Browse Tag

Groups

Managing Office 365 Group Creation via Azure AD

group1

Introduction

Nearly every time Microsoft introduces a solution in Office 365 one of the first thing IT people look for is how to turn it off. The same thing occurred when Office 365 Groups were released to the world. Office 365 Groups are more unique in this situation because they are not really a single technology but more of a solution wrapping multiple technologies within Office 365. There are a lot of other posts out there about what actually makes up Office 365 Groups and I plan to write a much longer one, but here are the basics of what is currently wrapped up:

  • Email & Calendar
  • Security & Membership
  • Files & OneNote
  • Planner
  • PowerBI
  • and more!

One key thing to understand looking at this list is that you have multiple technologies such as Azure AD, Exchange, and SharePoint. When you have multiple technologies you have a harder challenge with centralized management. As Microsoft continues to innovate they will continue to do so using the Minimal Viable Product (MVP) method. This means that we are getting solutions that are not fully developed and one of the most common areas that this is lacking is with IT management. New solutions are people first and personally I like this approach.

What occurred with Office 365 Groups was that until very recently the only way to control Group creation was through Outlook Mailbox Policies via Exchange. This meant that if you created a group via Planner (which Groups are required) or PowerBI it would not follow the policy and the user could still create Groups. This is because the creation is not occurring through an Exchange application and means the OwaMailboxPolicy process doesn’t work anymore.

Managing Group Creation via Azure AD

With the GA of Planner, Microsoft added the ability within Azure AD PowerShell to control who can create Office 365 Groups. This process is no longer dependent on Exchange so it passes throughout Office 365. If an OWA policy exists and Azure AD (AAD) policy is enabled, the OWA policy will be ignored.

You can now do 2 things:

  1. Disable the default ability of everyone to create a new Office 365 Group
  2. Point to an AAD group (Office 365 Group or Distribution Group) that contains a list of people who are allowed to create groups
    • This group cannot have a group in it, must be individual users
    • Users with higher tenant roles already have access (company admin, mailbox admin, etc…)

Prerequisites:

NOTE: Version 1.1.143.0 of the Azure AD PowerShell module includes many changes to renew the existing MSOL PowerShell cmdets. Over time the existing MSOL cmdlets will be replaced. The new module is called “AzureAD.” So where e.g. an existing cmdlet was named “New-MSOLUser”, which adds a new user to the directory, the new cmdlet’s name is “New-AzureADUser.

My scripts below are using Version 1.1.143.0.  Azure AD PowerShell Module Version Release History

Steps to disable ALL Group creation

1 – Connect to Azure AD via PowerShell

Connect-MsolService

2 – Review if you have any MsolSettings currently configured in your tenant

Get-MsolAllSettings | ForEach Values

3a – If you have settings returned it will look like this (properties subject to change over time)

group2

Run this command to set EnableGroupCreation to false and remove any groups entered in GroupCreationAllowedGroupId

$settings = Get-MsolAllSettings | where-object {$_.displayname -eq “Group.Unified”}
$singlesettings = Get-MsolSettings -SettingId $settings.ObjectId
$value = $singlesettings.GetSettingsValue()
$value["EnableGroupCreation"] = "false" 
$value["GroupCreationAllowedGroupId"] = ""
Set-MsolSettings -SettingId $settings.ObjectId -SettingsValue $value

3b – If you have NO settings returned it will look like this a new template will need to be created

group3

Run this command to create the new template with EnableGroupCreation set to false

$template = Get-MsolAllSettingTemplate | where-object {$_.displayname -eq “Group.Unified”}
$setting = $template.CreateSettingsObject()
$setting[“EnableGroupCreation”] = “false”
New-MsolSettings –SettingsObject $setting

4 – Review your updated settings; now Group creation is disabled for all users

Get-MsolAllSettings | ForEach Values

group4

Steps to disable Group creation except for only authorized users

1 – Connect to Azure AD via PowerShell

Connect-MsolService

2 – Review if you have any MsolSettings currently configured in your tenant

Get-MsolAllSettings | ForEach Values

3a – If you have settings returned it will look like this (properties subject to change over time)

group2

Run this command to update the settings with EnableGroupCreation set to false and pass the group for authorized users who will be able to create groups.

