M365 Group Types — Pick Yours — Free Mind Map

M365 Groups for collaboration — when the team needs Teams + a SharePoint site + shared email + Planner together. Creating a Team auto-creates one. Security Groups for access control — granting permissions to apps, files, Conditional Access targeting, licence assignment. The two are NOT interchangeable: you can't use a Security Group to back a Team, and you can't easily use an M365 Group as a Conditional Access target without converting it. When in doubt: 'people working together' = M365 Group; 'people who need access' = Security Group.

It's a Security Group that ALSO has an email address — emails sent to the group reach all members AND the group can be used for permission assignment. Useful in narrow cases: e.g., a department where you need to send announcement emails AND grant SharePoint access to the same set of people without managing two groups. Limitations: static membership only (no dynamic rules), can't be backed by Teams. Most modern orgs convert these to M365 Groups when possible.

A DL is a mail-only group — sending email to the DL fans out to all members. It's a holdover from on-prem Active Directory days. Microsoft has been gently nudging admins to upgrade DLs to M365 Groups (with the 'Upgrade Distribution List' button in admin centre) because M365 Groups give you a shared mailbox, files, calendar, and Teams in one go. DLs aren't deprecated outright but they're 'legacy' — new mail-only needs are usually better served as M365 Groups.

Yes since 2023. CA policies can target M365 Groups directly. Earlier you had to use a Security Group, then mirror its membership to the M365 Group with a workflow. Now both work. The remaining gotcha: dynamic M365 Group membership (rules-based) requires Entra ID P1 just like dynamic Security Groups.