Browse Tag

azure

Get Office 365 Groups with Teams via PowerShell and the Microsoft Graph

By Drew Madelung
/
Aug 14, 2018
/
General, Groups, Office 365, Teams

Office 365 Groups are the backbone of a lot applications in Microsoft. The core principal is that an Office 365 Group is the security model that supports a Team. A good start to learn more about this is from the Microsoft documentation about the two.

Here is a more detailed image about how a Team is a workload that is supported by Office 365 Groups as the identity layer. This means that not all groups have an associated Team but all Teams are supported by a group.

Getting Groups with associated Teams

I had a client ask me recently to get a list of what groups have a Microsoft Teams chat connected vs Office 365 groups that don’t have a team connected. I have done this in the past using the method here on the TechCommunity. I then saw in some updated documentation that the beta Graph API includes a filterable property called resourceProvisioningOptions. The documentation can be found here. Filtering by this property is currently on the beta API so it is not recommended to utilize this in a production solution.

Using the /groups Graph API we can retrieve all groups in the tenant that have a team. Any group that has a team has a resourceProvisioningOptions property that contains “Team”.

Currently teams that were deleted may be included
This property can be changed but don’t do it
This also is populated for a group that has a Team added to it after the fact

One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.

Permission type	Permissions (from least to most privileged)
Delegated (work or school account)	Group.Read.All, Group.ReadWrite.All
Delegated (personal Microsoft account)	Not supported.
Application	Group.Read.All, Group.ReadWrite.All

Here is the script and I will break it down below

#Enter scopes or app data - If a scope is entered it will used
#If scopes is empty it will check to run via app 
$scopes = 'Group.Read.All'

$appid = ''
$appsecret = ''
$appaaddomain = ''

#Graph URLs - uncomment one to run

#Get all groups
#$url = "https://graph.microsoft.com/v1.0/groups?`$filter=groupTypes/any(c:c eq 'Unified')&`$select=displayname,resourceProvisioningOptions"
#Get all groups with teams
$url = "https://graph.microsoft.com/beta/groups?`$filter=resourceProvisioningOptions/Any(x:x eq 'Team')"

#Establish connection
If($scopes.Length -gt 0){
    Connect-PnPOnline -Scopes "Group.Read.All"
} elseif($appid.Length -gt 0) {
    Connect-PnPOnline -AppId $appid -AppSecret $appsecret  -AADDomain $appaaddomain
} else {
    write-host 'Connection issue' -ForegroundColor Red
    exit
}

#Get token
$token = Get-PnPAccessToken

#Call graph
if($token){
    $response = Invoke-RestMethod -Uri $url -Headers @{Authorization = "Bearer $token"}
} else {
    write-host 'Token issue' -ForegroundColor Red
    exit
}

#Parse data
if($response){
foreach($r in $response.value){ 
    if($r.resourceProvisioningOptions -eq 'Team'){
        write-host $r.displayname "is a Team enabled Group" -ForegroundColor Yellow
        #Do fancy stuff in here
    } else {
        write-host $r.displayname "is a regular O365 Group" -ForegroundColor Green
    }
}
} else {
    write-host 'Response issue' -ForegroundColor Red
}

Connecting to the Graph via PowerShell

To connect to the Graph via PowerShell I am using the PnP PowerShell module. SharePoint Patterns and Practices (PnP) contains a library of PowerShell commands (PnP PowerShell) that allows you to perform complex provisioning and artifact management actions towards SharePoint. The commands use CSOM and can work against both SharePoint Online as SharePoint On-Premises. Details about how to work with this module and its cmdlets can be found here.

The cmdlet that is used to connect is Connect-PnPOnline. This cmdlet can be used to connect to multiple entry points. When connecting to the Graph you can connect through Azure AD and declare permissions scopes with the -Scopes parameter or connect with app level permissions using the -AppId, -AppSecret, and -AADDomain parameters.

I have setup the script to handle either depending on what you enter at the top for the variables. Details for different types of permissions can be found here.

Calling the Graph via PowerShell

To call the Graph I am using the Invoke-RestMethod cmdlet to make the REST request. To handle the Graph call we need to pass along a bearer token. I am getting the token through the PnP cmdlet Get-PnPAccessToken. The data will then be returned as an object. You could convert the data into JSON to utilize it if necessary.

Along with the token we need to pass along the Graph Uri call. I have setup 2 different options to get the data. Swap the comment (#) tags for either $url line.

Here is a breakdown of each option:

Get all groups which have Teams
- This will return the filtered list of Groups
  - /v1.0/groups?$filter=groupTypes/any(c:c eq ‘Unified’)&`$select=displayname,resourceProvisioningOptions
Get all groups
- This will return all groups and then go through all returned groups and perform an action for ones that have a connected Team
  - /beta/groups?$filter=resourceProvisioningOptions/Any(x:x eq ‘Team’)
  - Currently this only does a Write-Host but any business logic could be added here.

