Browse Tag

disable

Automatically Created Office 365 Groups Based on Direct Reports Coming Soon – (Now Limited Release)

group1

UPDATE 3/21/2017 from Microsoft

Microsoft has released a new update to this roll out stating: 

**We listened to your concerns and have decided to limit the rollout of this feature to a smaller set of customers (notified via MC94808) whom we will work with directly to ensure feedback is considered, and the feature has a positive impact. We thank you all for your constructive feedback, we have learned a few lessons and look forward to continued Group innovations in the future.**

So thankfully the voice of the community has been heard and this below information now relates to the original global release.  There was a ton of discussion around this on the MS Tech Community site and on Twitter. 

Here is the new message in the message center:

Now back to the original post with some slight tweaks….


Last Friday an interesting new message that caught me off guard popped up in my message center titled – Auto creation of Direct Reports group in Outlook

Here are the contents of the message:


Auto creation of Direct Reports group in Outlook
MC96611
Published On : March 17, 2017
Expires On : April 28, 2017
 
To help managers collaborate more effectively with their employees, we will automatically create Office 365 Groups containing the manager’s direct reports. Managers can easily update, delete, or modify the group at any time. This message is associated with Office 365 Roadmap ID 78174.
 
How does this affect me?
Beginning April 13th , 2017 We will automatically create direct reports groups in Outlook (leveraging the Office 365 Groups Service) for eligible managers. If you have Office 365 Groups disabled for your tenant, or if the manager in question doesn’t have permission to create groups, then no group will be created.
 
What do I need to prepare for this change?
If you are looking forward to this, there is no action you need to take. Get yourself familiar with Office 365 Groups, update your user training, and notify your helpdesk, as needed. If you would like to leave Office 365 Groups enabled for your organization but turn off direct reports groups creation, we have provided controls to enable and disable. Please click Additional Information to learn more.

Let’s go a little more into this…

At first glance this sounds like a good idea. The part that I disagree with is the auto opting-in of something like this and the very late notice. Normally things exist on the O365 Roadmap for awhile and fall intro their standard development and release cadence. This one is being rolled out within a month of the announcement and doesn’t have info if it will be first-release to start. This feature has the ability to create a whole ton of Groups depending on the size of your organization whether you are ready for them or not. The majority of the large clients I work with have not fully jumped into the Groups world yet and are working towards basic governance, adoption, and training strategies before they fully go. For those organizations, they could already have a plan to provision groups for specific teams – company teams not the product 🙂 – they will most likely get these new Groups created before they are ready. In the documentation currently they don’t list anything for the continued update of groups either. If this is a one time push there will need to be onus on the Managers to maintain their Groups post auto creation. I would still say there are more questions to be answered for this feature and there is already a good discussion on the MS Tech Community site
 
Another thing I noticed is the new naming of this release. The title specifically calls out that these are Groups in “Outlook”. This looks like a new way to refer to Email (Outlook) conversation based Groups vs Yammer conversation based Groups. 
 
As stated above this is no longer going to be rolled out to everyone and will be rolled out to a limited subset of tenants. 

How will the members of the Groups be determined?

The member population of these Groups is based on your Active Directory ManagedBy attribute. As you’re reading this, raise your hand if you think your ManagedBy attribute is accurate enough in you Active Directory environment? Now lower your hand because you are just reading this post and and someone near you might think you have a question. If you have any direct reports (i.e. your name is listed in someone’s ManagedBy attribute) you potentially could have a group auto created. The manager will be added as an Owner of the Group while everyone else will be added as Members. 

How can I control these auto provisioned Groups?

Some key things to note:
  • This is on by default. I felt like I just needed to repeat this one again. 
  • Office 365 Group creation must be enabled at the tenant.  I have highlighted how to manage this in a few posts on here
  • The manager must have the permission and ability to create an Office 365 Group.
  • The group will be named “<Manager’s Name>’s direct reports”, but that can be edited.
  • You can only turn this off via PowerShell and connecting through Exchange Online (unlike Azure AD for other Group management). 

Steps to manage auto provisioning of Direct Reports Office 365 Groups via PowerShell

1 – Connect to Exchange Online via PowerShell

2 – Review your current settings for the parameter “DirectReportsGroupAutoCreationEnabled” using the Get-OrganizationConfig cmdlet. 

 

2 – Set the value of “DirectReportsGroupAutoCreationEnabled” to false to disable auto group creation and true to enable it. Review your change with the same cmdlet above. 

