Browse Tag

Office 365 Groups

Managing Office 365 Groups Using Azure AD Powershell V2

By Drew Madelung
/
Feb 27, 2017
/
General, Groups, Office 365, PowerShell

Introduction

Azure AD PowerShell is an incredibly useful tool for management. V2 was released as GA (general availability) in Dec 2016.
This means that you could begin to utilize the new cmdlets in your production environment. There is currently not dual functionality from the V1 MSOL cmdlets so both will still need to be used as V2 continues to develop. There is also a preview set of cmdlets that you can download and use that has some extended features beyond just V2. The V1 module will begin to be deprecated as V2 continues to advance. I would recommend working with V2 when possible and only going back to V1 as needed.

I won’t be going through all of the differences between these versions but will be shedding some light on the differences for Office 365 Group management from V1 to now. This is a follow up to my original post: Managing Office 365 Group Creation via Azure AD.

Links:

Azure AD PowerShell V1
Azure AD PowerShell V2
Azure AD PowerShell V2 – Preview
- when writing this its 2.0.0.52
- Updated to support 2.0.0.85

Licensing

Microsoft has made changes to the licensing for Office 365 Groups capabilities and the required Azure AD licensing to be able to use them. This is highlighted in the ‘Feature availability and licensing section’ of the following article: Learn about Office 365 Groups

Quick V1 vs. V2 Examples

The big difference from V1 to V2 is that the majority of cmdlets that used *-MSOL* cmdlets are now *-AzureAD*. The full list of cmdlets can be found through the links above.

To connect using V1 you would use:

Connect-MsolService

V2 you now use:

Connect-AzureAD

To get a user in V1 you would use:

Get-MSOLUser

V2 you now use:

Get-AzureADUser

Managing Groups using Azure AD PowerShell V2

To perform Group management you will need to use the V2 Preview cmdlets (download above) until they are rolled into V2. The same Office 365 groups settings in Azure AD PowerShell available in V1 are currently not available in V2. Hopefully when that happens they won’t change much from when I am writing this.

The primary cmdlets utilized in V1:

Get-MsolAllSettings
Get-MsolAllSettingTemplate
New-MsolSettings
Set-MsolSettings
Remove-MsolSettings

Their comparison in V2:

Get-AzureADDirectorySetting
Get-AzureADDirectorySettingTemplate
New-AzureADDirectorySetting
Set-AzureADDirectorySetting
Remove-AzureADDirectorySetting

The way that these are updated are also different. That means you can not simply replace “MsolAllSettings” with “AzureADDirectorySetting” in your scripts. There are different parameters that you need to pass and functions not available.

You can currently see these values but not all can bet set. Please ensure you review Microsoft’s latest supported parameters as these are updated frequently.

Name : ClassificationDescriptions
Description : A comma-delimited list of structured strings describing the classification values in the ClassificationList. The structure of the string is: Value: Description

Name : DefaultClassification
Description : The classification value to be used by default for Unified Group creation.

Name : PrefixSuffixNamingRequirement
Description : A structured string describing how a Unified Group displayName and mailNickname should be structured. Please refer to docs to discover how to structure a valid requirement.

Name : AllowGuestsToBeGroupOwner
Description : Flag indicating if guests are allowed to be owner in any Unified Group.

Name : AllowGuestsToAccessGroups
Description : Flag indicating if guests are allowed to access any Unified Group resources.

Name : GuestUsageGuidelinesUrl
Description : A link to the Group Usage Guidelines for guests.

Name : GroupCreationAllowedGroupId
Description : Guid of the security group that is always allowed to create Unified Groups.

Name : AllowToAddGuests
Description : Flag indicating if guests are allowed in any Unified Group.

Name : UsageGuidelinesUrl
Description : A link to the Group Usage Guidelines.

Name : ClassificationList
Description : A comma-delimited list of valid classification values that can be applied to Unified Groups.

