creation - Drew Madelung

Introduction

Azure AD PowerShell is an incredibly useful tool for management. V2 was released as GA (general availability) in Dec 2016.
This means that you could begin to utilize the new cmdlets in your production environment. There is currently not dual functionality from the V1 MSOL cmdlets so both will still need to be used as V2 continues to develop. There is also a preview set of cmdlets that you can download and use that has some extended features beyond just V2. The V1 module will begin to be deprecated as V2 continues to advance. I would recommend working with V2 when possible and only going back to V1 as needed.

I won’t be going through all of the differences between these versions but will be shedding some light on the differences for Office 365 Group management from V1 to now. This is a follow up to my original post: Managing Office 365 Group Creation via Azure AD.

Links:

Azure AD PowerShell V1
Azure AD PowerShell V2
Azure AD PowerShell V2 – Preview
- when writing this its 2.0.0.52
- Updated to support 2.0.0.85

Licensing

Microsoft has made changes to the licensing for Office 365 Groups capabilities and the required Azure AD licensing to be able to use them. This is highlighted in the ‘Feature availability and licensing section’ of the following article: Learn about Office 365 Groups

Quick V1 vs. V2 Examples

The big difference from V1 to V2 is that the majority of cmdlets that used *-MSOL* cmdlets are now *-AzureAD*. The full list of cmdlets can be found through the links above.

To connect using V1 you would use:

Connect-MsolService

V2 you now use:

Connect-AzureAD

To get a user in V1 you would use:

Get-MSOLUser

V2 you now use:

Get-AzureADUser

Managing Groups using Azure AD PowerShell V2

To perform Group management you will need to use the V2 Preview cmdlets (download above) until they are rolled into V2. The same Office 365 groups settings in Azure AD PowerShell available in V1 are currently not available in V2. Hopefully when that happens they won’t change much from when I am writing this.

The primary cmdlets utilized in V1:

Get-MsolAllSettings
Get-MsolAllSettingTemplate
New-MsolSettings
Set-MsolSettings
Remove-MsolSettings

Their comparison in V2:

Get-AzureADDirectorySetting
Get-AzureADDirectorySettingTemplate
New-AzureADDirectorySetting
Set-AzureADDirectorySetting
Remove-AzureADDirectorySetting

The way that these are updated are also different. That means you can not simply replace “MsolAllSettings” with “AzureADDirectorySetting” in your scripts. There are different parameters that you need to pass and functions not available.

You can currently see these values but not all can bet set. Please ensure you review Microsoft’s latest supported parameters as these are updated frequently.

Name : ClassificationDescriptions
Description : A comma-delimited list of structured strings describing the classification values in the ClassificationList. The structure of the string is: Value: Description

Name : DefaultClassification
Description : The classification value to be used by default for Unified Group creation.

Name : PrefixSuffixNamingRequirement
Description : A structured string describing how a Unified Group displayName and mailNickname should be structured. Please refer to docs to discover how to structure a valid requirement.

Name : AllowGuestsToBeGroupOwner
Description : Flag indicating if guests are allowed to be owner in any Unified Group.

Name : AllowGuestsToAccessGroups
Description : Flag indicating if guests are allowed to access any Unified Group resources.

Name : GuestUsageGuidelinesUrl
Description : A link to the Group Usage Guidelines for guests.

Name : GroupCreationAllowedGroupId
Description : Guid of the security group that is always allowed to create Unified Groups.

Name : AllowToAddGuests
Description : Flag indicating if guests are allowed in any Unified Group.

Name : UsageGuidelinesUrl
Description : A link to the Group Usage Guidelines.

Name : ClassificationList
Description : A comma-delimited list of valid classification values that can be applied to Unified Groups.

Name : EnableGroupCreation
Description : Flag indicating if group creation feature is on.

Steps to Create new Directory Settings for Groups template

There are multiple templates that are part of your Azure AD tenant. This template can contain a settings object which has a collection of values. Within these values are where we can set the parameters above. This needs to be done before you can set any values. If you already have this you can move to the section below.

1 – Connect to Azure AD via PowerShell

Connect-AzureAD

2 – Review if you have any settings currently configured in your tenant

Get-AzureADDirectorySetting | ForEach Values

3a – If you have directory settings returned it will look like this (properties subject to change over time)

3b – If you have NO settings returned it will look like this and new directory settings will need to be created

Run this command to create the new directory settings

$template = Get-AzureADDirectorySettingTemplate | where-object {$_.displayname -eq “Group.Unified”}
$setting = $template.CreateDirectorySetting()
New-AzureADDirectorySetting -DirectorySetting $setting

4 – Review your updated settings; you can now see the default values for the directory settings object created for the Groups template

Get-AzureADDirectorySetting | ForEach Values

Steps to set Group Settings

1 – Connect to Azure AD via PowerShell

Connect-AzureAD

2 – Review if you have any settings currently configured in your tenant

Get-AzureADDirectorySetting | ForEach Values

3a – If you have directory settings returned it will look like this (properties subject to change over time)

3b – If you have NO settings returned it will look like this and new directory settings will need to be created and follow the steps above

4 – Examples of Group settings

All settings below will use the Get-AzureADDirectorySetting cmdlet and store that in a variable and then use the Set-AzureADDirectorySetting cmdlet with the updated settings. The full command to run a setting update is:

$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”}
$settings["SETTING NAME"] = ""
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

I will walk through some of the common scenarios and how to configure the settings parameters. If you run any of the

Restricting Group Creation for all except users in a specific group

Enter the group you want to use in the “ENTER..” section.

