Browse Author

Drew Madelung

This is my site!

Managing Office 365 Groups Using Azure AD Powershell V2

group1

Introduction

Azure AD PowerShell is an incredibly useful tool for management.  V2 was released as GA (general availability) in Dec 2016.  
This means that you could begin to utilize the new cmdlets in your production environment.  There is currently not dual functionality from the V1 MSOL cmdlets so both will still need to be used as V2 continues to develop.  There is also a preview set of cmdlets that you can download and use that has some extended features beyond just V2.  The V1 module will begin to be deprecated as V2 continues to advance.  I would recommend working with V2 when possible and only going back to V1 as needed.  

I won’t be going through all of the differences between these versions but will be shedding some light on the differences for Office 365 Group management from V1 to now.  This is a follow up to my original post: Managing Office 365 Group Creation via Azure AD

Links:

Quick V1 vs. V2 Examples

The big difference from V1 to V2 is that the majority of cmdlets that used *-MSOL* cmdlets are now *-AzureAD*.  The full list of cmdlets can be found through the links above. 

To connect using V1 you would use:

V2 you now use:

To get a user in V1 you would use:

V2 you now use:


Managing Groups using Azure AD PowerShell V2

To perform Group management you will need to use the V2 Preview cmdlets (download above) until they are rolled into V2.  The same Office 365 groups settings in Azure AD PowerShell available in V1 are currently not available in V2.  Hopefully when that happens they won’t change much from when I am writing this. 

The primary cmdlets utilized in V1:

Their comparison in V2:

The way that these are updated are also different.  That means you can not simply replace “MsolAllSettings” with “AzureADDirectorySetting” in your scripts.  There are different parameters that you need to pass and functions not available.  


You can currently see these values but not all can bet set. 

Name : ClassificationDescriptions – NOT YET SUPPORTED
Description : A comma-delimited list of structured strings describing the classification values in the ClassificationList. The structure of the string is: Value: Description

Name : DefaultClassification – NOT YET SUPPORTED
Description : The classification value to be used by default for Unified Group creation.

Name : PrefixSuffixNamingRequirement – NOT YET SUPPORTED
Description : A structured string describing how a Unified Group displayName and mailNickname should be structured. Please refer to docs to discover how to structure a valid requirement.

Name : AllowGuestsToBeGroupOwner
Description : Flag indicating if guests are allowed to be owner in any Unified Group.

Name : AllowGuestsToAccessGroups
Description : Flag indicating if guests are allowed to access any Unified Group resources.

Name : GuestUsageGuidelinesUrl
Description : A link to the Group Usage Guidelines for guests.

Name : GroupCreationAllowedGroupId
Description : Guid of the security group that is always allowed to create Unified Groups.

Name : AllowToAddGuests
Description : Flag indicating if guests are allowed in any Unified Group.

Name : UsageGuidelinesUrl
Description : A link to the Group Usage Guidelines.

Name : ClassificationList
Description : A comma-delimited list of valid classification values that can be applied to Unified Groups.

Name : EnableGroupCreation
Description : Flag indicating if group creation feature is on.


Steps to Create new Directory Settings for Groups template

There are multiple templates that are part of your Azure AD tenant.  This template can contain a settings object which has a collection of values.  Within these values are where we can set the parameters above.  This needs to be done before you can set any values.  If you already have this you can move to the section below.  

1 – Connect to Azure AD via PowerShell

2 – Review if you have any settings currently configured in your tenant

3a – If you have directory settings returned it will look like this (properties subject to change over time)

 

3b – If you have NO settings returned it will look like this and new directory settings will need to be created

Run this command to create the new directory settings

4 – Review your updated settings; you can now see the default values for the directory settings object created for the Groups template


Steps to set Group Settings

1 – Connect to Azure AD via PowerShell

2 – Review if you have any settings currently configured in your tenant

3a – If you have directory settings returned it will look like this (properties subject to change over time)

3b – If you have NO settings returned it will look like this and new directory settings will need to be created and follow the steps above

4 – Examples of Group settings

All settings below will use the Get-AzureADDirectorySetting cmdlet and store that in a variable and then use the Set-AzureADDirectorySetting cmdlet with the updated settings.  The full command to run a setting update is:

I will walk through some of the common scenarios and how to configure the settings parameters.  If you run any of the

Restricting Group Creation for all except users in a specific group

Enter the group you want to use in the “ENTER..” section.