Name : EnableGroupCreation
Description : Flag indicating if group creation feature is on.

Steps to Create new Directory Settings for Groups template

There are multiple templates that are part of your Azure AD tenant. This template can contain a settings object which has a collection of values. Within these values are where we can set the parameters above. This needs to be done before you can set any values. If you already have this you can move to the section below.

1 – Connect to Azure AD via PowerShell

Connect-AzureAD

2 – Review if you have any settings currently configured in your tenant

Get-AzureADDirectorySetting | ForEach Values

3a – If you have directory settings returned it will look like this (properties subject to change over time)

3b – If you have NO settings returned it will look like this and new directory settings will need to be created

Run this command to create the new directory settings

$template = Get-AzureADDirectorySettingTemplate | where-object {$_.displayname -eq “Group.Unified”}
$setting = $template.CreateDirectorySetting()
New-AzureADDirectorySetting -DirectorySetting $setting

4 – Review your updated settings; you can now see the default values for the directory settings object created for the Groups template

Get-AzureADDirectorySetting | ForEach Values

Steps to set Group Settings

1 – Connect to Azure AD via PowerShell

Connect-AzureAD

2 – Review if you have any settings currently configured in your tenant

Get-AzureADDirectorySetting | ForEach Values

3a – If you have directory settings returned it will look like this (properties subject to change over time)

3b – If you have NO settings returned it will look like this and new directory settings will need to be created and follow the steps above

4 – Examples of Group settings

All settings below will use the Get-AzureADDirectorySetting cmdlet and store that in a variable and then use the Set-AzureADDirectorySetting cmdlet with the updated settings. The full command to run a setting update is:

$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”}
$settings["SETTING NAME"] = ""
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

I will walk through some of the common scenarios and how to configure the settings parameters. If you run any of the

Restricting Group Creation for all except users in a specific group

Enter the group you want to use in the “ENTER..” section.

$group = Get-AzureADGroup -All $True | Where-Object {$_.DisplayName -eq “ENTER GROUP DISPLAY NAME HERE”} 
$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”}
$settings["EnableGroupCreation"] = "false" 
$settings["GroupCreationAllowedGroupId"] = $group.ObjectId
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

Setting Group classification

Use comma delimited values for the classifications.

$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”}
$settings["ClassificationList"] = "Internal,External,Confidential"
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

Setting Guidelines URL

Enter a valid URL to a page or document that holds your guidelines.

$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”}
$settings["UsageGuidelinesUrl"] = "https://domain.sharepoint.com/sites/intranet/Pages/Groups-Usage-Guidelines.aspx"
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

Restrict all access for guest users to Groups including ones that were already granted access

$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”}
$settings["AllowGuestsToAccessGroups"] = "False"
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

Restrict the ability to add any new guest users but not restrict existing

$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”}
$settings["AllowToAddGuests"] = "False"
$settings["AllowGuestsToAccessGroups"] = "True"
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

Setting all Group settings

With some examples.

$group = Get-AzureADGroup -All $True | Where-Object {$_.DisplayName -eq “ENTER GROUP DISPLAY NAME HERE WHO WILL HAVE ACCESS TO CREATE GROUPS”} 
$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”}
$settings["ClassificationDescriptions"] = "Internal:This is internal only,External:External users can access,Confidential:Highly secure" 
$settings["DefaultClassification"] = "Confidential"
$settings["PrefixSuffixNamingRequirement"] = "ogrp-" 
$settings["AllowGuestsToBeGroupOwner"] = "false"
$settings["AllowGuestsToAccessGroups"] = "true" 
$settings["GuestUsageGuidelinesUrl"] = "https://domain.sharepoint.com/sites/intranet/Pages/Groups-Guest-Usage-Guidelines.aspx"
$settings["GroupCreationAllowedGroupId"] = $group.ObjectId 
$settings["AllowToAddGuests"] = "true"
$settings["UsageGuidelinesUrl"] = "https://domain.sharepoint.com/sites/intranet/Pages/Groups-Usage-Guidelines.aspx" 
$settings["ClassificationList"] = "Internal,External,Confidential"
$settings["EnableGroupCreation"] = "true"
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