$group = Get-AzureADGroup -All $True | Where-Object {$_.DisplayName -eq “ENTER GROUP DISPLAY NAME HERE”} 
$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”}
$settings["EnableGroupCreation"] = "false" 
$settings["GroupCreationAllowedGroupId"] = $group.ObjectId
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

Setting Group classification

Use comma delimited values for the classifications.

$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”}
$settings["ClassificationList"] = "Internal,External,Confidential"
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

Setting Guidelines URL

Enter a valid URL to a page or document that holds your guidelines.

$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”}
$settings["UsageGuidelinesUrl"] = "https://domain.sharepoint.com/sites/intranet/Pages/Groups-Usage-Guidelines.aspx"
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

Restrict all access for guest users to Groups including ones that were already granted access

$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”}
$settings["AllowGuestsToAccessGroups"] = "False"
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

Restrict the ability to add any new guest users but not restrict existing

$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”}
$settings["AllowToAddGuests"] = "False"
$settings["AllowGuestsToAccessGroups"] = "True"
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

Setting all Group settings

With some examples.

$group = Get-AzureADGroup -All $True | Where-Object {$_.DisplayName -eq “ENTER GROUP DISPLAY NAME HERE WHO WILL HAVE ACCESS TO CREATE GROUPS”} 
$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”}
$settings["ClassificationDescriptions"] = "Internal:This is internal only,External:External users can access,Confidential:Highly secure" 
$settings["DefaultClassification"] = "Confidential"
$settings["PrefixSuffixNamingRequirement"] = "ogrp-" 
$settings["AllowGuestsToBeGroupOwner"] = "false"
$settings["AllowGuestsToAccessGroups"] = "true" 
$settings["GuestUsageGuidelinesUrl"] = "https://domain.sharepoint.com/sites/intranet/Pages/Groups-Guest-Usage-Guidelines.aspx"
$settings["GroupCreationAllowedGroupId"] = $group.ObjectId 
$settings["AllowToAddGuests"] = "true"
$settings["UsageGuidelinesUrl"] = "https://domain.sharepoint.com/sites/intranet/Pages/Groups-Usage-Guidelines.aspx" 
$settings["ClassificationList"] = "Internal,External,Confidential"
$settings["EnableGroupCreation"] = "true"
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

5 – Review your updated settings

Get-AzureADDirectorySetting | ForEach Values

Steps to remove Group Settings

1 – Connect to Azure AD via PowerShell

Connect-AzureAD

2 – Remove your directory settings, follow the steps above to create new

$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”}
Remove-AzureADDirectorySetting -Id$settings.Id

More Scripts

All of these Office 365 Group scripts for V2 can be found on Github. Large thanks to Tony Redmond, Santhosh Balakrishnan, and Juan Carlos Martin for their work they have already done and multiple supporting scripts. The scripts from this post are under the file: DrewO365GroupsScripts – Azure AD Cmdlets

Please feel free to contribute!

https://github.com/dmadelung/O365GroupsScripts

Introduction

Nearly every time Microsoft introduces a solution in Office 365 one of the first thing IT people look for is how to turn it off. The same thing occurred when Office 365 Groups were released to the world. Office 365 Groups are more unique in this situation because they are not really a single technology but more of a solution wrapping multiple technologies within Office 365. There are a lot of other posts out there about what actually makes up Office 365 Groups and I plan to write a much longer one, but here are the basics of what is currently wrapped up:

Email & Calendar
Security & Membership
Files & OneNote
Planner
PowerBI
and more!

One key thing to understand looking at this list is that you have multiple technologies such as Azure AD, Exchange, and SharePoint. When you have multiple technologies you have a harder challenge with centralized management. As Microsoft continues to innovate they will continue to do so using the Minimal Viable Product (MVP) method. This means that we are getting solutions that are not fully developed and one of the most common areas that this is lacking is with IT management. New solutions are people first and personally I like this approach.

What occurred with Office 365 Groups was that until very recently the only way to control Group creation was through Outlook Mailbox Policies via Exchange. This meant that if you created a group via Planner (which Groups are required) or PowerBI it would not follow the policy and the user could still create Groups. This is because the creation is not occurring through an Exchange application and means the OwaMailboxPolicy process doesn’t work anymore.