Setting Group classification

Use comma delimited values for the classifications.

Setting Guidelines URL

Enter a valid URL to a page or document that holds your guidelines.

Restrict all access for guest users to Groups including ones that were already granted access

Restrict the ability to add any new guest users but not restrict existing

Setting all Group settings

With some examples.

5 – Review your updated settings


Steps to remove Group Settings

1 – Connect to Azure AD via PowerShell

2 – Remove your directory settings, follow the steps above to create new


More Scripts

All of these Office 365 Group scripts for V2 can be found on Github. Large thanks to Tony Redmond, Santhosh Balakrishnan, and Juan Carlos Martin for their work they have already done and multiple supporting scripts.  The scripts from this post are under the file: DrewO365GroupsScripts – Azure AD Cmdlets

Please feel free to contribute!

https://github.com/dmadelung/O365GroupsScripts

Hide Sync for Sites via PowerShell in SharePoint Online – Offline Client Availablity

Offline Client Availability is built within SharePoint to “Prevent users from downloading content from a site” via MS support.   There is not a way that I am aware of to fully stop existing syncs, but what is capable is to hide the Sync option from the views within the document library.  This setting can be done at the site and the library level.  

When working at the site level, this setting actually exists at the “Web” level within SharePoint.  This means its not a site collection level and needs to be set per site, including all subsites. 


What it looks like when done

This is what you will see with this setting set to NO:

Modern experience (no sync option)

Classic experience (sync option greyed out)


This is what you see with this setting set to YES:

Modern experience

Classic experience


Setting via Browser

The Offline Client Availability option can be set by single site under…

  1. On the site, click Settings > Site Settings.
  2. Under Search, click Search and offline availability.
  3. In the Offline Client Availability section, select No.


 

Setting via PowerShell powershell2

There was a good discussion going on within the MS Tech Community site around the ability to restrict sync via scripting and I tried to put together what I could to support it.  Obviously it would be tedious to try to set that for all sites and subsites across your tenant.  This was my first published attempt for CSOM so I used some great references to get me through it and this is probably rough around the edges.  All feedback is helpful!

Setting this CSOM web property (ExcludeFromOfflineClient) to true does not disable synchronization. Instead, it represents a recommendation to the client not to attempt synchronization via technet.

Ensure that you update the <script path> section near the header with the path to your CSOM files. Ensure you have at least the August 2016 version of CSOM.  Link to latest Nuget for download.

Link to download most recent version of powershell script from TechNet gallery

16235-illustration-of-a-green-download-button-pv


Used helpful references 

So much good info already out there that helped me get started; Thank you!

Get-SPOSite Now Returns Office 365 Group and Video Site Collections

For the longest time it was not possible to see Office 365 Group and Office 365 Video site collections in PowerShell using the SharePoint Online Management Shell and the Get-SPOSite cmdlet.  If you declared the site directly you could see the site.  Also if you used the Set-SPOSite cmdlet to set values of the site it would work but you couldn’t see all sites with one cmdlet.  As of a recent release this is now possible. 

You can also now use a -Template command to limit the query based on the site collection template which will allow you to get only Office 365 Video or Group site collections

Get all Office 365 Group site collections

Get all Office 365 Video site collections

Locking a SharePoint Online Site Collection

Within SharePoint Online you have the ability to completely lock down a site collection so no one can get access to it.  This is set via PowerShell and the SharePoint Online Management Shell.  Here are instructions on how to get started using connecting to SharePoint Online via PowerShell.  This lock can also be set on a user’s OneDrive for Business site collection.

