Managing Microsoft Teams Security in Active Directory

Published July 11 2018 by Irena Meilutyte

Congratulations, you want to start deploying Teams in your company but running into a devilish problem – governance and security. You’ve worked hard to ensure that SharePoint is well governed with all security groups managed through AD groups and is working well. Now comes along Teams threatening to wreak havoc with their special security model! Worry not, we have a solution.

Microsoft Teams is a great new tool for collaboration, bringing together a team of people that can have conversations, share files and gain access to other Office 365 resources such as Planner, SharePoint team site, outlook distribution list and customized channels. An Office 365 group has its own AD security group and does not support nesting. So in the middle of your beautifully managed governance through AD groups, sits a troubled child that does not want to play nice with others. Some background first:

Security Groups in Active Directory

Active Directory allows creation of following groups:

  • Office 365:
      • Every Office 365 group creates a security group of this type. It is then included in the Members SharePoint security group of the SharePoint team site that is created with the group.

  • Distribution List:
      • Crated for sharing information with a group of users through email messages. This group is not created for security purposes.

  • Mail Enabled Security:
      • Used to control access to OneDrive and SharePoint as well as email to all users on the list

  • Security:
    • Created for access management to OneDrive, SharePoint and are used for Mobile device Management for Office 365.

How It works – Default SharePoint Security

Out of the box, when a SharePoint site is created, the following SharePoint Security Groups are created:

  • {Site Name} Members – use this group to grant users Edit permissions
  • {Site Name} Owners – use this group to grant users Full Control permissions
  • {Site Name} Visitors – use this group to grant users Read permissions

Default SharePoint Security Groups


When Team site is created in O365 modern UI, behind the scenes Office 365 group is created in Active Directory (AD) and it is mapped to the SharePoint Site Members Group. When a site member adds additional members via SharePoint team site UI, newly added site members are added to the AD O365 group.

Team Site (Modern UI): Adding a new Member via UI


SharePoint2Team Site (Modern UI): Adding a new Member via UI

Default Security upon Creation of Department A team site in O365:

  • Active Directory
    • Department A O365 group is created
  • SharePoint
    • Three SharePoint security Groups are created:
      • Members
      • Owners
      • Visitors
    • Any member added via team site UI, Add Member to Group button is automatically added to Active Directory O365 group.

Default Security upon Creation of Department A team site in O365

Best Practices and Existing Gaps:

While one can add individual members to SharePoint group, many organizations consider it best practice to map AD Security group to SharePoint group to manage access to the site. 

Doing so will:

  • Remove the need for an Administrator to individually assign permissions to users in SharePoint
  • Will ensure that each user that is a member of the group has the same permissions

Security Management Via Active Directory

Desired Active Directory Set Up:

  • Manually create matching AD Security Groups, e.g. Department A Visitors
  • Add AD Security Groups to corresponding SharePoint Security Groups
  • Going forward, all group management is done via Active Directory


O365 functionality does not support O365 group nesting. O365 group cannot be added within AD Security groups or other O365 groups.

Desired Active Directory Set Up


Keep O365 groups and Active Directory groups in-sync:

  • Write a custom script to synch members from Active Directory Security group to Office 365 group (which we have ..)
  • Disable the feature in Teams UI enabling to add members to the O365 group

SharePoint 5
Disabling the feature to add Members to the Site:

SharePoint Access Requests Settings

  • #1: check to completely disable sharing for the site (including document sharing)
  • #2: Check to disable site sharing but allow sharing of documents. This option needs to be unchecked to not allow users to add additional members to O365 group.
  • #3: Uncheck to disable access sharing requests

AD Security group to Office 365 group synch solution closes existing challenge of not being able to nest O365 groups and enables full security management via Active Directory. Such solution works well for department or specific topic sites were user membership needs to be controlled centrally. To get more details and see if this method and script can help you in your SharePoint governance of Teams and Office 365 groups please contact us.

Learn more about security. Watch the webinar on Cybersecurity Qualification. One cannot eliminate the potential for a cyber-attack, but you can minimize the probability of a cyber-attack by changing your validation strategy. 

Irena is passionate, goal-oriented, and organized Project Manager with excellent planning, analytical and quality assurance skills, and attention to the detail. She has years of experience in project management and all aspects of the Project Development Life cycle, including analysis, design, development, quality delivery, implementation, documentation, training, and post-implementation support.

Contact us