  • Replace “ENTER GROUP DISPLAY NAME HERE” with the display name of your group to get the ObjectId of the group.
$group = Get-MsolGroup -All | Where-Object {$_.DisplayName -eq “ENTER GROUP DISPLAY NAME HERE”} 
$settings = Get-MsolAllSettings | where-object {$_.displayname -eq “Group.Unified”}
$singlesettings = Get-MsolSettings -SettingId $settings.ObjectId
$value = $singlesettings.GetSettingsValue()
$value["EnableGroupCreation"] = "false" 
$value["GroupCreationAllowedGroupId"] = $group.ObjectId
Set-MsolSettings -SettingId $settings.ObjectId -SettingsValue $value

Here is a visual example of what we are trying to get via the Azure AD portal.

group5

3b – If you have NO settings returned it will look like this a new template will need to be created

group3

Run this command to create the new template with EnableGroupCreation set to false and pass the group for authorized users who will be able to create groups.

  • Replace “ENTER GROUP DISPLAY NAME HERE” with the display name of your group to get the ObjectId of the group.
$group = Get-MsolGroup -All | Where-Object {$_.DisplayName -eq “ENTER GROUP DISPLAY NAME HERE”} 
$template = Get-MsolAllSettingTemplate | where-object {$_.displayname -eq “Group.Unified”}
$setting = $template.CreateSettingsObject()
$setting[“EnableGroupCreation”] = “false”
$setting[“GroupCreationAllowedGroupId”] = $group.ObjectId
New-MsolSettings –SettingsObject $setting

4 – Review your updated settings; now Group creation is disabled for all users EXCEPT the ones in the declared group

Get-MsolAllSettings | ForEach Values

group6

Aftermath

Once configured users will see errors like this when trying to create an Office 365 Group

Via Outlook UI:

group8

Via Planner UI:

group7

All of these Office 365 Group scripts can be found on Github. Large thanks to Tony Redmond, Santhosh Balakrishnan, and Juan Carlos Martin for providing multiple scripts

Please feel free to contribute!

https://github.com/dmadelung/O365GroupsScripts

SPTechCon Boston Slides & Scripts

sptechcon

Thanks to all who joined my session at SPTechCon Boston.  This was my first SPTechCon event and look forward to speaking/attending again.  The conference was ran great and had a great selection of content.  I did a presentation on a deep dive into Office 365 Groups.  I went through some high level management topics and then went deep into Powershell administration options. I put all of the scripts that I discussed onto Github so people can help contribute.  I will be trying add to this project as I find new handy scripts.

Here are the links to the slides and the slides and the scripts:

Scripts:     http://bit.ly/DrewO365GroupScripts

Slides:      http://bit.ly/DrewO365GroupsSlides

Here is my session abstract:

Office 365 Groups enable teams to work together by establishing a single identity in Office 365. Office 365 Groups are a new and modern solution for collaboration in Office 365. There is a lot of confusion on what Groups can do and should be used for. This session will be a deep dive into all things Office 365 Groups focusing on the technical aspects..
We will spend a large amount of this session demoing Office 365 Groups. This session will include demos of:

  • How to create, access, and navigate
  • What are the core things to do
  • How are they technically structured
  • What administration is available and how to do it
  • What extensibility options are there

I will also walk through the pros and cons of using Groups vs other collaboration options in Office 365. Groups are also one of the fastest changing solutions in Office 365, so this session will bring everyone up to speed on the most recent updates that Microsoft has rolled out and what innovations are next. By the end of the session you should have a better understanding of what Groups can do and if they are right for your enterprise right now or in the future!

