Browse Tag

Security

Managing Office 365 Groups Using Azure AD Powershell V2

group1

Introduction

Azure AD PowerShell is an incredibly useful tool for management.  V2 was released as GA (general availability) in Dec 2016.  
This means that you could begin to utilize the new cmdlets in your production environment.  There is currently not dual functionality from the V1 MSOL cmdlets so both will still need to be used as V2 continues to develop.  There is also a preview set of cmdlets that you can download and use that has some extended features beyond just V2.  The V1 module will begin to be deprecated as V2 continues to advance.  I would recommend working with V2 when possible and only going back to V1 as needed.  

I won’t be going through all of the differences between these versions but will be shedding some light on the differences for Office 365 Group management from V1 to now.  This is a follow up to my original post: Managing Office 365 Group Creation via Azure AD

Links:

Quick V1 vs. V2 Examples

The big difference from V1 to V2 is that the majority of cmdlets that used *-MSOL* cmdlets are now *-AzureAD*.  The full list of cmdlets can be found through the links above. 

To connect using V1 you would use:

V2 you now use:

To get a user in V1 you would use:

V2 you now use:


Managing Groups using Azure AD PowerShell V2

To perform Group management you will need to use the V2 Preview cmdlets (download above) until they are rolled into V2.  The same Office 365 groups settings in Azure AD PowerShell available in V1 are currently not available in V2.  Hopefully when that happens they won’t change much from when I am writing this. 

The primary cmdlets utilized in V1:

Their comparison in V2:

The way that these are updated are also different.  That means you can not simply replace “MsolAllSettings” with “AzureADDirectorySetting” in your scripts.  There are different parameters that you need to pass and functions not available.  


You can currently see these values but not all can bet set. 

Name : ClassificationDescriptions – NOT YET SUPPORTED
Description : A comma-delimited list of structured strings describing the classification values in the ClassificationList. The structure of the string is: Value: Description

Name : DefaultClassification – NOT YET SUPPORTED
Description : The classification value to be used by default for Unified Group creation.

Name : PrefixSuffixNamingRequirement – NOT YET SUPPORTED
Description : A structured string describing how a Unified Group displayName and mailNickname should be structured. Please refer to docs to discover how to structure a valid requirement.

Name : AllowGuestsToBeGroupOwner
Description : Flag indicating if guests are allowed to be owner in any Unified Group.

Name : AllowGuestsToAccessGroups
Description : Flag indicating if guests are allowed to access any Unified Group resources.

Name : GuestUsageGuidelinesUrl
Description : A link to the Group Usage Guidelines for guests.

Name : GroupCreationAllowedGroupId
Description : Guid of the security group that is always allowed to create Unified Groups.

Name : AllowToAddGuests
Description : Flag indicating if guests are allowed in any Unified Group.

Name : UsageGuidelinesUrl
Description : A link to the Group Usage Guidelines.

Name : ClassificationList
Description : A comma-delimited list of valid classification values that can be applied to Unified Groups.

Name : EnableGroupCreation
Description : Flag indicating if group creation feature is on.


Steps to Create new Directory Settings for Groups template

There are multiple templates that are part of your Azure AD tenant.  This template can contain a settings object which has a collection of values.  Within these values are where we can set the parameters above.  This needs to be done before you can set any values.  If you already have this you can move to the section below.  

1 – Connect to Azure AD via PowerShell

2 – Review if you have any settings currently configured in your tenant

3a – If you have directory settings returned it will look like this (properties subject to change over time)

 

3b – If you have NO settings returned it will look like this and new directory settings will need to be created

Run this command to create the new directory settings

4 – Review your updated settings; you can now see the default values for the directory settings object created for the Groups template


Steps to set Group Settings

1 – Connect to Azure AD via PowerShell

2 – Review if you have any settings currently configured in your tenant

3a – If you have directory settings returned it will look like this (properties subject to change over time)

3b – If you have NO settings returned it will look like this and new directory settings will need to be created and follow the steps above

4 – Examples of Group settings

All settings below will use the Get-AzureADDirectorySetting cmdlet and store that in a variable and then use the Set-AzureADDirectorySetting cmdlet with the updated settings.  The full command to run a setting update is:

I will walk through some of the common scenarios and how to configure the settings parameters.  If you run any of the

Restricting Group Creation for all except users in a specific group

Enter the group you want to use in the “ENTER..” section.

Setting Group classification

Use comma delimited values for the classifications.

Setting Guidelines URL

Enter a valid URL to a page or document that holds your guidelines.

Restrict all access for guest users to Groups including ones that were already granted access

Restrict the ability to add any new guest users but not restrict existing

Setting all Group settings

With some examples.