Managing Group Creation via Azure AD

With the GA of Planner, Microsoft added the ability within Azure AD PowerShell to control who can create Office 365 Groups. This process is no longer dependent on Exchange so it passes throughout Office 365. If an OWA policy exists and Azure AD (AAD) policy is enabled, the OWA policy will be ignored.

You can now do 2 things:

Disable the default ability of everyone to create a new Office 365 Group
Point to an AAD group (Office 365 Group or Distribution Group) that contains a list of people who are allowed to create groups
- This group cannot have a group in it, must be individual users
- Users with higher tenant roles already have access (company admin, mailbox admin, etc…)

Prerequisites:

Azure AD module for PowerShell version 1.1.117.0 or later (currently preview)

NOTE: Version 1.1.143.0 of the Azure AD PowerShell module includes many changes to renew the existing MSOL PowerShell cmdets. Over time the existing MSOL cmdlets will be replaced. The new module is called “AzureAD.” So where e.g. an existing cmdlet was named “New-MSOLUser”, which adds a new user to the directory, the new cmdlet’s name is “New-AzureADUser.”

My scripts below are using Version 1.1.143.0. Azure AD PowerShell Module Version Release History

Steps to disable ALL Group creation

1 – Connect to Azure AD via PowerShell

Connect-MsolService

2 – Review if you have any MsolSettings currently configured in your tenant

Get-MsolAllSettings | ForEach Values

3a – If you have settings returned it will look like this (properties subject to change over time)

group2

Run this command to set EnableGroupCreation to false and remove any groups entered in GroupCreationAllowedGroupId

$settings = Get-MsolAllSettings | where-object {$_.displayname -eq “Group.Unified”}
$singlesettings = Get-MsolSettings -SettingId $settings.ObjectId
$value = $singlesettings.GetSettingsValue()
$value["EnableGroupCreation"] = "false" 
$value["GroupCreationAllowedGroupId"] = ""
Set-MsolSettings -SettingId $settings.ObjectId -SettingsValue $value

3b – If you have NO settings returned it will look like this a new template will need to be created

Run this command to create the new template with EnableGroupCreation set to false

$template = Get-MsolAllSettingTemplate | where-object {$_.displayname -eq “Group.Unified”}
$setting = $template.CreateSettingsObject()
$setting[“EnableGroupCreation”] = “false”
New-MsolSettings –SettingsObject $setting

4 – Review your updated settings; now Group creation is disabled for all users

Get-MsolAllSettings | ForEach Values

Steps to disable Group creation except for only authorized users

1 – Connect to Azure AD via PowerShell

Connect-MsolService

2 – Review if you have any MsolSettings currently configured in your tenant

Get-MsolAllSettings | ForEach Values

3a – If you have settings returned it will look like this (properties subject to change over time)

group2

Run this command to update the settings with EnableGroupCreation set to false and pass the group for authorized users who will be able to create groups.

Replace “ENTER GROUP DISPLAY NAME HERE” with the display name of your group to get the ObjectId of the group.

$group = Get-MsolGroup -All | Where-Object {$_.DisplayName -eq “ENTER GROUP DISPLAY NAME HERE”} 
$settings = Get-MsolAllSettings | where-object {$_.displayname -eq “Group.Unified”}
$singlesettings = Get-MsolSettings -SettingId $settings.ObjectId
$value = $singlesettings.GetSettingsValue()
$value["EnableGroupCreation"] = "false" 
$value["GroupCreationAllowedGroupId"] = $group.ObjectId
Set-MsolSettings -SettingId $settings.ObjectId -SettingsValue $value

Here is a visual example of what we are trying to get via the Azure AD portal.

group5

3b – If you have NO settings returned it will look like this a new template will need to be created

Run this command to create the new template with EnableGroupCreation set to false and pass the group for authorized users who will be able to create groups.

Replace “ENTER GROUP DISPLAY NAME HERE” with the display name of your group to get the ObjectId of the group.

$group = Get-MsolGroup -All | Where-Object {$_.DisplayName -eq “ENTER GROUP DISPLAY NAME HERE”} 
$template = Get-MsolAllSettingTemplate | where-object {$_.displayname -eq “Group.Unified”}
$setting = $template.CreateSettingsObject()
$setting[“EnableGroupCreation”] = “false”
$setting[“GroupCreationAllowedGroupId”] = $group.ObjectId
New-MsolSettings –SettingsObject $setting

4 – Review your updated settings; now Group creation is disabled for all users EXCEPT the ones in the declared group

Get-MsolAllSettings | ForEach Values

Aftermath

Once configured users will see errors like this when trying to create an Office 365 Group

Via Outlook UI:

group8

Via Planner UI:

group7

All of these Office 365 Group scripts can be found on Github. Large thanks to Tony Redmond, Santhosh Balakrishnan, and Juan Carlos Martin for providing multiple scripts

Please feel free to contribute!

https://github.com/dmadelung/O365GroupsScripts