Introduction
When Office 365 Groups were first released there was not an ability to control the names of Groups at all. One of the primary reasons for this was due to the cross workload functionality that make up Office 365 Groups. As a reminder, an Office 365 Group is the single Azure AD identity service that provides specific membership to Office 365 solutions like SharePoint, Exchange, Planner, Teams, etc. Within each of these workloads you have the ability to create and manage an Office 365 Group. If you make a change within one of workloads, for example SharePoint, there is communication between the workload and Azure AD with notifications on things like creation, changes, and deletions.
With a separated system and Azure AD as the source, any policies need to be applied at the Azure AD level. As an example, an Exchange naming policy can be used (and at one point was the only option) for Office 365 Groups. If you set a naming policy within Exchange that would only work if you tried creating a group within Exchange. If I was on SharePoint Home and tried to create an Office 365 Group that naming policy would not trigger as I technically not working in Exchange. Exchange would learn about the Group after it is synced back to Azure AD but that would be too late.
To resolve this issue Microsoft has released Office 365 Group naming policy capabilities at the Azure AD level. A naming policy is very important for proper control and a clean Global Address List (GAL). Since this is in Azure AD now the naming policy is applied to Groups that are created across workloads.
Details
As I am writing this post in Dec 2017 this is currently still in Private Preview.
Both of these currently can only be configured with PowerShell. The prerequisites for configuring these can be found in this post: Managing Office 365 Groups using Azure AD PowerShell V2.
The AzureADPreview PowerShell module version 2.0.0.137 is required.
Office 365 Group naming policies can be built using 2 different features and 1 is automatically maintained:
- Custom blocked words
- You can set specific blocked words that can be used within Group names.
- Prefix-Suffix naming policy
- Using fixed strings or user attributes, you can add an automated prefix or suffix to a Group name.
- Microsoft Standard blocked words list
- A set of words Microsoft manages that are not allowed. This includes your primary swear words. I tested quite a few good ones and they were all blocked automatically.
These administrators bypass or are exempt from the naming polices you configure but NOT the MS standard blocked words list:
- Global Administrator
- Partner Tier 1 Support
- Partner Tier 2 Support
- User Account Administrator
- Directory Writers
Microsoft detailed information for the naming policy can be found here.
Custom blocked words
This is a comma separated list of words that you can configure. These words are blocked in Group names and aliases. Some examples of when you would want to configure blocked words:
- Your department or business function names because you want to ensure you don’t have duplicate places for content
- Regulatory words that you may have specific legal requirements around that you need to have more control over
- Names of roles that you don’t want people to try to impersonate
- Client, Vendor, or Competitor names
There are some things to know about these blocked words.
- The checks are done AFTER appending the prefix/suffix to the Group name
- If things like underscores (_) or dashes (-) are used in prefix/suffix they could stop your blocked word from working if there are no spaces
- No sub-string searches are done
- If “Drew” is the blocked word, “Andrew” would still work
- Not case-sensitive
- No character restrictions
- No limit on the amount of words
Steps to set the Custom Blocked words
This is assuming you already have a directory settings template created, details in prior post, and connection information from the first section.
1 – Connect to Azure AD via PowerShell.
Connect-AzureAD
2 – Use comma delimited values for the blocked words.
$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”}
$settings["CustomBlockedWordsList"] = "HR,Contoso,Payroll,CEO,CFO,CIO"
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings
3 – Review your updated settings; you can now see the default values for the directory settings object.
Get-AzureADDirectorySetting | ForEach Values
Prefix-Suffix naming policy
These can either be fixed strings or actually attributes from the user themselves. These 2 types of capabilities are stored within 1 overall string that is concatenated. Because of this, you must always have [GroupName] included in your setting. That is how you are able to have a prefix & a suffix.
Some examples of using strings:
- GRP [GroupName]
- This puts the fixed string of “GRP ” before all of your Group names
- #[GroupName] Group
- This will put the # symbol at the front of the Group name for better sorting in the GAL and then ” Group” as a suffix for better clarity
- Special characters are removed from the Alias
- OGRP – [GroupName]
- Dashes can be used for separation as spaces are removed automatically in the Group Alias (like the rest of the special characters). That means “OGRP – Drew” as a group name becomes “OGRP-Drew@domain.com” as the alias instead of “OGRPDrew@domain.com”.
The next type of thing you can add are Azure AD user attributes. The following attributes are supported: [Department], [Company], [Office], [StateOrProvince], [CountryOrRegion], [Title], [CountryCode]
Some examples of using attributes:
- [Department] – [GroupName]
- This will pull the users department stored in Azure AD before the Group name
- [CountryCode] – GRP – [GroupName]
- This will first put the Country Code stored in Azure AD followed by a fixed string and then the Group name
There are some things to know about using attributes.
- The total prefix/suffix + string length is restricted to 53 characters
- Empty attributes for users will be filled in with blank values. It is best to ensure your Azure AD information is fully established before using these attributes.
- Extension attributes and custom attributes are not supported
- If you put it in an unsupported attribute it just comes across as text
Steps to set the Prefix – Suffix naming policy
This is assuming you already have a directory settings template created, details in prior post.
1 – Use comma delimited values for the blocked words.
$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”}
$settings["PrefixSuffixNamingRequirement"] = "GRP - [Department] - [GroupName]"
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings
2 – Review your updated settings; you can now see the default values for the directory settings object.
Get-AzureADDirectorySetting | ForEach Values
Microsoft standard blocked words
There are a lot of unprofessional words naturally in the English language that most likely should never be part of an Office 365 Group name. This includes a primary set of things like swear words and other inappropriate words that your imagination may be able to come up with. This is a single setting to turn on the blocked words or off.
Steps to set the Microsoft blocked words
This is assuming you already have a directory settings template created, details in prior post, and connection information from the first section.
1 – Use comma delimited values for the blocked words.
$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”}
$settings["EnableMSStandardBlockedWords"] = $true
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings
2 – Review your updated settings; you can now see the default values for the directory settings object.
Get-AzureADDirectorySetting | ForEach Values
And when you put it all together!
You get a blocked word of CEO and a naming policy pulling in a prefix of “GRP – ” with an Azure AD department of “NFL” and a suffix of ” – CEO”. You will also see the alias removing the spaces.
Where does the naming policy actually work?
As there are a lot of workloads across Office 365 that utilize Groups there are a lot of places that these policies need to work. Currently it is not supported in every workload. Microsoft has the detailed information for what is supported in their support article here.
Here is the current breakdown in Dec 2017.
Where it works:
- Outlook on the Web
- Outlook Client – Doesn’t preview
- Outlook Mobile – Doesn’t preview
- Teams
- SharePoint
- Stream
- Groups mobile app
- Planner
- Dynamics 365
- Exchange PowerShell
- Azure AD PowerShell
- O365 Admin Center
Where it doesn’t:
- Power BI workspace
- Yammer
- StaffHub
- Azure AD Portal
Licensing
Any Office 365 subscription that has Exchange Online and SharePoint Online will support groups. That includes the Business Essentials and Business Premium plans, and the Enterprise E1, E3 and E5 plans.
There is a large collection of features that require specific types of Azure AD licenses. The Office 365 Groups naming policy requires Azure AD Premium P1 licenses for any users who are part of Office 365 Groups.
The full collection of licensing information is listed from Microsoft here.
Within SharePoint Online you have the ability to completely lock down a site collection so no one can get access to it. This is set via PowerShell and the 
