
Recovering a Deleted Office 365 Group via PowerShell


Introduction

For as long as Office 365 Groups have existed, which feels like many moons ago now, a deleted Group was unrecoverable.  So if you deleted an Office 365 Group, whether on purpose or by accident, you lost all your data.  You lost your SharePoint site, Planner data, Outlook mailbox…all of it.  In most places there was a checkbox you had to check acknowledging that deletion was permanent.  But as Groups proliferated throughout Office 365, there came to be a ton of ways and places to delete a Group.  Last time I tried counting there were at least 16 different ways to delete a Group.  That is a ton of places for the UI to be just different enough for someone to make a mistake.  This was also a large concern for regulated or very security-aware environments, where the ability to discover and recover critical data can be mandatory.  That means the inability to restore Groups could be the single bottleneck that stops the use of such a helpful technology.

Thankfully our wait is now no more and we can recover a deleted Office 365 Group.  The message that this was rolling out appeared in Message Centers today and the Office 365 Roadmap has already been updated that this has been launched. 

Here is the announcement on the Tech Community site and the supporting Microsoft Documentation


NOTE: I am writing this right around the launch date of this feature and will try to keep this post updated if anything changes

What you need to know

  • Currently you can only recover them via PowerShell with GUI coming later
  • You have 30 days from the deletion of the Group to recover it, if not it will be permanently deleted
  • You cannot restore a group if a group with the same SMTP address or alias now exists (that new group would have to be deleted first)
  • It could take up to 24 hours to restore in rare cases
  • You can permanently delete a Group within the 30 days 
  • Content that currently gets restored includes:
    • AD Groups Object including properties and members
    • SMTP address
    • Exchange mailbox & calendar
    • SharePoint Online site
    • OneNote notebook hosted on the SPO site
    • Planner
    • Additionally, if you have a connected Microsoft Team or Office 365 Connected Yammer group, those can be restored as well

Prerequisites:

  • Azure AD PowerShell V2 – Preview 
    • The cmdlets that support Office 365 Group recovery are currently available only in the preview module.
    • I am writing this using version 2.0.0.98

Steps to recover a deleted Office 365 Group

In my example I have a Group called InterestGroup1 which was deleted and can no longer be seen:

1 – Connect to Azure AD via PowerShell (ensure you connect to Preview)

Connect-AzureAD

2 – Review the Office 365 Groups that have been deleted and can be recovered 

I included the list of properties in this for visibility to see everything returned in the recoverable Group object.  You only need Get-AzureADMSDeletedGroup; the " | select *" part is not required.

Get-AzureADMSDeletedGroup | select *

3 – Select the Group you want to recover and ensure that you selected a group

Replace “ENTER GROUP DISPLAY NAME HERE” with the appropriate name of the Group you want to recover.  I put this together so you just need to enter the Group Display Name instead of copying the GUID but entering just the ID is also valid in the next step.

$deletedgroup = Get-AzureADMSDeletedGroup | Where-Object {$_.DisplayName -eq "ENTER GROUP DISPLAY NAME HERE"} 
$deletedgroup

4 – Recover your Group

Restore-AzureADMSDeletedDirectoryObject -Id $deletedgroup.Id

You can rerun the command from step 2 above to confirm that the Group you are recovering is no longer in the deleted Group list.

5 – Confirm your Group has been recovered

Get-AzureADGroup

After some time it will start popping back up in the GUI.
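
Steps 3 and 4 as one guarded function, added here as an example (it is not code from the original post): it refuses to restore unless exactly one deleted Group matches the display name and no live Group already holds the same alias. The function name Restore-DeletedO365Group is hypothetical, and the MailNickname and DeletedDateTime properties are assumed to be present on the objects the preview module returns; only the alias conflict is checked, not the full SMTP address.

```powershell
# Added example: guarded version of steps 3 and 4. The function name is hypothetical.
# Assumes Connect-AzureAD (preview module) has already been run in this session.
function Restore-DeletedO365Group {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$DisplayName)

    # Wrap in @() so .Count is reliable for zero, one or many matches.
    $candidates = @(Get-AzureADMSDeletedGroup -All $true |
        Where-Object { $_.DisplayName -eq $DisplayName })

    if ($candidates.Count -eq 0) {
        throw "No deleted Group named '$DisplayName' (mistyped, purged, or past the 30 days)."
    }
    if ($candidates.Count -gt 1) {
        # Display names are not unique, so make the operator choose by Id.
        $candidates | Select-Object Id, DisplayName, MailNickname, DeletedDateTime |
            Format-Table -AutoSize | Out-String | Write-Warning
        throw "More than one deleted Group is named '$DisplayName'; restore by Id instead."
    }
    $group = $candidates[0]

    # A live Group holding the same alias blocks the restore (see "What you need to know").
    $alias = $group.MailNickname -replace "'", "''"   # escape quotes for the OData filter
    $conflict = @(Get-AzureADGroup -Filter "mailNickname eq '$alias'")
    if ($conflict.Count -gt 0) {
        throw "Alias '$($group.MailNickname)' is in use by Group $($conflict[0].ObjectId)."
    }

    if ($PSCmdlet.ShouldProcess("$($group.DisplayName) [$($group.Id)]", 'Restore deleted Group')) {
        Restore-AzureADMSDeletedDirectoryObject -Id $group.Id
        # Confirm the Group has left the deleted list, then return the live object.
        $left = @(Get-AzureADMSDeletedGroup -All $true | Where-Object { $_.Id -eq $group.Id })
        if ($left.Count -gt 0) { Write-Warning 'Group is still listed as deleted; recheck later.' }
        Get-AzureADGroup -ObjectId $group.Id
    }
}

# Dry run first, then the real restore:
# Restore-DeletedO365Group -DisplayName 'InterestGroup1' -WhatIf
# Restore-DeletedO365Group -DisplayName 'InterestGroup1'
```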


Steps to permanently delete an Office 365 Group

You can also permanently delete a Group that is still in its 30-day pending-deletion window using this process.  This will delete everything and it will not be recoverable.

1 – Follow steps 1 through 3 above to connect to Azure AD and get the group you want to permanently delete in the $deletedgroup variable.

Instead of using the Restore-AzureADMSDeletedDirectoryObject cmdlet, use the Remove-AzureADMSDeletedDirectoryObject cmdlet and pass the Group ID.

Remove-AzureADMSDeletedDirectoryObject -Id $deletedgroup.Id

2 – Confirm the Office 365 Group has been deleted

Get-AzureADMSDeletedGroup | select *


Configuring Office 365 Group Classification


Recently Microsoft released the ability to create classifications for Office 365 groups that end users can set.  For example, you can now set classifications such as: internal, confidential, external, secret, top secret, low, medium, high, etc.  Group classifications are new and I am not sure of the full story of how these will be utilized moving forward.  There are enhancements coming around classification within the security and compliance center that I hope this will be able to tie into at some point.

Here is some info on the current setup of group classification (as of 10/31/2016):

  • They don’t actually technically do anything yet…
  • They are not on by default
  • The choices can only be set via PowerShell
  • They currently don’t show anywhere else other than “edit group” via Outlook
  • You can only have 1 set of classifications for a tenant
  • If you change a classification value, it does NOT go back and update existing groups that were classified but the existing groups that were classified do not lose the classification
  • It takes some time for classification changes to be visible in the GUI
  • Don’t put spaces between the comma-delimited values (i.e. “internal,external” NOT “internal, external”)
  • You can use spaces within comma-delimited values (i.e. “secret,top secret”)
  • I tested some special characters such as ? and ! and they worked
  • I am not aware of a classification limit; I did a test with 15 without an issue

Here is the description of the new property:


Prerequisites:

NOTE: Version 1.1.143.0 of the Azure AD PowerShell module includes many changes to renew the existing MSOL PowerShell cmdlets. Over time the existing MSOL cmdlets will be replaced. The new module is called “AzureAD.” So where e.g. an existing cmdlet was named “New-MSOLUser”, which adds a new user to the directory, the new cmdlet’s name is “New-AzureADUser.”

My scripts below use version 1.1.143.0 (see the Azure AD PowerShell Module Version Release History).


Steps to set values for Group Classification

1 – Connect to Azure AD via PowerShell

Connect-MsolService

2 – Review if you have any MsolSettings currently configured in your tenant

Get-MsolAllSettings | ForEach Values

3a – If you have settings returned (properties subject to change over time)

Run this command to set ClassificationList to a comma separated list of values that you want.  (In my example I included “Internal,External,Confidential”)

$settings = Get-MsolAllSettings | Where-Object {$_.DisplayName -eq "Group.Unified"}
$singlesettings = Get-MsolSettings -SettingId $settings.ObjectId
$value = $singlesettings.GetSettingsValue()
$value["ClassificationList"] = "Internal,External,Confidential"
Set-MsolSettings -SettingId $settings.ObjectId -SettingsValue $value

3b – If you have NO settings returned, a new settings object will need to be created from the template

Run this command to set ClassificationList to a comma separated list of values that you want.  (In my example I included “Internal,External,Confidential”)

$template = Get-MsolAllSettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
$setting = $template.CreateSettingsObject()
$setting["ClassificationList"] = "Internal,External,Confidential"
New-MsolSettings -SettingsObject $setting

4 – Review your updated settings; classifications are now available for Groups

Get-MsolAllSettings | ForEach Values


You will now see it through the GUI when editing a group and will have the ability to set it.


And once you set a classification it will be viewable.


You can also set a classification using the Set-UnifiedGroup and New-UnifiedGroup cmdlets.

Set-UnifiedGroup interestgroup1@drewmadelung.com -Classification Internal
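
Steps 3a and 3b folded into one function, added here as an example (it is not code from the original post): it normalizes the values so no space follows a comma, then updates the existing Group.Unified settings or creates them from the template, whichever applies. The function name Set-GroupClassificationList is hypothetical; the cmdlets and methods are the ones used in the steps above.

```powershell
# Added example: one function covering both 3a (settings exist) and 3b (no settings yet).
# The function name is hypothetical. Assumes Connect-MsolService has already been run.
function Set-GroupClassificationList {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string[]]$Classification)

    # Trim each value, drop empties and case-insensitive duplicates, then join with a
    # bare comma, because the list must not have spaces after the commas.
    $seen = @{}
    $clean = foreach ($c in $Classification) {
        $v = $c.Trim()
        if ($v -eq '') { continue }
        if ($v.Contains(',')) { throw "Value '$v' contains a comma, which is the list delimiter." }
        if (-not $seen.ContainsKey($v.ToLowerInvariant())) {
            $seen[$v.ToLowerInvariant()] = $true
            $v
        }
    }
    if (-not $clean) { throw 'No classification values supplied.' }
    $list = @($clean) -join ','

    $existing = Get-MsolAllSettings | Where-Object { $_.DisplayName -eq 'Group.Unified' }
    if ($existing) {
        # 3a: update the existing Group.Unified settings object in place.
        $current = Get-MsolSettings -SettingId $existing.ObjectId
        $value = $current.GetSettingsValue()
        Write-Verbose "Previous ClassificationList: $($value['ClassificationList'])"
        $value['ClassificationList'] = $list
        Set-MsolSettings -SettingId $existing.ObjectId -SettingsValue $value | Out-Null
    }
    else {
        # 3b: nothing configured yet, so create the object from the template.
        $template = Get-MsolAllSettingTemplate | Where-Object { $_.DisplayName -eq 'Group.Unified' }
        if (-not $template) { throw 'Group.Unified settings template not found.' }
        $setting = $template.CreateSettingsObject()
        $setting['ClassificationList'] = $list
        New-MsolSettings -SettingsObject $setting | Out-Null
    }
    $list   # return the exact string that was written
}

# Set-GroupClassificationList -Classification 'Internal', ' External', 'Confidential' -Verbose
```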


SPTechCon Boston Slides & Scripts


Thanks to all who joined my session at SPTechCon Boston.  This was my first SPTechCon event and I look forward to speaking/attending again.  The conference was run well and had a great selection of content.  I did a presentation on a deep dive into Office 365 Groups.  I went through some high level management topics and then went deep into PowerShell administration options. I put all of the scripts that I discussed onto GitHub so people can help contribute.  I will be trying to add to this project as I find new handy scripts.

Here are the links to the slides and the scripts:

Scripts:     http://bit.ly/DrewO365GroupScripts

Slides:      http://bit.ly/DrewO365GroupsSlides


Here is my session abstract:

Office 365 Groups enable teams to work together by establishing a single identity in Office 365. Office 365 Groups are a new and modern solution for collaboration in Office 365. There is a lot of confusion on what Groups can do and should be used for. This session will be a deep dive into all things Office 365 Groups focusing on the technical aspects.
We will spend a large amount of this session demoing Office 365 Groups. This session will include demos of:

  • How to create, access, and navigate
  • What are the core things to do
  • How are they technically structured
  • What administration is available and how to do it
  • What extensibility options are there

I will also walk through the pros and cons of using Groups vs other collaboration options in Office 365. Groups are also one of the fastest changing solutions in Office 365, so this session will bring everyone up to speed on the most recent updates that Microsoft has rolled out and what innovations are next. By the end of the session you should have a better understanding of what Groups can do and if they are right for your enterprise right now or in the future!

Disabling Office 365 Planner Using PowerShell

Office 365 Planner is now rolling out to your tenant.  Microsoft announced this week that Planner is ready for showtime. As this is a product early in its life cycle, Microsoft is still looking for feedback through the Planner uservoice site. Over the next several weeks, Planner will roll out to all eligible Office 365 customers worldwide. At this time, Planner is included with:

  • Office 365 Enterprise (E1, E3, E4, and E5)
  • Office 365 Education (E1, E3, E4, and E5)
  • Office 365 Business Essentials
  • Office 365 Business Premium.

Microsoft Planner will not be available to users by default in the General Availability (GA) update in the following subscription plans:

  • Office 365 operated by 21Vianet
  • Office 365 Government

An important thing to note with this release…

Each user who has one of the Office 365 plans mentioned above has a Microsoft Planner license that is enabled by default.

If your enterprise is not ready, an admin can add or remove licenses for individual users, or disable Planner for all users. I put a script together that you can run to disable Planner for all licensed users in your tenant.  This script will:

  1. Disable any plan entered into the $disableplans variable, by default it is just Planner (PROJECTWORKMANAGEMENT)
  2. Disable the Planner Preview SKU if it was assigned
  3. ***Reassign all other services not declared as being disabled.*** <- important
    • Add any other services you want to disable in the $disableplans variable (i.e. YAMMER_ENTERPRISE)

Thanks to @vladcatrinescu and his script on disabling Yammer as a starting point

#MAKE SURE YOU ARE CONNECTED TO OFFICE 365 BEFORE RUNNING THIS SCRIPT
#If you don't know how check out: http://powershell.office.com/script-samples/connect-to-Azure-AD
#The initial script was built for Yammer removal by Vlad Catrinescu and can be found here: http://spvlad.com/1VXll7f
#Updated by Drew Madelung to support O365 Planner GA
#This script will go through all licensed users and first check if they have the planner preview license and remove it and then check for the GA O365 planner license and disable it
#This script will re-enable all other services EXCEPT planner. If you want to disable more, add them comma separated to the $disableplans variable.
#For example to disable Yammer and Planner use this: $disableplans = "PROJECTWORKMANAGEMENT", "YAMMER_ENTERPRISE"

#Set disabled plans (only Planner to start)
$disableplans = "PROJECTWORKMANAGEMENT"

#Get All Licensed Users (-All is required; without it Get-MsolUser returns only the first 500 users)
$users = Get-MsolUser -All | Where-Object {$_.isLicensed -eq $true}

foreach ($user in $users)
{
    Write-Host "Checking " $user.UserPrincipalName -foregroundcolor "Cyan"
    $CurrentSku = $user.Licenses.Accountskuid
    #If more than one SKU, have to check them all!
    if ($currentSku.count -gt 1)
    {
        Write-Host $user.UserPrincipalName "Has Multiple SKU Assigned. Checking all of them" -foregroundcolor "White"
        for($i = 0; $i -lt $currentSku.count; $i++)
        {
            #Disable preview planner if it is assigned to this user
            if($currentSku[$i] -like "*PLANNERSTANDALONE*" )
            {
                #The AccountSkuId has the form tenant:SKU, so rebuild the preview license name from the tenant part
                $pos = $currentSku[$i].IndexOf(":")
                $tenant = $currentSku[$i].Substring(0, $pos)
                $license = $tenant + ":PLANNERSTANDALONE"
                Write-host $user.Licenses[$i].AccountSkuid "has Planner Preview. Will Disable for" $tenant -foregroundcolor "Yellow"
                Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -RemoveLicenses $license
                Write-Host "Planner Preview disabled for " $user.UserPrincipalName " On SKU " $user.Licenses[$i].AccountSkuid -foregroundcolor "Green"
            }
            else
            {
                #Loop through each SKU to see if one of their services has the word PROJECTWORKMANAGEMENT inside. This is the service for O365 Planner
                if($user.Licenses[$i].ServiceStatus.ServicePlan.ServiceName -like "*PROJECTWORKMANAGEMENT*" )
                {
                    Write-host $user.Licenses[$i].AccountSkuid "has Planner. Will Disable" -foregroundcolor "Yellow"
                    #The license options carry only the disabled plans, so every other service on the SKU is re-enabled
                    $NewSkU = New-MsolLicenseOptions -AccountSkuId $user.Licenses[$i].AccountSkuid -DisabledPlans $disableplans
                    Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -LicenseOptions $NewSkU
                    Write-Host "Planner disabled for " $user.UserPrincipalName " On SKU " $user.Licenses[$i].AccountSkuid -foregroundcolor "Green"
                }
                else
                {
                    Write-host $user.Licenses[$i].AccountSkuid " doesn't have Planner. Skip" -foregroundcolor "Magenta"
                }
            }
        }
    }
    else
    {
        #Single SKU: use the same $disableplans list as the multi-SKU branch instead of a hard-coded plan name
        $NewSkU = New-MsolLicenseOptions -AccountSkuId $CurrentSku -DisabledPlans $disableplans
        Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -LicenseOptions $NewSkU
        Write-Host "Planner disabled for " $user.UserPrincipalName -foregroundcolor "Green"
    }
}