Creating and Managing Groups in SharePoint Online Using Microsoft Graph API
When working with Microsoft 365 and Azure Active Directory (Azure AD), managing groups is an essential task for organizing teams and controlling access to resources. Whether we’re setting up collaboration spaces or managing security, understanding the differences between Microsoft 365 Groups and Security Groups, and knowing how to create them programmatically, is vital. In this post, we’ll break down the process of creating these groups using the Microsoft Graph API and when to use each type.
What Are Microsoft 365 Groups and Security Groups?
1. Microsoft 365 Groups
Microsoft 365 Groups are built for collaboration. When we create a Microsoft 365 Group, we get access to a variety of integrated tools, making it ideal for teams working together on projects. The features include:
- Shared Mailbox and Calendar: Helps group members coordinate and share emails and events.
- SharePoint Site: Automatically provides a space for document storage, ensuring everyone has access to shared files.
- Teams Integration: A Microsoft Teams workspace is created for real-time communication and collaboration.
- Planner: Manages tasks and keeps the team on track with project goals.
2. Security Groups
Security Groups are primarily used for access control. Unlike Microsoft 365 Groups, Security Groups do not provide collaboration features. These groups are essential for:
- Managing Permissions: Control access to SharePoint sites, applications, files, or other resources.
- Assigning Roles or Policies: Use Security Groups to assign roles or set up policies in Azure AD.
Although they can be mail-enabled to receive emails, they are not designed for collaboration, making them perfect for security and resource management.
Key Differences Between Microsoft 365 Groups and Security Groups
| Feature | Microsoft 365 Group | Security Group |
|---|---|---|
| Purpose | Collaboration (Teams, SharePoint, shared mailbox) | Access control and permissions management |
| GroupTypes Property | GroupTypes = new List<string> { "Unified" } |
GroupTypes = new List<string>() |
| Mail-Enabled | Always mail-enabled | Can be mail-enabled or non-mail-enabled |
| Security-Enabled | SecurityEnabled = false |
SecurityEnabled = true |
| Use Case | Team collaboration, project management | Managing access to resources, applications, or services |
How to Create Groups Programmatically Using Microsoft Graph API
The Microsoft Graph API offers a comprehensive approach to managing groups in Azure AD and Microsoft 365. Below, we’ll walk through how to create both Microsoft 365 Groups and Security Groups programmatically using C#.
1. Prerequisites
Before we begin, we need to ensure the following:
- Register an App in Azure AD: Go to the Azure Portal, navigate to Azure Active Directory > App Registrations, and create a new app registration. Make a note of the Client ID, Tenant ID, and Client Secret.
- Grant Permissions: Ensure the app has the following permissions:
Group.ReadWrite.AllUser.ReadWrite.All
- Install the Microsoft Graph SDK:
To interact with Microsoft Graph, install the SDK using:
dotnet add package Microsoft.Graph
2. Create a Microsoft 365 Group
Microsoft 365 Groups are created by setting the GroupTypes property to “Unified”. This specifies that the group will have collaboration features like Teams, SharePoint, and a shared mailbox.
Here’s a C# example of how to create a Microsoft 365 Group:
public static GraphServiceClient GetGraphServiceClient(string tenantId, string clientId)
{
var scopes = new[] { "https://graph.microsoft.com/.default" };
var options = new InteractiveBrowserCredentialOptions
{
TenantId = tenantId,
ClientId = clientId,
AuthorityHost = AzureAuthorityHosts.AzurePublicCloud,
RedirectUri = new Uri("https://login.microsoftonline.com/common/oauth2/nativeclient"),
};
var interactiveCredential = new InteractiveBrowserCredential(options);
var graphClient = new GraphServiceClient(interactiveCredential, scopes);
return graphClient;
}
public static async Task CreateMicrosoftGroupAsync(string groupDisplayDescription, string groupDisplayName,
List<string> groupType, string tenantId, string clientId)
{
try
{
var graphServiceClient = GetGraphServiceClient(tenantId, clientId);
var requestBody = new Group
{
Description = groupDisplayDescription,
DisplayName = groupDisplayName,
GroupTypes = groupType,
MailEnabled = true,
MailNickname = "library", // Can be customized based on your requirements
SecurityEnabled = false,
};
await graphServiceClient.Groups.PostAsync(requestBody);
}
catch (Exception ex)
{
Console.WriteLine($"Error creating group: {ex.Message}");
}
}
Key Configuration:
GroupTypes = new List<string> { "Unified" }indicates a Microsoft 365 Group.SecurityEnabled = falsebecause this is not a security group.- The group will have features like a shared mailbox, calendar, and Teams integration.
3. Create a Security Group
Security Groups are created by leaving the GroupTypes property empty. Security Groups are ideal for access control but do not include collaboration tools.
Here’s the code to create a Security Group:
public static async Task CreateSecurityGroupAsync(string groupDisplayDescription, string groupDisplayName,
string tenantId, string clientId)
{
try
{
var graphServiceClient = GetGraphServiceClient(tenantId, clientId);
var requestBody = new Group
{
Description = groupDisplayDescription,
DisplayName = groupDisplayName,
MailEnabled = false, // Non-mail-enabled security group
MailNickname = "financeaccess",
SecurityEnabled = true, // Indicates this is a security group
GroupTypes = new List<string>() // No "Unified" type for security group
};
await graphServiceClient.Groups.PostAsync(requestBody);
}
catch (Exception ex)
{
Console.WriteLine($"Error creating group: {ex.Message}");
}
}
Key Configuration:
GroupTypes = new List<string>()specifies a Security Group.SecurityEnabled = truebecause this is a security group.
4. Create a Mail-Enabled Security Group
If we need a Security Group that can receive emails, we can set MailEnabled = true. This group will still function as a Security Group but will have the ability to receive email communications.
public static async Task CreateMailEnabledSecurityGroupAsync(string groupDisplayDescription, string groupDisplayName,
string tenantId, string clientId)
{
try
{
var graphServiceClient = GetGraphServiceClient(tenantId, clientId);
var requestBody = new Group
{
Description = groupDisplayDescription,
DisplayName = groupDisplayName,
MailEnabled = true, // Mail-enabled security group
MailNickname = "marketingteam",
SecurityEnabled = true,
GroupTypes = new List<string>() // Specifies a Mail-Enabled Security Group
};
await graphServiceClient.Groups.PostAsync(requestBody);
}
catch (Exception ex)
{
Console.WriteLine($"Error creating group: {ex.Message}");
}
}
When to Use Which Group?
Use Microsoft 365 Groups when:
- We need collaboration features like Teams, SharePoint, or a shared mailbox.
- We are setting up a project team or department where communication and collaboration are key.
Use Security Groups when:
- We need to manage access to resources (e.g., applications, files, or folders).
- We don’t require collaboration features.
Conclusion
Creating and managing groups in Microsoft 365 and Azure AD is crucial for organizing our teams and controlling access. By using the Microsoft Graph API, we can automate the creation and management of both Microsoft 365 Groups and Security Groups, making it easier to integrate collaboration and access control into our applications.
Whether we need a collaborative workspace for a team or a security group for controlling access to resources, understanding these group types and their differences will help us optimize our Azure AD management.
Happy coding!
Leave a comment