Along with the ability to lock a site collection you can also set a redirect URL for the tenant for any locked sites that are accessed.  That means that when a user tries to access that locked site they will be redirected to the URL that you provided at the tenant level.  This could be helpful to provide instructions or further info for anyone letting them know that the site they were trying to access has been locked.  If no redirect URL is set they will receive a 403 error. 

NOTE: As of writing this post you are not able to set a lock state of a site provisioned with an Office 365 Group even though the PS cmdlets say it should be possible.  I will demo the actions later in this post but I have contacted Microsoft on this error and they state it is currently as designed and the error received is incorrect. 

The PowerShell cmdlets that are used to set this up are:


Steps to lock or unlock a site collection

1 – Connect to SharePoint Online

2 – Locking – Set the -LockState of the site collection to “NoAccess” while replacing the domain and sitecollection info to lock the site

  • This can also be a OneDrive for Business site collection (i.e. https://domain-my.sharepoint.com/personal/usersite)

 

2(a) – Unlocking – Set the -LockState of the site collection to “Unlock” while replacing the domain and sitecollection info to unlock the site

3 – Navigate to the URL to confirm and use PowerShell to confirm locked state


Steps to set a tenant redirect URL

1 – Connect to SharePoint Online

2 – Set the NoAccessRedirectURL of the tenant to a URL while replacing the domain and sitecollection info

3 – Navigate to the URL to confirm the redirect.  This may take a few minutes

To remove the NoAccessRedirectURL you can pass in an empty string


Trying to lock an Office 365 Group site

Here is the error you receive when trying to lock a group site:

 

Set-SPOSite : https://domain.sharepoint.com/sites/drewtesto365group is a OneDrive for Business site collection. The only valid parameters for this type of site collection are ‘-Identity’, ‘-StorageQuota’, ‘-StorageWarningLevel’, ‘-LockState’ and ‘-SharingCapability’.
At line:1 char:1
+ Set-SPOSite -Identity https://domain.sharepoint.com/sites/dre …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Set-SPOSite], ServerException
+ FullyQualifiedErrorId : Microsoft.SharePoint.Client.ServerException,Microsoft.Online.SharePoint.PowerShell.SetSite

The error declares it as a OneDrive for Business site collection and says that -LockState is a valid parameter yet still doesn’t work.  I opened a support ticket with Microsoft and this was their resolution:

“It is by design Issue. We can lock a site collection however we cannot lock a unified group site.”

If this is something that you need I would recommend adding to to Uservoice.  If you need to “lock” an Office 365 Group site the best way as it exists when I am writing this is to remove permissions within the group.


Getting status of all locked site collections in a tenant

At this point Get-SPOSite will not return any OneDrive for Business or Group sites.  There is new parameter called “-IncludePersonalSite” which at some point should return OneDrive sites via this cmdlet.  If you run this now you get the error:

WARNING: SharePoint Online does not support these new features yet.

 

Woah, I’m a Microsoft MVP

I got an email this morning that I never really thought I would see.  I was honored with being awarded the Microsoft MVP award under the Office Servers and Services community.  

I have been working with Microsoft technologies since I started my career in the IT industry as an intern at a manufacturing company.  I was doing PC tech support at that point and since then have worked across the Microsoft stack.  I moved through development and infrastructure jobs and slowly settled into the world of SharePoint.  I quickly found the SharePoint community to be a vital, interesting, fun, close-knit group of people all centered around SharePoint.  I began going to my local user group and SharePoint Saturdays to learn as much as I could.  I finally took the plunge and submitted to speak and was accepted.  That started a train that hasn’t stopped since!  

I have met and am thankful for so many folks in this community.  Without the mentorship and assistance from the SharePoint community there’s no way I would be where I am now.  The world of SharePoint and Office 365 is growing at a lightning pace and I can’t wait to see what’s next!


What is the Microsoft MVP award?

The MVP award is unique in that there is not a test or certification path.  It is based on contributions to the community.  These range but can be such things as forums, blogs, speaking, books, and everything in between. 

Here is a link the overview straight from Microsoft.