Browse Category

Office 365

Find and Report on Existing Delve Blogs

With the announcement that Delve blogs will be retiring you may want to see what blogs exist in your tenant. Delve blogs create their own site collection but do not show up in the admin center or when you use the SharePoint PowerShell module and the Get-SPOSite cmdlet. Thankfully PnP Powershell does return this. I put together a PowerShell script to find blogs and put a report together including the number of posts.

First, install PnP PowerShell if you haven’t already. I recommend installing via the PowerShell gallery with the command:

  • Install-Module SharePointPnPPowerShellOnline

Here is a script to find and export the blog information using PnP Powershell. Ensure you fill in your own variables for your tenant and the file path. 

try {

    #variables -> enter your own domain and output path
    $creds = Get-Credential
    $tenantadmin = "https://domain-admin.sharepoint.com"
    $outputfilepath = "c:\temp\delveblogexport.csv"

    #connect to tenant to get blog sites
    Connect-PnPOnline $tenantadmin -Credentials $creds
    $sites = Get-PnPTenantSite -Template POINTPUBLISHINGPERSONAL#0

    $resultsarray = @()

    #loop through sites to get details for blog
    foreach($s in $sites){
        Connect-PnPOnline $s.Url -Credentials $creds
        $list = Get-PnPList -Identity "Pages"
        $pagecount = $list.ItemCount
        $listlastmodified = $list.LastItemUserModifiedDate
        $contributor = Get-PnPGroupMembers -Identity "Contributors" | select Email

        #add to export object
        $obj = New-Object PSObject
        Add-Member -InputObject $obj -MemberType NoteProperty -Name DelveBlogUrl -Value $s.Url
        Add-Member -InputObject $obj -MemberType NoteProperty -Name BlogPageCount -Value $pagecount
        Add-Member -InputObject $obj -MemberType NoteProperty -Name LastModified -Value $listlastmodified
        Add-Member -InputObject $obj -MemberType NoteProperty -Name Email -Value $contributor.Email

        $resultsarray += $obj
        $obj = $null

        Disconnect-PnPOnline

    }
    #export results
    $resultsarray | Export-Csv -Path $outputfilepath -NoTypeInformation
    Write-Host "Complete" -ForegroundColor Green
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Red
}

The results will include the URL of the site, the page count, last modified, and the email of the blog site owner.

If you want other details per page you can go directly to the pages library to view by applying “pPg/Forms/AllItems.aspx” to the blog site url. As an example:

When you go to the pages library you can download the posts. They exist in a JSON blob. This may be a good way to extract blog posts before they are removed via Microsoft.

To view the posts you will still go through “portals/hub/personal/drew” path vs “portals/personal/drew”.

Another path to get some of this information is through the User Profiles that exist. Each user profile includes a link to their Delve blog. So if you get all existing user profiles you can find where that value is filled in. The best way to get this at scale is through SharePoint search. I put together a script to do this as well. I included batching logic on the results which will be needed in large tenants as the max search results is only 500. 

try
{
    #variables -> enter your own domain and output path
    $creds = Get-Credential
    $tenantadmin = "https://domain-admin.sharepoint.com"
    $outputfilepath = "c:\temp\delvebloguserprofileexport.csv"
    $returnproperties = @("PreferredName","AccountName","WorkEmail")
    $sourceid = "B09A7990-05EA-4AF9-81EF-EDFAB16C4E31"  #this is consistent across tenants
    $maxresults = 100
    $startrow = 0

    #connect to tenant to search
    Connect-PnPOnline $tenantadmin -Credentials $creds

    $resultsarray = @()
    Do{
   
        #perform search query
        $results = Submit-PnPSearchQuery -Query "*" -SourceId $sourceid -SelectProperties $returnproperties -StartRow $startrow -MaxResults $maxresults -SortList @{LastModifiedTime="Descending"} 
        $rowcount = $results.RowCount

        #loop through results in row
        foreach($res in $results.ResultRows){

            #get user profile properties
            $props = Get-PnPUserProfileProperty -Account $res.AccountName

            #check if blog site exists
            if($props.UserProfileProperties.'SPS-PointPublishingUrl' -ne ""){

                #add to export object
                $obj = New-Object PSObject
                Add-Member -InputObject $obj -MemberType NoteProperty -Name DelveBlogUrl -Value $props.UserProfileProperties.'SPS-PointPublishingUrl'
                Add-Member -InputObject $obj -MemberType NoteProperty -Name WorkEmail -Value $props.UserProfileProperties.WorkEmail
                $resultsarray += $obj
                $obj = $null
            }
        }
        $startrow = $startrow + $rowcount + 1
    }
    while ($rowcount -ne 0)
    
    #export results
    $resultsarray | Export-Csv -Path $outputfilepath -NoTypeInformation
    Write-Host "Finished" -ForegroundColor Green
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Red
}

This is not the most efficient way to get this information but it could be helpful to double check the SharePoint sites approach. This is also a handy way to loop through user profiles via search.