5 – Review your updated settings


Steps to remove Group Settings

1 – Connect to Azure AD via PowerShell

2 – Remove your directory settings, follow the steps above to create new


More Scripts

All of these Office 365 Group scripts for V2 can be found on Github. Large thanks to Tony Redmond, Santhosh Balakrishnan, and Juan Carlos Martin for their work they have already done and multiple supporting scripts.  The scripts from this post are under the file: DrewO365GroupsScripts – Azure AD Cmdlets

Please feel free to contribute!

https://github.com/dmadelung/O365GroupsScripts

Locking a SharePoint Online Site Collection

Within SharePoint Online you have the ability to completely lock down a site collection so no one can get access to it.  This is set via PowerShell and the SharePoint Online Management Shell.  Here are instructions on how to get started using connecting to SharePoint Online via PowerShell.  This lock can also be set on a user’s OneDrive for Business site collection.

Along with the ability to lock a site collection you can also set a redirect URL for the tenant for any locked sites that are accessed.  That means that when a user tries to access that locked site they will be redirected to the URL that you provided at the tenant level.  This could be helpful to provide instructions or further info for anyone letting them know that the site they were trying to access has been locked.  If no redirect URL is set they will receive a 403 error. 

NOTE: As of writing this post you are not able to set a lock state of a site provisioned with an Office 365 Group even though the PS cmdlets say it should be possible.  I will demo the actions later in this post but I have contacted Microsoft on this error and they state it is currently as designed and the error received is incorrect. 

The PowerShell cmdlets that are used to set this up are:


Steps to lock or unlock a site collection

1 – Connect to SharePoint Online

2 – Locking – Set the -LockState of the site collection to “NoAccess” while replacing the domain and sitecollection info to lock the site

  • This can also be a OneDrive for Business site collection (i.e. https://domain-my.sharepoint.com/personal/usersite)

 

2(a) – Unlocking – Set the -LockState of the site collection to “Unlock” while replacing the domain and sitecollection info to unlock the site

3 – Navigate to the URL to confirm and use PowerShell to confirm locked state


Steps to set a tenant redirect URL

1 – Connect to SharePoint Online

2 – Set the NoAccessRedirectURL of the tenant to a URL while replacing the domain and sitecollection info

3 – Navigate to the URL to confirm the redirect.  This may take a few minutes

To remove the NoAccessRedirectURL you can pass in an empty string


Trying to lock an Office 365 Group site

Here is the error you receive when trying to lock a group site:

 

Set-SPOSite : https://domain.sharepoint.com/sites/drewtesto365group is a OneDrive for Business site collection. The only valid parameters for this type of site collection are ‘-Identity’, ‘-StorageQuota’, ‘-StorageWarningLevel’, ‘-LockState’ and ‘-SharingCapability’.
At line:1 char:1
+ Set-SPOSite -Identity https://domain.sharepoint.com/sites/dre …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Set-SPOSite], ServerException
+ FullyQualifiedErrorId : Microsoft.SharePoint.Client.ServerException,Microsoft.Online.SharePoint.PowerShell.SetSite

The error declares it as a OneDrive for Business site collection and says that -LockState is a valid parameter yet still doesn’t work.  I opened a support ticket with Microsoft and this was their resolution:

“It is by design Issue. We can lock a site collection however we cannot lock a unified group site.”

If this is something that you need I would recommend adding to to Uservoice.  If you need to “lock” an Office 365 Group site the best way as it exists when I am writing this is to remove permissions within the group.


Getting status of all locked site collections in a tenant

At this point Get-SPOSite will not return any OneDrive for Business or Group sites.  There is new parameter called “-IncludePersonalSite” which at some point should return OneDrive sites via this cmdlet.  If you run this now you get the error:

WARNING: SharePoint Online does not support these new features yet.

 

Configuring Office 365 Group Classification

group1

Recently Microsoft released the ability to create classifications for Office 365 groups that allow end users set.  For example, you can now set classifications such as: internal, confidential, external, secret, top secret, low, medium, high, etc..  Group classifications are new and I am not sure the full story of how these will be utilized moving forward.  There are enhancements coming around classification within the security and compliance center that I hope this will be able to tie into at at some point.

Here is some info on the current setup of group classification (as of 10/31/2016):

  • They don’t actually technically do anything yet…
  • They are not on by default
  • The choices can only be set via PowerShell
  • They currently don’t show anywhere else other than “edit group” via Outlook
  • You can only have 1 set of classifications for a tenant
  • If you change a classification value, it does NOT go back and update existing groups that were classified but the existing groups that were classified do not lose the classification
  • It takes some time for classification changes to be visible in the GUI
  • Don’t put spaces between the comma delimited values (i.e. “internal,external” NOT “internal, external”)
  • You can use spaces within comma eliminated values (i.e. “secret,top secret”)
  • I tested some special characters such as ? and ! and they worked
  • I am not aware of a classification limit, i did a test with 15 without an issue

Here is the description of the new property:

2016-10-30-16_07_07-start

Prerequisites:

NOTE: Version 1.1.143.0 of the Azure AD PowerShell module includes many changes to renew the existing MSOL PowerShell cmdets. Over time the existing MSOL cmdlets will be replaced. The new module is called “AzureAD.” So where e.g. an existing cmdlet was named “New-MSOLUser”, which adds a new user to the directory, the new cmdlet’s name is “New-AzureADUser.

