Browse Category

Office 365

Locking a SharePoint Online Site Collection

Within SharePoint Online you have the ability to completely lock down a site collection so no one can get access to it.  This is set via PowerShell and the SharePoint Online Management Shell.  Here are instructions on how to get started using connecting to SharePoint Online via PowerShell.  This lock can also be set on a user’s OneDrive for Business site collection.

Along with the ability to lock a site collection you can also set a redirect URL for the tenant for any locked sites that are accessed.  That means that when a user tries to access that locked site they will be redirected to the URL that you provided at the tenant level.  This could be helpful to provide instructions or further info for anyone letting them know that the site they were trying to access has been locked.  If no redirect URL is set they will receive a 403 error. 

NOTE: As of writing this post you are not able to set a lock state of a site provisioned with an Office 365 Group even though the PS cmdlets say it should be possible.  I will demo the actions later in this post but I have contacted Microsoft on this error and they state it is currently as designed and the error received is incorrect. 

The PowerShell cmdlets that are used to set this up are:


Steps to lock or unlock a site collection

1 – Connect to SharePoint Online

2 – Locking – Set the -LockState of the site collection to “NoAccess” while replacing the domain and sitecollection info to lock the site

  • This can also be a OneDrive for Business site collection (i.e. https://domain-my.sharepoint.com/personal/usersite)

 

2(a) – Unlocking – Set the -LockState of the site collection to “Unlock” while replacing the domain and sitecollection info to unlock the site

3 – Navigate to the URL to confirm and use PowerShell to confirm locked state


Steps to set a tenant redirect URL

1 – Connect to SharePoint Online

2 – Set the NoAccessRedirectURL of the tenant to a URL while replacing the domain and sitecollection info

3 – Navigate to the URL to confirm the redirect.  This may take a few minutes

To remove the NoAccessRedirectURL you can pass in an empty string


Trying to lock an Office 365 Group site

Here is the error you receive when trying to lock a group site:

 

Set-SPOSite : https://domain.sharepoint.com/sites/drewtesto365group is a OneDrive for Business site collection. The only valid parameters for this type of site collection are ‘-Identity’, ‘-StorageQuota’, ‘-StorageWarningLevel’, ‘-LockState’ and ‘-SharingCapability’.
At line:1 char:1
+ Set-SPOSite -Identity https://domain.sharepoint.com/sites/dre …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Set-SPOSite], ServerException
+ FullyQualifiedErrorId : Microsoft.SharePoint.Client.ServerException,Microsoft.Online.SharePoint.PowerShell.SetSite

The error declares it as a OneDrive for Business site collection and says that -LockState is a valid parameter yet still doesn’t work.  I opened a support ticket with Microsoft and this was their resolution:

“It is by design Issue. We can lock a site collection however we cannot lock a unified group site.”

If this is something that you need I would recommend adding to to Uservoice.  If you need to “lock” an Office 365 Group site the best way as it exists when I am writing this is to remove permissions within the group.


Getting status of all locked site collections in a tenant

At this point Get-SPOSite will not return any OneDrive for Business or Group sites.  There is new parameter called “-IncludePersonalSite” which at some point should return OneDrive sites via this cmdlet.  If you run this now you get the error:

WARNING: SharePoint Online does not support these new features yet.

 

Configuring Office 365 Group Classification

group1

Recently Microsoft released the ability to create classifications for Office 365 groups that allow end users set.  For example, you can now set classifications such as: internal, confidential, external, secret, top secret, low, medium, high, etc..  Group classifications are new and I am not sure the full story of how these will be utilized moving forward.  There are enhancements coming around classification within the security and compliance center that I hope this will be able to tie into at at some point.