PowerShell for SharePoint Site Designs & Site Scripts

SharePoint site designs and site scripts allow you to provision sites and apply your own configurations at that time. This solution allows you to drive consistency for sites being created in SharePoint Online. The management of these is currently all done by PowerShell. I have been working with these and building presentations on them and have put together a collection of PowerShell scripts that I found useful. This includes a lot of the base functionality for working with them but is absolutely not all inclusive.

This is not intended to be ran as 1 full script but use pieces of these together and run sections that you need at a point in time. A few things this script includes:

  • Creating site scripts and site designs
  • Add and remove site scripts from an existing site design
  • Setting site design view rights
  • Getting site scripts from a list
  • Viewing status and information about previous ran or running site designs

PowerShell scripts

Here is the link to the repository on Github for the site design and site script PowerShell file.

Please help update as well!

Key links

SharePoint site designs and site scripts overview from Microsoft docs customization/site-design-overview

Multiple provisioning blog posts from Beau Cameron

PnP Remote Provisioning

The Ultimate Guide to SharePoint Site Templates and Site Scripts
Amazing info from Laura Kokkarinen

Get Office 365 Groups with Teams via PowerShell and the Microsoft Graph

Office 365 Groups are the backbone of a lot applications in Microsoft. The core principal is that an Office 365 Group is the security model that supports a Team. A good start to learn more about this is from the Microsoft documentation about the two.

Here is a more detailed image about how a Team is a workload that is supported by Office 365 Groups as the identity layer. This means that not all groups have an associated Team but all Teams are supported by a group.

Getting Groups with associated Teams

I had a client ask me recently to get a list of what groups have a Microsoft Teams chat connected vs Office 365 groups that don’t have a team connected. I have done this in the past using the method here on the TechCommunity. I then saw in some updated documentation that the beta Graph API includes a filterable property called resourceProvisioningOptions. The documentation can be found here. Filtering by this property is currently on the beta API so it is not recommended to utilize this in a production solution. 

Using the /groups Graph API we can retrieve all groups in the tenant that have a team. Any group that has a team has a resourceProvisioningOptions property that contains “Team”. 

  • Currently teams that were deleted may be included
  • This property can be changed but don’t do it
  • This also is populated for a group that has a Team added to it after the fact

One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.

Permission type Permissions (from least to most privileged)
Delegated (work or school account) Group.Read.All, Group.ReadWrite.All
Delegated (personal Microsoft account) Not supported.
Application Group.Read.All, Group.ReadWrite.All

Here is the script and I will break it down below

#Enter scopes or app data - If a scope is entered it will used
#If scopes is empty it will check to run via app 
$scopes = 'Group.Read.All'

$appid = ''
$appsecret = ''
$appaaddomain = ''

#Graph URLs - uncomment one to run

#Get all groups
#$url = "https://graph.microsoft.com/v1.0/groups?`$filter=groupTypes/any(c:c eq 'Unified')&`$select=displayname,resourceProvisioningOptions"
#Get all groups with teams
$url = "https://graph.microsoft.com/beta/groups?`$filter=resourceProvisioningOptions/Any(x:x eq 'Team')"

#Establish connection
If($scopes.Length -gt 0){
    Connect-PnPOnline -Scopes "Group.Read.All"
} elseif($appid.Length -gt 0) {
    Connect-PnPOnline -AppId $appid -AppSecret $appsecret  -AADDomain $appaaddomain
} else {
    write-host 'Connection issue' -ForegroundColor Red
    exit
}

#Get token
$token = Get-PnPAccessToken

#Call graph
if($token){
    $response = Invoke-RestMethod -Uri $url -Headers @{Authorization = "Bearer $token"}
} else {
    write-host 'Token issue' -ForegroundColor Red
    exit
}

