Ask Downloads
Domain 1 β€” Module 5 of 8 63%
5 of 28 overall
Domain 1: Deploy and Manage a Microsoft 365 Tenant Free ⏱ ~16 min read

Groups, Shared Mailboxes and Licensing at Scale

Master Microsoft 365 Groups, distribution lists, security groups, shared mailboxes, group-based licensing, and licence monitoring β€” the backbone of organised admin.

Groups and licensing β€” the connective tissue of M365

Simple explanation

Groups are how Microsoft 365 organises people. Licensing is how you give those people access to services. Get both wrong and you’ll spend your weekdays fixing permissions and your weekends explaining licence costs.

Think of groups like different types of meeting invitations: some give you access to a shared workspace (M365 Groups), some just put you on an email list (distribution lists), some control access to resources (security groups), and some do a bit of everything.

Licensing at scale means assigning licences automatically through groups instead of one user at a time β€” then monitoring for waste.

Group types compared

Microsoft 365 Group Types
FeatureM365 GroupDistribution ListSecurity GroupMail-Enabled Security
Primary purposeCollaborationEmail distributionAccess controlAccess control + email
Shared mailbox
SharePoint site
Teams teamYes (optional)
Planner
Can assign licences
Dynamic membershipYes (Entra P1+)Yes (Entra P1+)
Managed inM365/Entra admin centerExchange admin centerEntra admin centerExchange admin center
Can contain guests

When to use which group type

ScenarioBest Group TypeWhy
Project team needs shared email, files, and a Teams channelMicrosoft 365 GroupCreates the full collaboration stack automatically
All-staff announcements (one-way email)Distribution ListSimple email fan-out, no shared resources
Control access to a SharePoint site or Azure resourceSecurity GroupPurpose-built for access control
Finance team needs email AND access control for a SharePoint siteMail-enabled Security GroupCombines distribution with access control

Shared mailboxes

A shared mailbox is a mailbox that multiple users can access without needing individual credentials. Common uses: info@company.com, support@company.com, invoices@company.com.

FeatureShared MailboxM365 Group Mailbox
Licence requiredNo (up to 50 GB)No (for the group)
Send as / Send on behalfYesYes (Send As via PowerShell, Send on Behalf via admin center)
Shows in Outlook automaticallyYes (auto-mapped)Yes (if subscribed)
CalendarYes (shared calendar)Yes (group calendar)
Needs a passwordNo β€” accessed via delegationNo β€” accessed via group membership
Best forFunctional mailboxes (support, info)Team collaboration email
Exam tip: Shared mailbox size and licensing

Shared mailboxes are free up to 50 GB. If the mailbox exceeds 50 GB, you must assign a licence (Exchange Online Plan 2 or an M365 licence). This bumps the limit to 100 GB. The exam may ask: β€œThe support shared mailbox is at 48 GB and growing. What should Marcus do?” Answer: Assign a licence or implement a retention policy to manage mailbox size.

Also note: shared mailboxes should NOT have passwords or direct sign-in. If you need to sign in directly (e.g., for a service account), convert it to a regular user mailbox with a licence.

Group-based licensing

Instead of assigning licences to individual users, you assign licences to groups. When a user joins the group, they automatically get the licence. When they leave, the licence is removed.

How it works

  1. Create a security group or M365 Group β€” e.g., LIC-M365-E5-Users
  2. Assign licences to the group in Entra admin center > Groups > select group > Licences
  3. Add users to the group β€” directly or via dynamic membership rules
  4. Licences are assigned automatically β€” Entra processes the assignment
  5. Monitor for errors β€” Entra shows processing status and any conflicts

Dynamic groups for automatic licensing

Dev sets up dynamic groups for NimbleCloud’s clients:

# Dynamic membership rule example
(user.department -eq "Engineering") and (user.country -eq "United Kingdom")

When a new engineer in the UK is created, they automatically join the group and receive their M365 E5 licence. No manual intervention needed.

Licence monitoring

Where to MonitorWhat It Shows
M365 admin center > Billing > LicencesAvailable vs assigned per subscription
Entra admin center > Groups > Licence processingGroup-based assignment status, errors
Usage reportsLicensed vs actually active users
Microsoft Graph APIProgrammatic licence queries for dashboards

Common group-based licensing errors

ErrorCauseFix
Not enough licencesMore group members than available licencesPurchase more licences or remove users
Conflicting service plansUser is in two groups assigning conflicting servicesAdjust group membership or disable specific service plans on one group
Missing usage locationUser doesn’t have usage location setSet usage location before licence assignment
Service plan dependencyA disabled service plan is required by another enabled planEnable the dependent service plan
Deep dive: Managing licence conflicts

When a user belongs to multiple groups that assign licences, conflicts can occur. For example:

  • Group A assigns M365 E3
  • Group B assigns M365 E5

Since E5 includes all E3 service plans, this creates an over-assignment (cost waste, not a processing error). The resolution:

  • Remove the user from the E3 group β€” E5 already includes everything in E3, so no functionality is lost
  • Or use service plan toggles to disable specific plans in one assignment

The Entra admin center flags these conflicts in the group’s licence processing status. The exam expects you to identify and resolve these scenarios.

Key concepts to remember

Question

What resources are automatically created when you create a Microsoft 365 Group?

Click or press Enter to reveal answer

Answer

A shared mailbox (group mailbox), a SharePoint Online team site, a Planner plan, and a shared OneNote notebook. Optionally, a Teams team can be added. This is why M365 Groups are the preferred collaboration type β€” they create the full workspace stack.

Click to flip back
Question

Do shared mailboxes require a Microsoft 365 licence?

Click or press Enter to reveal answer

Answer

No β€” shared mailboxes are free up to 50 GB. If the mailbox exceeds 50 GB, you must assign a licence (Exchange Online Plan 2 or M365 licence) to increase the limit to 100 GB. Shared mailboxes should not have direct sign-in enabled.

Click to flip back
Question

What happens when a user is removed from a group that has group-based licensing?

Click or press Enter to reveal answer

Answer

The licence assigned through that group is automatically removed from the user. If the user has the same licence from another group or direct assignment, they keep it. Group-based licensing only manages licences assigned through that specific group.

Click to flip back
Question

What is a dynamic group membership rule?

Click or press Enter to reveal answer

Answer

A rule that automatically adds or removes users from a group based on user attributes (department, country, job title, etc.). Requires Microsoft Entra ID P1 or P2. Example: (user.department -eq 'Sales') automatically adds all Sales users to the group.

Click to flip back

Knowledge check

Knowledge Check

Dev needs to set up a functional email address (support@nimblecloud.com) that three help desk staff can monitor and respond from. No individual licence should be consumed. What should Dev create?
Knowledge Check

Marcus creates a security group called 'LIC-M365-E5' and assigns Microsoft 365 E5 licences to it. He adds 200 users but 15 users show a licence processing error. The error is 'Missing usage location.' What should Marcus do?

Next up: Automate with PowerShell: Bulk User Operations β€” why real admins script it once and never click again.