My Microsoft Collaboration Predictions for 2016

2016

Well 2015 is nearly completed and it was what I would call a GREAT year for Microsoft and their collaboration platforms. Jeff Teper is back in charge and things really picked up speed. Before we talk 2016, let’s talk about 2015.

Here are few of the highlights for 2015…

Groups became the king of collaboration in O365

  • Office 365 Groups were announced in 2014 but became for real in 2015. As we have seen with the majority of “experiences” coming out in Office 365, Microsoft is heavily following the Minimal Viable Product (MVP) deployment model. This means that Microsoft is releasing things without things being fully ready but then actively taking feedback to actually adapt their solutions to business needs. I think this is a great approach and we as technologists working with Microsoft need to understand this. We can be critical of their releases but need to provide the proper feedback through the proper channels such as uservoice and Yammer.  There is still a lot of work to do for Office 365 Groups to be fully enterprise ready but Microsoft has made it incredibly clear that this is the future. The recent announcement of the compliance capabilities within Groups is a great start. And remember it is NOT Groups vs Team Sites. Groups have their place along with Team Sites.

SharePoint Server 2016 on-premises was presented and betas released

  • If you would have asked me in 2014 what I thought the future of on-premises versions of SharePoint was I would have told you that it wasn’t good. Microsoft had been spending all of its marketing budget on Office 365 and Azure and not telling anyone about a roadmap for on-premises only SharePoint solutions. Then the announcement of SharePoint Server 2016 was released and over the past 12 months I have been able to watch the product grow internally and with the betas. This is not a groundbreaking release for Microsoft as far as any technical or end user upgrades but does provide a better long term infrastructure solution. In my opinion the biggest benefit will be the consolidated codebase between SharePoint Server 2016 and SharePoint Online. As Microsoft is developing everything cloud first this means that solutions will be more easily ported from Office 365 back to on-premises. Now of course there are things that will always be Office 365 only but this new version allows for more possibilities.

New OneDrive for Business sync tool(s)

  • If you have ever used the old OneDrive for Business sync tool you know it sucked. Thankfully Microsoft released a new sync client in preview for most of Q4 and finally made it GA in December. Now this release does a lot of things better than the old sync tool, like actually sync, but still has lots of work to do. I would still not consider this an enterprise ready solution. The fact that we still have to use 2 sync tools for OneDrive vs SharePoint vs Groups is enough to confuse everyone.

Office 365 compliance updates

  • There were so many releases as far as security, compliance and trust in Office 365 that I could write multiple posts about each. We got our first access to a new Trust Portal, Data Loss Prevention (DLP), advanced eDiscovery, Advanced Threat Protection, Retention, O365 Auditing and more. This was an area that was very hard to keep up with as it changed so much. Even by the end of year, as in this month, they are releasing new things. The Compliance Center is now being rebranded as the Protection Center.

Honorable mention

  • Better administration in OneDrive for Business
  • New OneDrive for Business UI
  • PowerApps
  • Planner
  • Lots and lots of mobile apps (Video, Groups, O365 Admin, Office Lens, Delve)
  • Delve profiles

Ok let’s talk predictions for 2016!

The majority of these will by my wishes. I will state nothing I am predicting here I actually know will happen. I have the privy to be a part of certain preview programs but none of my predictions below relate to those. These are areas I either hope will improve or expect to change.

PowerApps will be a niche solution

  • My primary issue with PowerApps on its initial release is that it is only directed at mobile and tablet devices. In the right business need PowerApps could be incredible. This really is the first step into having power-users have the ability to create mobile apps. Can you imagine a few years ago if you could use a very intuitive GUI to build an IOS app that could easily be deployed? The world of mobile app developers would have been flipped on its head. I envision that in the right hands with the proper business need PowerApps will be able to save your business money and increase productivity. Now I call it niche because even though we are moving to a mobile first world, the heavy majority of my clients are desktop and laptop based. IF, and that’s a big IF, PowerApps comes out with a desktop component, I can see this being an incredibly great product.