#Parse data
if($response){
foreach($r in $response.value){ 
    if($r.resourceProvisioningOptions -eq 'Team'){
        write-host $r.displayname "is a Team enabled Group" -ForegroundColor Yellow
        #Do fancy stuff in here
    } else {
        write-host $r.displayname "is a regular O365 Group" -ForegroundColor Green
    }
}
} else {
    write-host 'Response issue' -ForegroundColor Red
}

Connecting to the Graph via PowerShell

To connect to the Graph via PowerShell I am using the PnP PowerShell module. SharePoint Patterns and Practices (PnP) contains a library of PowerShell commands (PnP PowerShell) that allows you to perform complex provisioning and artifact management actions towards SharePoint. The commands use CSOM and can work against both SharePoint Online as SharePoint On-Premises. Details about how to work with this module and its cmdlets can be found here.

The cmdlet that is used to connect is Connect-PnPOnline. This cmdlet can be used to connect to multiple entry points. When connecting to the Graph you can connect through Azure AD and declare permissions scopes with the -Scopes parameter or connect with app level permissions using the -AppId, -AppSecret, and -AADDomain parameters.

I have setup the script to handle either depending on what you enter at the top for the variables. Details for different types of permissions can be found here.

Calling the Graph via PowerShell

To call the Graph I am using the Invoke-RestMethod cmdlet to make the REST request. To handle the Graph call we need to pass along a bearer token. I am getting the token through the PnP cmdlet Get-PnPAccessToken. The data will then be returned as an object. You could convert the data into JSON to utilize it if necessary.

Along with the token we need to pass along the Graph Uri call. I have setup 2 different options to get the data. Swap the comment (#) tags for either $url line. 

Here is a breakdown of each option:

  • Get all groups which have Teams
    • This will return the filtered list of Groups
      • /v1.0/groups?$filter=groupTypes/any(c:c eq ‘Unified’)&`$select=displayname,resourceProvisioningOptions
  • Get all groups
    • This will return all groups and then go through all returned groups and perform an action for ones that have a connected Team
      • /beta/groups?$filter=resourceProvisioningOptions/Any(x:x eq ‘Team’)
      • Currently this only does a Write-Host but any business logic could be added here.

Make sure you copy and paste from the code block for proper formatting.

The best way to test Graph calls before working with them is through the Graph Explorer. I highly recommend this one!

Securing the app permissions

One idea that I did not put in here but would be a good idea if you wanted to set up a recurring solution around this would be to protect the app data through the Azure Key Vault.  Here are details on how this can be completed – 

Using Azure Key Vault with PowerShell – Part 1

More information about setting up an Azure AD app can be found here:

Interact with Graph and make O365 Groups with AzureFunctions PowerShell

Removing Permissions for Viewing Modern Personal Blogs in Office 365

A personal blog can be a great tool for you to contribute your thoughts and ideas. Office 365 provides the capability for everyone to have a personal blog that can be accessed via your profile page. 

When you create a new blog post this will be automatically be view-able by all employees. If you do not want to have this capability or manage this in any way it can be done via PowerShell. The example I put together will remove viewers access from all existing blogs so they can only be seen by the owner.

To get started we need a high level understanding of what these blogs are and how they work. I won’t go into all of the details of this because Benjamin Niaulin has already put it together in this great post:

The highlights to support this post are:

  • When a user follows the links to create a new blog post a new site collection is built with the managed path of /portals/personal with a site name of your user account
    • i.e. tenant.sharepoint.com/portals/personal/dmadelung
    • These are not viewable in any SP Admin center and Get-SPOSite will not work
  • Site collections are only built after a user initiates the creation so not all users will have one
  • Blog posts (stories) are creates at pages in the pages library on your site collection
  • Permissions are handled with SharePoint permissions and inherited down with a Contributors, Creators, and Viewers SharePoint Group
    • The viewers group includes “Everyone except external users” by default
  • The blogs are NOT deleted when a user leaves like their OneDrive site collection

And here are details the details from Microsoft around personal blog posts in Office 365:

Removing existing permissions via PowerShell

As this is all hosted in SharePoint there could be multiple ways that we can control these. Unfortunately I couldn’t find a way to control things as scale but there is a small UserVoice submission for it. What I wanted to ensure was that creators could still get to their content but no one else could view anything. The path I took to manage these was through PowerShell and CSOM (Client Side Object Model)

Here is link to the GitHub repo and I will break it down below along with the script.

