How to create a security group in Microsoft 365?
Security groups in Microsoft 365 are collections of users, devices, or other groups that allow admins to manage permissions and access to resources efficiently. They help admins streamline management by assigning permissions collectively rather than individually. This approach enhances security, simplifies administration, and ensures that policies & settings are applied consistently across multiple users or devices.
Are Security Groups Essential for Organizational Security?
No, but security groups are highly recommended to manage permissions, ensure consistent access rights, and reduce the risk of errors when handling large numbers of users or devices. Follow the steps below to create security groups in Azure Active Directory using either the Microsoft Entra admin center or PowerShell.
Create a Security Group Using Microsoft Entra Admin Center
- Log in to the Microsoft Entra admin center and navigate to .
- By default, Security is selected in the Group type field. Next, enter a name for the group and provide a description.
- If you want to assign roles to the security group, switch the Microsoft Entra roles can be assigned to the group toggle to Yes. Once this setting is enabled, the group's eligibility for role assignment becomes permanent and cannot be reverted.
- Select the Membership type based on your preference:
  - Assigned: This option enables you to manually assign members to the group.
  - Dynamic user: Using this option, you can automatically assign membership based on user attributes, such as department, location, etc.
  - Dynamic device: With this option, you can automatically assign membership based on device attributes, such as operating system, device type, etc.
- Select the owners for the group by clicking the No owners selected link in the Owners section.
- Add members to the security group by selecting the No members selected option in the Members section.
- Review your settings and click Create to create the group.
Add a Security Group Using PowerShell
- Connect to the Microsoft Graph PowerShell using the cmdlet below.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "GroupMember.ReadWrite.All"
- Use the New-MgGroup cmdlet below to create a new security group.
New-MgGroup -DisplayName "<GroupName>" -MailNickname "<MailNickname>" -Description "<GroupDescription>" -SecurityEnabled -MailEnabled:$False
- To add members to a group, use the New-MgGroupMember cmdlet with the Group ID and the User ID.
New-MgGroupMember -GroupId "<SecurityGroupID>" -DirectoryObjectId "<UserID>" #Make sure to replace <SecurityGroupID> and <UserID> with the appropriate values before executing the command.
- Use the New-MgGroupOwner cmdlet to add owners to a specific security group.
New-MgGroupOwner -GroupId "<SecurityGroupID>" -DirectoryObjectId "<UserID>"
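The four steps above combined into one re-runnable script, as an added example that is not part of the original page. It reuses an existing group instead of creating a duplicate and skips owners and members who are already present. The group name, nickname and UPNs are constructed placeholders, and the extra User.Read.All scope is an assumption needed only for the UPN lookups.

```powershell
# Added example: all names and UPNs below are constructed placeholders.
$GroupName  = 'SG-Finance-Readers'
$Nickname   = 'sg-finance-readers'
$OwnerUpns  = @('owner1@contoso.example')
$MemberUpns = @('user1@contoso.example', 'user2@contoso.example')

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'GroupMember.ReadWrite.All', 'User.Read.All'

# Reuse a group with this display name if one exists; otherwise create it.
$group = Get-MgGroup -Filter "displayName eq '$GroupName'" | Select-Object -First 1
if (-not $group) {
    $group = New-MgGroup -DisplayName $GroupName -MailNickname $Nickname `
        -Description 'Read access to finance resources' `
        -SecurityEnabled -MailEnabled:$false
}

# Stop if the name matched something that is not a plain security group,
# so permissions are never attached to the wrong kind of object.
if (-not $group.SecurityEnabled -or $group.MailEnabled) {
    throw "Group '$GroupName' exists but is not a (non-mail) security group."
}

# Resolve each UPN to an object ID and add it only if it is not already present.
function Add-GroupPrincipal {
    param([string[]]$Upns, [string[]]$ExistingIds, [scriptblock]$AddAction)
    foreach ($upn in $Upns) {
        $user = Get-MgUser -UserId $upn -ErrorAction Stop
        if ($ExistingIds -contains $user.Id) { Write-Host "skip  $upn"; continue }
        & $AddAction $user.Id
        Write-Host "added $upn"
    }
}

$ownerIds  = @(Get-MgGroupOwner  -GroupId $group.Id -All | ForEach-Object Id)
$memberIds = @(Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object Id)

Add-GroupPrincipal $OwnerUpns $ownerIds {
    param($id) New-MgGroupOwner -GroupId $group.Id -DirectoryObjectId $id
}
Add-GroupPrincipal $MemberUpns $memberIds {
    param($id) New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $id
}

# Read the final state back so the change can be reviewed or logged.
$owners  = @(Get-MgGroupOwner  -GroupId $group.Id -All).Count
$members = @(Get-MgGroupMember -GroupId $group.Id -All).Count
Write-Host "$($group.DisplayName) [$($group.Id)]: $owners owner(s), $members member(s)"
```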
Enhance security group tracking in Microsoft 365 with AdminDroid’s detailed insights, overcoming the limitations of Azure AD audit logs and the need for additional filtration.
- By applying a simple filter where GroupType equals SecurityEnabled in the created groups report, you can monitor all security group creations effortlessly.
- This allows you to see details such as who created the group, when it was created, the group name, and more, saving you time and effort while maintaining oversight.
Handy Hint: Save your customized view using the 'Save as view' option to quickly access the report without applying filters each time.