Make sure you copy and paste from the code block for proper formatting.

The best way to test Graph calls before working with them is through the Graph Explorer. I highly recommend this one!

Securing the app permissions

One idea that I did not put in here but would be a good idea if you wanted to set up a recurring solution around this would be to protect the app data through the Azure Key Vault. Here are details on how this can be completed –

Using Azure Key Vault with PowerShell – Part 1

More information about setting up an Azure AD app can be found here:

Interact with Graph and make O365 Groups with AzureFunctions PowerShell

Office 365 Groups Naming Policy

By Drew Madelung
/
Dec 17, 2017
/
General, Groups, Office 365, PowerShell

Introduction

When Office 365 Groups were first released there was not an ability to control the names of Groups at all. One of the primary reasons for this was due to the cross workload functionality that make up Office 365 Groups. As a reminder, an Office 365 Group is the single Azure AD identity service that provides specific membership to Office 365 solutions like SharePoint, Exchange, Planner, Teams, etc. Within each of these workloads you have the ability to create and manage an Office 365 Group. If you make a change within one of workloads, for example SharePoint, there is communication between the workload and Azure AD with notifications on things like creation, changes, and deletions.

With a separated system and Azure AD as the source, any policies need to be applied at the Azure AD level. As an example, an Exchange naming policy can be used (and at one point was the only option) for Office 365 Groups. If you set a naming policy within Exchange that would only work if you tried creating a group within Exchange. If I was on SharePoint Home and tried to create an Office 365 Group that naming policy would not trigger as I technically not working in Exchange. Exchange would learn about the Group after it is synced back to Azure AD but that would be too late.

To resolve this issue Microsoft has released Office 365 Group naming policy capabilities at the Azure AD level. A naming policy is very important for proper control and a clean Global Address List (GAL). Since this is in Azure AD now the naming policy is applied to Groups that are created across workloads.

Details

As I am writing this post in Dec 2017 this is currently still in Private Preview.

Both of these currently can only be configured with PowerShell. The prerequisites for configuring these can be found in this post: Managing Office 365 Groups using Azure AD PowerShell V2.

The AzureADPreview PowerShell module version 2.0.0.137 is required.

Office 365 Group naming policies can be built using 2 different features and 1 is automatically maintained:

Custom blocked words
- You can set specific blocked words that can be used within Group names.
Prefix-Suffix naming policy
- Using fixed strings or user attributes, you can add an automated prefix or suffix to a Group name.
Microsoft Standard blocked words list
- A set of words Microsoft manages that are not allowed. This includes your primary swear words. I tested quite a few good ones and they were all blocked automatically.

These administrators bypass or are exempt from the naming polices you configure but NOT the MS standard blocked words list:

Global Administrator
Partner Tier 1 Support
Partner Tier 2 Support
User Account Administrator
Directory Writers

Microsoft detailed information for the naming policy can be found here.

Custom blocked words

This is a comma separated list of words that you can configure. These words are blocked in Group names and aliases. Some examples of when you would want to configure blocked words:

Your department or business function names because you want to ensure you don’t have duplicate places for content
Regulatory words that you may have specific legal requirements around that you need to have more control over
Names of roles that you don’t want people to try to impersonate
Client, Vendor, or Competitor names

There are some things to know about these blocked words.

The checks are done AFTER appending the prefix/suffix to the Group name
- If things like underscores (_) or dashes (-) are used in prefix/suffix they could stop your blocked word from working if there are no spaces
No sub-string searches are done
- If “Drew” is the blocked word, “Andrew” would still work
Not case-sensitive
No character restrictions
No limit on the amount of words

Steps to set the Custom Blocked words

This is assuming you already have a directory settings template created, details in prior post, and connection information from the first section.

1 – Connect to Azure AD via PowerShell.

Connect-AzureAD

2 – Use comma delimited values for the blocked words.

$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”}
$settings["CustomBlockedWordsList"] = "HR,Contoso,Payroll,CEO,CFO,CIO"
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

3 – Review your updated settings; you can now see the default values for the directory settings object.

Get-AzureADDirectorySetting | ForEach Values

Prefix-Suffix naming policy

These can either be fixed strings or actually attributes from the user themselves. These 2 types of capabilities are stored within 1 overall string that is concatenated. Because of this, you must always have [GroupName] included in your setting. That is how you are able to have a prefix & a suffix.

Some examples of using strings:

GRP [GroupName]
- This puts the fixed string of “GRP ” before all of your Group names
#[GroupName] Group
- This will put the # symbol at the front of the Group name for better sorting in the GAL and then ” Group” as a suffix for better clarity
- Special characters are removed from the Alias
OGRP – [GroupName]
- Dashes can be used for separation as spaces are removed automatically in the Group Alias (like the rest of the special characters). That means “OGRP – Drew” as a group name becomes “OGRP-Drew@domain.com” as the alias instead of “OGRPDrew@domain.com”.