Here are some key things to note:

  • I can not confirm that doing this is the best practice but it was the easiest way I found to control these without a any administrator controls available to us. 
  • This is currently built to run on demand but could be updated to run on a schedule via something like Azure Automation.
    • To catch everything it will need to run on a schedule because any future sites will not be caught.
  • This could be updated to be used as a reporting tool or identification tool for cleanup.
  • I would comment out the actual removal of the permissions and put some logging in to test before fully running.
    • Also if you have any changes please update the repo!
  • This queries the user profile service in SharePoint Online to get the full list of users which could be huge.
    • I didn’t test this on a very large environment so this could take awhile to run or need to be enhanced for scale.
  • All of the user profile gathering was copied from this post from Microsoft on how to display a list of OneDrive for Business site collections

To get started with CSOM & PowerShell with SharePoint Online here is a good blog post from Chris O’Brien. You can get the latest version of SharePoint Online CSOM here. If you download the nuget file you can change the file extension to .zip and extract the .dlls.

To utilize the script make sure you fill out the appropriate variables and more information about what this will do is below the script. Make sure you test any script you get online before you really run it!

# Use this script to remove viewer permissions from all user delve blogs that have been created
# A user will still be able to view their existing blogs and create blogs but people will not be able to see them
# This would allow you to choose in the future if you want to make them live
# 
# This could be updated to run on a schedule as this will not remove any new blogs that are created

### ENTER YOU VARIABLES HERE ###

#Path to the SP CSOM files 
$csomPath = "C:\...." 
################

#Prompt for parameters
#TenantDomain is beginning of "tenantdomain.sharepoint.com.."
$TenantDomain = Read-Host -Prompt "Tenant domain"
$AdminAccount = Read-Host -Prompt "Admin account"
$AdminPass = Read-Host -Prompt "Password for $AdminAccount" –AsSecureString

#Set SharePoint admin url
$AdminURI = "https://" + $TenantDomain + "-admin.sharepoint.com"

#Get CSOM files
Add-type -Path "$csomPath\Microsoft.SharePoint.Client.dll"
Add-type -Path "$csomPath\Microsoft.SharePoint.Client.Runtime.dll"

#Begin the process
$loadInfo1 = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client")
$loadInfo2 = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.Runtime")
$loadInfo3 = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.UserProfiles")

#Set credentials for CSOM
$creds = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($AdminAccount, $AdminPass)

#Add the path of the User Profile Service to the SPO admin URL, then create a new webservice proxy to access it
$proxyaddr = "$AdminURI/_vti_bin/UserProfileService.asmx?wsdl"
$UserProfileService= New-WebServiceProxy -Uri $proxyaddr -UseDefaultCredential False
$UserProfileService.Credentials = $creds

#Set variables for authentication cookies
$strAuthCookie = $creds.GetAuthenticationCookie($AdminURI)
$uri = New-Object System.Uri($AdminURI)
$container = New-Object System.Net.CookieContainer
$container.SetCookies($uri, $strAuthCookie)
$UserProfileService.CookieContainer = $container

#Sets the first User profile, at index -1
$UserProfileResult = $UserProfileService.GetUserProfileByIndex(-1)

Write-Host "Starting- This could take a while."

#Getting total number of profiles
$NumProfiles = $UserProfileService.GetUserProfileCount()
$i = 1

#Create array to track users
$users = @()

#As long as the next User profile is NOT the one we started with (at -1)...
While ($UserProfileResult.NextValue -ne -1) 
{
    Write-Host "Reviewing profile $i of $NumProfiles"

    #Look for the Point Publishing Blog url object in the User Profile and retrieve it
    #It will be empty for users which it has not been created for

    #Get personal blog publishing URL
    $Prop = $UserProfileResult.UserProfile | Where-Object { $_.Name -eq "SPS-PointPublishingUrl" } 
    $Url= $Prop.Values[0].Value

    #Get user UPN - Can be used for reporting
    #$Prop = $userProfileResult.UserProfile | Where-Object { $_.Name -eq "SPS-UserPrincipalName"}
    #$Upn= $Prop.Values[0].Value

    #If the blog site exists then add it to an array to review
    if ($Url) {
        $users += $Url
    }

    #And now we check the next profile the same way...
    $UserProfileResult = $UserProfileService.GetUserProfileByIndex($UserProfileResult.NextValue)
    $i++
}

