Recovering a Deleted Office 365 Group via PowerShell

Introduction

Ever since Office 365 Groups were released, which feels like many moons ago now, a deleted Group was unrecoverable.  So if you deleted an Office 365 Group, either on purpose or accidentally, you lost all your data.  You lost your SharePoint site, Planner data, Outlook mailbox…all of it.  There was a checkbox that you had to check in most places letting you know that deletion was permanent.  With the proliferation of Groups throughout Office 365, though, there were a ton of ways and places to delete a Group.  Last time I tried counting there were at least 16 different ways to delete a Group.  That is a ton of places for the UI to be just different enough for someone to make a mistake.  This was also a large concern for regulated or very security-aware environments.  The ability to discover and recover critical data can be mandatory in these environments.  That means the inability to restore Groups could be the single bottleneck that stops usage of such a helpful technology.

Thankfully our wait is now no more and we can recover a deleted Office 365 Group.  The message that this was rolling out appeared in Message Centers today and the Office 365 Roadmap has already been updated that this has been launched. 

Here is the announcement on the Tech Community site and the supporting Microsoft Documentation


NOTE: I am writing this right around the launch date of this feature and will try to keep this post updated if anything changes

What you need to know

  • Currently you can only recover them via PowerShell with GUI coming later
  • You have 30 days from the deletion of the Group to recover it, if not it will be permanently deleted
  • You cannot restore a group if a group with the same SMTP address or alias now exists (that new group would have to be deleted first)
  • It could take up to 24 hours to restore in rare cases
  • You can permanently delete a Group within the 30 days 
  • Content that currently gets restored includes:
    • AD Groups Object including properties and members
    • SMTP address
    • Exchange mailbox & calendar
    • SharePoint Online site
    • OneNote notebook hosted on the SPO site
    • Planner
    •  Additionally if you have a connected Microsoft Team or Office 365 Connected Yammer group those can be restored as well

Prerequisites:

  • Azure AD PowerShell V2 – Preview 
    • The cmdlets that support Office 365 Group recovery are currently available only in the preview cmdlets.
    • I am writing this using version 2.0.0.98 

Steps to recover a deleted Office 365 Group

In my example I have a Group called InterestGroup1 which was deleted and can no longer be seen:

1 – Connect to Azure AD via PowerShell (ensure you connect to Preview)

Connect-AzureAD

2 – Review the Office 365 Groups that have been deleted and can be recovered 

I included the list of properties here so you can see everything returned in the recoverable Group object.  You only need Get-AzureADMSDeletedGroup; the "| select *" part is not required.

Get-AzureADMSDeletedGroup | select *

3 – Select the Group you want to recover and ensure that you selected a group

Replace “ENTER GROUP DISPLAY NAME HERE” with the appropriate name of the Group you want to recover.  I put this together so you just need to enter the Group Display Name instead of copying the GUID but entering just the ID is also valid in the next step.

$deletedgroup = Get-AzureADMSDeletedGroup | Where-Object {$_.DisplayName -eq "ENTER GROUP DISPLAY NAME HERE"} 
$deletedgroup

4 – Recover your Group

Restore-AzureADMSDeletedDirectoryObject -Id $deletedgroup.Id

You can run the command from step 2 above to confirm that the Group you are recovering is no longer in the Deleted Group list.

5 – Confirm your Group has been recovered

Get-AzureADGroup

After some time it will start popping back up in the GUI.


Steps to permanently delete an Office 365 Group

You can also delete a Group that is in the pending 30 day deletion using this process.  This will delete everything and not be recoverable. 

1 – Follow steps 1 through 3 above to connect to Azure AD and get the group you want to permanently delete in the $deletedgroup variable.

Instead of using the Restore-AzureADMSDeletedDirectoryObject cmdlet, use the Remove-AzureADMSDeletedDirectoryObject cmdlet and pass the Group ID.

Remove-AzureADMSDeletedDirectoryObject -Id $deletedgroup.Id

2 – Confirm that the Office 365 Group has been deleted

Get-AzureADMSDeletedGroup | select *
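Display names are not unique, so the name filter in step 3 can return zero or several deleted groups, and that matters most before the irreversible Remove call. The following is an added example, not part of the original post: a guard that only hands back an Id when exactly one group matches and reports how much of the 30-day window is left. The function name and sample objects are hypothetical, and it assumes the deleted group objects expose a DeletedDateTime property.

```powershell
# Added example, not from the original post.
# Select-SingleDeletedGroup and the sample data are hypothetical.
# Assumption: objects from Get-AzureADMSDeletedGroup carry DeletedDateTime.
function Select-SingleDeletedGroup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $DeletedGroups,
        [Parameter(Mandatory)] [string] $DisplayName,
        [int] $RetentionDays = 30,          # recovery window stated in the post
        [datetime] $Now = (Get-Date)
    )

    # Collect every match first; never assume the name is unique.
    $found = @($DeletedGroups | Where-Object { $_.DisplayName -eq $DisplayName })

    if ($found.Count -eq 0) {
        throw "No deleted group named '$DisplayName' was found."
    }
    if ($found.Count -gt 1) {
        $ids = ($found | ForEach-Object { $_.Id }) -join ', '
        throw "'$DisplayName' matches $($found.Count) deleted groups ($ids). Select one by Id."
    }

    $group    = $found[0]
    $daysLeft = $null
    if ($group.DeletedDateTime) {
        $expires  = ([datetime]$group.DeletedDateTime).AddDays($RetentionDays)
        $daysLeft = [math]::Floor(($expires - $Now).TotalDays)
    }

    [pscustomobject]@{
        Id          = $group.Id
        DisplayName = $group.DisplayName
        DaysLeft    = $daysLeft
    }
}

# Constructed sample data standing in for the output of Get-AzureADMSDeletedGroup.
$sample = @(
    [pscustomobject]@{ Id = '11111111-1111-1111-1111-111111111111'; DisplayName = 'InterestGroup1'; DeletedDateTime = [datetime]'2017-03-01' }
    [pscustomobject]@{ Id = '22222222-2222-2222-2222-222222222222'; DisplayName = 'Finance';        DeletedDateTime = [datetime]'2017-03-05' }
    [pscustomobject]@{ Id = '33333333-3333-3333-3333-333333333333'; DisplayName = 'Finance';        DeletedDateTime = [datetime]'2017-03-10' }
)
$now = [datetime]'2017-03-20'

# Unique name: returns one object with the Id to pass on.
Select-SingleDeletedGroup -DeletedGroups $sample -DisplayName 'InterestGroup1' -Now $now

# Ambiguous name: refuses instead of handing several Ids to the next cmdlet.
try   { Select-SingleDeletedGroup -DeletedGroups $sample -DisplayName 'Finance' -Now $now }
catch { Write-Warning $_.Exception.Message }

# Against a tenant, after Connect-AzureAD with the preview module:
#   $target = Select-SingleDeletedGroup -DeletedGroups @(Get-AzureADMSDeletedGroup) -DisplayName 'InterestGroup1'
#   Restore-AzureADMSDeletedDirectoryObject -Id $target.Id    # recover
#   Remove-AzureADMSDeletedDirectoryObject  -Id $target.Id    # permanent delete, not recoverable
```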

 

Automatically Created Office 365 Groups Based on Direct Reports Coming Soon – (Now Limited Release)

UPDATE 3/21/2017 from Microsoft

Microsoft has released a new update to this roll out stating: 

**We listened to your concerns and have decided to limit the rollout of this feature to a smaller set of customers (notified via MC94808) whom we will work with directly to ensure feedback is considered, and the feature has a positive impact. We thank you all for your constructive feedback, we have learned a few lessons and look forward to continued Group innovations in the future.**

So thankfully the voice of the community has been heard, and the information below now relates to the original global release.  There was a ton of discussion around this on the MS Tech Community site and on Twitter.

Here is the new message in the message center:

Now back to the original post with some slight tweaks….


Last Friday an interesting new message that caught me off guard popped up in my message center titled – Auto creation of Direct Reports group in Outlook

Here are the contents of the message:


Auto creation of Direct Reports group in Outlook
MC96611
Published On : March 17, 2017
Expires On : April 28, 2017
 
To help managers collaborate more effectively with their employees, we will automatically create Office 365 Groups containing the manager’s direct reports. Managers can easily update, delete, or modify the group at any time. This message is associated with Office 365 Roadmap ID 78174.
 
How does this affect me?
Beginning April 13th , 2017 We will automatically create direct reports groups in Outlook (leveraging the Office 365 Groups Service) for eligible managers. If you have Office 365 Groups disabled for your tenant, or if the manager in question doesn’t have permission to create groups, then no group will be created.
 
What do I need to prepare for this change?
If you are looking forward to this, there is no action you need to take. Get yourself familiar with Office 365 Groups, update your user training, and notify your helpdesk, as needed. If you would like to leave Office 365 Groups enabled for your organization but turn off direct reports groups creation, we have provided controls to enable and disable. Please click Additional Information to learn more.

Let’s go a little more into this…

At first glance this sounds like a good idea. The part that I disagree with is the auto opting-in of something like this and the very late notice. Normally things exist on the O365 Roadmap for a while and fall into their standard development and release cadence. This one is being rolled out within a month of the announcement and doesn’t have info on whether it will go to first-release to start. This feature has the ability to create a whole ton of Groups depending on the size of your organization, whether you are ready for them or not. The majority of the large clients I work with have not fully jumped into the Groups world yet and are working towards basic governance, adoption, and training strategies before they fully go. Those organizations could already have a plan to provision groups for specific teams – company teams not the product 🙂 – and they will most likely get these new Groups created before they are ready. The documentation currently doesn’t list anything for the continued update of groups either. If this is a one-time push, the onus will be on the Managers to maintain their Groups post auto creation. I would still say there are more questions to be answered for this feature and there is already a good discussion on the MS Tech Community site
 
Another thing I noticed is the new naming of this release. The title specifically calls out that these are Groups in “Outlook”. This looks like a new way to refer to Email (Outlook) conversation based Groups vs Yammer conversation based Groups. 
 
As stated above this is no longer going to be rolled out to everyone and will be rolled out to a limited subset of tenants. 

How will the members of the Groups be determined?

The member population of these Groups is based on your Active Directory ManagedBy attribute. As you’re reading this, raise your hand if you think your ManagedBy attribute is accurate enough in your Active Directory environment? Now lower your hand because you are just reading this post and someone near you might think you have a question. If you have any direct reports (i.e. your name is listed in someone’s ManagedBy attribute) you potentially could have a group auto created. The manager will be added as an Owner of the Group while everyone else will be added as Members.

How can I control these auto provisioned Groups?

Some key things to note:
  • This is on by default. I felt like I just needed to repeat this one again. 
  • Office 365 Group creation must be enabled at the tenant.  I have highlighted how to manage this in a few posts on here
  • The manager must have the permission and ability to create an Office 365 Group.
  • The group will be named “<Manager’s Name>’s direct reports”, but that can be edited.
  • You can only turn this off via PowerShell and connecting through Exchange Online (unlike Azure AD for other Group management). 

Steps to manage auto provisioning of Direct Reports Office 365 Groups via PowerShell

1 – Connect to Exchange Online via PowerShell

$creds = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $creds -Authentication Basic -AllowRedirection
Import-PSSession $Session

2 – Review your current settings for the parameter “DirectReportsGroupAutoCreationEnabled” using the Get-OrganizationConfig cmdlet. 

Get-OrganizationConfig | select DirectReportsGroupAutoCreationEnabled

 

3 – Set the value of “DirectReportsGroupAutoCreationEnabled” to false to disable auto group creation and true to enable it. Review your change with the same cmdlet above.

Set-OrganizationConfig -DirectReportsGroupAutoCreationEnabled $false

Managing Office 365 Groups Using Azure AD Powershell V2

Introduction

Azure AD PowerShell is an incredibly useful tool for management.  V2 was released as GA (general availability) in Dec 2016.  This means that you could begin to utilize the new cmdlets in your production environment.  There is currently not dual functionality from the V1 MSOL cmdlets so both will still need to be used as V2 continues to develop.  There is also a preview set of cmdlets that you can download and use that has some extended features beyond just V2.  The V1 module will begin to be deprecated as V2 continues to advance.  I would recommend working with V2 when possible and only going back to V1 as needed.

I won’t be going through all of the differences between these versions but will be shedding some light on the differences for Office 365 Group management from V1 to now.  This is a follow up to my original post: Managing Office 365 Group Creation via Azure AD

Links:

Licensing

Microsoft has made changes to the licensing for Office 365 Groups capabilities and the required Azure AD licensing to be able to use them. This is highlighted in the ‘Feature availability and licensing section’ of the following article: Learn about Office 365 Groups 

Quick V1 vs. V2 Examples

The big difference from V1 to V2 is that the majority of cmdlets that used *-MSOL* cmdlets are now *-AzureAD*.  The full list of cmdlets can be found through the links above. 

To connect using V1 you would use:

Connect-MsolService

V2 you now use:

Connect-AzureAD

To get a user in V1 you would use:

Get-MSOLUser

V2 you now use:

Get-AzureADUser

Managing Groups using Azure AD PowerShell V2

To perform Group management you will need to use the V2 Preview cmdlets (download above) until they are rolled into V2.  The same Office 365 groups settings in Azure AD PowerShell available in V1 are currently not available in V2.  Hopefully when that happens they won’t change much from when I am writing this. 

The primary cmdlets utilized in V1:

Get-MsolAllSettings
Get-MsolAllSettingTemplate
New-MsolSettings
Set-MsolSettings
Remove-MsolSettings

Their comparison in V2:

Get-AzureADDirectorySetting
Get-AzureADDirectorySettingTemplate
New-AzureADDirectorySetting
Set-AzureADDirectorySetting
Remove-AzureADDirectorySetting

The way that these are updated is also different.  That means you cannot simply replace “MsolAllSettings” with “AzureADDirectorySetting” in your scripts.  There are different parameters that you need to pass, and some functions are not available.


You can currently see these values but not all can be set. Please ensure you review Microsoft’s latest supported parameters as these are updated frequently.

Name : ClassificationDescriptions
Description : A comma-delimited list of structured strings describing the classification values in the ClassificationList. The structure of the string is: Value: Description

Name : DefaultClassification
Description : The classification value to be used by default for Unified Group creation.

Name : PrefixSuffixNamingRequirement
Description : A structured string describing how a Unified Group displayName and mailNickname should be structured. Please refer to docs to discover how to structure a valid requirement.

Name : AllowGuestsToBeGroupOwner
Description : Flag indicating if guests are allowed to be owner in any Unified Group.

Name : AllowGuestsToAccessGroups
Description : Flag indicating if guests are allowed to access any Unified Group resources.

Name : GuestUsageGuidelinesUrl
Description : A link to the Group Usage Guidelines for guests.

Name : GroupCreationAllowedGroupId
Description : Guid of the security group that is always allowed to create Unified Groups.

Name : AllowToAddGuests
Description : Flag indicating if guests are allowed in any Unified Group.

Name : UsageGuidelinesUrl
Description : A link to the Group Usage Guidelines.

Name : ClassificationList
Description : A comma-delimited list of valid classification values that can be applied to Unified Groups.

Name : EnableGroupCreation
Description : Flag indicating if group creation feature is on.


Steps to Create new Directory Settings for Groups template

There are multiple templates that are part of your Azure AD tenant.  This template can contain a settings object which has a collection of values.  These values are where we set the parameters above.  The settings object needs to be created before you can set any values.  If you already have one you can move to the section below.

1 – Connect to Azure AD via PowerShell

Connect-AzureAD

2 – Review if you have any settings currently configured in your tenant

Get-AzureADDirectorySetting | ForEach Values

3a – If you have directory settings returned it will look like this (properties subject to change over time)

 

3b – If you have NO settings returned it will look like this and new directory settings will need to be created

Run this command to create the new directory settings

$template = Get-AzureADDirectorySettingTemplate | where-object {$_.displayname -eq "Group.Unified"}
$setting = $template.CreateDirectorySetting()
New-AzureADDirectorySetting -DirectorySetting $setting

4 – Review your updated settings; you can now see the default values for the directory settings object created for the Groups template

Get-AzureADDirectorySetting | ForEach Values


Steps to set Group Settings

1 – Connect to Azure AD via PowerShell

Connect-AzureAD

2 – Review if you have any settings currently configured in your tenant

Get-AzureADDirectorySetting | ForEach Values

3a – If you have directory settings returned it will look like this (properties subject to change over time)

3b – If you have NO settings returned it will look like this and new directory settings will need to be created by following the steps above

4 – Examples of Group settings

All settings below will use the Get-AzureADDirectorySetting cmdlet and store that in a variable and then use the Set-AzureADDirectorySetting cmdlet with the updated settings.  The full command to run a setting update is:

$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq "Group.Unified"}
$settings["SETTING NAME"] = ""
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

I will walk through some of the common scenarios and how to configure the settings parameters.  If you run any of the

Restricting Group Creation for all except users in a specific group

Enter the group you want to use in the “ENTER..” section.

$group = Get-AzureADGroup -All $True | Where-Object {$_.DisplayName -eq "ENTER GROUP DISPLAY NAME HERE"}
$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq "Group.Unified"}
$settings["EnableGroupCreation"] = "false" 
$settings["GroupCreationAllowedGroupId"] = $group.ObjectId
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

Setting Group classification

Use comma delimited values for the classifications.

$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq "Group.Unified"}
$settings["ClassificationList"] = "Internal,External,Confidential"
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

Setting Guidelines URL

Enter a valid URL to a page or document that holds your guidelines.

$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq "Group.Unified"}
$settings["UsageGuidelinesUrl"] = "https://domain.sharepoint.com/sites/intranet/Pages/Groups-Usage-Guidelines.aspx"
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

Restrict all access for guest users to Groups including ones that were already granted access

$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq "Group.Unified"}
$settings["AllowGuestsToAccessGroups"] = "False"
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

Restrict the ability to add any new guest users but not restrict existing

$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq "Group.Unified"}
$settings["AllowToAddGuests"] = "False"
$settings["AllowGuestsToAccessGroups"] = "True"
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

Setting all Group settings

With some examples.

$group = Get-AzureADGroup -All $True | Where-Object {$_.DisplayName -eq "ENTER GROUP DISPLAY NAME HERE WHO WILL HAVE ACCESS TO CREATE GROUPS"}
$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq "Group.Unified"}
$settings["ClassificationDescriptions"] = "Internal:This is internal only,External:External users can access,Confidential:Highly secure" 
$settings["DefaultClassification"] = "Confidential"
$settings["PrefixSuffixNamingRequirement"] = "ogrp-" 
$settings["AllowGuestsToBeGroupOwner"] = "false"
$settings["AllowGuestsToAccessGroups"] = "true" 
$settings["GuestUsageGuidelinesUrl"] = "https://domain.sharepoint.com/sites/intranet/Pages/Groups-Guest-Usage-Guidelines.aspx"
$settings["GroupCreationAllowedGroupId"] = $group.ObjectId 
$settings["AllowToAddGuests"] = "true"
$settings["UsageGuidelinesUrl"] = "https://domain.sharepoint.com/sites/intranet/Pages/Groups-Usage-Guidelines.aspx" 
$settings["ClassificationList"] = "Internal,External,Confidential"
$settings["EnableGroupCreation"] = "true"
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

5 – Review your updated settings

Get-AzureADDirectorySetting | ForEach Values
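Because these values govern who can create Groups and what guests can reach, it helps to compare them against an intended baseline before and after each Set-AzureADDirectorySetting call. The following is an added example, not code from the original post: a pure comparison function run over constructed sample values; the function name, the baseline and the sample data are hypothetical.

```powershell
# Added example, not from the original post.
# Compare-GroupSettingBaseline, $baseline and $sampleValues are hypothetical.
function Compare-GroupSettingBaseline {
    [CmdletBinding()]
    param(
        # Name/Value pairs in the shape of the setting object's Values collection
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Current,
        # Setting name -> expected value (all values are handled as strings)
        [Parameter(Mandatory)] [hashtable] $Baseline
    )

    # Index the current values by setting name.
    $byName = @{}
    foreach ($pair in $Current) { $byName[$pair.Name] = [string]$pair.Value }

    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $expected = [string]$Baseline[$name]
        $actual   = $null
        if (-not $byName.ContainsKey($name)) {
            $status = 'Missing'
        } else {
            $actual = $byName[$name]
            # Case-insensitive: the post's own examples write both "false" and "False".
            $status = if ($actual -ieq $expected) { 'OK' } else { 'Drift' }
        }
        [pscustomobject]@{ Setting = $name; Expected = $expected; Actual = $actual; Status = $status }
    }

    # Creation is switched off but no security group is recorded as allowed to create.
    if ($byName['EnableGroupCreation'] -ieq 'false' -and
        [string]::IsNullOrWhiteSpace($byName['GroupCreationAllowedGroupId'])) {
        [pscustomobject]@{
            Setting  = 'GroupCreationAllowedGroupId'
            Expected = '<ObjectId of the allowed security group>'
            Actual   = ''
            Status   = 'Unset while EnableGroupCreation is false'
        }
    }
}

# Hypothetical baseline built from the scenarios in this post:
# restricted creation, no new guests, existing guests keep access.
$baseline = @{
    EnableGroupCreation       = 'false'
    AllowGuestsToBeGroupOwner = 'false'
    AllowToAddGuests          = 'false'
    AllowGuestsToAccessGroups = 'true'
    ClassificationList        = 'Internal,External,Confidential'
}

# Constructed sample standing in for the Values of the Group.Unified setting.
$sampleValues = @(
    [pscustomobject]@{ Name = 'EnableGroupCreation';         Value = 'False' }
    [pscustomobject]@{ Name = 'GroupCreationAllowedGroupId'; Value = '' }
    [pscustomobject]@{ Name = 'AllowGuestsToBeGroupOwner';   Value = 'false' }
    [pscustomobject]@{ Name = 'AllowToAddGuests';            Value = 'True' }
    [pscustomobject]@{ Name = 'AllowGuestsToAccessGroups';   Value = 'True' }
)

Compare-GroupSettingBaseline -Current $sampleValues -Baseline $baseline | Format-Table -AutoSize

# Against a tenant, after Connect-AzureAD:
#   $settings = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
#   Compare-GroupSettingBaseline -Current $settings.Values -Baseline $baseline
```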


Steps to remove Group Settings

1 – Connect to Azure AD via PowerShell

Connect-AzureAD

2 – Remove your directory settings, follow the steps above to create new

$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq "Group.Unified"}
Remove-AzureADDirectorySetting -Id $settings.Id

More Scripts

All of these Office 365 Group scripts for V2 can be found on Github. Large thanks to Tony Redmond, Santhosh Balakrishnan, and Juan Carlos Martin for the work they have already done and their multiple supporting scripts.  The scripts from this post are under the file: DrewO365GroupsScripts – Azure AD Cmdlets

Please feel free to contribute!

https://github.com/dmadelung/O365GroupsScripts

Hide Sync for Sites via PowerShell in SharePoint Online – Offline Client Availability

Offline Client Availability is built into SharePoint to “Prevent users from downloading content from a site”, per MS support.   I am not aware of a way to fully stop existing syncs, but it is possible to hide the Sync option from the views within the document library.  This setting can be applied at the site and the library level.

When working at the site level, this setting actually exists at the “Web” level within SharePoint.  This means it is not a site collection level setting and needs to be set per site, including all subsites.


What it looks like when done

This is what you will see with this setting set to NO:

Modern experience (no sync option)

Classic experience (sync option greyed out)


This is what you see with this setting set to YES:

Modern experience

Classic experience


Setting via Browser

The Offline Client Availability option can be set by single site under…

  1. On the site, click Settings > Site Settings.
  2. Under Search, click Search and offline availability.
  3. In the Offline Client Availability section, select No.


 

Setting via PowerShell

There was a good discussion going on within the MS Tech Community site around the ability to restrict sync via scripting and I tried to put together what I could to support it.  Obviously it would be tedious to try to set that for all sites and subsites across your tenant.  This was my first published attempt for CSOM so I used some great references to get me through it and this is probably rough around the edges.  All feedback is helpful!

Per TechNet, setting this CSOM web property (ExcludeFromOfflineClient) to true does not disable synchronization. Instead, it represents a recommendation to the client not to attempt synchronization.

Ensure that you update the <insert path> sections near the top of the script with the path to your CSOM files. Ensure you have at least the August 2016 version of CSOM.  Link to latest Nuget for download.

Link to download most recent version of powershell script from TechNet gallery

# Substitute your path to CSOM files (i.e. "c:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\ISAPI\Microsoft.SharePoint.Client.Runtime.dll")
Add-Type -Path "<insert path>\Microsoft.SharePoint.Client.dll"
Add-Type -Path "<insert path>\Microsoft.SharePoint.Client.runtime.dll"

# Variables with prompts
$siteUrl = Read-Host -Prompt "Enter Site Collection URL"
$username = Read-Host -Prompt "Enter username"
$password = Read-Host -Prompt "Enter password" -AsSecureString
$subwebcheck = Read-Host -Prompt "Do you want to process subsites? (enter 'Y' if yes)"

# Generate ClientContext(ctx) function so we can reuse
function GetClientContext($siteurl, $username, $password) {
    $ctx = New-Object Microsoft.SharePoint.Client.ClientContext($siteurl)
    $credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($username, $password)
    $ctx.Credentials = $credentials
    return $ctx
}

# Function to loop through subsites and set values.
# It is defined before its first call: PowerShell only knows a function once its definition has run.
function processsubsites ($siteurl) {
    $ctx = GetClientContext $siteurl $username $password
    $rootWeb = $ctx.Web
    $childWebs = $rootWeb.Webs
    $ctx.Load($rootWeb)
    $ctx.Load($childWebs)
    $ctx.ExecuteQuery()

    # Perform update for all template types except APPs to exclude from offline clients
    if ($rootWeb.WebTemplate -ne "APP") {
        Write-Host $rootWeb.Url "is being updated to exclude from offline clients"
        $rootWeb.ExcludeFromOfflineClient = $true
        $rootWeb.Update()
        $ctx.Load($rootWeb)
        $ctx.ExecuteQuery()
        Write-Host "ExcludeFromOfflineClient is now" $rootWeb.ExcludeFromOfflineClient "for the site:" $rootWeb.Url -ForegroundColor Green
    }

    # Loop subsites of subsites of subsites...etc
    foreach ($childWeb in $childWebs) {
        processsubsites $childWeb.url
    }
}

$ctx = GetClientContext $siteUrl $username $password

# Verify connection
# No request is sent until ExecuteQuery(), so a bad URL or credential surfaces at the first ExecuteQuery() below
if ($ctx.ServerObjectIsNull.Value) {
    Write-Host "Unable to connect to: '$siteUrl'" -ForegroundColor Red
} else {
    Write-Host "Connected to: '$($siteUrl)'" -ForegroundColor Green

    $rootWeb = $ctx.Web
    $ctx.Load($rootWeb)
    $ctx.ExecuteQuery()

    # Update root site
    Write-Host $rootWeb.Url "is being updated to exclude from offline clients"
    $rootWeb.ExcludeFromOfflineClient = $true
    $rootWeb.Update()
    $ctx.Load($rootWeb)
    $ctx.ExecuteQuery()
    Write-Host "ExcludeFromOfflineClient is now" $rootWeb.ExcludeFromOfflineClient "for the site:" $rootWeb.Url -ForegroundColor Green

    if ($subwebcheck -eq "Y") {
        # Work with all subsites
        Write-Host "Processing subsites..." -ForegroundColor Yellow
        $childWebs = $rootWeb.Webs
        $ctx.Load($childWebs)
        $ctx.ExecuteQuery()
        foreach ($childWeb in $childWebs) {
            processsubsites $childWeb.url
        }
    }
}

Used helpful references 

So much good info already out there that helped me get started; Thank you!

Get-SPOSite Now Returns Office 365 Group and Video Site Collections

For the longest time it was not possible to see Office 365 Group and Office 365 Video site collections in PowerShell using the SharePoint Online Management Shell and the Get-SPOSite cmdlet.  If you declared the site directly you could see the site.  Also if you used the Set-SPOSite cmdlet to set values of the site it would work but you couldn’t see all sites with one cmdlet.  As of a recent release this is now possible. 

Get-SPOSite

You can also now use the -Template parameter to limit the query based on the site collection template, which will allow you to get only Office 365 Video or Group site collections

Get all Office 365 Group site collections

Get-SPOSite -Template GROUP#0

Get all Office 365 Video site collections

Get-SPOSite -Template POINTPUBLISHINGTOPIC#0