The next type of thing you can add are Azure AD user attributes. The following attributes are supported: [Department], [Company], [Office], [StateOrProvince], [CountryOrRegion], [Title], [CountryCode]

Some examples of using attributes:

[Department] – [GroupName]
- This will pull the users department stored in Azure AD before the Group name
[CountryCode] – GRP – [GroupName]
- This will first put the Country Code stored in Azure AD followed by a fixed string and then the Group name

There are some things to know about using attributes.

The total prefix/suffix + string length is restricted to 53 characters
Empty attributes for users will be filled in with blank values. It is best to ensure your Azure AD information is fully established before using these attributes.
Extension attributes and custom attributes are not supported
- If you put it in an unsupported attribute it just comes across as text

Steps to set the Prefix – Suffix naming policy

This is assuming you already have a directory settings template created, details in prior post.

1 – Use comma delimited values for the blocked words.

$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”}
$settings["PrefixSuffixNamingRequirement"] = "GRP - [Department] - [GroupName]"
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

2 – Review your updated settings; you can now see the default values for the directory settings object.

Get-AzureADDirectorySetting | ForEach Values

Microsoft standard blocked words

There are a lot of unprofessional words naturally in the English language that most likely should never be part of an Office 365 Group name. This includes a primary set of things like swear words and other inappropriate words that your imagination may be able to come up with. This is a single setting to turn on the blocked words or off.

Steps to set the Microsoft blocked words

This is assuming you already have a directory settings template created, details in prior post, and connection information from the first section.

1 – Use comma delimited values for the blocked words.

$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”}
$settings["EnableMSStandardBlockedWords"] = $true
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

2 – Review your updated settings; you can now see the default values for the directory settings object.

Get-AzureADDirectorySetting | ForEach Values

And when you put it all together!

You get a blocked word of CEO and a naming policy pulling in a prefix of “GRP – ” with an Azure AD department of “NFL” and a suffix of ” – CEO”. You will also see the alias removing the spaces.

Where does the naming policy actually work?

As there are a lot of workloads across Office 365 that utilize Groups there are a lot of places that these policies need to work. Currently it is not supported in every workload. Microsoft has the detailed information for what is supported in their support article here.

Here is the current breakdown in Dec 2017.

Where it works:

Outlook on the Web
Outlook Client – Doesn’t preview
Outlook Mobile – Doesn’t preview
Teams
SharePoint
Stream
Groups mobile app
Planner
Dynamics 365
Exchange PowerShell
Azure AD PowerShell
O365 Admin Center

Where it doesn’t:

Power BI workspace
Yammer
StaffHub
Azure AD Portal

Licensing

Any Office 365 subscription that has Exchange Online and SharePoint Online will support groups. That includes the Business Essentials and Business Premium plans, and the Enterprise E1, E3 and E5 plans.

There is a large collection of features that require specific types of Azure AD licenses. The Office 365 Groups naming policy requires Azure AD Premium P1 licenses for any users who are part of Office 365 Groups.

The full collection of licensing information is listed from Microsoft here.

Managing Office 365 Group Creation via Azure AD

By Drew Madelung
/
Jul 26, 2016
/
Groups, Office 365, PowerShell

Introduction

Nearly every time Microsoft introduces a solution in Office 365 one of the first thing IT people look for is how to turn it off. The same thing occurred when Office 365 Groups were released to the world. Office 365 Groups are more unique in this situation because they are not really a single technology but more of a solution wrapping multiple technologies within Office 365. There are a lot of other posts out there about what actually makes up Office 365 Groups and I plan to write a much longer one, but here are the basics of what is currently wrapped up:

Email & Calendar
Security & Membership
Files & OneNote
Planner
PowerBI
and more!

One key thing to understand looking at this list is that you have multiple technologies such as Azure AD, Exchange, and SharePoint. When you have multiple technologies you have a harder challenge with centralized management. As Microsoft continues to innovate they will continue to do so using the Minimal Viable Product (MVP) method. This means that we are getting solutions that are not fully developed and one of the most common areas that this is lacking is with IT management. New solutions are people first and personally I like this approach.

What occurred with Office 365 Groups was that until very recently the only way to control Group creation was through Outlook Mailbox Policies via Exchange. This meant that if you created a group via Planner (which Groups are required) or PowerBI it would not follow the policy and the user could still create Groups. This is because the creation is not occurring through an Exchange application and means the OwaMailboxPolicy process doesn’t work anymore.