5 – Review your updated settings

Get-AzureADDirectorySetting | ForEach Values

Steps to remove Group Settings

1 – Connect to Azure AD via PowerShell

Connect-AzureAD

2 – Remove your directory settings, follow the steps above to create new

$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”}
Remove-AzureADDirectorySetting -Id$settings.Id

More Scripts

All of these Office 365 Group scripts for V2 can be found on Github. Large thanks to Tony Redmond, Santhosh Balakrishnan, and Juan Carlos Martin for their work they have already done and multiple supporting scripts. The scripts from this post are under the file: DrewO365GroupsScripts – Azure AD Cmdlets

Please feel free to contribute!

https://github.com/dmadelung/O365GroupsScripts

Get-SPOSite Now Returns Office 365 Group and Video Site Collections

By Drew Madelung
/
Jan 15, 2017
/
General, Groups, Office 365, PowerShell, Video

For the longest time it was not possible to see Office 365 Group and Office 365 Video site collections in PowerShell using the SharePoint Online Management Shell and the Get-SPOSite cmdlet. If you declared the site directly you could see the site. Also if you used the Set-SPOSite cmdlet to set values of the site it would work but you couldn’t see all sites with one cmdlet. As of a recent release this is now possible.

Here are instructions on how to get started using connecting to SharePoint Online via PowerShell.
Get-SPOSite cmdlet on technet

Get-SPOSite

You can also now use a -Template command to limit the query based on the site collection template which will allow you to get only Office 365 Video or Group site collections

Get all Office 365 Group site collections

Get-SPOSite -Template GROUP#0

Get all Office 365 Video site collections

Get-SPOSite -Template POINTPUBLISHINGTOPIC#0

Managing Office 365 Group Creation via Azure AD

By Drew Madelung
/
Jul 26, 2016
/
Groups, Office 365, PowerShell

Introduction

Nearly every time Microsoft introduces a solution in Office 365 one of the first thing IT people look for is how to turn it off. The same thing occurred when Office 365 Groups were released to the world. Office 365 Groups are more unique in this situation because they are not really a single technology but more of a solution wrapping multiple technologies within Office 365. There are a lot of other posts out there about what actually makes up Office 365 Groups and I plan to write a much longer one, but here are the basics of what is currently wrapped up:

Email & Calendar
Security & Membership
Files & OneNote
Planner
PowerBI
and more!

One key thing to understand looking at this list is that you have multiple technologies such as Azure AD, Exchange, and SharePoint. When you have multiple technologies you have a harder challenge with centralized management. As Microsoft continues to innovate they will continue to do so using the Minimal Viable Product (MVP) method. This means that we are getting solutions that are not fully developed and one of the most common areas that this is lacking is with IT management. New solutions are people first and personally I like this approach.

What occurred with Office 365 Groups was that until very recently the only way to control Group creation was through Outlook Mailbox Policies via Exchange. This meant that if you created a group via Planner (which Groups are required) or PowerBI it would not follow the policy and the user could still create Groups. This is because the creation is not occurring through an Exchange application and means the OwaMailboxPolicy process doesn’t work anymore.

Managing Group Creation via Azure AD

With the GA of Planner, Microsoft added the ability within Azure AD PowerShell to control who can create Office 365 Groups. This process is no longer dependent on Exchange so it passes throughout Office 365. If an OWA policy exists and Azure AD (AAD) policy is enabled, the OWA policy will be ignored.

