How to Create a Group in OneDrive for Business (w/Examples) + FAQs

You create a group in OneDrive for Business by building a Microsoft 365 Group, a SharePoint site group, or an Entra ID security group inside the Microsoft 365 admin center, then pointing your OneDrive share link at that group. OneDrive for Business does not host groups on its own. It borrows identity from Microsoft Entra ID and collaboration scaffolding from SharePoint Online, which is why the “group” you create lives in one of those services and is then referenced when you share a file or folder.

The specific problem this solves is the chaos of one-by-one sharing. When a person leaves a team, their name lingers on every file they ever touched, and every new hire has to be added manually to dozens of folders. The governing framework here is role-based access control inside Microsoft 365, combined with the SharePoint permission inheritance model, which lets a single group identifier carry every permission a person needs.

According to the Microsoft Work Trend Index, the average Microsoft 365 user touches more than 250 shared files per month, and misrouted access is the single largest driver of help-desk tickets tied to OneDrive. That statistic matters because every misrouted share is a potential compliance event under laws such as HIPAA, SOX, and FERPA.

Here is what you will walk away with from this guide:

  • A step-by-step path to creating every group type that OneDrive for Business recognizes.
  • A plain-English map of how SharePoint permission levels flow into OneDrive shares.
  • The U.S. legal angles (HIPAA, SOX, FERPA, GLBA, and state privacy statutes) that shape how you design groups.
  • Named scenarios, three full tables, and seven-plus mistakes to avoid before you click Share.
  • Admin-level controls, PowerShell commands, and governance tips that keep your groups clean.

What “Group” Really Means in OneDrive for Business

OneDrive for Business is a personal cloud drive tied to a single user’s Entra ID account, so the platform does not, by itself, own a concept called “group.” When people say they want a group in OneDrive, they usually mean one of four different constructs that OneDrive can share to. The four are Microsoft 365 Groups, SharePoint site groups, Entra ID security groups, and Exchange distribution lists.

Each one answers a different question. A Microsoft 365 Group answers, “Who is on this team and what resources do they share?” A SharePoint site group answers, “Who can read, edit, or own this one site?” A security group answers, “Which people should receive this one permission assignment?” A distribution list answers, “Who gets this email?” and is the weakest for OneDrive sharing because it does not grant file permissions on its own.

The reason this matters is that Microsoft billing tiers, including Business Basic, Business Standard, Business Premium, E3, and E5, all include every group type. You do not need to upgrade to access the group model. You need to understand which model to use.

Microsoft 365 Groups

A Microsoft 365 Group is the most common container and is automatically tied to a SharePoint site, a shared mailbox, a Planner board, and, optionally, a Teams workspace. When you share a OneDrive folder with a Microsoft 365 Group, every member receives the permission through a single identifier managed by the group owner. The consequence of ignoring this model is that admins end up rebuilding permissions every time the team roster changes.

Consider Priya Patel, a marketing director at a 40-person agency. She creates a Microsoft 365 Group called “Q2 Product Launch” and shares her OneDrive folder “Launch Assets” with the group. When a new designer joins two weeks later, Priya adds the designer to the group and the designer instantly has folder access. A common misconception is that a Microsoft 365 Group is “just an email list.” It is not. It is a full identity object with a SharePoint backing.

SharePoint Site Groups

Every SharePoint site that was created by a Microsoft 365 Group also comes with three built-in SharePoint site groups: Owners, Members, and Visitors. These groups use SharePoint’s permission levels (Full Control, Edit, and Read) to decide what a person can do inside the site library. OneDrive for Business can share outward to any of these groups by pasting the group’s email alias or name into the share dialog.

The consequence of mixing them up is that a user dropped into Visitors can see a file but cannot edit it, and the file owner often blames OneDrive when the real cause is the SharePoint permission level. A common misconception is that adding a user as an “Owner” in SharePoint gives them control of the originating OneDrive folder. It does not, because OneDrive permissions are scoped to the owning user.

Entra ID Security Groups

Entra ID security groups are pure identity containers. They do not own a site, a mailbox, or a Teams chat. Their only job is to hold a list of people or devices that receive identical access. OneDrive treats a security group the same as any user during share evaluation.

Security groups shine when you need permission that spans many OneDrive folders owned by many users, such as granting a legal-hold team read access to documents owned by several custodians. A common misconception is that security groups automatically inherit Microsoft 365 licenses. They do not unless you add group-based licensing.

Distribution Lists

A distribution list is an email-only object. OneDrive can accept a distribution list in the share dialog, but the list is expanded at send-time and each recipient receives an individual sharing link. This means auditability is weak, because you cannot later see “who had access” by looking at the list.

The consequence is that distribution lists should be a last resort for file sharing. A common misconception is that they are interchangeable with Microsoft 365 Groups. They are not; the list has no SharePoint site, no Teams, and no group inbox that can be policed by an owner.

Pre-Work Before You Click Create

Before you create any group, confirm that your tenant allows group creation by non-admins or that you have the right admin role. The Groups Administrator and User Administrator roles can create groups in every workload, while standard users can only create Microsoft 365 Groups if the tenant toggle in Azure AD group settings is enabled.

You also need a naming policy. If you run a regulated workload under HIPAA or SOX, your naming convention should make the regulatory scope visible, such as “HIPAA-ClaimsReview” or “SOX-FinancialReporting.” The consequence of skipping a naming rule is that auditors cannot tell, at a glance, which groups touch regulated data.

Finally, decide privacy. A Microsoft 365 Group can be Public or Private. Public means anyone in the tenant can see the group’s content, which is a frequent source of accidental exposure under the FTC Safeguards Rule for financial institutions. Private means only members can see content, and should be the default for any group that will hold PII, PHI, or non-public financial data.

Step-by-Step: Create a Microsoft 365 Group

The fastest way to create a Microsoft 365 Group is through the Microsoft 365 admin center. Sign in as a Groups Administrator or Global Administrator, expand Teams & groups, and click Active teams & groups. Then click Add Microsoft 365 group and follow the wizard.

On the Basics page, type a name and description. Use a name that maps to a real project or department, because the name becomes the group’s SharePoint URL stub and cannot be changed cleanly later. The consequence of a sloppy name is a permanent mismatch between a project’s real identity and the URL.

On the Owners page, assign at least two owners. Microsoft recommends two so that the group survives an owner’s departure, and the consequence of a single owner is an orphaned group when the owner leaves the company. On the Members page, add the initial roster, and on the Settings page, choose the email alias, privacy level, and whether to create a connected Microsoft Team.

Creating the Group in Outlook

A Microsoft 365 Group can also be created from inside Outlook on the web. Click Groups in the left rail, then New group. Outlook asks for the same fields as the admin center but hides the Teams-connection checkbox. The result is the same object, so a self-service-created group and an admin-created group are identical in OneDrive’s sharing dialog.

A common misconception is that Outlook-created groups cannot be managed later by admins. They can, because every Microsoft 365 Group lives in the same Entra ID directory. If the tenant’s self-service policy allows standard users to make groups, your end users can build one in under a minute.

Creating the Group in Teams

When you create a new Microsoft Team, Microsoft 365 automatically creates an underlying Microsoft 365 Group with the same name. This is often the most convenient path for project teams, because you get a chat, a file tab, and a SharePoint team site in one action. The OneDrive sharing dialog will accept the Team name as a group identity because the underlying Microsoft 365 Group is recognized.

The consequence of this convenience is sprawl. Every Team creates a group, a SharePoint site, and a mailbox, so tenants that allow unchecked Teams creation can end up with thousands of orphaned objects. A common misconception is that deleting the Team deletes the group. Deleting a Team does delete the connected group, but only after a 30-day soft-delete window inside Entra ID.

Creating the Group with PowerShell

For bulk creation, use the Exchange Online PowerShell module and the New-UnifiedGroup cmdlet. A typical command looks like New-UnifiedGroup -DisplayName "HR-Policies" -Alias "hrpolicies" -AccessType Private. The consequence of scripting is a repeatable, auditable creation pipeline that proves to a SOX auditor that every group was stamped with the same attributes.

A real-world scenario is Marcus Johnson, an IT admin at a regional bank. Marcus uses a CSV and a foreach loop in PowerShell to create 42 SOX-tagged groups in one evening, each with a consistent owner pair, description, and naming prefix. A common misconception is that PowerShell-created groups behave differently in OneDrive’s share dialog. They do not, because the identity object is identical to a wizard-created group.
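A sketch of the CSV-and-loop pipeline described above, added here as an illustration and not taken from the article or from Microsoft. The CSV column names, the prefix list, and the contoso.example addresses are assumptions; the cmdlets and parameters are from the Exchange Online PowerShell module.

```powershell
# Added example: bulk creation with policy validation. Not the article's code.
# The CSV columns, prefixes and addresses below are assumptions / constructed data.
$AllowedPrefixes = @('SOX-', 'HIPAA-')          # assumed naming policy

# Constructed roster standing in for the CSV file described in the text.
$SampleCsv = @'
DisplayName,Alias,Description,Owner1,Owner2
SOX-FinancialReporting,sox-finrep,Quarterly SOX evidence,owner1@contoso.example,owner2@contoso.example
SOX-Payroll,sox-payroll,Payroll control evidence,owner1@contoso.example,owner1@contoso.example
Test1,test1,,owner1@contoso.example,owner2@contoso.example
'@

function Test-GroupRow {
    # Returns the policy violations for one CSV row (empty array = row is valid).
    param([Parameter(Mandatory)] $Row)
    $problems = @()
    if (-not ($AllowedPrefixes | Where-Object { $Row.DisplayName -like "$_*" })) {
        $problems += 'name lacks a regulatory prefix'
    }
    if ([string]::IsNullOrWhiteSpace($Row.Description)) {
        $problems += 'description is empty'
    }
    if ([string]::IsNullOrWhiteSpace($Row.Owner1) -or
        [string]::IsNullOrWhiteSpace($Row.Owner2) -or
        $Row.Owner1 -eq $Row.Owner2) {
        $problems += 'two distinct owners are required'
    }
    return ,$problems
}

function New-PolicyGroup {
    # Creates one Private group per valid row; invalid rows are skipped and reported.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] $Row)
    process {
        $problems = Test-GroupRow -Row $Row
        if ($problems.Count -gt 0) {
            Write-Warning "Skipping '$($Row.DisplayName)': $($problems -join '; ')"
            return
        }
        if ($PSCmdlet.ShouldProcess($Row.DisplayName, 'Create Private Microsoft 365 Group')) {
            # Same parameters as the command in the text, plus description and first owner.
            New-UnifiedGroup -DisplayName $Row.DisplayName -Alias $Row.Alias `
                -AccessType Private -Notes $Row.Description -Owner $Row.Owner1 | Out-Null
            # The second owner has to be a member before being promoted to owner.
            Add-UnifiedGroupLinks -Identity $Row.Alias -LinkType Members -Links $Row.Owner2
            Add-UnifiedGroupLinks -Identity $Row.Alias -LinkType Owners  -Links $Row.Owner2
        }
    }
}

# Dry run over the constructed rows: nothing is sent to Exchange Online.
$SampleCsv | ConvertFrom-Csv | New-PolicyGroup -WhatIf

# Real run (needs the ExchangeOnlineManagement module and an admin session):
#   Connect-ExchangeOnline
#   Import-Csv .\groups.csv | New-PolicyGroup
```

Keeping the validation in its own function means the same rules can be run against the CSV during review, before anyone holds an admin session.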

Step-by-Step: Create a SharePoint Site Group

If you only need permissions on one SharePoint site that backs a OneDrive share, create a SharePoint site group instead of a Microsoft 365 Group. Open the site, click the gear icon, choose Site permissions, and then click Advanced permissions settings. From the classic permissions page, click Create Group and define the group name, owner, and permission level.

The reason this is useful is that SharePoint site groups are scoped to a single site, so they are more surgical than a tenant-wide Microsoft 365 Group. The consequence of creating them without documentation is that new admins cannot tell why a site has four custom groups instead of the default three.

Choosing a Permission Level

SharePoint ships with four default permission levels: Full Control, Design, Edit, and Read. Full Control should be limited to Owners because it allows permission changes. Edit is the right level for most collaborators because it allows adding, updating, and deleting list items and files but not permission changes. Read is right for reviewers who must see but never alter files.

Consider Sofia Nakamura, an attorney who runs a litigation workroom. Sofia adds her paralegals to a custom SharePoint group called “Case-Paralegals” with Edit permission, and adds opposing-counsel reviewers to a “Case-Visitors” group with Read. A common misconception is that Read blocks downloading. It does not by default, so Sofia layers a sensitivity label on the folder to block downloads where required.

Adding Members to a Site Group

Once the group exists, click its name on the People and Groups page and choose New. Type the user’s name or the name of an Entra ID security group. Click Share and uncheck the email notification if you do not want to send a welcome note.

The consequence of forgetting to uncheck the notification is that users get flooded with share emails during bulk onboarding. A common misconception is that SharePoint site group membership flows back into Microsoft 365 Group membership. It does not, so a user added only to a site group never appears in the connected Teams chat or Outlook group.

Step-by-Step: Create an Entra ID Security Group

Security groups live in the Microsoft Entra admin center. Navigate to Identity > Groups > All groups, click New group, select Security as the group type, and give it a name and description. Choose Assigned if you want to manage members manually, or Dynamic User if you want membership to follow an attribute such as department.

The consequence of using Dynamic User membership is automatic, attribute-driven access. The consequence of using Assigned is predictable membership that requires manual upkeep. Pick based on how often the target population changes.

Dynamic Membership Rules

Dynamic membership rules use a compact query language. The rule user.department -eq "Finance" automatically makes every Finance employee a member. This is powerful for OneDrive sharing because a single folder shared with the group stays in sync with HR data.

The consequence of a broken rule is silent exclusion. A common misconception is that Dynamic groups are free on every license. They require Microsoft Entra ID P1 or P2, which ships with E3 and E5.

Nesting and Naming

Entra ID security groups can be nested inside Microsoft 365 Groups for “team-of-teams” scenarios, but nesting is not honored by every workload. OneDrive’s share dialog respects a nested security group when the group is added to a SharePoint site permission set, but it does not honor nested groups added directly to a file.

A common misconception is that every nested layer shows up in the Access Review. It does not, so deep nesting hides who really has access. Keep nesting shallow, and document it in a governance sheet.

Step-by-Step: Share OneDrive Content With a Group

Once the group exists, open OneDrive on the web and right-click the file or folder you want to share. Click Share, type the group name or email alias, and choose the permission level from the dropdown. Click Send or Copy link.

The reason this works is that OneDrive passes the group identifier to the underlying SharePoint permissions engine, which looks up the membership at access time. The consequence of sharing with an email alias that does not resolve is a silent failure where the link is created but no one has access.

Via the Desktop Sync Client

From the desktop OneDrive sync client, right-click a synced folder, choose OneDrive > Share, and complete the same dialog. The dialog is identical, and the resulting permissions flow to the cloud within seconds.

The consequence of sharing from the desktop is the same as the web, but the desktop path is familiar to non-technical users. A common misconception is that the desktop client uses a different permission engine. It does not.

Via the Mobile App

On iOS and Android, tap the three-dot menu next to a file, tap Share, and enter the group name. Mobile does not yet support all the advanced link settings, such as link expiration.

The consequence is that mobile shares should be reserved for quick grants. A common misconception is that mobile links bypass tenant sharing policy. They do not; every link is evaluated against the tenant external sharing settings.

Three Real-World Scenarios

Real scenarios are the fastest way to see how groups and OneDrive intersect.

| Situation | Outcome |
| --- | --- |
| Priya shares her “Launch Assets” folder with the Microsoft 365 Group “Q2 Product Launch” and sets Edit permission | Every current and future group member gains Edit access automatically, and Priya never touches the folder again after the initial share |
| Marcus shares quarterly SOX evidence folders with the security group “SOX-Evidence-Reviewers” | Auditors and controllers see the same files, and a membership change through HR’s dynamic rule removes a departing controller within 24 hours |
| Sofia shares a case folder with the SharePoint “Case-Visitors” group on a single site | Opposing counsel can Read the file, sensitivity labels block downloads, and the access disappears when the case site is retired |

| Mistake | Impact |
| --- | --- |
| Using a distribution list to share a sensitive folder | Access is expanded at send time, no group identity sits on the file, and auditing cannot later identify who received the link |
| Leaving a Microsoft 365 Group Public when it holds PHI | Any tenant user can discover and open the folder, creating a reportable HIPAA disclosure under 45 CFR 164.402 |
| Sharing directly with individual users instead of a group | Permissions become unmanageable, and offboarding requires hunting down every file |

| Compliance Trigger | Group Design Response |
| --- | --- |
| HIPAA PHI stored in OneDrive | Create a Private Microsoft 365 Group with named owners, apply a “Confidential-PHI” sensitivity label, and restrict external sharing |
| SOX financial reporting evidence | Use a dedicated security group, enable access reviews, and lock the container with a retention label aligned to SEC Rule 17a-4 |
| FERPA student records in a university OneDrive | Scope to a SharePoint site group, block guest access, and log every share with Microsoft Purview Audit |

Admin Controls That Shape Every Group

Group creation does not happen in a vacuum. The SharePoint admin center and the Microsoft 365 admin center hold policies that shape every share.

The most important toggles are external sharing scope, guest access, default sharing link type, and link expiration. Each toggle changes how a group-shared OneDrive folder behaves in the wild.

External Sharing Scope

The tenant-level external sharing control caps every site and every OneDrive. If the tenant setting is “Only people in your organization,” then sharing with a group that contains guests still silently blocks the guests. The consequence of mismatched scope is user confusion, because the share looks successful in the UI.

A real-world example is Elena Brooks, a project manager who adds an outside vendor to a Microsoft 365 Group and then cannot understand why the vendor never sees the folder. The fix is to align the tenant policy, the site policy, and the group’s guest-access flag.

Guest Access

The guest access flag on a Microsoft 365 Group must be on before a group can include outside users. The consequence of leaving it off while admitting a guest is that the guest is created in Entra ID but never resolves during permission checks.

A common misconception is that guest access costs extra. It is free under Entra External ID’s MAU model for the first 50,000 guests per month, which covers almost every small and mid-sized business.

Link Expiration and Default Link Type

Set a default link expiration at the tenant level, typically 30 or 90 days, using the SharePoint admin center. The consequence of never expiring links is that an old share with a long-gone contractor remains valid for years.

A common misconception is that changing the default link type from “Anyone” to “People in your organization” breaks existing links. It does not; it only affects new links.
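The interaction between tenant scope, site scope, and the group's guest flag can be checked mechanically. The following is an added example, not code from the article or from Microsoft: the function name and the sample objects are hypothetical, the guest flag is passed in by the caller, and the property names and values are those reported by Get-SPOTenant and Get-SPOSite.

```powershell
# Added example: why a share "looks successful" but a guest sees nothing.
# Sample objects are constructed; Get-SharingFinding is a hypothetical helper.

# Least to most permissive SharingCapability values.
$SharingRank = @{
    Disabled                        = 0   # "Only people in your organization"
    ExistingExternalUserSharingOnly = 1
    ExternalUserSharingOnly         = 2
    ExternalUserAndGuestSharing     = 3   # "Anyone"
}

function Get-SharingFinding {
    param(
        [Parameter(Mandatory)] $Tenant,                    # shape of Get-SPOTenant output
        [Parameter(Mandatory)] $Site,                      # shape of Get-SPOSite output
        [Parameter(Mandatory)] [bool] $GroupAllowsGuests   # group guest-access flag, supplied by caller
    )
    $t = $SharingRank[[string]$Tenant.SharingCapability]
    $s = $SharingRank[[string]$Site.SharingCapability]
    $effective = [Math]::Min($t, $s)     # the tenant setting caps every site
    $findings = @()

    if ($s -gt $t) {
        $findings += 'site scope is wider than tenant scope; the tenant cap wins'
    }
    if ($effective -eq 0 -and $GroupAllowsGuests) {
        $findings += 'group admits guests but sharing scope blocks them'
    }
    if ($effective -gt 0 -and -not $GroupAllowsGuests) {
        $findings += 'sharing scope allows guests but group guest access is off'
    }
    if ([string]$Tenant.DefaultSharingLinkType -eq 'AnonymousAccess') {
        $findings += 'default link type is Anyone'
    }
    if ($effective -eq 3 -and $Tenant.RequireAnonymousLinksExpireInDays -le 0) {
        $findings += 'Anyone links never expire'
    }
    return ,$findings
}

# Constructed case matching the vendor scenario: tenant locked to the organization,
# site and group both configured as if guests were allowed.
$tenant = [pscustomobject]@{
    SharingCapability                 = 'Disabled'
    DefaultSharingLinkType            = 'Internal'
    RequireAnonymousLinksExpireInDays = 0
}
$site = [pscustomobject]@{ SharingCapability = 'ExternalUserSharingOnly' }

Get-SharingFinding -Tenant $tenant -Site $site -GroupAllowsGuests $true

# Live use (needs the SharePoint Online Management Shell and Connect-SPOService):
#   Get-SharingFinding -Tenant (Get-SPOTenant) `
#       -Site (Get-SPOSite -Identity 'https://<tenant>.sharepoint.com/sites/<site>') `
#       -GroupAllowsGuests $true
```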

Mistakes to Avoid

Many of the worst problems in OneDrive group sharing come from a short list of repeated errors. Avoid these nine.

  • Creating a group with only one owner, because the group becomes orphaned when the owner leaves and a help-desk ticket is required to reassign it.
  • Skipping the naming policy, because auditors cannot later identify which groups hold regulated data.
  • Leaving a Microsoft 365 Group Public when it holds PII, because any tenant user can browse in and create a potential breach notification trigger.
  • Sharing with a distribution list for convenience, because the list has no identity on the file and breaks auditability.
  • Using “Anyone” links on a folder shared with a group, because the link supersedes group membership and creates a parallel, uncontrolled access path.
  • Adding individuals directly to OneDrive alongside the group share, because permission sprawl returns within weeks.
  • Forgetting to enable guest access before inviting a vendor, because the share looks valid but the guest never gains access.
  • Relying on a distribution list for HIPAA-covered data, because the U.S. Department of Health and Human Services treats unauditable access as a HIPAA Security Rule violation.
  • Nesting security groups too deeply, because access reviews cannot follow the chain and effective access becomes a mystery.
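Three of these mistakes are visible from group attributes alone and can be caught with a periodic audit. This is an added example, not code from the article: the prefix lists, the function names, and the sample groups are assumptions, and the live snapshot uses Get-UnifiedGroup and Get-UnifiedGroupLinks from the Exchange Online module.

```powershell
# Added example: governance audit of Microsoft 365 Groups. Not the article's code.
# Prefix lists and the sample groups are assumptions / constructed data.
$RegulatedPrefixes = @('HIPAA-', 'SOX-', 'FERPA-')
$AllowedPrefixes   = $RegulatedPrefixes + @('PRJ-', 'DEPT-')

function Get-GroupFinding {
    # Input: objects with DisplayName, AccessType and Owners (array of addresses).
    param([Parameter(Mandatory, ValueFromPipeline)] $Group)
    process {
        $name      = $Group.DisplayName
        $owners    = @($Group.Owners | Where-Object { $_ })   # drop null/empty entries
        $regulated = [bool]($RegulatedPrefixes | Where-Object { $name -like "$_*" })
        $inPolicy  = [bool]($AllowedPrefixes   | Where-Object { $name -like "$_*" })

        $findings = @()
        if ($owners.Count -lt 2) {
            $findings += 'fewer than two owners (orphan risk)'
        }
        if ($regulated -and $Group.AccessType -eq 'Public') {
            $findings += 'regulated group is Public'
        }
        if (-not $inPolicy) {
            $findings += 'name carries no naming-policy prefix'
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{ Group = $name; Findings = $findings -join '; ' }
        }
    }
}

function Get-TenantGroupSnapshot {
    # Live data source; requires Connect-ExchangeOnline first.
    Get-UnifiedGroup -ResultSize Unlimited | ForEach-Object {
        [pscustomobject]@{
            DisplayName = $_.DisplayName
            AccessType  = [string]$_.AccessType
            Owners      = @(Get-UnifiedGroupLinks -Identity $_.PrimarySmtpAddress -LinkType Owners |
                            Select-Object -ExpandProperty PrimarySmtpAddress)
        }
    }
}

# Constructed sample so the checks can be exercised offline.
$SampleGroups = @(
    [pscustomobject]@{ DisplayName = 'HIPAA-ClaimsReview';     AccessType = 'Public'
                       Owners = @('a@contoso.example', 'b@contoso.example') }
    [pscustomobject]@{ DisplayName = 'SOX-FinancialReporting'; AccessType = 'Private'
                       Owners = @('a@contoso.example') }
    [pscustomobject]@{ DisplayName = 'Test1';                  AccessType = 'Private'
                       Owners = @('a@contoso.example', 'b@contoso.example') }
    [pscustomobject]@{ DisplayName = 'PRJ-Q2 Product Launch';  AccessType = 'Private'
                       Owners = @('a@contoso.example', 'b@contoso.example') }
)

$SampleGroups | Get-GroupFinding | Format-Table -AutoSize -Wrap

# Live run:
#   Connect-ExchangeOnline
#   Get-TenantGroupSnapshot | Get-GroupFinding | Export-Csv .\group-findings.csv -NoTypeInformation
```

A Public group that holds regulated data under an unprefixed name is only caught by the third check, which is why the naming policy has to be enforced before the privacy check can be trusted.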

Do’s and Don’ts

Clear rules make group design easier.

  • Do assign at least two owners to every Microsoft 365 Group, because the group survives an owner’s departure.
  • Do use a naming policy that encodes regulatory scope, because auditors can filter in seconds.
  • Do review group membership quarterly, because roles drift and stale membership is a common NIST 800-53 finding.
  • Do train users to share to groups, not people, because one grant replaces dozens.
  • Do monitor guest access with access reviews, because guests accumulate silently.
  • Don’t reuse a group across unrelated projects, because permission history becomes unreadable.
  • Don’t hand out Full Control casually, because it allows permission changes that bypass your design.
  • Don’t let users create groups without a naming rule, because the tenant fills up with “Test1” and “Project.”
  • Don’t rely on email alone to communicate access, because the audit trail lives in Entra ID and Purview, not Outlook.
  • Don’t delete a group casually, because the 30-day soft delete still exposes files to restoration risk.

Pros and Cons of Group-Based Sharing

Every approach has trade-offs.

  • Pro: One grant covers every current and future member, which eliminates most offboarding work.
  • Pro: Audit tools can report on a single group rather than thousands of individual shares.
  • Pro: Regulatory scope is visible in the group name and labels.
  • Pro: Group-owned sites come with Teams, Planner, and a mailbox for free.
  • Pro: Access reviews run cleanly against a group.
  • Con: Group sprawl happens when any user can create a group, which forces governance effort.
  • Con: Public Microsoft 365 Groups can leak content across the tenant.
  • Con: Distribution lists masquerade as groups and confuse users.
  • Con: Nested security groups complicate effective-access analysis.
  • Con: Guest access adds attack surface that must be reviewed often.

U.S. Legal Lens on Group Design

U.S. federal law shapes how you architect groups, especially when OneDrive holds regulated data. Start with HIPAA’s Privacy Rule and Security Rule, which require access controls that limit PHI exposure to the minimum necessary. Group-based sharing is the most defensible way to meet the “minimum necessary” standard because it is documentable.

Next, consider Sarbanes-Oxley Section 404, which requires internal controls over financial reporting. Group-based access to SOX evidence folders, combined with access reviews, satisfies the control-evidence requirement that auditors expect.

For higher-education providers, FERPA restricts disclosure of student education records without consent. Scoping OneDrive shares to a named SharePoint site group, rather than a tenant-wide Microsoft 365 Group, is the cleanest way to show the Department of Education that access is limited.

Financial institutions fall under the Gramm-Leach-Bliley Act and the FTC Safeguards Rule, which require a written information-security program. Group-based sharing, paired with Microsoft Purview DLP, supplies the technical side of that program.

State law also matters. The California Consumer Privacy Act and the New York SHIELD Act both require reasonable access controls, and a documented group design is the simplest way to show reasonableness. The consequence of ignoring state law is statutory damages that can stack per record.

Forms, Fields, and Choices in the Group Wizard

The Microsoft 365 admin center group wizard has five pages, and each one carries decisions with consequences.

  • Basics > Name: becomes the group display name and email alias stub, and cannot be renamed cleanly once SharePoint URLs are baked in.
  • Basics > Description: is optional but drives discoverability, and empty descriptions hide the group’s purpose.
  • Owners > Names: must contain at least one owner, and best practice is two to avoid orphaning.
  • Members > Names: can be empty at creation, because you can add members later, but leaving it empty delays access for early users.
  • Settings > Email address: is the SMTP alias and cannot be changed casually because email history is attached.
  • Settings > Privacy: is Public or Private, and Private is the right default for regulated data.
  • Settings > Teams toggle: creates a connected Microsoft Team, which is helpful if the group will chat, and wasteful if not.

The consequence of rushing any one of these choices is a group that fights its owners for months. A common misconception is that every field can be edited later. The display name and privacy can change, but the email alias history and SharePoint URL cannot.

Key Entities You Should Know

Understanding the moving parts makes every decision easier.

  • Microsoft Entra ID is the identity directory that stores every user, group, and guest.
  • Microsoft 365 Admin Center is the primary management portal for groups and users.
  • SharePoint Online supplies the site, the library, and the permission engine behind every Microsoft 365 Group.
  • OneDrive for Business is the personal drive that borrows SharePoint’s permission engine when it shares.
  • Microsoft Teams is the chat and meeting workload that auto-creates a Microsoft 365 Group when a team is built.
  • Microsoft Purview is the compliance suite that applies sensitivity labels, DLP, and retention to group-shared content.
  • Microsoft Planner is the task workload that every Microsoft 365 Group includes.
  • Exchange Online is the mail workload that supplies the group mailbox and distribution list machinery.

The consequence of thinking any of these is optional is a blind spot in governance. A common misconception is that Entra ID is the same as “Azure AD.” The service was renamed in 2023, and the capabilities are continuous.

Rulings and Enforcement Precedents Worth Knowing

U.S. enforcement history shapes modern group design. The Anthem HIPAA settlement of $16 million in 2018 arose in part because access controls failed to limit who could reach 78.8 million member records. Group-based sharing, with owners and reviews, is a direct response.

The SEC’s action against R.R. Donnelley in 2024 for internal-controls failures after a cybersecurity incident reminded every public company that access design is not just an IT problem. A documented group architecture is part of the controls story an auditor wants to see.

The FTC’s Drizly consent order named the CEO personally for years of unremediated security gaps that included weak access controls. A clean OneDrive group design is part of the evidence a company can present to avoid similar exposure.

FAQs

Can I create a group directly inside OneDrive for Business?

No. OneDrive does not host its own groups; you create the group in the Microsoft 365 admin center, Entra ID, SharePoint, or Teams, and then reference that group when sharing a file or folder.

Does sharing with a Microsoft 365 Group automatically add people later?

Yes. A share to a Microsoft 365 Group is evaluated at access time, so every new member inherits the existing permission without re-sharing the folder.

Can I share a OneDrive folder with a distribution list?

Yes. The share dialog accepts a distribution list, but it expands at send time, grants individual links, and removes group-level auditability, so it is not recommended.

Is Microsoft 365 Group creation restricted to admins?

No. By default, any licensed user can create a Microsoft 365 Group, but admins can restrict creation to a specific security group using Entra ID group settings.

Do security groups include a SharePoint site?

No. Security groups are identity-only containers, so they do not ship with a site, mailbox, or Teams workspace.

Can I convert a distribution list into a Microsoft 365 Group?

Yes. The Exchange admin center offers an upgrade button on eligible distribution lists, which migrates the membership and creates the full Microsoft 365 Group stack.

Does deleting a group remove OneDrive shares?

Yes. Deleting the group removes the identity from access tokens, so existing group-based shares stop resolving as soon as the soft-delete window closes.

Can guests be added to a Microsoft 365 Group for OneDrive sharing?

Yes. Guests can join when the tenant, the group, and the SharePoint site all allow external sharing, and the guest identity is created in Entra External ID.

Is group-based sharing enough for HIPAA compliance?

No. Groups are one layer; you also need sensitivity labels, DLP, audit logging, and a signed business-associate agreement with Microsoft before storing PHI.

Do I need Microsoft Entra ID P1 for dynamic groups?

Yes. Dynamic membership rules require Entra ID P1 or P2, which are included in Microsoft 365 E3, E5, and Business Premium.

Can I audit who accessed a group-shared folder?

Yes. Microsoft Purview Audit captures file access events tied to the group identity, and the log is searchable by file, user, or group.

Will renaming a group break existing OneDrive shares?

No. The group’s object ID stays stable during a rename, so existing shares continue to resolve to the same identity.