Managing Office 365 Group Creation via Azure AD

group1

Introduction

Nearly every time Microsoft introduces a solution in Office 365 one of the first thing IT people look for is how to turn it off. The same thing occurred when Office 365 Groups were released to the world. Office 365 Groups are more unique in this situation because they are not really a single technology but more of a solution wrapping multiple technologies within Office 365. There are a lot of other posts out there about what actually makes up Office 365 Groups and I plan to write a much longer one, but here are the basics of what is currently wrapped up:

  • Email & Calendar
  • Security & Membership
  • Files & OneNote
  • Planner
  • PowerBI
  • and more!

One key thing to understand looking at this list is that you have multiple technologies such as Azure AD, Exchange, and SharePoint. When you have multiple technologies you have a harder challenge with centralized management. As Microsoft continues to innovate they will continue to do so using the Minimal Viable Product (MVP) method. This means that we are getting solutions that are not fully developed and one of the most common areas that this is lacking is with IT management. New solutions are people first and personally I like this approach.

What occurred with Office 365 Groups was that until very recently the only way to control Group creation was through Outlook Mailbox Policies via Exchange. This meant that if you created a group via Planner (which Groups are required) or PowerBI it would not follow the policy and the user could still create Groups. This is because the creation is not occurring through an Exchange application and means the OwaMailboxPolicy process doesn’t work anymore.


Managing Group Creation via Azure AD

With the GA of Planner, Microsoft added the ability within Azure AD PowerShell to control who can create Office 365 Groups. This process is no longer dependent on Exchange so it passes throughout Office 365. If an OWA policy exists and Azure AD (AAD) policy is enabled, the OWA policy will be ignored.

You can now do 2 things:

  1. Disable the default ability of everyone to create a new Office 365 Group
  2. Point to an AAD group (Office 365 Group or Distribution Group) that contains a list of people who are allowed to create groups
    • This group cannot have a group in it, must be individual users
    • Users with higher tenant roles already have access (company admin, mailbox admin, etc…)

Prerequisites:

NOTE: Version 1.1.143.0 of the Azure AD PowerShell module includes many changes to renew the existing MSOL PowerShell cmdets. Over time the existing MSOL cmdlets will be replaced. The new module is called “AzureAD.” So where e.g. an existing cmdlet was named “New-MSOLUser”, which adds a new user to the directory, the new cmdlet’s name is “New-AzureADUser.

My scripts below are using Version 1.1.143.0.  Azure AD PowerShell Module Version Release History


Steps to disable ALL Group creation

1 – Connect to Azure AD via PowerShell

2 – Review if you have any MsolSettings currently configured in your tenant

3a – If you have settings returned it will look like this (properties subject to change over time)

group2

Run this command to set EnableGroupCreation to false and remove any groups entered in GroupCreationAllowedGroupId

3b – If you have NO settings returned it will look like this a new template will need to be created

group3

Run this command to create the new template with EnableGroupCreation set to false

4 – Review your updated settings; now Group creation is disabled for all users

group4


Steps to disable Group creation except for only authorized users

1 – Connect to Azure AD via PowerShell

2 – Review if you have any MsolSettings currently configured in your tenant

3a – If you have settings returned it will look like this (properties subject to change over time)

group2

Run this command to update the settings with EnableGroupCreation set to false and pass the group for authorized users who will be able to create groups.

  • Replace “ENTER GROUP DISPLAY NAME HERE” with the display name of your group to get the ObjectId of the group.

Here is a visual example of what we are trying to get via the Azure AD portal.

group5

3b – If you have NO settings returned it will look like this a new template will need to be created

group3

Run this command to create the new template with EnableGroupCreation set to false and pass the group for authorized users who will be able to create groups.

  • Replace “ENTER GROUP DISPLAY NAME HERE” with the display name of your group to get the ObjectId of the group.

4 – Review your updated settings; now Group creation is disabled for all users EXCEPT the ones in the declared group

group6


Aftermath

Once configured users will see errors like this when trying to create an Office 365 Group

Via Outlook UI:

group8

Via Planner UI:

group7

All of these Office 365 Group scripts can be found on Github. Large thanks to Tony Redmond, Santhosh Balakrishnan, and Juan Carlos Martin for providing multiple scripts

Please feel free to contribute!

https://github.com/dmadelung/O365GroupsScripts