You can now do 2 things:

Disable the default ability of everyone to create a new Office 365 Group
Point to an AAD group (Office 365 Group or Distribution Group) that contains a list of people who are allowed to create groups
- This group cannot have a group in it, must be individual users
- Users with higher tenant roles already have access (company admin, mailbox admin, etc…)

Prerequisites:

Azure AD module for PowerShell version 1.1.117.0 or later (currently preview)

NOTE: Version 1.1.143.0 of the Azure AD PowerShell module includes many changes to renew the existing MSOL PowerShell cmdets. Over time the existing MSOL cmdlets will be replaced. The new module is called “AzureAD.” So where e.g. an existing cmdlet was named “New-MSOLUser”, which adds a new user to the directory, the new cmdlet’s name is “New-AzureADUser.”

My scripts below are using Version 1.1.143.0. Azure AD PowerShell Module Version Release History

Steps to disable ALL Group creation

1 – Connect to Azure AD via PowerShell

Connect-MsolService

2 – Review if you have any MsolSettings currently configured in your tenant

Get-MsolAllSettings | ForEach Values

3a – If you have settings returned it will look like this (properties subject to change over time)

group2

Run this command to set EnableGroupCreation to false and remove any groups entered in GroupCreationAllowedGroupId

$settings = Get-MsolAllSettings | where-object {$_.displayname -eq “Group.Unified”}
$singlesettings = Get-MsolSettings -SettingId $settings.ObjectId
$value = $singlesettings.GetSettingsValue()
$value["EnableGroupCreation"] = "false" 
$value["GroupCreationAllowedGroupId"] = ""
Set-MsolSettings -SettingId $settings.ObjectId -SettingsValue $value

3b – If you have NO settings returned it will look like this a new template will need to be created

Run this command to create the new template with EnableGroupCreation set to false

$template = Get-MsolAllSettingTemplate | where-object {$_.displayname -eq “Group.Unified”}
$setting = $template.CreateSettingsObject()
$setting[“EnableGroupCreation”] = “false”
New-MsolSettings –SettingsObject $setting

4 – Review your updated settings; now Group creation is disabled for all users

Get-MsolAllSettings | ForEach Values

Steps to disable Group creation except for only authorized users

1 – Connect to Azure AD via PowerShell

Connect-MsolService

2 – Review if you have any MsolSettings currently configured in your tenant

Get-MsolAllSettings | ForEach Values

3a – If you have settings returned it will look like this (properties subject to change over time)

group2

Run this command to update the settings with EnableGroupCreation set to false and pass the group for authorized users who will be able to create groups.

Replace “ENTER GROUP DISPLAY NAME HERE” with the display name of your group to get the ObjectId of the group.

$group = Get-MsolGroup -All | Where-Object {$_.DisplayName -eq “ENTER GROUP DISPLAY NAME HERE”} 
$settings = Get-MsolAllSettings | where-object {$_.displayname -eq “Group.Unified”}
$singlesettings = Get-MsolSettings -SettingId $settings.ObjectId
$value = $singlesettings.GetSettingsValue()
$value["EnableGroupCreation"] = "false" 
$value["GroupCreationAllowedGroupId"] = $group.ObjectId
Set-MsolSettings -SettingId $settings.ObjectId -SettingsValue $value

Here is a visual example of what we are trying to get via the Azure AD portal.

group5

3b – If you have NO settings returned it will look like this a new template will need to be created

Run this command to create the new template with EnableGroupCreation set to false and pass the group for authorized users who will be able to create groups.

Replace “ENTER GROUP DISPLAY NAME HERE” with the display name of your group to get the ObjectId of the group.