Team Sites in O365 will get some love

  • It has been far too long since the backbone of SharePoint Online has been updated. I think we saw the beginning of what it will be like with the new authoring solution in Office 365. It is only being used in the personal blog now but that authoring experience will transition into SharePoint Online in a modernized team site experience. I think the driving factor for this is the lack of responsive design using the default master page and branding in SharePoint Online. if Microsoft provided and page building solution that allowed for even basic responsive design it would be a huge plus. I don’t expect them to redo the master page model but apply the processes on top of it. I predict the new team sites will not be easily branded and used as a lightly customized solution.

OneDrive for Business will be easily manageable for the enterprise

    • I have no idea how this will happen but it better. Every time I talk with clients about rolling out OneDrive for Business the process of administering it becomes the number one topic. Right now there are not enough management capabilities to meet their needs There are ways to manage certain areas with PowerShell but we need a GUI for this. We also need better management of security capabilities that can be utilized. For example, there is currently no good way to manage IRM throughout your enterprise. These types of requests will hopefully begin to be added to the new protection center.

Yammer conversations get added into areas of Office 365

  • I went into Ignite 2015 expecting to hear Yammer was dead. I keep waiting to read a Microsoft blog post that Yammer is going away. This was a great example that my prediction being completely wrong as Yammer is still going whether its confusing when to use it or not. The newsfeed area of Office 365 is the best part about it and would greatly benefit being included in Team Sites but mainly Office 365 Groups. Right now the conversation section of Groups is simply email. The way Yammer tracks conversations could be included with the email capabilities to provide an even better experience. Things are going to get even more interesting once Groups allow external access as I believe that is one of the primary use cases for Yammer today. Either way something has to happen with Yammer at the least to ease confusion for what to use and when.

I may be wrong about all of these but cheers to 2016!

Fireworks

Exporting SharePoint Group Members to Excel Without PowerShell

I was at a client recently and was not allowed to run any powershell commands but needed a list of accounts that existed in a SharePoint Group in a table format.  I also was not allowed site collection administration permission.  I tried a few different options in which trying to manipulate the list view of the group and using Excel data connections to get back to SharePoint but no option worked very cleanly.

What I ended up using was a REST call to get the users and then downloading the XML response and opening it with Excel.  Use this link to learn about the available REST api’s for users & groups

Here are the steps….

1.  Get a client that you can use to test REST calls

2.  Construct the REST call to get a list of users by group

The structure looks like this:  https://siteurl/_api/web/sitegroups/getbyid(groupid)/users

  • To get the group ID simply navigate to the members page of your SharePoint Group and look at the number at the end of the URL  Here is the URL of my “Product Members” group:  https://concurrencyinc.sharepoint.com/sites/products/_layouts/15/people.aspx?MembershipGroupId=9

Here is my call:  https://concurrencyinc.sharepoint.com/sites/products/_api/Web/SiteGroups/GetById(9)/Users

  • We will see the users returned in the entry area of the response.

ExportSPGroup1

3.  Download the XML response

  • In the Advanced REST Client click Save as file and then Download in the response section.

ExportSPGroup2

4.  Change the file type

  • The file will download as a .text-plain file type.  Edit the filename and change it to a .xml file type.

ExportSPGroup3

5.  Open with Excel!

  • In Excel browse and pick out the new .xml file you created and select open this file as an XML table.

ExportSPGroup8

  • Take a second and look at your pretty data.

ExportSPGroup4

6.  Remove duplicates

  • The data comes across in a way that there are 2 rows for each user.  We can clean that up by removing the duplicates based on the login name.  First click anywhere in the imported table and under the Data tab click Remove Duplicates.