Here is some info on the current setup of group classification (as of 10/31/2016):

  • They don’t actually technically do anything yet…
  • They are not on by default
  • The choices can only be set via PowerShell
  • They currently don’t show anywhere else other than “edit group” via Outlook
  • You can only have 1 set of classifications for a tenant
  • If you change a classification value, it does NOT go back and update existing groups that were classified but the existing groups that were classified do not lose the classification
  • It takes some time for classification changes to be visible in the GUI
  • Don’t put spaces between the comma delimited values (i.e. “internal,external” NOT “internal, external”)
  • You can use spaces within comma eliminated values (i.e. “secret,top secret”)
  • I tested some special characters such as ? and ! and they worked
  • I am not aware of a classification limit, i did a test with 15 without an issue

Here is the description of the new property:

2016-10-30-16_07_07-start

Prerequisites:

NOTE: Version 1.1.143.0 of the Azure AD PowerShell module includes many changes to renew the existing MSOL PowerShell cmdets. Over time the existing MSOL cmdlets will be replaced. The new module is called “AzureAD.” So where e.g. an existing cmdlet was named “New-MSOLUser”, which adds a new user to the directory, the new cmdlet’s name is “New-AzureADUser.

My scripts below are using Version 1.1.143.0.  Azure AD PowerShell Module Version Release History


Steps to set values for Group Classification

1 – Connect to Azure AD via PowerShell

2 – Review if you have any MsolSettings currently configured in your tenant

3a – If you have settings returned it will look like this (properties subject to change over time)

group2

Run this command to set ClassificationList to a comma separated list of values that you want.  (In my example I included “Internal,External,Confidential”)

3b – If you have NO settings returned it will look like this a new template will need to be created

group3

Run this command to set ClassificationList to a comma separated list of values that you want.  (In my example I included “Internal,External,Confidential”)

4 – Review your updated settings; now Classification’s are available for Groups

2016-10-30-16_14_29-start

You will now see it through the GUI when editing a group and will have the ability to set it.

2016-10-30-16_19_20-new-notification

And once you set a classification it will be viewable.

2016-10-30-16_20_55-photos

You can also set a classification using the Set-UnifiedGroup and New-UnifiedGroup cmdlets.

 

Ignite 2016 Info and Thoughts on Announcements for SharePoint – OneDrive – Office 365

2016-09-28-14_49_22-ignite-sharepoint-onedrive-office-365-info

I put together a Microsoft Sway through my Concurrency tenant that wraps up all of the announcements and my thoughts from the collaboration space at Ignite 2016.  This includes info on everything I was able to attend and intake while here in Atlanta.  I used Microsoft Sway so I could continuously update the Sway throughout the conference and after the conference for future review.  My changes are made in real-time and it’s super easy to update.

Link to Sway

Managing Office 365 Group Creation via Azure AD

group1

Introduction

Nearly every time Microsoft introduces a solution in Office 365 one of the first thing IT people look for is how to turn it off. The same thing occurred when Office 365 Groups were released to the world. Office 365 Groups are more unique in this situation because they are not really a single technology but more of a solution wrapping multiple technologies within Office 365. There are a lot of other posts out there about what actually makes up Office 365 Groups and I plan to write a much longer one, but here are the basics of what is currently wrapped up:

  • Email & Calendar
  • Security & Membership
  • Files & OneNote
  • Planner
  • PowerBI
  • and more!

One key thing to understand looking at this list is that you have multiple technologies such as Azure AD, Exchange, and SharePoint. When you have multiple technologies you have a harder challenge with centralized management. As Microsoft continues to innovate they will continue to do so using the Minimal Viable Product (MVP) method. This means that we are getting solutions that are not fully developed and one of the most common areas that this is lacking is with IT management. New solutions are people first and personally I like this approach.

What occurred with Office 365 Groups was that until very recently the only way to control Group creation was through Outlook Mailbox Policies via Exchange. This meant that if you created a group via Planner (which Groups are required) or PowerBI it would not follow the policy and the user could still create Groups. This is because the creation is not occurring through an Exchange application and means the OwaMailboxPolicy process doesn’t work anymore.


Managing Group Creation via Azure AD

With the GA of Planner, Microsoft added the ability within Azure AD PowerShell to control who can create Office 365 Groups. This process is no longer dependent on Exchange so it passes throughout Office 365. If an OWA policy exists and Azure AD (AAD) policy is enabled, the OWA policy will be ignored.

