Microsoft 365 Groups: Collaboration Features Guide
Microsoft 365 Groups are the shared identity that connects Teams, SharePoint, Outlook, Planner and other Microsoft 365 services into a unified collaboration workspace. Understanding how Groups work helps businesses manage access, reduce duplication and keep their Microsoft 365 environment organised.
Nathan Hill-Haimes
Technical Director
By Nathan Hill-Haimes, Technical Director | 7 min read · Mar 2026
Most IT managers meet Microsoft 365 Groups by accident. Someone spins up a Team, and behind the scenes a Group, a SharePoint site and a shared mailbox appear without anyone asking for them. Multiply that across a year and you have an access-control problem hiding inside a collaboration tool. This guide explains what Groups actually are, how they relate to Teams, and how to keep them under control — the same approach we use across our managed Microsoft 365 security service.
What are Microsoft 365 Groups?
A Microsoft 365 Group is a shared identity: a membership list that acts as the foundation for several connected collaboration services. Creating one provisions a shared mailbox and calendar, a SharePoint team site, a OneNote notebook, a Planner board and — if you add it — a Teams workspace, all governed by the same members.
The membership list is the control point. According to Microsoft's own documentation, one group can back multiple workloads, so a single membership change cascades across every connected resource. That makes Groups a clean foundation for project teams, departments and working groups — but it also means a sloppy membership list quietly exposes a SharePoint site, an inbox and a Teams channel at the same time.
What you get with a single Microsoft 365 Group:
- A shared mailbox and calendar in Outlook
- A SharePoint team site for document storage
- A OneNote notebook for shared notes
- A Planner board for task management
- A Teams workspace, if Teams is added to the Group
How do Groups relate to Microsoft Teams?
Every Team in Microsoft Teams is backed by a Microsoft 365 Group — they are the same object viewed through different surfaces. Create a Team and Microsoft creates the Group automatically; the Team's members are the Group's members, and the Team's Files tab is simply the backing SharePoint site.
This matters when you troubleshoot access. If a user can see a Team but not its files, the problem usually sits in the Group membership or the SharePoint permissions, not in Teams itself. Treating Teams and Groups as one identity — rather than two systems — makes both faster to administer and harder to misconfigure. We cover the access-control side of this in detail on our Microsoft Teams security page.
What are the different group types in Microsoft 365?
Microsoft 365 has four group types, and confusing them is a common source of misconfigured access. Microsoft 365 Groups are the modern collaboration object; distribution and security groups are older constructs that do narrower jobs. Choosing the wrong one either over-shares content or fails to provision the workspace people expect.
| Group type | Email? | Shared workspace? | Used for | Managed in |
|---|---|---|---|---|
| Microsoft 365 Group | Yes | Yes (Teams, SharePoint, Planner) | Modern team collaboration | Admin Centre / Entra ID |
| Distribution group | Yes | No | Routing email to many recipients | Exchange Admin Centre |
| Mail-enabled security group | Yes | No | Resource access + email | Exchange / Entra ID |
| Security group | No | No | Access to apps, SharePoint, Intune policies | Microsoft Entra ID |
For new team collaboration, Microsoft 365 Groups are the recommended approach. Distribution groups still earn their place for simple routing — addresses like accounts@company.co.uk or marketing@company.co.uk — where no shared workspace is wanted. Security groups remain the right tool for assigning Intune policies and Conditional Access without provisioning a mailbox.
How are Microsoft 365 Groups created and managed?
Groups can be created from several entry points: Microsoft Teams, Outlook's New Group option, a new SharePoint Team Site, the Microsoft 365 Admin Centre, or Microsoft Entra ID for administrators working at scale. Each route provisions the same underlying object, which is exactly why uncontrolled creation produces duplicates.
Membership can be self-service (users request to join) or owner-managed (owners approve every member). For sensitive projects or compliance-controlled content, owner-managed membership is the safer default. The single most useful lever, though, is restricting who can create Groups at all — administrators can limit creation to a designated security group in Microsoft Entra ID, which stops the sprawl before it starts.
Why does Microsoft 365 Group sprawl happen?
Group sprawl happens because creation is frictionless and deletion is nobody's job. Every new Team spawns a Group, a SharePoint site, a mailbox and a Planner. After 12–18 months, organisations typically accumulate dozens of abandoned Groups — finished projects, departed staff, and duplicate Teams created because nobody checked whether one already existed.
Left unmanaged, sprawl is not just untidy; it is a data-governance liability. Each dead Group is a SharePoint site that still holds documents and a mailbox that still receives mail, often with stale membership. The controls that work:
- Restrict Group creation to designated administrators or an approved-request process
- Configure expiry policies so owners must re-confirm active Groups after a set period, with inactive Groups auto-deleted
- Enforce naming policies for consistent, searchable names
- Audit inactive Groups on a recurring schedule
If you have never run this exercise, a structured Microsoft 365 security audit is the fastest way to find dormant Groups and the data sitting inside them.
How do you secure Microsoft 365 Group membership?
Group membership controls access to potentially sensitive content — SharePoint sites, shared mailboxes and Teams channels — so it has to be reviewed when staff leave or change roles. The mechanism to automate this is access reviews, which periodically prompt owners to re-certify their membership lists rather than relying on memory.
Access reviews are part of Microsoft Entra ID Governance and require Microsoft Entra ID P2 (included in Microsoft 365 E5), per Microsoft's licensing documentation. Pair them with owner-managed membership and tight guest-access controls and the Group stops being a quiet back door. This is squarely the kind of ongoing hygiene we build into our managed IT support for UK SMEs — one provider, security-first, Microsoft-certified engineers keeping membership lists honest.
Is Your Microsoft 365 Environment Getting Out of Control?
AMVIA helps UK businesses establish governance policies for Microsoft 365 Groups and Teams before sprawl becomes a real problem.
Frequently Asked Questions
A Microsoft 365 Group is a modern collaboration workspace with a shared mailbox, SharePoint site, Teams workspace and Planner board. A distribution list is a legacy email-routing mechanism that only delivers mail to its members — no workspace, no connected services. For new team setups, Microsoft 365 Groups are the recommended choice.
Yes. Every Team in Microsoft Teams is backed by a Microsoft 365 Group. The Group membership controls who can access the Team, its SharePoint site and shared resources. You cannot create a Team without an associated Group — they are the same object viewed through different surfaces, which matters when you troubleshoot access.
The most effective control is restricting Group and Team creation to approved administrators or a request process. The Microsoft 365 Admin Centre lets you limit creation to a specific Entra ID security group. Expiry policies add a second layer, prompting owners to confirm Groups are still active and removing those that are not.
Yes, if guest access is enabled in your tenant. External users (guests) can be added to Groups and given access to the associated Teams, SharePoint and other resources. Guest access can be controlled at both tenant and per-Group level, allowing granular control over which content external parties can reach.
Deleting a Team soft-deletes the associated Microsoft 365 Group. The Group — including its SharePoint site, mailbox and content — is retained for 30 days in a recoverable state before permanent deletion. Administrators can restore a deleted Group within this window from the Microsoft 365 Admin Centre.
Related Reading
Microsoft 365 Groups | Your Collaboration Partner
Using Microsoft 365 Groups to power team collaboration, shared calendars and document management.
Microsoft 365 Security | Hardening Your Business Tenant
Security best practices for your Microsoft 365 tenant including access management.
Instant Messaging with Microsoft Teams | Business Guide
Using Teams channels and chat for business communication.