
On Demand Group Management Current - User Guide

Policies

The following settings are available on the Group tab:

Group Security Level

The group security level is a part of Group Category. Group automatic attestation can be enabled in the Group Security Level setting to run group attestation regularly. When you enable the automatic attestation, you are allowed to define the attestation interval, scope, and duration. For information about the available group attestations, see Group attestations.

TIP: Enabling automatic attestation for the "Default" group category is not recommended. The "Default" group category will be automatically assigned to a group without a specified group category, for example, the groups synchronized from an on-premises AD. Such groups might have members who do not have an Azure account to log in to the self-service portal to respond to an attestation request.

Group Naming Rule

The group naming rule is a part of Group Category, and defines the syntax to name a group when Adding a group. When you edit a group naming rule, the following data types are available for each field in the syntax:

  • Flexible Text: Allows users to input flexible text in the field.
  • Fixed Text: Specifies the field with fixed text.
  • Lookup Values: Specifies the field with a value set. Users will need to select a value from the specified value set for the field. To manage lookup values, see Lookup Values.
  • User Attribute
    • Job title: The Job title attribute of the current user automatically applies.
    • Office: The Office attribute of the current user automatically applies.

Group Creation Template for Self-Service

The group creation template is a part of Group Category, and defines the following attributes for groups created via self-service. A group category can include one or multiple group creation templates. When creating a group in the self-service portal, users must select one to apply the configured attributes to the new group.

  • Group Location: Specifies where the new group will be created, in the Azure or local domain.
  • Group Type: Specifies the group type.
  • Group Scope: Specifies the group scope for the new on-premises group.
  • Domain: Specifies the domain for the new on-premises group.

NOTE: A group creation template will not be available to a user in the self-service portal if the domain specified in the template is not connected to the tenant the user belongs to.

Group Privacy Rule

The group privacy rule is a part of Group Category and allows you to define whether groups are visible to non-group members in the self-service portal. By default, when a user signs in to the self-service portal, all the groups associated with the tenant are visible. This rule also defines which groups users can view, and request to join, via the New Request > Join Group feature in the self-service portal. You can manage the visibility of groups by adding group privacy rules and choosing one of the following options:

  • Public: A group assigned a category with a privacy rule set to public is visible to all users in the self-service portal.
  • Private: A group assigned a category with a privacy rule set to private is only visible to owners and members of that group.

NOTE: The privacy setting of a group privacy rule cannot be changed after the rule is saved.

Adding exceptions to group privacy rules

For each group privacy rule, you can create one or more exceptions. An exception defines the groups in a tenant in an organization that are exempt from the group privacy rule setting. Exceptions can be made by group name, group owner, or group member.

For example, Tenant 1 contains some groups, including Group A, which is owned by User 1 and has User 2 as a member. Group A is created using Category A, which is assigned a group privacy rule that is set to private. However, the group privacy rule contains an exception for groups with User 1 as the group owner and User 2 as a group member. This means that Group A is an exception to the private group privacy rule and is visible in the self-service portal. The other groups created using Category A are not visible in the self-service portal.

You can add exceptions for groups in different tenants to one group privacy rule. So, if multiple tenants exist in your organization, you can use one privacy rule to specify exceptions for all tenants.

You can add multiple rules within one exception. The default operator between rules within one exception is "AND". For example, you can add an exception for groups that are owned by User 1 and also have User 2 as a group member.

If you add multiple exceptions, the default operator between exceptions is "OR". For example, you can add two exceptions that include groups named "Marketing" or groups named "Sales".
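
The following added example (not part of the product or its documentation) models the AND/OR exception logic described above, so you can review which groups a rule would expose before saving it. The data model, the function names, the case-insensitive name match, and the treatment of exceptions on a public rule are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Group:
    tenant: str
    name: str
    owners: frozenset
    members: frozenset

def condition_matches(cond, group):
    """cond is (kind, value); kind is 'name', 'owner' or 'member'."""
    kind, value = cond
    if kind == "name":  # matches the name or text contained in it
        return value.lower() in group.name.lower()  # ignoring case is an assumption
    if kind == "owner":
        return value in group.owners
    if kind == "member":
        return value in group.members
    raise ValueError(f"unknown condition kind: {kind!r}")

def is_exempt(group, exceptions_by_tenant):
    """Conditions inside one exception are ANDed; exceptions are ORed.
    An empty exception matches nothing (all([]) would otherwise be True)."""
    exceptions = exceptions_by_tenant.get(group.tenant, [])
    return any(bool(exc) and all(condition_matches(c, group) for c in exc)
               for exc in exceptions)

def visible_to(user, group, privacy, exceptions_by_tenant):
    if user in group.owners or user in group.members:
        return True  # owners and members see their own group under either setting
    exempt = is_exempt(group, exceptions_by_tenant)
    # Private rule: only exempt groups are listed. Public rule: exempt groups
    # are treated as hidden here, which is an assumption about the product.
    return exempt if privacy == "private" else not exempt

def exposed_groups(groups, privacy, exceptions_by_tenant, viewer="User 9"):
    """Names of groups a non-member viewer can see; useful for reviewing a rule."""
    return [g.name for g in groups if visible_to(viewer, g, privacy, exceptions_by_tenant)]

# Constructed sample data mirroring the Tenant 1 / Group A example in the text.
GROUPS = [
    Group("Tenant 1", "Group A", frozenset({"User 1"}), frozenset({"User 2"})),
    Group("Tenant 1", "Group B", frozenset({"User 1"}), frozenset({"User 3"})),
    Group("Tenant 1", "Marketing EMEA", frozenset({"User 4"}), frozenset()),
    Group("Tenant 2", "Sales", frozenset({"User 5"}), frozenset({"User 2"})),
]
AND_RULE = {"Tenant 1": [[("owner", "User 1"), ("member", "User 2")]]}
OR_RULE = {"Tenant 1": [[("name", "Marketing")], [("name", "Sales")]]}

if __name__ == "__main__":
    print(exposed_groups(GROUPS, "private", AND_RULE))
    print(exposed_groups(GROUPS, "private", OR_RULE))
```

With OR_RULE, the "Sales" group stays hidden because it lives in Tenant 2 and the exceptions were added only for Tenant 1; exceptions apply to the tenant selected when they are created.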

To add exceptions to group privacy rules

  1. On the Group tab of the Policies page, click ADD next to the Group Privacy Rule heading.
  2. Give your group privacy rule a name and select the privacy setting.
  3. In the Exceptions section, click CHOOSE A TENANT TO ADD EXCEPTIONS.
  4. From the Tenant drop-down list, select the tenant that contains the groups you want to add as exceptions to the rule and click the check mark.
  5. From the first drop-down list, select one of the following options:
    • Group Name - allows you to define an exception for a group by name or by text contained in the group name.
    • Group Owner - allows you to define an exception for a group owned by a specified user.
    • Group Member - allows you to define an exception for a group containing a specified member.
  6. From the last drop-down list, type the name of the group or select the user.
  7. Click the plus sign (+) to add the exception.

Group Category

A group category includes a Group Security Level, a Group Naming Rule, one or more Group Creation Templates for Self-Service, and a Group Privacy Rule. You must specify a group category when you create a group.

Self-Services

The Self-Services page allows you to manage approval processes for Group Management self-services.

Approval Processes

Group Management provides the following default approval processes on the Approval Processes tab:

  • First manager: Requires approval from the user's manager.
  • Second manager: Requires approval from the manager of the user's manager.
  • Owner: Requires approval from one of the group owners.
  • Directory administrator: Requires approval from one of the Group Management administrators.
  • No approval required: No approval is required.

TIP: Users who are assigned the permission Group Management > Can Approve, Reject or Cancel a Request by the Access Control interface on the On Demand Home site can also approve a request as a Group Management administrator.

Group Management checks the availability of the approvers in the approval process when a user submits a request. If an approver is not available for the user (for example, a request needs approval by the user's manager, but the user does not have a manager in Active Directory), the user gets an error when submitting the request.

You can edit or delete the default approval processes if necessary, or create your own approval processes by clicking ADD at the top right of the page.

NOTE: You cannot delete an approval process that is currently associated with a self-service.

Services

The Services tab lists all the Group Management self-services, and each of them comes with a default approval process. You can change the approval process for a self-service by associating the service with another approval process defined on the Approval Processes tab.

NOTE: For self-services that do not need any approvals, associate them with the default approval process "No approval required".

Service Accounts

Group Management requires a service account to manage mail-enabled security groups and distribution lists from your tenants.

Prerequisites

The role group Organization Management in Exchange must be assigned the roles "Distribution Groups" and "Security Group Creation and Membership".

To configure the service account for a tenant

  1. Navigate to the Group Management > Settings > Service Accounts page, and click the edit button in the Action column on the tenant.
  2. Provide the Exchange admin credentials in the Service account column.
  3. Click the check mark.

Organizational Units

The Organizational Units page allows you to configure the default organizational unit (OU) for your on-premises domains. The default OU applies to on-premises groups created in Group Management. You must configure the default OU before creating groups for an on-premises domain.

To configure the default OU for an on-premises domain

  1. Navigate to the Group Management > Settings > Organizational Units page, and click the edit button in the Action column on the domain.
  2. Enter the default OU in the Default OU column.
    NOTE: Make sure the default OU has been synchronized to Group Management. It takes about 10 minutes to synchronize a newly-added OU from your local domain to Group Management.
  3. Click the check mark.