#Loop through all identified sites to remove blog viewers
foreach($user in $users){
    #Set blog site url
    $siteurl = "https://" + $TenantDomain + ".sharepoint.com" + $user

    #Connect to blog site collection
    $ctx = New-Object Microsoft.SharePoint.Client.ClientContext($siteurl)
    $ctx.Credentials = $Creds
 
    #Connect to web and get site groups
    $web = $ctx.Web
    $groups = $ctx.Web.SiteGroups
    $ctx.Load($web)
    $ctx.Load($groups)
    $ctx.ExecuteQuery()
    
    #Get the viewers group
    $group = $groups | where { $_.Title -eq "Viewers"}
    if($group){
        #Get the users in the viewers group
        $users = $group.Users
        $ctx.Load($users)
        $ctx.ExecuteQuery()

        #Remove all users from the viewers group
        foreach($u in $users){
            $group.Users.RemoveByLoginName($u.LoginName)
            $web.Update()
            $ctx.ExecuteQuery()
        }
    }
}

The end result will be that all existing blog sites will have anyone in the Viewers SharePoint Group removed

Before…

After..

Office 365 Groups Naming Policy

group1

Introduction

When Office 365 Groups were first released there was not an ability to control the names of Groups at all. One of the primary reasons for this was due to the cross workload functionality that make up Office 365 Groups. As a reminder, an Office 365 Group is the single Azure AD identity service that provides specific membership to Office 365 solutions like SharePoint, Exchange, Planner, Teams, etc. Within each of these workloads you have the ability to create and manage an Office 365 Group. If you make a change within one of workloads, for example SharePoint, there is communication between the workload and Azure AD with notifications on things like creation, changes, and deletions. 

With a separated system and Azure AD as the source, any policies need to be applied at the Azure AD level. As an example, an Exchange naming policy can be used (and at one point was the only option) for Office 365 Groups. If you set a naming policy within Exchange that would only work if you tried creating a group within Exchange. If I was on SharePoint Home and tried to create an Office 365 Group that naming policy would not trigger as I technically not working in Exchange. Exchange would learn about the Group after it is synced back to Azure AD but that would be too late. 

To resolve this issue Microsoft has released Office 365 Group naming policy capabilities at the Azure AD level. A naming policy is very important for proper control and a clean Global Address List (GAL). Since this is in Azure AD now the naming policy is applied to Groups that are created across workloads. 

Details

As I am writing this post in Dec 2017 this is currently still in Private Preview. 

Both of these currently can only be configured with PowerShell. The prerequisites for configuring these can be found in this post: Managing Office 365 Groups using Azure AD PowerShell V2.

The AzureADPreview PowerShell module version 2.0.0.137 is required.

Office 365 Group naming policies can be built using 2 different features and 1 is automatically maintained:

  • Custom blocked words
    • You can set specific blocked words that can be used within Group names. 
  • Prefix-Suffix naming policy
    • Using fixed strings or user attributes, you can add an automated prefix or suffix to a Group name. 
  • Microsoft Standard blocked words list
    • A set of words Microsoft manages that are not allowed. This includes your primary swear words. I tested quite a few good ones and they were all blocked automatically.

These administrators bypass or are exempt from the naming polices you configure but NOT the MS standard blocked words list:

  • Global Administrator
  • Partner Tier 1 Support
  • Partner Tier 2 Support
  • User Account Administrator
  • Directory Writers

Microsoft detailed information for the naming policy can be found here.

Custom blocked words

This is a comma separated list of words that you can configure. These words are blocked in Group names and aliases. Some examples of when you would want to configure blocked words:

  • Your department or business function names because you want to ensure you don’t have duplicate places for content
  • Regulatory words that you may have specific legal requirements around that you need to have more control over
  • Names of roles that you don’t want people to try to impersonate
  • Client, Vendor, or Competitor names

There are some things to know about these blocked words.

  • The checks are done AFTER appending the prefix/suffix to the Group name
    • If things like underscores (_) or dashes (-) are used in prefix/suffix they could stop your blocked word from working if there are no spaces
  • No sub-string searches are done
    • If “Drew” is the blocked word, “Andrew” would still work
  • Not case-sensitive
  • No character restrictions
  • No limit on the amount of words

Steps to set the Custom Blocked words

This is assuming you already have a directory settings template created, details in prior post, and connection information from the first section.