$group = Get-MsolGroup -All | Where-Object {$_.DisplayName -eq “ENTER GROUP DISPLAY NAME HERE”} 
$template = Get-MsolAllSettingTemplate | where-object {$_.displayname -eq “Group.Unified”}
$setting = $template.CreateSettingsObject()
$setting[“EnableGroupCreation”] = “false”
$setting[“GroupCreationAllowedGroupId”] = $group.ObjectId
New-MsolSettings –SettingsObject $setting

4 – Review your updated settings; now Group creation is disabled for all users EXCEPT the ones in the declared group

Get-MsolAllSettings | ForEach Values

Aftermath

Once configured users will see errors like this when trying to create an Office 365 Group

Via Outlook UI:

group8

Via Planner UI:

group7

All of these Office 365 Group scripts can be found on Github. Large thanks to Tony Redmond, Santhosh Balakrishnan, and Juan Carlos Martin for providing multiple scripts

Please feel free to contribute!

https://github.com/dmadelung/O365GroupsScripts

SPTechCon Boston Slides & Scripts

By Drew Madelung
/
Jun 30, 2016
/
Events, General

sptechcon

Thanks to all who joined my session at SPTechCon Boston. This was my first SPTechCon event and look forward to speaking/attending again. The conference was ran great and had a great selection of content. I did a presentation on a deep dive into Office 365 Groups. I went through some high level management topics and then went deep into Powershell administration options. I put all of the scripts that I discussed onto Github so people can help contribute. I will be trying add to this project as I find new handy scripts.

Here are the links to the slides and the slides and the scripts:

Scripts: http://bit.ly/DrewO365GroupScripts

Slides: http://bit.ly/DrewO365GroupsSlides

Here is my session abstract:

Office 365 Groups enable teams to work together by establishing a single identity in Office 365. Office 365 Groups are a new and modern solution for collaboration in Office 365. There is a lot of confusion on what Groups can do and should be used for. This session will be a deep dive into all things Office 365 Groups focusing on the technical aspects..
We will spend a large amount of this session demoing Office 365 Groups. This session will include demos of:

How to create, access, and navigate
What are the core things to do
How are they technically structured
What administration is available and how to do it
What extensibility options are there

I will also walk through the pros and cons of using Groups vs other collaboration options in Office 365. Groups are also one of the fastest changing solutions in Office 365, so this session will bring everyone up to speed on the most recent updates that Microsoft has rolled out and what innovations are next. By the end of the session you should have a better understanding of what Groups can do and if they are right for your enterprise right now or in the future!

My Microsoft Collaboration Predictions for 2016

By Drew Madelung
/
Dec 22, 2015
/
Office 365, SharePoint

2016

Well 2015 is nearly completed and it was what I would call a GREAT year for Microsoft and their collaboration platforms. Jeff Teper is back in charge and things really picked up speed. Before we talk 2016, let’s talk about 2015.

Here are few of the highlights for 2015…

Groups became the king of collaboration in O365

Office 365 Groups were announced in 2014 but became for real in 2015. As we have seen with the majority of “experiences” coming out in Office 365, Microsoft is heavily following the Minimal Viable Product (MVP) deployment model. This means that Microsoft is releasing things without things being fully ready but then actively taking feedback to actually adapt their solutions to business needs. I think this is a great approach and we as technologists working with Microsoft need to understand this. We can be critical of their releases but need to provide the proper feedback through the proper channels such as uservoice and Yammer. There is still a lot of work to do for Office 365 Groups to be fully enterprise ready but Microsoft has made it incredibly clear that this is the future. The recent announcement of the compliance capabilities within Groups is a great start. And remember it is NOT Groups vs Team Sites. Groups have their place along with Team Sites.

SharePoint Server 2016 on-premises was presented and betas released

If you would have asked me in 2014 what I thought the future of on-premises versions of SharePoint was I would have told you that it wasn’t good. Microsoft had been spending all of its marketing budget on Office 365 and Azure and not telling anyone about a roadmap for on-premises only SharePoint solutions. Then the announcement of SharePoint Server 2016 was released and over the past 12 months I have been able to watch the product grow internally and with the betas. This is not a groundbreaking release for Microsoft as far as any technical or end user upgrades but does provide a better long term infrastructure solution. In my opinion the biggest benefit will be the consolidated codebase between SharePoint Server 2016 and SharePoint Online. As Microsoft is developing everything cloud first this means that solutions will be more easily ported from Office 365 back to on-premises. Now of course there are things that will always be Office 365 only but this new version allows for more possibilities.