You can now do 2 things:

  1. Disable the default ability of everyone to create a new Office 365 Group
  2. Point to an AAD group (Office 365 Group or Distribution Group) that contains a list of people who are allowed to create groups
    • This group cannot have a group in it, must be individual users
    • Users with higher tenant roles already have access (company admin, mailbox admin, etc…)

Prerequisites:

NOTE: Version 1.1.143.0 of the Azure AD PowerShell module includes many changes to renew the existing MSOL PowerShell cmdets. Over time the existing MSOL cmdlets will be replaced. The new module is called “AzureAD.” So where e.g. an existing cmdlet was named “New-MSOLUser”, which adds a new user to the directory, the new cmdlet’s name is “New-AzureADUser.

My scripts below are using Version 1.1.143.0.  Azure AD PowerShell Module Version Release History


Steps to disable ALL Group creation

1 – Connect to Azure AD via PowerShell

2 – Review if you have any MsolSettings currently configured in your tenant

3a – If you have settings returned it will look like this (properties subject to change over time)

group2

Run this command to set EnableGroupCreation to false and remove any groups entered in GroupCreationAllowedGroupId

3b – If you have NO settings returned it will look like this a new template will need to be created

group3

Run this command to create the new template with EnableGroupCreation set to false

4 – Review your updated settings; now Group creation is disabled for all users

group4


Steps to disable Group creation except for only authorized users

1 – Connect to Azure AD via PowerShell

2 – Review if you have any MsolSettings currently configured in your tenant

3a – If you have settings returned it will look like this (properties subject to change over time)

group2

Run this command to update the settings with EnableGroupCreation set to false and pass the group for authorized users who will be able to create groups.

  • Replace “ENTER GROUP DISPLAY NAME HERE” with the display name of your group to get the ObjectId of the group.

Here is a visual example of what we are trying to get via the Azure AD portal.

group5

3b – If you have NO settings returned it will look like this a new template will need to be created

group3

Run this command to create the new template with EnableGroupCreation set to false and pass the group for authorized users who will be able to create groups.

  • Replace “ENTER GROUP DISPLAY NAME HERE” with the display name of your group to get the ObjectId of the group.

4 – Review your updated settings; now Group creation is disabled for all users EXCEPT the ones in the declared group

group6


Aftermath

Once configured users will see errors like this when trying to create an Office 365 Group

Via Outlook UI:

group8

Via Planner UI:

group7

All of these Office 365 Group scripts can be found on Github. Large thanks to Tony Redmond, Santhosh Balakrishnan, and Juan Carlos Martin for providing multiple scripts

Please feel free to contribute!

https://github.com/dmadelung/O365GroupsScripts

Disabling Office 365 Planner Using PowerShell

Office 365 Planner is now rolling out to your tenant.  Microsoft announced this week that Planner is ready for showtime. As this is a product early in its life cycle, Microsoft is still looking for feedback through the Planner uservoice site. Over the next several weeks, Planner will roll out to all eligible Office 365 customers worldwide. At this time, Planner is included with:

  • Office 365 Enterprise (E1, E3, E4, and E5)
  • Office 365 Education (E1, E3, E4, and E5)
  • Office 365 Business Essentials
  • Office 365 Business Premium.

Microsoft Planner will not be available to users by default in the General Availability (GA) update in the following subscription plans:

  • Office 365 operated by 21Vianet
  • Office 365 Government

An important thing to note with this release…

Each user who has one of the Office 365 plans mentioned above has a Microsoft Planner license that is enabled by default.

If your enterprise is not ready, an admin can add or remove licenses for individual users, or to disable Planner to all users. I put a script together that you can run to disable Planner for all licensed users in your tenant.  This script will:

  1. Disable any plan entered into the $disabledplans variable, by default it is just Planner (PROJECTWORKMANAGEMENT)
  2. Disable the Planner Preview SKU if it was assigned
  3. ***Reassign all other services not declared as being disabled.*** <- important  
    • Add any other services you want to disable in the $disabledplans variable (i.e. YAMMER_ENTERPRISE)

Thanks to @vladcatrinescu and his script on disabling Yammer as a starting point