1 – Connect to Azure AD via PowerShell.

Connect-AzureAD

2 – Use comma delimited values for the blocked words.

$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”}
$settings["CustomBlockedWordsList"] = "HR,Contoso,Payroll,CEO,CFO,CIO"
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

3 – Review your updated settings; you can now see the default values for the directory settings object.

Get-AzureADDirectorySetting | ForEach Values

Prefix-Suffix naming policy

These can either be fixed strings or actually attributes from the user themselves. These 2 types of capabilities are stored within 1 overall string that is concatenated. Because of this, you must always have [GroupName] included in your setting. That is how you are able to have a prefix & a suffix. 

Some examples of using strings:

  • GRP [GroupName]
    • This puts the fixed string of “GRP ” before all of your Group names
  • #[GroupName] Group
    • This will put the # symbol at the front of the Group name for better sorting in the GAL and then ” Group” as a suffix for better clarity
    • Special characters are removed from the Alias
  • OGRP – [GroupName]
    • Dashes can be used for separation as spaces are removed automatically in the Group Alias (like the rest of the special characters). That means “OGRP – Drew” as a group name becomes “OGRP-Drew@domain.com” as the alias instead of “OGRPDrew@domain.com”.

The next type of thing you can add are Azure AD user attributes. The following attributes are supported: [Department], [Company], [Office], [StateOrProvince], [CountryOrRegion], [Title], [CountryCode]

Some examples of using attributes:

  • [Department] – [GroupName]
    • This will pull the users department stored in Azure AD before the Group name
  • [CountryCode] – GRP – [GroupName]
    • This will first put the Country Code stored in Azure AD followed by a fixed string and then the Group name

There are some things to know about using attributes.

  • The total prefix/suffix + string length is restricted to 53 characters
  • Empty attributes for users will be filled in with blank values. It is best to ensure your Azure AD information is fully established before using these attributes.
  • Extension attributes and custom attributes are not supported
    • If you put it in an unsupported attribute it just comes across as text

Steps to set the Prefix – Suffix naming policy

This is assuming you already have a directory settings template created, details in prior post.

1 – Use comma delimited values for the blocked words.

$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”}
$settings["PrefixSuffixNamingRequirement"] = "GRP - [Department] - [GroupName]"
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

2 – Review your updated settings; you can now see the default values for the directory settings object.

Get-AzureADDirectorySetting | ForEach Values

Microsoft standard blocked words

There are a lot of unprofessional words naturally in the English language that most likely should never be part of an Office 365 Group name. This includes a primary set of things like swear words and other inappropriate words that your imagination may be able to come up with. This is a single setting to turn on the blocked words or off. 

Steps to set the Microsoft blocked words

This is assuming you already have a directory settings template created, details in prior post, and connection information from the first section.

1 – Use comma delimited values for the blocked words.

$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”}
$settings["EnableMSStandardBlockedWords"] = $true
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

2 – Review your updated settings; you can now see the default values for the directory settings object.

Get-AzureADDirectorySetting | ForEach Values

And when you put it all together!

You get a blocked word of CEO and a naming policy pulling in a prefix of “GRP – ” with an Azure AD department of “NFL” and a suffix of ” – CEO”. You will also see the alias removing the spaces.

Where does the naming policy actually work?

As there are a lot of workloads across Office 365 that utilize Groups there are a lot of places that these policies need to work. Currently it is not supported in every workload. Microsoft has the detailed information for what is supported in their support article here

Here is the current breakdown in Dec 2017.

Where it works:

  • Outlook on the Web
  • Outlook Client – Doesn’t preview
  • Outlook Mobile – Doesn’t preview
  • Teams
  • SharePoint
  • Stream
  • Groups mobile app
  • Planner
  • Dynamics 365
  • Exchange PowerShell
  • Azure AD PowerShell
  • O365 Admin Center

Where it doesn’t:

  • Power BI workspace
  • Yammer
  • StaffHub
  • Azure AD Portal

Licensing

Any Office 365 subscription that has Exchange Online and SharePoint Online will support groups. That includes the Business Essentials and Business Premium plans, and the Enterprise E1, E3 and E5 plans.

There is a large collection of features that require specific types of Azure AD licenses. The Office 365 Groups naming policy requires Azure AD Premium P1 licenses for any users who are part of Office 365 Groups.

The full collection of licensing information is listed from Microsoft here.