Using Hidden Membership for Microsoft 365 Groups

Keeping Group Membership Secret

Customers expressed the desire to hide the membership of Microsoft 365 Groups soon after Microsoft launched Office 365 Groups in November 2014. Microsoft duly shipped the feature in early 2015.

Many scenarios exist to cloak the membership of a group. Some educational establishments don’t like revealing the full membership of classes; corporations engaged in confidential activities (like a merger and acquisition project) might like to hide the fact that external advisors have joined an internal team. Other organizations like to hide the membership of some committees, and so on.

Creating Groups with Hidden Memberships

Only PowerShell supports the creation of a Microsoft 365 group with hidden membership. This code creates a new group with the New-UnifiedGroup cmdlet and adds some members and a second owner with the Add-UnifiedGroupLinks cmdlet. The account that runs the New-UnifiedGroup cmdlet automatically becomes an owner:

New-UnifiedGroup -Alias "Super.Secret.Team" -PrimarySmtpAddress Super.Secret.Team@office365itpros.com -HiddenGroupMembershipEnabled:$True -Name "Super Secret Team"
Add-UnifiedGroupLinks -Identity Super.Secret.Team -LinkType Member -Links Sean.Landy, Terry.Hegarty, James.Ryan, Jackson.Hoare, Jane.Sixsmith, Michael.King
Add-UnifiedGroupLinks -Identity Super.Secret.Team -LinkType Owner -Links Michael.King

When a group has hidden membership, it means that Exchange Online only reveals details of the group membership to its members (through client interfaces) and tenant administrators (through administrative interfaces). This statement isn’t 100% true. As shown in Figure 1, when users browse an address list, they can’t see the group membership, but they can see one of the group owners, who are also group members. This means that part of the group membership is exposed.

Distribution lists also support hidden membership. Like Microsoft 365 Groups, you can set hidden membership when creating a new distribution list or you can hide membership for an existing distribution list. For example, this command creates a new distribution list with hidden membership.

New-DistributionGroup -Alias "SecretDL" -Name "Secret Distribution List" -DisplayName "Secret Distribution List" -PrimarySmtpAddress SecretDl@office365itpros.com -HiddenGroupMembershipEnabled:$True

When a Microsoft 365 group has hidden membership, its membership cannot be revealed by updating group properties. The Set-UnifiedGroup cmdlet doesn’t support updating the HiddenGroupMembershipEnabled setting. However, you can restore visible membership for a distribution list. For example:

Set-DistributionGroup -Identity SecretDL -HiddenGroupMembershipEnabled:$False

And if you make a mistake, you can reverse course and hide the membership again.

Set-DistributionGroup -Identity SecretDL -HiddenGroupMembershipEnabled:$True

Remember that Exchange Online must generate updated OAB files for Outlook to download and apply before changes to membership visibility become completely effective in Outlook desktop.

Sensitivity Labels and Hidden Group Privacy

Only a private Microsoft 365 group can have hidden membership. PowerShell and the other administrative interfaces will stop administrators changing the access type from private to public. Another thing to consider is what sensitivity label the new group should receive. Remember that sensitivity labels can control the privacy type for a group. If you assign a sensitivity label that applies container management settings, the access type set by the label must be Private. If not, you’ll see an error.

Figure 2 shows the group settings in the Microsoft 365 admin center. The group sensitivity label is Confidential Access, which is fine because it sets the access type to Private. Any attempt to use a label that sets the access type to Public will result in a cryptic error message that’s not very clear.

In addition, attempts to change the privacy (access type) through this interface won’t work because “visibility of a group with hidden membership cannot be updated.”

Hiding Groups from Address Lists

The “don’t show team email address in Outlook” setting controls the group’s HiddenFromAddressListsEnabled property. By default, the value of the property is False, meaning that Exchange Online includes the group in its address lists, including the Offline Address Book (OAB) and Global Address List (GAL). The effect of choosing this option is to stop users finding an entry for the group (and therefore being able to see its SMTP address) when they browse Outlook address lists. For example, there’s no sign of the group in the Outlook address book (Figure 3).

To make the group visible in address lists, update the setting in the admin center or run Set-UnifiedGroup to update the property:

Set-UnifiedGroup -Identity Super.secret.team -HiddenFromAddressListsEnabled $False

Remember that hiding the SMTP address of a group doesn’t stop people from sending messages to the group. It’s a visual block, not a hard block imposed in the transport service. If you want to restrict the people who can send messages to a group, use the AcceptMessagesOnlyFromSendersOrMembers property. This example stops the group accepting messages from anyone but group members.

Set-UnifiedGroup -Identity Super.secret.team -AcceptMessagesOnlyFromSendersOrMembers "Super.Secret.Team@Office365itpros.com"

Teams and Hidden Membership

Teams supports Microsoft 365 Groups with hidden membership. To team-enable our group, use the Add Teams option in the General tab of the group’s properties in the Microsoft 365 admin center. Alternatively, connect to Teams with PowerShell and run the New-Team cmdlet with the GroupId parameter pointing to the Azure AD identifier for the Microsoft 365 group:

Connect-MicrosoftTeams
New-Team -GroupId (Get-UnifiedGroup -Identity Super.Secret.Team | Select-Object -ExpandProperty ExternalDirectoryObjectId)

As only team members can access a team, they’re the only ones who can see the membership.

Impact on Reporting

Because administrative interfaces always have access to group membership data, setting group membership to be hidden might or might not affect the data returned by PowerShell cmdlets and Graph API requests. For example, the script to generate a report of Teams membership includes hidden membership because the code accesses each team to retrieve its membership. However, because the Graph TransitiveMemberOf API doesn’t include hidden membership in its results, the script to generate a report of membership of Microsoft 365 Groups (and Teams) doesn’t include groups and teams with hidden membership data.

Hidden is Good for Some

I don’t come across many situations where tenants use groups with hidden memberships and Office365ITPros.com hasn’t had many questions about this topic over the years. The feature is there, it works, and it solves a problem for some. I guess that’s all we need to say about it.

---

Keep up with the changing world of the Microsoft 365 ecosystem by subscribing to the Office 365 for IT Pros eBook. Monthly updates mean that our subscribers learn about new developments as they happen.