The following settings are available on the Group tab:
- Group Security Level
- Group Naming Rule
- Group Creation Template for Self-Service
- Group Privacy Rule
- Group Category
The group security level is part of a group category. In the Group Security Level setting you can enable automatic attestation so that group attestation runs on a schedule; when you enable it, you define the attestation interval, scope, and duration. For information about the available group attestations, see Group attestations.
TIP: Enabling automatic attestation for the "Default" group category is not recommended. The "Default" category is assigned automatically to any group that has no explicit group category, for example groups synchronized from an on-premises AD. Such groups may have members without an Azure account, who cannot sign in to the self-service portal to respond to an attestation request, so those requests cannot be answered.
The group naming rule is part of a group category and defines the syntax used to name a group when adding a group (see Adding a group). When you edit a group naming rule, each field in the syntax takes one of the following data types:
- Flexible Text: Users type free text into the field.
- Fixed Text: The field holds a fixed string.
- Lookup Values: The field must take one value from a defined value set; users select the value from that set. To manage lookup values, see Lookup Values.
- User Attribute: The field is filled automatically from an attribute of the current user:
  - Job title: The user's Job title attribute is applied.
  - Office: The user's Office attribute is applied.
The group creation template is part of a group category and defines the following attributes for groups created through self-service. A group category can include one or more group creation templates; when creating a group in the self-service portal, a user must select one, and its configured attributes are applied to the new group.
- Group Location: Specifies whether the new group is created in Azure or in an on-premises (local) domain.
- Group Type: Specifies the group type.
- Group Scope: Specifies the group scope for the new on-premises group.
- Domain: Specifies the domain for the new on-premises group.
NOTE: A group creation template will not be available to a user in the self-service portal if the domain specified in the template is not connected to the tenant the user belongs to.
The group privacy rule is part of a group category and defines whether a group is visible in the self-service portal to users who are not members of it. By default, when a user signs in to the self-service portal, all groups associated with the tenant are visible. The rule also determines which groups users can view, and request to join, through New Request > Join Group in the self-service portal. You control visibility by adding group privacy rules with one of the following settings:
- Public: A group assigned a category with a privacy rule set to public is visible to all users in the self-service portal.
- Private: A group assigned a category with a privacy rule set to private is only visible to owners and members of that group.
NOTE: The privacy setting of a group privacy rule cannot be changed after the rule is saved. To switch a category between public and private, create a new rule with the required setting and assign it to the category.
Adding exceptions to group privacy rules
For each group privacy rule, you can create one or more exceptions. An exception identifies groups in one tenant of your organization that are exempt from the rule's privacy setting. Exceptions can match on group name, group owner, or group member.
For example, Tenant 1 contains several groups, including Group A, which is owned by User 1 and has User 2 as a member. Group A was created using Category A, whose group privacy rule is set to private. The rule, however, contains an exception for groups that have User 1 as the group owner and User 2 as a group member. Group A therefore matches the exception and is visible to all users in the self-service portal, while the other groups created using Category A remain visible only to their owners and members.
You can add exceptions for groups in different tenants to one group privacy rule, so if your organization has multiple tenants, a single privacy rule can carry the exceptions for all of them.
An exception can contain multiple rules, and the operator between rules within one exception is "AND". For example, one exception can match groups that are owned by User 1 and also have User 2 as a group member.
If you add multiple exceptions, the operator between exceptions is "OR". For example, two exceptions, one for groups named "Marketing" and one for groups named "Sales", together match either. Because a Group Name exception can also match text contained in the name, a short string exempts every group whose name contains it, so check what a name exception actually matches before saving it.
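The following Python model, added here as an illustration and not the product's own code, evaluates the visibility semantics described above: a public rule shows every group, a private rule shows a group only to its owners and members, and an exception (all of its rules must hold, scoped to one tenant) exempts a group when any exception matches. The group, user and tenant names are constructed sample data mirroring the worked example; the case-insensitive "contains" match for Group Name exceptions and the placeholder outsider account are assumptions.

```python
"""Model of group privacy rule evaluation: private/public default plus
exceptions (AND within an exception, OR across exceptions, each exception
scoped to one tenant). Constructed data; not the product's own code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    tenant: str
    name: str
    owners: frozenset
    members: frozenset


@dataclass(frozen=True)
class Condition:
    """One rule inside an exception: kind is 'name', 'owner' or 'member'."""
    kind: str
    value: str

    def matches(self, group: Group) -> bool:
        if self.kind == "name":
            # Assumption: a name rule is a case-insensitive substring match.
            return self.value.lower() in group.name.lower()
        if self.kind == "owner":
            return self.value in group.owners
        if self.kind == "member":
            return self.value in group.members
        raise ValueError(f"unknown condition kind: {self.kind!r}")


@dataclass(frozen=True)
class Exception_:
    """All conditions must hold (AND), and only for groups in this tenant."""
    tenant: str
    conditions: tuple

    def matches(self, group: Group) -> bool:
        return group.tenant == self.tenant and all(c.matches(group) for c in self.conditions)


@dataclass(frozen=True)
class PrivacyRule:
    name: str
    private: bool
    exceptions: tuple = ()  # any matching exception is enough (OR)

    def is_exempt(self, group: Group) -> bool:
        return any(e.matches(group) for e in self.exceptions)


def visible_to(rule: PrivacyRule, group: Group, user: str) -> bool:
    """True if `user` can see `group` in the self-service portal."""
    if user in group.owners or user in group.members:
        return True                  # owners and members always see their group
    if not rule.private:
        return True                  # public category: visible to everyone
    return rule.is_exempt(group)     # private: visible to others only via an exception


def discoverable_by_outsiders(rule: PrivacyRule, groups) -> list:
    """Audit helper: names of groups that a user who owns nothing and is a
    member of nothing could still browse and request to join under `rule`."""
    outsider = "nobody@example.test"  # placeholder account, not in any group
    return [g.name for g in groups if visible_to(rule, g, outsider)]


# Constructed sample data mirroring the worked example in the text.
GROUP_A = Group("Tenant 1", "Group A", frozenset({"User 1"}), frozenset({"User 2"}))
GROUP_B = Group("Tenant 1", "Group B", frozenset({"User 3"}), frozenset({"User 4"}))
# Owner matches the exception but the member does not: AND fails.
GROUP_C = Group("Tenant 1", "Group C", frozenset({"User 1"}), frozenset({"User 5"}))
MARKETING_T2 = Group("Tenant 2", "Marketing Leads", frozenset({"User 6"}), frozenset())

CATEGORY_A_RULE = PrivacyRule(
    name="Category A privacy",
    private=True,
    exceptions=(
        # one exception, two rules: owner User 1 AND member User 2, Tenant 1 only
        Exception_("Tenant 1", (Condition("owner", "User 1"), Condition("member", "User 2"))),
        # second exception (OR): any Tenant 2 group whose name contains "Marketing"
        Exception_("Tenant 2", (Condition("name", "Marketing"),)),
    ),
)

ALL_GROUPS = (GROUP_A, GROUP_B, GROUP_C, MARKETING_T2)

if __name__ == "__main__":
    for g in ALL_GROUPS:
        print(f"{g.name}: visible to User 3 = {visible_to(CATEGORY_A_RULE, g, 'User 3')}")
    print("Exposed to outsiders:", discoverable_by_outsiders(CATEGORY_A_RULE, ALL_GROUPS))
```

Running `discoverable_by_outsiders` against a rule before you save it is the check worth doing: it lists exactly the groups that the exceptions expose to users who are neither owners nor members, which is where an over-broad Group Name string shows up.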
To add exceptions to group privacy rules
- On the Group tab of the Policies page, click ADD next to the Group Privacy Rule heading.
- Give your group privacy rule a name and select the privacy setting.
- In the Exceptions section, click CHOOSE A TENANT TO ADD EXCEPTIONS.
- From the Tenant drop-down list, select the tenant that contains the groups you want to add as exceptions to the rule and click the check mark.
- From the first drop-down list, select one of the following options:
  - Group Name - defines an exception for a group by its name or by text contained in its name.
  - Group Owner - defines an exception for groups owned by a specified user.
  - Group Member - defines an exception for groups that contain a specified member.
- In the last field, type the group name (or the text it must contain) or select the user.
- Click the plus sign (+) to add the exception.
A group category consists of a Group Security Level, a Group Naming Rule, one or more Group Creation Templates for Self-Service, and a Group Privacy Rule. You must specify a group category when you create a group.