My scripts below are using Version 1.1.143.0.  Azure AD PowerShell Module Version Release History


Steps to set values for Group Classification

1 – Connect to Azure AD via PowerShell

2 – Review if you have any MsolSettings currently configured in your tenant

3a – If you have settings returned it will look like this (properties subject to change over time)

group2

Run this command to set ClassificationList to a comma separated list of values that you want.  (In my example I included “Internal,External,Confidential”)

3b – If you have NO settings returned it will look like this a new template will need to be created

group3

Run this command to set ClassificationList to a comma separated list of values that you want.  (In my example I included “Internal,External,Confidential”)

4 – Review your updated settings; now Classification’s are available for Groups

2016-10-30-16_14_29-start

You will now see it through the GUI when editing a group and will have the ability to set it.

2016-10-30-16_19_20-new-notification

And once you set a classification it will be viewable.

2016-10-30-16_20_55-photos

You can also set a classification using the Set-UnifiedGroup and New-UnifiedGroup cmdlets.

 

Changes to Sharing in SharePoint Online

There has been an update that I have seen in Office 365 in the options you get when trying to share content.  Previously when sharing something, you had the option to select a permission level and put the user(s) into a specific SharePoint Group.

image_thumb

The sharing process has recently been updated.  In newer tenants, mainly first release that I have seen, you will no longer see the select a permission level option when sharing from top right site share or the library level share.

image_thumb1

In a support case with Microsoft it was stated that “the feature of displaying groups on the sharing options of a site is deprecated and will no longer be available for the tenants which are on the newer versions. The reason for the deprecating this feature being, it is complex to show different set of permission levels set on each of the site collections and subsites considering unique permissions set at each web level.”

However I was able to still find the option to pick a group when using the Grant Permissions option under Site settings -> Site permissions.

image_thumb2

When you click the show options section you will see the select permission level section.  In that drop down select More options.

image_thumb3

You will then see the list of groups and permissions levels again.

image_thumb4

It is always interesting finding these unexpected changes.  This wasn’t a huge deal as we found a work around to get users into groups but this did disrupt a client’s business process until a resolution was found.

Exporting SharePoint Group Members to Excel Without PowerShell

I was at a client recently and was not allowed to run any powershell commands but needed a list of accounts that existed in a SharePoint Group in a table format.  I also was not allowed site collection administration permission.  I tried a few different options in which trying to manipulate the list view of the group and using Excel data connections to get back to SharePoint but no option worked very cleanly.

What I ended up using was a REST call to get the users and then downloading the XML response and opening it with Excel.  Use this link to learn about the available REST api’s for users & groups

Here are the steps….

1.  Get a client that you can use to test REST calls

2.  Construct the REST call to get a list of users by group

The structure looks like this:  https://siteurl/_api/web/sitegroups/getbyid(groupid)/users

  • To get the group ID simply navigate to the members page of your SharePoint Group and look at the number at the end of the URL  Here is the URL of my “Product Members” group:  https://concurrencyinc.sharepoint.com/sites/products/_layouts/15/people.aspx?MembershipGroupId=9

Here is my call:  https://concurrencyinc.sharepoint.com/sites/products/_api/Web/SiteGroups/GetById(9)/Users

  • We will see the users returned in the entry area of the response.

ExportSPGroup1

3.  Download the XML response

  • In the Advanced REST Client click Save as file and then Download in the response section.

ExportSPGroup2

4.  Change the file type

  • The file will download as a .text-plain file type.  Edit the filename and change it to a .xml file type.

ExportSPGroup3

5.  Open with Excel!

  • In Excel browse and pick out the new .xml file you created and select open this file as an XML table.

ExportSPGroup8

  • Take a second and look at your pretty data.

ExportSPGroup4

6.  Remove duplicates

  • The data comes across in a way that there are 2 rows for each user.  We can clean that up by removing the duplicates based on the login name.  First click anywhere in the imported table and under the Data tab click Remove Duplicates.

ExportSPGroup5

  • Click the Unselect All button then scroll down and check ns4:LoginName

ExportSPGroup6

  • That will remove your duplicate logins and you will have emails and logins that you can use whatever way you need.

ExportSPGroup7

 

Handy appendix?

I know this post is titled how to get a list without powershell but I wanted to just include this down here as this is an easier approach if you have the ability.  Here are the commands to get a list of users in a SharePoint Group via powershell.

  • Get-SPSite http://server/sites/yoursite | Select -ExpandProperty RootWeb | Select -ExpandProperty Groups | Where {$_.Name -EQ “group name”} | Select -ExpandProperty Users | Select Name, Email| Export-Csv c:\scripts\users.txt

Here is the command to do it with SharePoint Online

  • Get-SPOUser -Site https://contoso.sharepoint.com/sites/finance -Group “group name”

Handy links!