Managing Office 365 Groups Using Azure AD Powershell V2


Introduction

Azure AD PowerShell is an incredibly useful tool for management.  V2 was released as GA (general availability) in Dec 2016.
This means that you can begin to use the new cmdlets in your production environment.  V2 does not yet cover everything the V1 MSOL cmdlets do, so both modules will still need to be used while V2 continues to develop.  There is also a preview module you can download that has some features beyond the GA V2 release.  The V1 module will be deprecated as V2 advances, so I recommend working with V2 when possible and only going back to V1 as needed.

I won’t be going through all of the differences between these versions but will be shedding some light on the differences for Office 365 Group management from V1 to now.  This is a follow up to my original post: Managing Office 365 Group Creation via Azure AD

Links:

Licensing

Microsoft has made changes to the licensing for Office 365 Groups capabilities and the required Azure AD licensing to be able to use them. This is highlighted in the ‘Feature availability and licensing section’ of the following article: Learn about Office 365 Groups 

Quick V1 vs. V2 Examples

The big difference from V1 to V2 is that the cmdlets named *-Msol* are now named *-AzureAD*.  The full list of cmdlets can be found through the links above.

To connect using V1 you would use:

Connect-MsolService

In V2 you now use:

Connect-AzureAD

To get a user in V1 you would use:

Get-MSOLUser

In V2 you now use:

Get-AzureADUser

Managing Groups using Azure AD PowerShell V2

To perform Group settings management you will need to use the V2 Preview cmdlets (download above) until they are rolled into the GA V2 module.  The Office 365 Groups settings cmdlets that are available in V1 are currently not in the GA V2 module, only in the preview.  Hopefully when they are rolled in they won't change much from what I am writing here.

The primary cmdlets utilized in V1:

Get-MsolAllSettings
Get-MsolAllSettingTemplate
New-MsolSettings
Set-MsolSettings
Remove-MsolSettings

Their comparison in V2:

Get-AzureADDirectorySetting
Get-AzureADDirectorySettingTemplate
New-AzureADDirectorySetting
Set-AzureADDirectorySetting
Remove-AzureADDirectorySetting

The way these are updated is also different.  That means you cannot simply replace "MsolAllSettings" with "AzureADDirectorySetting" in your scripts: the parameters you need to pass are different and some functions are not available.


You can currently see all of these values, but not all of them can be set.  Please review Microsoft's latest supported parameters, as these are updated frequently.

Name : ClassificationDescriptions
Description : A comma-delimited list of structured strings describing the classification values in the ClassificationList. The structure of the string is: Value: Description

Name : DefaultClassification
Description : The classification value to be used by default for Unified Group creation.

Name : PrefixSuffixNamingRequirement
Description : A structured string describing how a Unified Group displayName and mailNickname should be structured. Please refer to docs to discover how to structure a valid requirement.

Name : AllowGuestsToBeGroupOwner
Description : Flag indicating if guests are allowed to be owner in any Unified Group.

Name : AllowGuestsToAccessGroups
Description : Flag indicating if guests are allowed to access any Unified Group resources.

Name : GuestUsageGuidelinesUrl
Description : A link to the Group Usage Guidelines for guests.

Name : GroupCreationAllowedGroupId
Description : Guid of the security group that is always allowed to create Unified Groups.

Name : AllowToAddGuests
Description : Flag indicating if guests are allowed in any Unified Group.

Name : UsageGuidelinesUrl
Description : A link to the Group Usage Guidelines.

Name : ClassificationList
Description : A comma-delimited list of valid classification values that can be applied to Unified Groups.

Name : EnableGroupCreation
Description : Flag indicating if group creation feature is on.


Steps to Create new Directory Settings for Groups template

Your Azure AD tenant contains several directory setting templates.  The Group.Unified template describes the settings for Office 365 Groups; you create a settings object from it, and that object holds the collection of values listed above.  This object has to exist before you can set any values.  If you already have it you can move to the section below.

1 – Connect to Azure AD via PowerShell

Connect-AzureAD

2 – Review if you have any settings currently configured in your tenant

Get-AzureADDirectorySetting | ForEach Values

3a – If directory settings are returned, a settings object already exists (its properties are subject to change over time) and you can skip to the next section.

3b – If NO settings are returned, new directory settings need to be created.  Run this command to create them:

$template = Get-AzureADDirectorySettingTemplate | where-object {$_.displayname -eq "Group.Unified"}
$setting = $template.CreateDirectorySetting()
New-AzureADDirectorySetting -DirectorySetting $setting

4 – Review your updated settings; you can now see the default values for the directory settings object created for the Groups template

Get-AzureADDirectorySetting | ForEach Values
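The creation steps above as one script that is safe to run more than once.  This is an added example, not code from the original post; it assumes the AzureADPreview module is installed and Connect-AzureAD has already succeeded.  It checks for an existing Group.Unified settings object before creating one, then lists every value beside the default and description the template carries, so you can see which values are still at their defaults.

```powershell
# Added example (not from the original post). Creates the Group.Unified
# directory settings object only if the tenant does not already have one.
# Assumes the AzureADPreview module is loaded and Connect-AzureAD has run.

$templateName = 'Group.Unified'

# The template carries the default value and description of every setting
$template = Get-AzureADDirectorySettingTemplate |
    Where-Object { $_.DisplayName -eq $templateName }
if (-not $template) {
    throw "Template '$templateName' was not found in this tenant"
}

# Look for a settings object already created from this template
$existing = Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq $templateName }

if ($existing) {
    Write-Host "Directory settings for $templateName already exist (Id $($existing.Id))"
}
else {
    # Instantiate the template with its default values and persist it
    $setting = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $setting | Out-Null

    # Re-read from the directory rather than trusting the local object
    $existing = Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq $templateName }
    Write-Host "Created directory settings for $templateName (Id $($existing.Id))"
}

# Index the template values by name so each current value can be shown
# next to its default and description
$defaults = @{}
foreach ($v in $template.Values) { $defaults[$v.Name] = $v }

$existing.Values | ForEach-Object {
    [pscustomobject]@{
        Name        = $_.Name
        Value       = $_.Value
        Default     = $defaults[$_.Name].DefaultValue
        Description = $defaults[$_.Name].Description
    }
} | Format-Table -AutoSize -Wrap
```

Reading the object back after New-AzureADDirectorySetting, instead of keeping the local copy, means the Id and values shown are what the directory actually holds.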


Steps to set Group Settings

1 – Connect to Azure AD via PowerShell

Connect-AzureAD

2 – Review if you have any settings currently configured in your tenant

Get-AzureADDirectorySetting | ForEach Values

3a – If directory settings are returned, a settings object already exists (its properties are subject to change over time) and you can continue with the examples below.

3b – If NO settings are returned, new directory settings need to be created; follow the steps above first.

4 – Examples of Group settings

All of the examples below get the Group.Unified settings object with Get-AzureADDirectorySetting, store it in a variable, update one or more values, and write it back with Set-AzureADDirectorySetting.  The full command to run a setting update is:

$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq "Group.Unified"}
$settings["SETTING NAME"] = ""
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

I will walk through some of the common scenarios and how to configure the settings parameters.  If you run any of the

Restricting Group Creation for all except users in a specific group

Enter the group you want to use in the “ENTER..” section.

$group = Get-AzureADGroup -All $True | Where-Object {$_.DisplayName -eq "ENTER GROUP DISPLAY NAME HERE"}
$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq "Group.Unified"}
$settings["EnableGroupCreation"] = "false"
$settings["GroupCreationAllowedGroupId"] = $group.ObjectId
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

Setting Group classification

Use comma delimited values for the classifications.

$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq "Group.Unified"}
$settings["ClassificationList"] = "Internal,External,Confidential"
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

Setting Guidelines URL

Enter a valid URL to a page or document that holds your guidelines.

$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq "Group.Unified"}
$settings["UsageGuidelinesUrl"] = "https://domain.sharepoint.com/sites/intranet/Pages/Groups-Usage-Guidelines.aspx"
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

Restrict all access for guest users to Groups including ones that were already granted access

$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq "Group.Unified"}
$settings["AllowGuestsToAccessGroups"] = "False"
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

Restrict the ability to add any new guest users but not restrict existing

$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq "Group.Unified"}
$settings["AllowToAddGuests"] = "False"
$settings["AllowGuestsToAccessGroups"] = "True"
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

Setting all Group settings

With some examples.

$group = Get-AzureADGroup -All $True | Where-Object {$_.DisplayName -eq "ENTER GROUP DISPLAY NAME HERE WHO WILL HAVE ACCESS TO CREATE GROUPS"}
$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq "Group.Unified"}
$settings["ClassificationDescriptions"] = "Internal:This is internal only,External:External users can access,Confidential:Highly secure" 
$settings["DefaultClassification"] = "Confidential"
$settings["PrefixSuffixNamingRequirement"] = "ogrp-" 
$settings["AllowGuestsToBeGroupOwner"] = "false"
$settings["AllowGuestsToAccessGroups"] = "true" 
$settings["GuestUsageGuidelinesUrl"] = "https://domain.sharepoint.com/sites/intranet/Pages/Groups-Guest-Usage-Guidelines.aspx"
$settings["GroupCreationAllowedGroupId"] = $group.ObjectId 
$settings["AllowToAddGuests"] = "true"
$settings["UsageGuidelinesUrl"] = "https://domain.sharepoint.com/sites/intranet/Pages/Groups-Usage-Guidelines.aspx" 
$settings["ClassificationList"] = "Internal,External,Confidential"
$settings["EnableGroupCreation"] = "true"
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

5 – Review your updated settings

Get-AzureADDirectorySetting | ForEach Values
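The update pattern used throughout this section, wrapped in a reusable form.  This is an added example and not code from the original post; it assumes the AzureADPreview module, an active Connect-AzureAD session and an existing Group.Unified settings object, and the group display name is a placeholder.  Set-UnifiedGroupSetting is a helper name chosen here, not a cmdlet: it rejects setting names the template does not define (a typo would otherwise silently add nothing), applies the change, and then reads the directory back to confirm it.  The caller resolves the allowed group with -All $true, because Get-AzureADGroup otherwise returns only the first page of groups, and requires exactly one security-group match, since display names are not unique and a wrong match hands group-creation rights to the wrong people.

```powershell
# Added example (not from the original post). Validates, applies and
# verifies Group.Unified settings changes. Assumes the AzureADPreview
# module, a completed Connect-AzureAD and an existing settings object.

function Get-UnifiedGroupSetting {
    $s = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
    if (-not $s) { throw 'No Group.Unified directory settings object exists; create it first' }
    return $s
}

function Set-UnifiedGroupSetting {
    # $Changes: hashtable of setting name -> new value (stored as strings)
    param([Parameter(Mandatory)][hashtable]$Changes)

    # Only names the template defines are valid; anything else is a typo
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
    $valid = $template.Values | ForEach-Object { $_.Name }
    foreach ($name in $Changes.Keys) {
        if ($valid -notcontains $name) { throw "Unknown Group.Unified setting: $name" }
    }

    $settings = Get-UnifiedGroupSetting
    foreach ($name in $Changes.Keys) {
        $settings[$name] = [string]$Changes[$name]
    }
    Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

    # Verify against what the directory now holds, not the local object
    $after = Get-UnifiedGroupSetting
    foreach ($name in $Changes.Keys) {
        $actual = ($after.Values | Where-Object { $_.Name -eq $name }).Value
        if ($actual -ne [string]$Changes[$name]) {
            throw "Setting $name reads back as '$actual', expected '$($Changes[$name])'"
        }
        Write-Host "$name = $actual"
    }
}

# Resolve the group that keeps the right to create Office 365 Groups.
# Get-AzureADGroup returns only the first page of groups unless -All is
# given, and display names are not unique, so demand exactly one
# security-enabled match before granting anything.
$allowedGroupName = 'ENTER GROUP DISPLAY NAME HERE'   # placeholder
$candidates = @(Get-AzureADGroup -All $true |
    Where-Object { $_.DisplayName -eq $allowedGroupName -and $_.SecurityEnabled })
if ($candidates.Count -ne 1) {
    throw "Expected exactly one security group named '$allowedGroupName', found $($candidates.Count)"
}

# Restrict creation to that group ...
Set-UnifiedGroupSetting -Changes @{
    EnableGroupCreation         = 'false'
    GroupCreationAllowedGroupId = $candidates[0].ObjectId
}

# ... and stop new guests from being added while leaving existing guest access
Set-UnifiedGroupSetting -Changes @{
    AllowToAddGuests          = 'false'
    AllowGuestsToAccessGroups = 'true'
}
```

If the resolved group's ObjectId comes back empty, the settings write still succeeds but GroupCreationAllowedGroupId stays blank, which is why the script refuses to continue unless exactly one group matched.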


Steps to remove Group Settings

1 – Connect to Azure AD via PowerShell

Connect-AzureAD

2 – Remove your directory settings.  Once the object is gone the tenant falls back to the template defaults (for example, group creation enabled for everyone) until you follow the steps above to create a new one.

$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq "Group.Unified"}
Remove-AzureADDirectorySetting -Id $settings.Id

More Scripts

All of these Office 365 Group scripts for V2 can be found on GitHub.  Large thanks to Tony Redmond, Santhosh Balakrishnan, and Juan Carlos Martin for the work they have already done and multiple supporting scripts.  The scripts from this post are under the file: DrewO365GroupsScripts – Azure AD Cmdlets

Please feel free to contribute!

https://github.com/dmadelung/O365GroupsScripts


24 Comments

  • John Benak

    March 22, 2017

    Hi Drew,

    I’m trying to restrict O365 Group creation to a defined group, and using your PS above (and copied from GitHub). I get through each line except the last: Set-AzureADDirectorySetting -ObjectId $settings.Id -DirectorySetting $settings

    I keep getting this error: Set-AzureADDirectorySetting : A parameter cannot be found that matches parameter name ‘ObjectId’.

    Unfortunately, ‘get-help’ wasn’t helpful.

    I installed the ‘AzureADPreview’ module v2.0.0.85 for this, as I was having all kinds of problems trying to get this to work. Yours was the best URL I could find to try and translate things over across modules. However, I can’t get this to execute.

    Strange that the parameter can’t be found. Any ideas what I’m doing wrong, or is this a problem with the module? Could it be a conflict with another module? I’ve removed all others but this one.

    Thanks

    • Drew Madelung

      March 23, 2017

      Good find. I updated the scripts for AD Preview 2.0.0.85

  • Rob de Jong

    March 23, 2017

    Awesome article, Drew! Thanks for publishing this and helping customers migrate to Azure AD PowerShell V2.

  • Joel Weston

    March 24, 2017

    Same issue as Jon, Saying cannot find parameter that matches ID….

  • Joel Weston

    March 24, 2017

    Thanks Rob, when you do a get-azuredirectorysetting does it show the groupcreationallowedid as blank?
    It took that command but still showing blank. Thanks all for the help!

    • Drew Madelung

      March 24, 2017

      Joel, what exact action are you looking to complete? If you are looking to fill in the GroupCreationAllowedGroupId you will need to pass in a group's ObjectId. In the script that Rob posted and what I have above you will need to enter a valid group name in the first line where it states to enter the group display name:

      $group = Get-AzureADGroup | Where-Object {$_.DisplayName -eq "ENTER GROUP DISPLAY NAME HERE"}

      This will gather the $group object and will be able to pass the $group.ObjectId

  • Joel Weston

    March 24, 2017

    Thats what I have been trying, I get back A parameter cannot be found that matches parameter name ‘Id’.
    At line:1 char:29

    PS C:\WINDOWS\system32> $group = Get-AzureADGroup | Where-Object {$_.DisplayName -eq "365groups"}
    PS C:\WINDOWS\system32> $settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq "Group.Unified"}
    PS C:\WINDOWS\system32> $settings["EnableGroupCreation"] = "false"
    PS C:\WINDOWS\system32> $settings["GroupCreationAllowedGroupId"] = $group.ObjectId
    PS C:\WINDOWS\system32> Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings
    Set-AzureADDirectorySetting : A parameter cannot be found that matches parameter name ‘Id’.
    At line:1 char:29
    + Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $setti …
    + ~~~
    + CategoryInfo : InvalidArgument: (:) [Set-AzureADDirectorySetting], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.Open.MSGraphBeta.PowerShell.SetDirectorySetting

    • Drew Madelung

      March 24, 2017

      Can you run “Install-Module -Name AzureADPreview -Force” to ensure that you are moved up to version 2.0.0.85? In the newer versions of AzureADPreview the parameter -ObjectId is being moved to -Id. Also if you wanted to get it to run without installing the new preview module you could update your Set-AzureADDirectorySetting call to be -ObjectId instead of -Id.

      • Joel Weston

        March 24, 2017

        If I run with -ObjectId it completes, but when I look at the settings the ID never filled in. I imagine I could manually put in the ID without calling it?

        I already ran a force earlier to make sure I was on the latest and greatest.

        Thanks all

    • Rob de Jong

      March 24, 2017

      Hi Joel, are you using the latest version of PowerShell V2 Preview?

      I just ran this script and it processed without any error:

      $group = Get-AzureADGroup | Where-Object {$_.DisplayName -eq "zzztop"}
      $settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq "Group.Unified"}
      $settings["EnableGroupCreation"] = "false"
      $settings["GroupCreationAllowedGroupId"] = $group.ObjectId
      Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

  • Joel Weston

    March 28, 2017

    Its very odd, and again thanks to all for the help. I run through all the commands without error, and then run Get-AzureADDirectorySetting | ForEach Values. This comes back with Groupcreationallowedgroupid as blank. It did change the enablegroup creation to false but ID is missing……

    • Parkerthon

      April 3, 2017

      Same exact problem. Won't set the group. I don't understand why Microsoft has made this such an awful ordeal, changing up the parameters, removing cmdlets, and generally all around making it impossible to figure this out.

      • Joel weston

        April 3, 2017

        I have had a ticket open with Microsoft for the last week. They don’t seem to have a clue.

      • Drew Madelung

        April 3, 2017

        Do you get a valid ObjectID if you run $group.ObjectId after selecting the Group?

      • rob de jong

        April 3, 2017

        Hi guys – I just tried this out again myself. I first changed the GroupCreationAllowedGroupId to the group ID of the group named “YaYaYa”:

        $group = Get-AzureADGroup | Where-Object {$_.DisplayName -eq "YaYaYa"}
        $settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq "Group.Unified"}
        $settings["EnableGroupCreation"] = "false"
        $settings["GroupCreationAllowedGroupId"] = $group.ObjectId
        Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

        This worked:

        (Get-AzureADDirectorySetting -Id $settings.id).values

        Name                          Value
        ----                          -----
        ClassificationDescriptions
        DefaultClassification
        PrefixSuffixNamingRequirement
        AllowGuestsToBeGroupOwner     False
        AllowGuestsToAccessGroups     True
        GuestUsageGuidelinesUrl
        GroupCreationAllowedGroupId   A0dada57-89ef-4db8-9e5f-46cca3bf2398
        AllowToAddGuests              True
        UsageGuidelinesUrl
        ClassificationList
        EnableGroupCreation           False

        Next I changed it to another group, named “bla”:

        $group = Get-AzureADGroup | Where-Object {$_.DisplayName -eq "bla"}
        $settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq "Group.Unified"}
        $settings["EnableGroupCreation"] = "false"
        $settings["GroupCreationAllowedGroupId"] = $group.ObjectId
        Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings
        (Get-AzureADDirectorySetting -Id $settings.id).values

        This worked too.

        Name                          Value
        ----                          -----
        ClassificationDescriptions
        DefaultClassification
        PrefixSuffixNamingRequirement
        AllowGuestsToBeGroupOwner     False
        AllowGuestsToAccessGroups     True
        GuestUsageGuidelinesUrl
        GroupCreationAllowedGroupId   62438306-7c37-4638-a72d-0ee8d9217680
        AllowToAddGuests              True
        UsageGuidelinesUrl
        ClassificationList
        EnableGroupCreation           False

        If you can’t get this to work, can you please provide me with the exact script that you are running that doesn’t work? Email: rodejo@microsoft.com

        Note – I’m also the guy within Microsoft who is responsible for changing all these names and parameters, using confusing version numbers, removing MSOL preview cmdlets and generally pulling rugs from under people 🙂 If you read through this thread you can find some of the underlying reasons for this – please rest assured that we are trying to move ahead here while causing the minimum amount of disturbance and confusion. If you have any questions or feedback you want to share, please let me know and I’ll get back to you as soon as I can – which is usually within a day.

        • Drew Madelung

          April 3, 2017

          Thanks for the quick reply Rob! I also ran this test and confirmed it was working as well.

  • Joel Weston

    April 4, 2017

    Thanks for the feedback Rob! It unfortunately is not working for me yet with the new parameters. I have sent you details in an email.

    • David

      April 6, 2017

      I got stuck with the ObjectId not being populated also.

      When running Get-AzureADGroup, I was only getting a small subset of Groups in 365. I could not find the specific group by display name.

      The work around I found was to run Get-MSOLGroup -all, then find the group you need including the ObjectID.

      Then all you need to do is
      $group = Get-AzureADGroup -ObjectId OBJECTIDNUMBERGOESHERE
      $settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq "Group.Unified"}
      $settings["EnableGroupCreation"] = "false"
      $settings["GroupCreationAllowedGroupId"] = $group.ObjectId
      Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

      Hope this helps.
      David

      • Rob de Jong

        April 6, 2017

        I worked with Joel Weston on this issue offline. The problem is that the |Where-Object clause iterates through all returned group objects to find the group you're looking for. By default, Get-AzureADGroup returns only the first 100 objects in a directory. So if the group you're looking for isn't there, the statement will not return a value for ObjectId.
        To get all group objects, use Get-AzureADGroup -All $True (similar to what you did with Get-MSOLGroup -all)

        • Joel weston

          April 6, 2017

          Rob is the man, thanks all again!

  • Pingback: Microsoft Teams and Office 365 Groups from 365 Admin Perspective | Microsoft

  • Jonas

    October 17, 2017

    Hi, I have followed the instructions for “Restricting Group Creation for all except users in a specific group” and the output is:
    PS C:\WINDOWS\system32> (Get-AzureADDirectorySetting).Values
    Name                          Value
    ----                          -----
    CustomBlockedWordsList
    EnableMSStandardBlockedWords  False
    ClassificationDescriptions
    DefaultClassification
    PrefixSuffixNamingRequirement
    AllowGuestsToBeGroupOwner     False
    AllowGuestsToAccessGroups     True
    GuestUsageGuidelinesUrl
    GroupCreationAllowedGroupId   5ef103a6-d278-472e-897e-47b01f64fb90
    AllowToAddGuests              True
    UsageGuidelinesUrl
    ClassificationList
    EnableGroupCreation           False

    However in AzureAD Portal under Users and Groups > Group Settings > General > Self-service group management is Enabled and Users can create Office 365 groups Yes , Users who can manage Office 365 groups All . This seems to override the settings made in Powershell. Why?

    • Drew Madelung

      October 17, 2017

      You are correct that the self service group management does not match at this time and compete with each other, I believe they should look at merging these 2 but I am not aware of any specifics.

