
Managing Office 365 Group Creation via Azure AD


Introduction

Nearly every time Microsoft introduces a solution in Office 365, one of the first things IT people look for is how to turn it off. The same thing occurred when Office 365 Groups were released to the world. Office 365 Groups are more unusual in this situation because they are not really a single technology but more of a solution wrapping multiple technologies within Office 365. There are a lot of other posts out there about what actually makes up Office 365 Groups and I plan to write a much longer one, but here are the basics of what is currently wrapped up:

  • Email & Calendar
  • Security & Membership
  • Files & OneNote
  • Planner
  • PowerBI
  • and more!

One key thing to understand when looking at this list is that it spans multiple technologies such as Azure AD, Exchange, and SharePoint. When you have multiple technologies, centralized management becomes a harder challenge. As Microsoft continues to innovate, it will continue to do so using the Minimum Viable Product (MVP) method. This means that we are getting solutions that are not fully developed, and one of the most common areas where this shows is IT management. New solutions are people first, and personally I like this approach.

What occurred with Office 365 Groups was that until very recently the only way to control Group creation was through Outlook Mailbox Policies via Exchange. This meant that if a user created a group via Planner (which requires Groups) or PowerBI, the creation would not follow the policy and the user could still create Groups. This is because the creation does not occur through an Exchange application, which means the OwaMailboxPolicy process doesn't work anymore.


Managing Group Creation via Azure AD

With the GA of Planner, Microsoft added the ability within Azure AD PowerShell to control who can create Office 365 Groups. This process is no longer dependent on Exchange, so it applies throughout Office 365. If an OWA policy exists and the Azure AD (AAD) policy is enabled, the OWA policy will be ignored.

You can now do 2 things:

  1. Disable the default ability of everyone to create a new Office 365 Group
  2. Point to an AAD group (Office 365 Group or Distribution Group) that contains a list of people who are allowed to create groups
    • This group cannot contain another group; its members must be individual users
    • Users with higher tenant roles already have access (company admin, mailbox admin, etc…)

Prerequisites:

NOTE: Version 1.1.143.0 of the Azure AD PowerShell module includes many changes to renew the existing MSOL PowerShell cmdlets. Over time the existing MSOL cmdlets will be replaced. The new module is called “AzureAD.” So where, for example, an existing cmdlet was named “New-MSOLUser”, which adds a new user to the directory, the new cmdlet’s name is “New-AzureADUser”.

My scripts below use version 1.1.143.0. See the Azure AD PowerShell Module Version Release History.


Steps to disable ALL Group creation

1 – Connect to Azure AD via PowerShell

2 – Review if you have any MsolSettings currently configured in your tenant

3a – If you have settings returned, it will look like this (properties subject to change over time):

[Screenshot: existing settings output]

Run this command to set EnableGroupCreation to false and remove any groups entered in GroupCreationAllowedGroupId

3b – If you have NO settings returned, it will look like this, and a new template will need to be created:

[Screenshot: empty settings output]

Run this command to create the new template with EnableGroupCreation set to false

4 – Review your updated settings; now Group creation is disabled for all users



Steps to disable Group creation except for only authorized users

1 – Connect to Azure AD via PowerShell

2 – Review if you have any MsolSettings currently configured in your tenant

3a – If you have settings returned, it will look like this (properties subject to change over time):

[Screenshot: existing settings output]

Run this command to update the settings with EnableGroupCreation set to false and pass the group for authorized users who will be able to create groups.

  • Replace “ENTER GROUP DISPLAY NAME HERE” with the display name of your group to get the ObjectId of the group.

Here is a visual example of what we are trying to get via the Azure AD portal.

[Screenshot: the group's ObjectId in the Azure AD portal]

3b – If you have NO settings returned, it will look like this, and a new template will need to be created:

[Screenshot: empty settings output]

Run this command to create the new template with EnableGroupCreation set to false and pass the group for authorized users who will be able to create groups.

  • Replace “ENTER GROUP DISPLAY NAME HERE” with the display name of your group to get the ObjectId of the group.

4 – Review your updated settings; now Group creation is disabled for all users EXCEPT the ones in the declared group
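Both procedures above, written as one function. This is an added example, not the author's script: the cmdlets Get-MsolAllSettings, Get-MsolSettings, Set-MsolSettings, New-MsolSettings and Get-MsolAllSettingTemplate, and the 'Group.Unified' display name, are assumptions about the MsolSettings cmdlet family the steps refer to, and the function name is hypothetical.

```powershell
# Added example, not the author's script. Cmdlet names and the 'Group.Unified'
# display name are assumptions about the MsolSettings cmdlet family.
function Set-O365GroupCreationPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Display name of the group allowed to create Groups; omit to block everyone.
        [string]$AllowedGroupDisplayName
    )
    $allowedId = ''   # an empty value clears GroupCreationAllowedGroupId
    if ($AllowedGroupDisplayName) {
        $match = @(Get-MsolGroup -All |
            Where-Object { $_.DisplayName -eq $AllowedGroupDisplayName })
        # Display names are not unique, so refuse to guess which group is meant.
        if ($match.Count -ne 1) {
            throw "Expected one group named '$AllowedGroupDisplayName', found $($match.Count)."
        }
        $allowedId = [string]$match[0].ObjectId
    }
    $existing = Get-MsolAllSettings | Where-Object { $_.DisplayName -eq 'Group.Unified' }
    if ($existing) {
        # Step 3a: settings exist, so update their values in place.
        $values = (Get-MsolSettings -SettingId $existing.ObjectId).GetSettingsValue()
        $values['EnableGroupCreation'] = 'false'
        $values['GroupCreationAllowedGroupId'] = $allowedId
        if ($PSCmdlet.ShouldProcess('Group.Unified', 'Update settings')) {
            Set-MsolSettings -SettingId $existing.ObjectId -SettingsValue $values
        }
    }
    else {
        # Step 3b: nothing is configured, so create settings from the template.
        $template = Get-MsolAllSettingTemplate |
            Where-Object { $_.DisplayName -eq 'Group.Unified' }
        $setting = $template.CreateSettingsObject()
        $setting['EnableGroupCreation'] = 'false'
        $setting['GroupCreationAllowedGroupId'] = $allowedId
        if ($PSCmdlet.ShouldProcess('Group.Unified', 'Create settings')) {
            New-MsolSettings -SettingsObject $setting
        }
    }
    # Step 4: return the current settings for review.
    Get-MsolAllSettings | Where-Object { $_.DisplayName -eq 'Group.Unified' }
}

Connect-MsolService   # Step 1
Get-MsolAllSettings   # Step 2
Set-O365GroupCreationPolicy -AllowedGroupDisplayName 'ENTER GROUP DISPLAY NAME HERE' -WhatIf
```

Drop -WhatIf to apply the change, and omit -AllowedGroupDisplayName to disable Group creation for all users.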



Aftermath

Once configured, users will see errors like these when trying to create an Office 365 Group.

Via Outlook UI:

[Screenshot: error shown in Outlook]

Via Planner UI:

[Screenshot: error shown in Planner]

All of these Office 365 Group scripts can be found on GitHub. Large thanks to Tony Redmond, Santhosh Balakrishnan, and Juan Carlos Martin for providing multiple scripts.

Please feel free to contribute!

https://github.com/dmadelung/O365GroupsScripts

Disabling Office 365 Planner Using PowerShell

Office 365 Planner is now rolling out to your tenant.  Microsoft announced this week that Planner is ready for showtime. As this is a product early in its life cycle, Microsoft is still looking for feedback through the Planner uservoice site. Over the next several weeks, Planner will roll out to all eligible Office 365 customers worldwide. At this time, Planner is included with:

  • Office 365 Enterprise (E1, E3, E4, and E5)
  • Office 365 Education (E1, E3, E4, and E5)
  • Office 365 Business Essentials
  • Office 365 Business Premium.

Microsoft Planner will not be available to users by default in the General Availability (GA) update in the following subscription plans:

  • Office 365 operated by 21Vianet
  • Office 365 Government

An important thing to note with this release…

Each user who has one of the Office 365 plans mentioned above has a Microsoft Planner license that is enabled by default.

If your enterprise is not ready, an admin can add or remove licenses for individual users, or disable Planner for all users. I put a script together that you can run to disable Planner for all licensed users in your tenant.  This script will:

  1. Disable any plan entered into the $disabledplans variable, by default it is just Planner (PROJECTWORKMANAGEMENT)
  2. Disable the Planner Preview SKU if it was assigned
  3. ***Reassign all other services not declared as being disabled.*** <- important  
    • Add any other services you want to disable in the $disabledplans variable (i.e. YAMMER_ENTERPRISE)
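The behaviour in point 3 is the part most likely to surprise: setting license options replaces the whole disabled-plan list, so a plan an admin turned off earlier comes back unless it is also listed in $disabledplans. This added example (not the author's script) uses the MSOnline licensing cmdlets to warn about each plan that would be re-enabled before anything is changed. The function names are hypothetical, and the Planner Preview SKU step is not covered.

```powershell
# Added example, not the author's script. Requires the MSOnline module.
$disabledplans = @('PROJECTWORKMANAGEMENT')   # add others, e.g. 'YAMMER_ENTERPRISE'

function Get-PlanChange {
    # Given one license's plan states, work out what a run would change.
    param([hashtable]$PlanStatus, [string[]]$DisabledPlans)
    # New-MsolLicenseOptions rejects plans the SKU does not contain.
    $present = @($DisabledPlans | Where-Object { $PlanStatus.ContainsKey($_) })
    # Plans disabled today but not listed will be switched back on.
    $reEnabled = @($PlanStatus.Keys | Where-Object {
            $PlanStatus[$_] -eq 'Disabled' -and $DisabledPlans -notcontains $_ })
    [pscustomobject]@{ Disable = $present; ReEnabled = $reEnabled }
}

function Disable-ServicePlans {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$DisabledPlans = $disabledplans)
    foreach ($user in Get-MsolUser -All | Where-Object { $_.IsLicensed }) {
        foreach ($license in $user.Licenses) {
            $status = @{}
            foreach ($s in $license.ServiceStatus) {
                $status[$s.ServicePlan.ServiceName] = [string]$s.ProvisioningStatus
            }
            $change = Get-PlanChange -PlanStatus $status -DisabledPlans $DisabledPlans
            if ($change.Disable.Count -eq 0) { continue }   # SKU has none of the plans
            $upn = $user.UserPrincipalName
            if ($change.ReEnabled.Count -gt 0) {
                Write-Warning "${upn}: re-enables $($change.ReEnabled -join ', ')"
            }
            $options = New-MsolLicenseOptions -AccountSkuId $license.AccountSkuId `
                -DisabledPlans $change.Disable
            if ($PSCmdlet.ShouldProcess($upn, "Disable $($change.Disable -join ', ')")) {
                Set-MsolUserLicense -UserPrincipalName $upn -LicenseOptions $options
            }
        }
    }
}

Connect-MsolService
Disable-ServicePlans -WhatIf   # remove -WhatIf to apply
```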

Thanks to @vladcatrinescu and his script on disabling Yammer as a starting point

Create SharePoint Subsites with Custom Permissions & Templates Using Powershell

I had a situation recently in which we were performing a migration from SharePoint Services 2.0 up to SharePoint 2013. When testing the path of copying the sites directly from 2.0 to 2013, they didn’t come across very clean. One of the main reasons was that the way permissions were done in 2.0 does not directly match 2013. If we had performed a migration like this, they would have had a working environment, but it would have been very hard to manage moving forward. Knowing that we didn’t want to copy the sites, we decided to try to create all the new sites prior to the migration and then only copy the content.

When performing our pre-migration analysis we found around 2,000 sites and subsites. We performed multiple information architecture planning workshops to figure out the new site structure for 2013. Once we had the agreed-upon new site structure, we could then map the sites that needed to be migrated to their new locations. Once we had this kind of data, I knew I could automate the creation of all the sites. Now, I never like to start my scripts from scratch if I don’t have to, and there are a lot of very smart people out there posting helpful info. I found some scripts online and put them together with my own special inserts and use cases. To give proper credit, here is where I got this script started:

  • This is a great codeplex solution from @PhillipChilds that will create subsite structure as a CSV. This was a good start but would require me to enter all the information for the SharePoint groups that I needed.
  • I then found this script from @PointBeyond which would create the 3 default SharePoint groups I was looking for.

So now I had a script that would create subsites based on a CSV and create 3 default SharePoint groups if stated, awesome!

The last issue I ran into was applying a custom site template to the subsite. (Here is a list of available site templates in SharePoint 2013, thanks to @vladcatrinescu.) When you try to create a subsite using PowerShell and pass through a custom site template, it will not actually apply the template. The way to get this to work was to apply the site template after the subsite was created. So now all templates, whether default or custom, will be applied after the site is created. Here is a little trick on how to get a custom site template ID without using PowerShell.

I also included the enabling and disabling of a few site features.

  • Minimal Download Strategy will be disabled
  • Getting Started will be disabled
  • Publishing will be enabled
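The sequence described above, as an added example that is not the author's script: create the subsite with unique permissions and no template, apply the template afterwards, create the three default groups, then set the features. The CSV column names, URLs, login and function name are constructed for illustration, and the feature names are the SharePoint 2013 feature folder names.

```powershell
# Added example, not the author's script. Run in the SharePoint 2013 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function New-SubsiteFromRow {
    param([Parameter(Mandatory)]$Row)
    $url = '{0}/{1}' -f $Row.ParentUrl.TrimEnd('/'), $Row.UrlSegment

    # No -Template here: a custom template passed at creation is not applied.
    # -UniquePermissions breaks inheritance so the site can own its groups.
    $web = New-SPWeb -Url $url -Name $Row.Title -UniquePermissions
    try {
        # Apply the default or custom template once the site exists,
        # e.g. 'STS#0' or '{<solution GUID>}#<template name>'.
        $web.ApplyWebTemplate($Row.Template)
        if ($Row.CreateGroups -eq 'Yes') {
            # Creates the Owners, Members and Visitors groups, named from the title.
            # The login format depends on the web application's authentication mode.
            $web.CreateDefaultAssociatedGroups($Row.OwnerLogin, '', $Row.Title)
        }
        $web.Update()
    }
    finally {
        $web.Dispose()   # SPWeb objects hold unmanaged resources
    }

    # Feature changes come last because applying a template can activate features.
    foreach ($feature in 'MDSFeature', 'GettingStarted') {
        Disable-SPFeature -Identity $feature -Url $url -Confirm:$false `
            -ErrorAction SilentlyContinue
    }
    # Assumes the site collection's publishing infrastructure feature is active.
    Enable-SPFeature -Identity 'PublishingWeb' -Url $url
}

# Constructed sample input; parents must be listed before their children.
$csv = @'
ParentUrl,UrlSegment,Title,Template,CreateGroups,OwnerLogin
http://sharepoint.example/sites/hr,benefits,Benefits,STS#0,Yes,EXAMPLE\jdoe
http://sharepoint.example/sites/hr/benefits,claims,Claims,STS#0,No,
'@
$csv | ConvertFrom-Csv | ForEach-Object { New-SubsiteFromRow -Row $_ }
```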

Here is a link to the script and the CSV to get started.


There are other areas that I would like to expand on this script but if you have any ideas please let me know!

Adjusting Email Notifications For SharePoint 2013 Task Lists

When looking at the settings of a SharePoint 2013 task list you no longer have the option to enable email notifications.  This used to be found under List Settings -> Advanced Settings -> Send e-mail when ownership is assigned.

This is what it looks like in 2010.

[Screenshot: the setting in SharePoint 2010]

This can still be turned on using PowerShell in SharePoint 2013.  Here is the PowerShell to perform that task along with a link back to the source of the script.  Thanks to the creator of the script, karimSP!

Adjusting when the assigned to task email is fired

Fortunately we have the ability to change the types of event that fire these emails in PowerShell.  The primary use case I used this for is to only send task emails on creation of the item (Add).

The available options for when notifications are sent are listed in the SPEventType enumeration and they are:

| Member name | Description |
| --- | --- |
| Add | Additions to the list or list item. (0x00000001) |
| Modify | All changes made in a list or list item. (0x00000002) |
| Delete | Deletion of a list or list item. (0x00000004) |
| Discussion | Changes in Web discussions. (0x00000FF0) |
| All | All events pertaining to the list or list item. (-1) |

Powershell to update the events

I have included variables at the top of the script that you can enter depending on the location of the task list(s) along with which ones you want to update.  Make sure you run the powershell to activate the assigned to email, the script above, prior to running this script.

Link to download powershell script


If anyone has any thoughts or suggestions for this script please let me know!