime leads to stale groups.

Not assigning owners: Groups without owners cannot be renewed by an owner; unless an administrator acts on the alternate-email notice, they are deleted when they expire. Require at least two owners per group so one departure does not leave it orphaned.

Overlooking guest access settings: Out of the box any user can invite guests and owners can add them to groups; without invite restrictions and periodic reviews, guests accumulate in groups long after the engagement that justified them has ended.

How MS-102 Actually Tests This

The MS-102 exam tests Microsoft 365 Groups and Teams governance primarily under Objective 1.3: Manage tenant management and governance. Specific sub-objectives include:

Configure Microsoft 365 Groups settings (naming policy, expiration policy)

Manage guest access for Microsoft 365 Groups and Teams

Implement lifecycle management for Groups and Teams

Use Azure AD policies for governance

Common Wrong Answers and Why Candidates Choose Them

1. Confusing Microsoft 365 Groups with Security Groups: Many candidates think that Microsoft 365 Groups are just security groups with a mailbox. The exam tests that Microsoft 365 Groups are a distinct object type (Unified) that provisions multiple services. Wrong answers often suggest using security groups for Teams access.

2. Misjudging which groups an expiration policy covers: Candidates may think the policy touches only groups created after it is enabled, or that every existing group is deleted at once. When scoped to "All", it applies to existing Microsoft 365 Groups as well as new ones, and a group already older than the lifetime is set to expire 35 days after the policy takes effect, giving owners time to renew. When scoped to "Selected", only the groups an administrator adds (in the portal or through Graph) ever expire; nothing has to be retrofitted with PowerShell.

3. Thinking that deleting a group deletes all resources permanently: The exam tests that group deletion is soft; resources are recoverable within 30 days. Candidates often choose answers that say immediate permanent deletion.

4. Misunderstanding guest access restrictions: Some think that restricting guest invitations at the tenant level prevents all guest additions. The invite setting controls who may invite new guests into the directory; guests who already exist can still be added to groups unless the Group.Unified AllowToAddGuests setting (tenant-wide or per group) is false, and Teams has its own guest access toggle. Answers that name a single switch as sufficient are usually incomplete.

Specific Numbers and Terms to Memorize

Default expiration: 365 days

Renewal notification schedule: 30, 15, 1 day before

Recycle bin retention: 30 days

Naming policy: prefix/suffix and blocked words

Group types: Unified, Security, Distribution, Mail-enabled Security

Guest access settings: External collaboration settings > Guest invite settings

Access reviews: Can be configured for groups with specific reviewers

Edge Cases and Exceptions

Groups without owners cannot be renewed by an owner; the renewal notice goes to the policy's alternate notification email, and the group is deleted unless an administrator renews it.

Private channels in Teams create separate SharePoint site collections and have their own lifecycle.

Naming policies apply to Microsoft 365 Groups only; security and distribution groups are unaffected, and users in the exempt administrator roles bypass the prefix/suffix and blocked-word rules whichever client they use.

Expiration policy can be scoped to selected groups (in the portal or through Graph) instead of all groups; groups outside the scope never expire.

How to Eliminate Wrong Answers

If an answer mentions 'distribution group' or 'security group' in the context of Teams, it's likely wrong because Teams requires a Microsoft 365 Group.

If an answer says 'immediate deletion' or 'no recovery', it's incorrect; there is a 30-day recycle bin.

If an answer suggests that guest access is controlled only at the tenant level, it's incomplete; per-group settings also exist.

Key Takeaways

Microsoft 365 Groups are the backbone of Teams; each team is backed by a group.

Expiration policy default is 365 days; groups are soft-deleted and recoverable for 30 days.

Naming policies consist of prefix/suffix and blocked words; they apply to every Microsoft 365 Group regardless of the creating client, with only a few administrator roles exempt.

Guest access is controlled at tenant level (who can invite) and per-group (whether owners can add guests).

Access reviews provide periodic recertification of group membership.

Groups without owners cannot be renewed by an owner; their notices go to the policy's alternate email, and they are deleted unless an administrator renews them.

Private channels in Teams create separate SharePoint site collections and have their own lifecycle.

PowerShell and the Graph API can be used for advanced governance tasks such as scoping the expiration policy to specific groups, auditing ownerless groups and guest members, and renewing groups in bulk.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Microsoft 365 Group (Unified)

Has an SMTP address and shared mailbox

Provisions SharePoint site, Planner, OneNote, etc.

Can be used to create a Teams team

Supports expiration and naming policies

Membership automatically grants access to all connected services

Security Group

No mailbox or calendar

Does not provision any services

Cannot be used to create a Teams team directly

Does not support expiration or naming policies (those apply to Microsoft 365 Groups only)

Used only for assigning permissions to resources

Watch Out for These

Mistake

Microsoft 365 Groups are the same as security groups.

Correct

Microsoft 365 Groups (Unified groups) are different from security groups. They are backed by Azure AD and provision multiple services (SharePoint, Exchange, Teams, etc.). Security groups are only used for permissions and do not have a mailbox, calendar, or SharePoint site.

Mistake

When a Microsoft 365 Group expires, it is permanently deleted immediately.

Correct

When a group expires, it is soft-deleted and moved to the Azure AD recycle bin. It can be restored within 30 days. After 30 days, it is permanently deleted.

Mistake

Naming policies can be bypassed by creating the group through the Graph API or PowerShell.

Correct

The policy is enforced by the directory, so it applies whether the group is created in Teams, Outlook, SharePoint, the admin centers, the Graph API, or PowerShell. The only bypass is by role: users holding an exempt administrator role (Global Administrator, User Administrator, Partner Tier 1 and Tier 2 Support, Directory Writers) are not subject to the prefix/suffix or blocked-word rules.

Mistake

Restricting guest invitations at the tenant level prevents all guest additions to groups.

Correct

The tenant-level invite setting controls who may invite new guests into the directory. Guests who already exist in the directory can still be added to groups, by owners or administrators, as long as the Group.Unified AllowToAddGuests setting is true for the tenant and not overridden to false on the group. Teams has its own guest access toggle as well. To fully prevent guests in a group, both the invite setting and the group-level guest settings must be configured.

Mistake

Expiration policies only affect groups created after the policy is enabled, so existing groups must be retrofitted with PowerShell.

Correct

When the policy is scoped to "All", it applies to existing Microsoft 365 Groups as well as new ones; groups already older than the lifetime are set to expire 35 days after the policy takes effect so owners can renew. When scoped to "Selected", only the groups an administrator adds to the policy expire. No PowerShell retrofit is needed in either case; PowerShell is simply one way to add groups to a selected-scope policy.


Frequently Asked Questions

What is the difference between a Microsoft 365 Group and a distribution group?

A Microsoft 365 Group (Unified group) is a modern collaboration object that includes a shared mailbox, calendar, SharePoint site, and other services. It is used for teamwork and can be connected to Teams. A distribution group is an older email-only object used for sending emails to multiple recipients. Distribution groups do not have a SharePoint site, calendar, or Teams integration. For the MS-102 exam, remember that Teams requires a Microsoft 365 Group, not a distribution group.

How do I set an expiration policy for only specific groups?

Set the policy's scope to "Selected" (Microsoft Entra admin center > Groups > Expiration > "Enable expiration for these Microsoft 365 groups") and pick the groups, or with the Graph PowerShell SDK create the policy with -ManagedGroupTypes "Selected" and attach groups with Add-MgGroupToLifecyclePolicy. A group's expirationDateTime is read-only: the service computes it from renewedDateTime plus the policy lifetime, so it cannot be set directly on the group. A selected group that is already older than the lifetime when it is attached expires 35 days later unless renewed.
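For the lifecycle section earlier in this chapter and this question, here is an added example (not code from the original page) that creates a selected-scope expiration policy, attaches groups, reports each group's timers, renews those in the notification window, and lists what can still be restored. It assumes Microsoft.Graph.Groups and Microsoft.Graph.Identity.DirectoryManagement are installed, the account holds Directory.ReadWrite.All, members of in-scope groups have Entra ID P1, and that the GRP_ prefix and the notification mailbox are placeholders.

```powershell
# Added example (not code from the original page): selected-scope expiration policy,
# per-group timers, on-demand renewal, and the 30-day recycle bin.
# Assumptions: Microsoft.Graph.Groups and Microsoft.Graph.Identity.DirectoryManagement installed;
# Directory.ReadWrite.All; the GRP_ prefix and notification mailbox are placeholders.
Import-Module Microsoft.Graph.Groups, Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes "Directory.ReadWrite.All" -NoWelcome

# A tenant has at most one lifecycle policy: reuse it if it already exists.
$policy = Get-MgGroupLifecyclePolicy | Select-Object -First 1
if (-not $policy) {
    $policy = New-MgGroupLifecyclePolicy -GroupLifetimeInDays 365 -ManagedGroupTypes "Selected" `
        -AlternateNotificationEmails "groups-admin@contoso.example"   # placeholder; receives notices for ownerless groups
} else {
    Update-MgGroupLifecyclePolicy -GroupLifecyclePolicyId $policy.Id -GroupLifetimeInDays 365 -ManagedGroupTypes "Selected"
}

# Attach only the groups that should expire (project teams here, not the all-company group).
$targets = Get-MgGroup -Filter "startswith(displayName,'GRP_')" -Property "id,displayName" -All
foreach ($g in $targets) {
    Add-MgGroupToLifecyclePolicy -GroupLifecyclePolicyId $policy.Id -GroupId $g.Id | Out-Null
}

function Get-GroupExpirationStatus {
    param([Parameter(Mandatory)][string] $GroupId)
    $g = Get-MgGroup -GroupId $GroupId -Property "id,displayName,expirationDateTime,renewedDateTime"
    $daysLeft = $null
    if ($g.ExpirationDateTime) {
        $daysLeft = [math]::Floor(($g.ExpirationDateTime - (Get-Date).ToUniversalTime()).TotalDays)
    }
    [pscustomobject]@{
        Id                 = $g.Id
        DisplayName        = $g.DisplayName
        RenewedDateTime    = $g.RenewedDateTime
        ExpirationDateTime = $g.ExpirationDateTime   # read-only; renewedDateTime + policy lifetime
        DaysToExpiry       = $daysLeft
        InRenewalWindow    = ($null -ne $daysLeft -and $daysLeft -le 30)   # owners are mailed at 30, 15 and 1 days
    }
}

$status = $targets | ForEach-Object { Get-GroupExpirationStatus -GroupId $_.Id }
$status | Format-Table DisplayName, RenewedDateTime, ExpirationDateTime, DaysToExpiry, InRenewalWindow -AutoSize

# Renew from the admin side (the same action an owner takes from the renewal email);
# renewedDateTime moves to now and expirationDateTime to now + 365 days.
$status | Where-Object InRenewalWindow | ForEach-Object { Invoke-MgRenewGroup -GroupId $_.Id }

# Soft-deleted groups, with their team, site and mailbox, can be restored for 30 days.
Get-MgDirectoryDeletedItemAsGroup -All | Select-Object Id, DisplayName, DeletedDateTime
# Restore-MgDirectoryDeletedItem -DirectoryObjectId <deleted group id>
```

Because ManagedGroupTypes is "Selected", a group that is not attached has a null expirationDateTime and never expires, which is the status the report shows as an empty DaysToExpiry; that is the state to look for when a "why did this group never expire" question comes up.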

Can I rename a Microsoft 365 Group after creation?

Yes. Changing the group's display name renames it everywhere that reads the group object, including the Teams team, because the team and the group share the same display name (a naming policy is applied to the new name too). The SMTP address and mail nickname do not change automatically; change them with Set-UnifiedGroup in Exchange Online PowerShell or in the Exchange admin center. The SharePoint site URL was derived from the original mail nickname and is not affected by a rename; a SharePoint administrator can change the site address separately.

What happens to a Teams team when its backing group expires?

When the Microsoft 365 Group expires and is deleted, the Teams team is also deleted. The team and its channels become inaccessible. The group and team are moved to the recycle bin and can be restored within 30 days by an administrator. After 30 days, they are permanently deleted. It is important to renew the group before expiration to avoid disruption.

How do I prevent users from creating Microsoft 365 Groups?

Two settings are involved. The toggle in the Microsoft Entra admin center under 'Groups' > 'General', 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell', covers only those paths. Creation from Outlook, Teams, SharePoint, Planner, and the other Microsoft 365 apps is governed by the Group.Unified directory setting: set EnableGroupCreation to false and, to allow a chosen set of users, put a security group's object ID in GroupCreationAllowedGroupId. Teams honours that same setting; there is no separate Teams admin center control for who can create teams, and administrators in the exempt roles can always create groups.

What is the default group expiration period?

No group expires until an administrator enables the expiration policy. When you enable it, the lifetime options are 180 days, 365 days, or a custom value of at least 30 days; 365 days is the value this chapter's summaries (and most exam answers) treat as the default. The policy is tenant-wide, one per tenant, and is scoped either to all Microsoft 365 Groups or to selected ones; members of in-scope groups need a Microsoft Entra ID P1 license.

How do I restore a deleted Microsoft 365 Group?

Deleted groups are stored in the Entra recycle bin for 30 days. To restore, go to the Microsoft Entra admin center > Groups > Deleted groups, select the group, and click 'Restore'. With the Graph PowerShell SDK, list candidates with Get-MgDirectoryDeletedItemAsGroup and restore one with Restore-MgDirectoryDeletedItem -DirectoryObjectId <objectId> (the retired Restore-AzureADMSDeletedDirectoryObject cmdlet no longer works). The group's connected resources (SharePoint site, mailbox, Teams team, Planner plan) are restored with it.
