Office 365 Groups, sometimes referred to as Unified Groups, have been around for a while now. Groups are excellent for collaboration and for letting end users control their own collaboration experience. Groups are bad news for IT workers who need control or are resistant to change. The latter group of IT workers will need to get on board, though, as it is evident that much of the Microsoft Office 365 ecosystem will be intertwined with Groups going forward.
For the past year, I have restricted group creation in production. There were a multitude of reasons for not using Groups upon their initial release but, ultimately, it was the lack of enterprise controls. Most of those limitations have been remediated and the time for Groups is now.
In an effort to keep some form of structure around Groups, using a multi-domain approach is useful.
First Things First
Obviously (I hope), we need to start with an Office 365 tenant and be a global administrator. That aside, we will create the new domain using either PowerShell or the Office 365 Admin Center. The Admin Center provides an easy wizard for adding domains. However, if this is a subdomain of a domain that was previously added using PowerShell, you may run into the message below:
On to the ‘Shell!
Using PowerShell to add a new domain requires either the MSOnline or Azure Active Directory PowerShell Module. The new subdomain must use the same authentication type (Federated or Managed) as the parent domain.
New-MSOLDomain -Name groups.techyleaks.com -Authentication federated
NOTE: If using the New-MSOLFederatedDomain cmdlet, the command must be run from an ADFS server.
Viewing the domain list in the Admin Center will show that the status is “Setup in progress”.
Clicking on the new domain will allow you to select Continue Setup. This is where you will find a list of required DNS records that must be added with your public DNS host. Here you will find a mix of MX, CNAME, TXT, and SRV records related to your domain. Once all have been created and replicated, click Verify to complete setup.
But how do Groups know about this new domain?
Now that we have our groups domain set up, we can tell Groups where to be provisioned by creating a new email address policy (EAP) in Exchange Online. Using this Microsoft support article as a guide, create a new EAP based on your requirements. For my scenario, we want all groups to be created in the new domain:
New-EmailAddressPolicy -Name Groups -IncludeUnifiedGroupRecipients -EnabledEmailAddressTemplates "SMTP:@groups.techyleaks.com" -Priority 1
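A check to go with the steps above, as an added example that is not part of the original post: it confirms the subdomain is verified and uses the same authentication type as its parent, then lists groups whose primary address sits outside the subdomain (for example, groups created before the policy existed). The function names Test-GroupsDomainReady and Find-GroupsOutsideDomain are hypothetical, and the sample objects are constructed.

```powershell
# Added example, not from the original post. Domain names are the ones used above.
$GroupsDomain = 'groups.techyleaks.com'
$ParentDomain = 'techyleaks.com'

function Test-GroupsDomainReady {
    # $Domains: objects with Name, Status and Authentication, as returned by Get-MsolDomain.
    param([object[]]$Domains, [string]$Child, [string]$Parent)
    $c = $Domains | Where-Object { $_.Name -eq $Child }
    $p = $Domains | Where-Object { $_.Name -eq $Parent }
    if (-not $c -or -not $p) { return 'MissingDomain' }
    if ("$($c.Status)" -ne 'Verified') { return 'NotVerified' }
    # The subdomain must use the same authentication type as its parent.
    if ("$($c.Authentication)" -ne "$($p.Authentication)") { return 'AuthMismatch' }
    return 'Ready'
}

function Find-GroupsOutsideDomain {
    # $Groups: objects with DisplayName and PrimarySmtpAddress, as returned by Get-UnifiedGroup.
    param([object[]]$Groups, [string]$Domain)
    $Groups |
        Where-Object { ("$($_.PrimarySmtpAddress)" -split '@')[-1] -ne $Domain } |
        Select-Object DisplayName, PrimarySmtpAddress
}

# Constructed sample data so the block runs without a tenant connection.
$sampleDomains = @(
    [pscustomobject]@{ Name = $ParentDomain; Status = 'Verified'; Authentication = 'Federated' }
    [pscustomobject]@{ Name = $GroupsDomain; Status = 'Verified'; Authentication = 'Managed' }
)
$sampleGroups = @(
    [pscustomobject]@{ DisplayName = 'Project A'; PrimarySmtpAddress = 'projecta@groups.techyleaks.com' }
    [pscustomobject]@{ DisplayName = 'Old Team';  PrimarySmtpAddress = 'oldteam@techyleaks.com' }
)

Test-GroupsDomainReady -Domains $sampleDomains -Child $GroupsDomain -Parent $ParentDomain
Find-GroupsOutsideDomain -Groups $sampleGroups -Domain $GroupsDomain

# Against a live tenant, after Connect-MsolService and an Exchange Online session:
#   Test-GroupsDomainReady -Domains (Get-MsolDomain) -Child $GroupsDomain -Parent $ParentDomain
#   Find-GroupsOutsideDomain -Groups (Get-UnifiedGroup -ResultSize Unlimited) -Domain $GroupsDomain
```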
That’s all folks!
Now any groups created will appear in your subdomain! Stay tuned for a follow-up post on configuring Group restrictions.