Microsoft 365

Microsoft 365 Groups: Collaboration Features Guide

Microsoft 365 Groups are the shared identity that connects Teams, SharePoint, Outlook, Planner and other Microsoft 365 services into a unified collaboration workspace. Understanding how Groups work helps businesses manage access, reduce duplication and keep their Microsoft 365 environment organised.

NH

Nathan Hill-Haimes

Technical Director

7 min read·Mar 2026

By Nathan Hill-Haimes, Technical Director | 7 min read · Mar 2026

Most IT managers meet Microsoft 365 Groups by accident. Someone spins up a Team, and behind the scenes a Group, a SharePoint site and a shared mailbox appear without anyone asking for them. Multiply that across a year and you have an access-control problem hiding inside a collaboration tool. This guide explains what Groups actually are, how they relate to Teams, and how to keep them under control — the same approach we use across our managed Microsoft 365 security service.

What are Microsoft 365 Groups?

A Microsoft 365 Group is a shared identity: a membership list that acts as the foundation for several connected collaboration services. Creating one provisions a shared mailbox and calendar, a SharePoint team site, a OneNote notebook, a Planner board and — if you add it — a Teams workspace, all governed by the same members.

The membership list is the control point. According to Microsoft's own documentation, one group can back multiple workloads, so a single membership change cascades across every connected resource. That makes Groups a clean foundation for project teams, departments and working groups — but it also means a sloppy membership list quietly exposes a SharePoint site, an inbox and a Teams channel at the same time.

What you get with a single Microsoft 365 Group:

  • A shared mailbox and calendar in Outlook
  • A SharePoint team site for document storage
  • A OneNote notebook for shared notes
  • A Planner board for task management
  • A Teams workspace, if Teams is added to the Group

How do Groups relate to Microsoft Teams?

Every Team in Microsoft Teams is backed by a Microsoft 365 Group — they are the same object viewed through different surfaces. Create a Team and Microsoft creates the Group automatically; the Team's members are the Group's members, and the Team's Files tab is simply the backing SharePoint site.

This matters when you troubleshoot access. If a user can see a Team but not its files, the problem usually sits in the Group membership or the SharePoint permissions, not in Teams itself. Treating Teams and Groups as one identity — rather than two systems — makes both faster to administer and harder to misconfigure. We cover the access-control side of this in detail on our Microsoft Teams security page.

What are the different group types in Microsoft 365?

Microsoft 365 has four group types, and confusing them is a common source of misconfigured access. Microsoft 365 Groups are the modern collaboration object; distribution and security groups are older constructs that do narrower jobs. Choosing the wrong one either over-shares content or fails to provision the workspace people expect.

Group typeEmail?Shared workspace?Used forManaged in
Microsoft 365 GroupYesYes (Teams, SharePoint, Planner)Modern team collaborationAdmin Centre / Entra ID
Distribution groupYesNoRouting email to many recipientsExchange Admin Centre
Mail-enabled security groupYesNoResource access + emailExchange / Entra ID
Security groupNoNoAccess to apps, SharePoint, Intune policiesMicrosoft Entra ID

For new team collaboration, Microsoft 365 Groups are the recommended approach. Distribution groups still earn their place for simple routing — addresses like accounts@company.co.uk or marketing@company.co.uk — where no shared workspace is wanted. Security groups remain the right tool for assigning Intune policies and Conditional Access without provisioning a mailbox.

How are Microsoft 365 Groups created and managed?

Groups can be created from several entry points: Microsoft Teams, Outlook's New Group option, a new SharePoint Team Site, the Microsoft 365 Admin Centre, or Microsoft Entra ID for administrators working at scale. Each route provisions the same underlying object, which is exactly why uncontrolled creation produces duplicates.

Membership can be self-service (users request to join) or owner-managed (owners approve every member). For sensitive projects or compliance-controlled content, owner-managed membership is the safer default. The single most useful lever, though, is restricting who can create Groups at all — administrators can limit creation to a designated security group in Microsoft Entra ID, which stops the sprawl before it starts.

Why does Microsoft 365 Group sprawl happen?

Group sprawl happens because creation is frictionless and deletion is nobody's job. Every new Team spawns a Group, a SharePoint site, a mailbox and a Planner. After 12–18 months, organisations typically accumulate dozens of abandoned Groups — finished projects, departed staff, and duplicate Teams created because nobody checked whether one already existed.

Left unmanaged, sprawl is not just untidy; it is a data-governance liability. Each dead Group is a SharePoint site that still holds documents and a mailbox that still receives mail, often with stale membership. The controls that work:

  • Restrict Group creation to designated administrators or an approved-request process
  • Configure expiry policies so owners must re-confirm active Groups after a set period, with inactive Groups auto-deleted
  • Enforce naming policies for consistent, searchable names
  • Audit inactive Groups on a recurring schedule

If you have never run this exercise, a structured Microsoft 365 security audit is the fastest way to find dormant Groups and the data sitting inside them.

How do you secure Microsoft 365 Group membership?

Group membership controls access to potentially sensitive content — SharePoint sites, shared mailboxes and Teams channels — so it has to be reviewed when staff leave or change roles. The mechanism to automate this is access reviews, which periodically prompt owners to re-certify their membership lists rather than relying on memory.

Access reviews are part of Microsoft Entra ID Governance and require Microsoft Entra ID P2 (included in Microsoft 365 E5), per Microsoft's licensing documentation. Pair them with owner-managed membership and tight guest-access controls and the Group stops being a quiet back door. This is squarely the kind of ongoing hygiene we build into our managed IT support for UK SMEs — one provider, security-first, Microsoft-certified engineers keeping membership lists honest.

Is Your Microsoft 365 Environment Getting Out of Control?

AMVIA helps UK businesses establish governance policies for Microsoft 365 Groups and Teams before sprawl becomes a real problem.

Frequently Asked Questions