ExportSPGroup5

  • Click the Unselect All button then scroll down and check ns4:LoginName

ExportSPGroup6

  • That will remove your duplicate logins and you will have emails and logins that you can use whatever way you need.

ExportSPGroup7

 

Handy appendix?

I know this post is titled how to get a list without powershell but I wanted to just include this down here as this is an easier approach if you have the ability.  Here are the commands to get a list of users in a SharePoint Group via powershell.

  • Get-SPSite http://server/sites/yoursite | Select -ExpandProperty RootWeb | Select -ExpandProperty Groups | Where {$_.Name -EQ “group name”} | Select -ExpandProperty Users | Select Name, Email| Export-Csv c:\scripts\users.txt

Here is the command to do it with SharePoint Online

  • Get-SPOUser -Site https://contoso.sharepoint.com/sites/finance -Group “group name”

Handy links!

Microsoft Ignite & SharePoint/O365 – Outcomes

MSIgnite

Well this blog post is coming in quite late as Microsoft Ignite was a little less than a month ago. But I believe in better late than never and there are some good topics that I wanted to follow up with. I was lucky enough to attend Ignite with a great group of folks from Concurrency and was also able to do some great networking to meet new folks in the SharePoint and O365 collaboration world. My initial reaction of Ignite was that it was a little overwhelming at times. Coming from the world of smaller SharePoint conferences having 20k+ people in a giant building with all different types of Microsoft technology led to some long walks and not many deep dive sessions. With the amount of announcements in the Office 365 and SharePoint Server 2016 space that were being discussed it was and still is a challenge to keep up with. Looking at the conference from a strictly SharePoint perspective it felt limited at times. Many of the primary SharePoint sessions were packed to the brim and had to be held in overflow areas. I think this directly spoke to the overwhelming usage that SharePoint has in the enterprise still. I am now very excited to attend the smaller SharePoint specific conferences such as SharePoint Fest and SPTechCon to dig deep into the new experiences. I have been trying to go through all of the videos on Channel 9 but there are so many good ones. If you want to download the videos and slides directly here is a link for instructions on how to do it.

In this post I will try to highlight what I believe to be the best sessions for collaboration around SharePoint and Office 365 and also review my pre-conference predictions.

My prediction outcomes

NextGen Portals

Ok we all knew they were already going to announce something but this still was an exciting topic. The new Knowledge Management portal currently called Codename “InfoPedia” was demonstrated. It was apparent that this portal was still in the early stages of development but their strategy to deploy a KM could be great. The new KM portal will consist of Boards, Articles and Microsites in which users are empowered to generate content quickly in a standardized and already styled way. This leads to a more organically and horizontal growing solution rather than a pre-determined hierarchical solution. Here a great post from Benjamin Niaulin about this topic.

Recommended sessions for this topic:

OneDrive for Business Sync Updates

Again we knew this coming but everything announced here was great news. I could write multiple blog posts on all of the new stuff they announced around this topic but here are the juicy highlights. The new OD4B sync client will use the current OneDrive protocol. There will be a unified sync client across OneDrive and OneDrive for Business platforms and the preview and RTM client will be available by end of year. Some other important things to note with the new client:

    • Selective sync (everyone have a round of applause for this one)
    • No more 20k file limit
    • Support for up to 10GB files
    • Blocking of unmanaged PCs
    • Includes PC and Mac

Recommended sessions for this topic:

Simplified Hybrid with SharePoint

I attended the SharePoint Hybrid pre-conference at Ignite and got to see first hand what is coming with hybrid in SharePoint and Office 365. Overall the strategy is clear to me that hybrid will be the new on-premises. There are features that will only be available in Office 365 and Microsoft’s strategy is not to bring you to the cloud but bring the cloud to you. This will allow enterprises to opt-in to hybrid on your own terms. This was very obvious in their hybrid strategy moving forward. Microsoft is trying to make they hybrid experience transparent. I won’t go deep into any of these strategies but if you want to discuss them just shoot me an email or a tweet. Their primary pillars are:

    • Hybrid Search
    • Hybrid OneDrive
    • Hybrid Extranet
    • Hybrid Team Sites
    • Cloud-drive Hybrid Picker
    • In the future with no further info yet…
      • Hybrid taxonomy story
      • Hybrid DLP
      • Hybrid eDiscovery

Recommended sessions for this topic:

What I hoped to see

Future of Forms

Isn’t this everyone’s favorite SharePoint topic? I came in hoping to hear something about forms, or at least anything. With the incredible amount of announcements there was still nothing new on forms. The current state still exists in which InfoPath 2013 will continue to work in Office 365 and SharePoint Server 2016. The only time I heard forms being discussed in a session was during the MVP panel that I linked to above. The panel confirmed the current state and provided similar input to what I am currently telling my clients. If it is a small list form customization go ahead with InfoPath. If you have a larger and more long term forms requirement it is time to look at a 3rd party or custom development.

Future of SharePoint Workflow

There were not architectural changes announced during Ignite. With a total of 0 sessions and 0 discussions about workflow during Ignite I would tend to lean towards the thought that there will be no architectural changes. Workflow will continue to run on Workflow Foundation 4 as an external resource as it does today on-premises and in Office 365. Now there was some news that will affect workflow creators.

There will not be a SharePoint Designer 2016 but SharePoint Designer 2013 will continue to be supported.

I think this is an important step in the evolution of productivity in SharePoint and Office 365. Obviously SharePoint Designer was built with on-premises as its base. That much control is unnecessary in a cloud solution like Office 365. So on that side it makes sense to start bringing in limits. And of course anyone who has used SharePoint Designer heavily in the past knows it was a very buggy product that loved to crash. It is important to remember that we are over a year away from the release of SharePoint Server 2016 so there will be more news around this topic.

As far as workflow creation, I do believe that this is a step in the right direction and hope to see a browser based workflow creation experience. I will also use this time to plug my session at SPBiz that is directly related to SharePoint Designer workflows. This should be a great free online conference.

Future of Yammer

I was very wrong with my prediction here. I was leaning towards the thought that brand for “Yammer” itself would be going away. It was stated pretty loud and clear that this was not the case. There were multiple sessions around this solution including the Yammer Roadmap. Yammer is here to stay and will have a place in the Office 365 ecosystem. Each experience that comes with Office 365 does have its appropriate use cases. The challenge that we currently are and will continue to face is the confusion around when and where to use an experience. There was even a session around this topic titled How to Decide When to Use SharePoint and Yammer and Office 365 Groups and Outlook and Skype. Obviously if we had to have a major session on this topic there is confusion on what to do. I hope this vision continues to clear moving forward.

One item of note around Yammer and Office 365 is that the UI for Yammer is changing to align better with the rest of Office 365. If you are a part of the Office 365 Network (and if you’re reading my blog and are not, go join it now) you are already seeing these changes happening.

The Site Actions Menu in SharePoint Server 2016 not changing locations from the top right

I can confirm that it is staying in the right from the demos performed. No need for any panic from the community.

Anything else interesting?

I think the winner of most interesting topic during Ignite and so far after Ignite has been Office 365 Groups. Microsoft is putting a ton of time and effort into this collaboration experience. I believe that Office 365 Groups still need some help around the governance and control but they will be a go to solution in the future. Here is a link to a great blog post from Nik Patel that will go into a little more detail. Overall groups will be an experience that encompasses nearly all aspects of Office 365.

yammer-post-image

Recommended sessions for this topic:

Here are some other interesting topics and some sessions about each.

SharePoint Server 2016

Office 365 Security

Office 365 Migration API

 

I look forward to the next Microsoft Ignite conference in 2016 coming back to Chicago on May 9-13. It will be interesting to look back on this post and see how different the landscape moves in just 1 year.