Managing Group Creation via Azure AD

With the GA of Planner, Microsoft added the ability within Azure AD PowerShell to control who can create Office 365 Groups. This process is no longer dependent on Exchange so it passes throughout Office 365. If an OWA policy exists and Azure AD (AAD) policy is enabled, the OWA policy will be ignored.

You can now do 2 things:

Disable the default ability of everyone to create a new Office 365 Group
Point to an AAD group (Office 365 Group or Distribution Group) that contains a list of people who are allowed to create groups
- This group cannot have a group in it, must be individual users
- Users with higher tenant roles already have access (company admin, mailbox admin, etc…)

Prerequisites:

Azure AD module for PowerShell version 1.1.117.0 or later (currently preview)

NOTE: Version 1.1.143.0 of the Azure AD PowerShell module includes many changes to renew the existing MSOL PowerShell cmdets. Over time the existing MSOL cmdlets will be replaced. The new module is called “AzureAD.” So where e.g. an existing cmdlet was named “New-MSOLUser”, which adds a new user to the directory, the new cmdlet’s name is “New-AzureADUser.”

My scripts below are using Version 1.1.143.0. Azure AD PowerShell Module Version Release History

Steps to disable ALL Group creation

1 – Connect to Azure AD via PowerShell

Connect-MsolService

2 – Review if you have any MsolSettings currently configured in your tenant

Get-MsolAllSettings | ForEach Values

3a – If you have settings returned it will look like this (properties subject to change over time)

group2

Run this command to set EnableGroupCreation to false and remove any groups entered in GroupCreationAllowedGroupId

$settings = Get-MsolAllSettings | where-object {$_.displayname -eq “Group.Unified”}
$singlesettings = Get-MsolSettings -SettingId $settings.ObjectId
$value = $singlesettings.GetSettingsValue()
$value["EnableGroupCreation"] = "false" 
$value["GroupCreationAllowedGroupId"] = ""
Set-MsolSettings -SettingId $settings.ObjectId -SettingsValue $value

3b – If you have NO settings returned it will look like this a new template will need to be created

Run this command to create the new template with EnableGroupCreation set to false

$template = Get-MsolAllSettingTemplate | where-object {$_.displayname -eq “Group.Unified”}
$setting = $template.CreateSettingsObject()
$setting[“EnableGroupCreation”] = “false”
New-MsolSettings –SettingsObject $setting

4 – Review your updated settings; now Group creation is disabled for all users

Get-MsolAllSettings | ForEach Values

Steps to disable Group creation except for only authorized users

1 – Connect to Azure AD via PowerShell

Connect-MsolService

2 – Review if you have any MsolSettings currently configured in your tenant

Get-MsolAllSettings | ForEach Values

3a – If you have settings returned it will look like this (properties subject to change over time)

group2

Run this command to update the settings with EnableGroupCreation set to false and pass the group for authorized users who will be able to create groups.

Replace “ENTER GROUP DISPLAY NAME HERE” with the display name of your group to get the ObjectId of the group.

$group = Get-MsolGroup -All | Where-Object {$_.DisplayName -eq “ENTER GROUP DISPLAY NAME HERE”} 
$settings = Get-MsolAllSettings | where-object {$_.displayname -eq “Group.Unified”}
$singlesettings = Get-MsolSettings -SettingId $settings.ObjectId
$value = $singlesettings.GetSettingsValue()
$value["EnableGroupCreation"] = "false" 
$value["GroupCreationAllowedGroupId"] = $group.ObjectId
Set-MsolSettings -SettingId $settings.ObjectId -SettingsValue $value

Here is a visual example of what we are trying to get via the Azure AD portal.

group5

3b – If you have NO settings returned it will look like this a new template will need to be created

Run this command to create the new template with EnableGroupCreation set to false and pass the group for authorized users who will be able to create groups.

Replace “ENTER GROUP DISPLAY NAME HERE” with the display name of your group to get the ObjectId of the group.

$group = Get-MsolGroup -All | Where-Object {$_.DisplayName -eq “ENTER GROUP DISPLAY NAME HERE”} 
$template = Get-MsolAllSettingTemplate | where-object {$_.displayname -eq “Group.Unified”}
$setting = $template.CreateSettingsObject()
$setting[“EnableGroupCreation”] = “false”
$setting[“GroupCreationAllowedGroupId”] = $group.ObjectId
New-MsolSettings –SettingsObject $setting

4 – Review your updated settings; now Group creation is disabled for all users EXCEPT the ones in the declared group

Get-MsolAllSettings | ForEach Values

Aftermath

Once configured users will see errors like this when trying to create an Office 365 Group

Via Outlook UI:

group8

Via Planner UI:

group7

All of these Office 365 Group scripts can be found on Github. Large thanks to Tony Redmond, Santhosh Balakrishnan, and Juan Carlos Martin for providing multiple scripts

Please feel free to contribute!

https://github.com/dmadelung/O365GroupsScripts