New OneDrive for Business sync tool(s)

If you have ever used the old OneDrive for Business sync tool you know it sucked. Thankfully Microsoft released a new sync client in preview for most of Q4 and finally made it GA in December. Now this release does a lot of things better than the old sync tool, like actually sync, but still has lots of work to do. I would still not consider this an enterprise ready solution. The fact that we still have to use 2 sync tools for OneDrive vs SharePoint vs Groups is enough to confuse everyone.

Office 365 compliance updates

There were so many releases as far as security, compliance and trust in Office 365 that I could write multiple posts about each. We got our first access to a new Trust Portal, Data Loss Prevention (DLP), advanced eDiscovery, Advanced Threat Protection, Retention, O365 Auditing and more. This was an area that was very hard to keep up with as it changed so much. Even by the end of year, as in this month, they are releasing new things. The Compliance Center is now being rebranded as the Protection Center.

Honorable mention

Better administration in OneDrive for Business
New OneDrive for Business UI
PowerApps
Planner
Lots and lots of mobile apps (Video, Groups, O365 Admin, Office Lens, Delve)
Delve profiles

Ok let’s talk predictions for 2016!

The majority of these will by my wishes. I will state nothing I am predicting here I actually know will happen. I have the privy to be a part of certain preview programs but none of my predictions below relate to those. These are areas I either hope will improve or expect to change.

PowerApps will be a niche solution

My primary issue with PowerApps on its initial release is that it is only directed at mobile and tablet devices. In the right business need PowerApps could be incredible. This really is the first step into having power-users have the ability to create mobile apps. Can you imagine a few years ago if you could use a very intuitive GUI to build an IOS app that could easily be deployed? The world of mobile app developers would have been flipped on its head. I envision that in the right hands with the proper business need PowerApps will be able to save your business money and increase productivity. Now I call it niche because even though we are moving to a mobile first world, the heavy majority of my clients are desktop and laptop based. IF, and that’s a big IF, PowerApps comes out with a desktop component, I can see this being an incredibly great product.

Team Sites in O365 will get some love

It has been far too long since the backbone of SharePoint Online has been updated. I think we saw the beginning of what it will be like with the new authoring solution in Office 365. It is only being used in the personal blog now but that authoring experience will transition into SharePoint Online in a modernized team site experience. I think the driving factor for this is the lack of responsive design using the default master page and branding in SharePoint Online. if Microsoft provided and page building solution that allowed for even basic responsive design it would be a huge plus. I don’t expect them to redo the master page model but apply the processes on top of it. I predict the new team sites will not be easily branded and used as a lightly customized solution.

OneDrive for Business will be easily manageable for the enterprise

I have no idea how this will happen but it better. Every time I talk with clients about rolling out OneDrive for Business the process of administering it becomes the number one topic. Right now there are not enough management capabilities to meet their needs There are ways to manage certain areas with PowerShell but we need a GUI for this. We also need better management of security capabilities that can be utilized. For example, there is currently no good way to manage IRM throughout your enterprise. These types of requests will hopefully begin to be added to the new protection center.

Yammer conversations get added into areas of Office 365

I went into Ignite 2015 expecting to hear Yammer was dead. I keep waiting to read a Microsoft blog post that Yammer is going away. This was a great example that my prediction being completely wrong as Yammer is still going whether its confusing when to use it or not. The newsfeed area of Office 365 is the best part about it and would greatly benefit being included in Team Sites but mainly Office 365 Groups. Right now the conversation section of Groups is simply email. The way Yammer tracks conversations could be included with the email capabilities to provide an even better experience. Things are going to get even more interesting once Groups allow external access as I believe that is one of the primary use cases for Yammer today. Either way something has to happen with Yammer at the least to ease confusion for what to use and when.

I may be wrong about all of these but cheers to 2016!

Fireworks