Managing Office 365 Group Creation via Azure AD


Introduction

Nearly every time Microsoft introduces a solution in Office 365, one of the first things IT people look for is how to turn it off. The same thing occurred when Office 365 Groups were released to the world. Office 365 Groups are more unique in this situation because they are not really a single technology but more of a solution wrapping multiple technologies within Office 365. There are a lot of other posts out there about what actually makes up Office 365 Groups and I plan to write a much longer one, but here are the basics of what is currently wrapped up:

  • Email & Calendar
  • Security & Membership
  • Files & OneNote
  • Planner
  • PowerBI
  • and more!

One key thing to understand looking at this list is that you have multiple technologies such as Azure AD, Exchange, and SharePoint. When you have multiple technologies, centralized management becomes a harder challenge. As Microsoft continues to innovate they will continue to do so using the Minimal Viable Product (MVP) method. This means that we are getting solutions that are not fully developed, and one of the most common areas where they are lacking is IT management. New solutions are people first and personally I like this approach.

What occurred with Office 365 Groups was that until very recently the only way to control Group creation was through Outlook Mailbox Policies via Exchange. This meant that if a user created a group via Planner (which requires Groups) or PowerBI, the creation would not follow the policy and the user could still create Groups. This is because the creation is not occurring through an Exchange application, which means the OwaMailboxPolicy process doesn’t work anymore.


Managing Group Creation via Azure AD

With the GA of Planner, Microsoft added the ability within Azure AD PowerShell to control who can create Office 365 Groups. This process is no longer dependent on Exchange, so it applies throughout Office 365. If an OWA policy exists and the Azure AD (AAD) policy is enabled, the OWA policy will be ignored.

You can now do 2 things:

  1. Disable the default ability of everyone to create a new Office 365 Group
  2. Point to an AAD group (Office 365 Group or Distribution Group) that contains a list of people who are allowed to create groups
    • This group cannot have a group in it, must be individual users
    • Users with higher tenant roles already have access (company admin, mailbox admin, etc…)

Prerequisites:

NOTE: Version 1.1.143.0 of the Azure AD PowerShell module includes many changes to renew the existing MSOL PowerShell cmdlets. Over time the existing MSOL cmdlets will be replaced. The new module is called “AzureAD.” So where e.g. an existing cmdlet was named “New-MSOLUser”, which adds a new user to the directory, the new cmdlet’s name is “New-AzureADUser.”

My scripts below are using Version 1.1.143.0. See the Azure AD PowerShell Module Version Release History.


Steps to disable ALL Group creation

1 – Connect to Azure AD via PowerShell

Connect-MsolService

2 – Review if you have any MsolSettings currently configured in your tenant

Get-MsolAllSettings | ForEach Values

3a – If settings are returned (the properties shown are subject to change over time), run this command to set EnableGroupCreation to false and remove any groups entered in GroupCreationAllowedGroupId

$settings = Get-MsolAllSettings | Where-Object {$_.DisplayName -eq "Group.Unified"}
$singlesettings = Get-MsolSettings -SettingId $settings.ObjectId
$value = $singlesettings.GetSettingsValue()
$value["EnableGroupCreation"] = "false"
$value["GroupCreationAllowedGroupId"] = ""
Set-MsolSettings -SettingId $settings.ObjectId -SettingsValue $value

3b – If you have NO settings returned, a new template will need to be created. Run this command to create the new template with EnableGroupCreation set to false

$template = Get-MsolAllSettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
$setting = $template.CreateSettingsObject()
$setting["EnableGroupCreation"] = "false"
New-MsolSettings -SettingsObject $setting

4 – Review your updated settings; now Group creation is disabled for all users

Get-MsolAllSettings | ForEach Values



Steps to disable Group creation except for only authorized users

1 – Connect to Azure AD via PowerShell

Connect-MsolService

2 – Review if you have any MsolSettings currently configured in your tenant

Get-MsolAllSettings | ForEach Values

3a – If settings are returned (the properties shown are subject to change over time), run this command to update the settings with EnableGroupCreation set to false and pass the group for authorized users who will be able to create groups.

  • Replace “ENTER GROUP DISPLAY NAME HERE” with the display name of your group to get the ObjectId of the group.

$group = Get-MsolGroup -All | Where-Object {$_.DisplayName -eq "ENTER GROUP DISPLAY NAME HERE"}
$settings = Get-MsolAllSettings | Where-Object {$_.DisplayName -eq "Group.Unified"}
$singlesettings = Get-MsolSettings -SettingId $settings.ObjectId
$value = $singlesettings.GetSettingsValue()
$value["EnableGroupCreation"] = "false"
$value["GroupCreationAllowedGroupId"] = $group.ObjectId
Set-MsolSettings -SettingId $settings.ObjectId -SettingsValue $value

[Screenshot: a visual example of what we are trying to get via the Azure AD portal]

3b – If you have NO settings returned, a new template will need to be created. Run this command to create the new template with EnableGroupCreation set to false and pass the group for authorized users who will be able to create groups.

  • Replace “ENTER GROUP DISPLAY NAME HERE” with the display name of your group to get the ObjectId of the group.

$group = Get-MsolGroup -All | Where-Object {$_.DisplayName -eq "ENTER GROUP DISPLAY NAME HERE"}
$template = Get-MsolAllSettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
$setting = $template.CreateSettingsObject()
$setting["EnableGroupCreation"] = "false"
$setting["GroupCreationAllowedGroupId"] = $group.ObjectId
New-MsolSettings -SettingsObject $setting

4 – Review your updated settings; now Group creation is disabled for all users EXCEPT the ones in the declared group

Get-MsolAllSettings | ForEach Values
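Steps 3a and 3b folded into one pass, as an added example that is not part of the original scripts or the GitHub repository. It uses only the cmdlets shown above and goes slightly further by refusing to continue unless the display name resolves to exactly one group, since a missing or ambiguous match would otherwise write an empty or invalid GroupCreationAllowedGroupId. The variable names are illustrative.

```powershell
# Added example: assumes Connect-MsolService has already been run.
$groupName = "ENTER GROUP DISPLAY NAME HERE"   # placeholder, as in the steps above

# Resolve the authorized group and insist on exactly one match.
# A typo (0 matches) or duplicate display names (2+ matches) stops the script
# before any tenant setting is changed.
$group = @(Get-MsolGroup -All | Where-Object { $_.DisplayName -eq $groupName })
if ($group.Count -ne 1) {
    throw "Expected exactly one group named '$groupName', found $($group.Count)."
}
$groupId = $group[0].ObjectId

$settings = Get-MsolAllSettings | Where-Object { $_.DisplayName -eq "Group.Unified" }
if ($settings) {
    # Step 3a: a Group.Unified settings object already exists, update it in place
    $value = (Get-MsolSettings -SettingId $settings.ObjectId).GetSettingsValue()
    $value["EnableGroupCreation"] = "false"
    $value["GroupCreationAllowedGroupId"] = $groupId
    Set-MsolSettings -SettingId $settings.ObjectId -SettingsValue $value
}
else {
    # Step 3b: nothing configured yet, create the settings object from the template
    $template = Get-MsolAllSettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }
    if (-not $template) { throw "Group.Unified settings template not found." }
    $setting = $template.CreateSettingsObject()
    $setting["EnableGroupCreation"] = "false"
    $setting["GroupCreationAllowedGroupId"] = $groupId
    New-MsolSettings -SettingsObject $setting
}

# Step 4: read the values back and confirm both settings took effect
Get-MsolAllSettings | ForEach Values
```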



Aftermath

Once configured, users will see an error when trying to create an Office 365 Group, both via the Outlook UI and via the Planner UI.

All of these Office 365 Group scripts can be found on GitHub. Large thanks to Tony Redmond, Santhosh Balakrishnan, and Juan Carlos Martin for providing multiple scripts.

Please feel free to contribute!

https://github.com/dmadelung/O365GroupsScripts

Disabling Office 365 Planner Using PowerShell

Office 365 Planner is now rolling out to your tenant.  Microsoft announced this week that Planner is ready for showtime. As this is a product early in its life cycle, Microsoft is still looking for feedback through the Planner uservoice site. Over the next several weeks, Planner will roll out to all eligible Office 365 customers worldwide. At this time, Planner is included with:

  • Office 365 Enterprise (E1, E3, E4, and E5)
  • Office 365 Education (E1, E3, E4, and E5)
  • Office 365 Business Essentials
  • Office 365 Business Premium.

Microsoft Planner will not be available to users by default in the General Availability (GA) update in the following subscription plans:

  • Office 365 operated by 21Vianet
  • Office 365 Government

An important thing to note with this release…

Each user who has one of the Office 365 plans mentioned above has a Microsoft Planner license that is enabled by default.

If your enterprise is not ready, an admin can add or remove licenses for individual users, or disable Planner for all users. I put a script together that you can run to disable Planner for all licensed users in your tenant.  This script will:

  1. Disable any plan entered into the $disableplans variable; by default it is just Planner (PROJECTWORKMANAGEMENT)
  2. Disable the Planner Preview SKU if it was assigned
  3. ***Reassign all other services not declared as being disabled.*** <- important
    • Add any other services you want to disable in the $disableplans variable (i.e. YAMMER_ENTERPRISE)

Thanks to @vladcatrinescu and his script on disabling Yammer as a starting point

#MAKE SURE YOU ARE CONNECTED TO OFFICE 365 BEFORE RUNNING THIS SCRIPT
#If you don't know how, check out: http://powershell.office.com/script-samples/connect-to-Azure-AD
#The initial script was built for Yammer removal by Vlad Catrinescu and can be found here: http://spvlad.com/1VXll7f
#Updated by Drew Madelung to support O365 Planner GA
#This script will go through all licensed users and first check if they have the Planner preview license and remove it, and then check for the GA O365 Planner license and disable it
#This script will re-enable all other services EXCEPT Planner. If you want to disable more, add them comma separated to the $disableplans variable.
#For example, to disable Yammer and Planner use this: $disableplans = "PROJECTWORKMANAGEMENT", "YAMMER_ENTERPRISE"

#Set disabled plans (only Planner to start)
$disableplans = "PROJECTWORKMANAGEMENT"

#Get all licensed users (-All is required; without it Get-MsolUser returns only the first 500 results)
$users = Get-MsolUser -All | Where-Object {$_.isLicensed -eq $true}

foreach ($user in $users)
{
    Write-Host "Checking " $user.UserPrincipalName -foregroundcolor "Cyan"
    $CurrentSku = $user.Licenses.AccountSkuId
    #If more than one SKU, have to check them all!
    if ($CurrentSku.count -gt 1)
    {
        Write-Host $user.UserPrincipalName "Has Multiple SKU Assigned. Checking all of them" -foregroundcolor "White"
        for ($i = 0; $i -lt $CurrentSku.count; $i++)
        {
            #Disable preview Planner if it is assigned to this user
            if ($CurrentSku[$i] -like "*PLANNERSTANDALONE*")
            {
                $pos = $CurrentSku[$i].IndexOf(":")
                $tenant = $CurrentSku[$i].Substring(0, $pos)
                $license = $tenant + ":PLANNERSTANDALONE"
                Write-Host $user.Licenses[$i].AccountSkuId "has Planner Preview. Will Disable for" $tenant -foregroundcolor "Yellow"
                Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -RemoveLicenses $license
                Write-Host "Planner Preview disabled for " $user.UserPrincipalName " On SKU " $user.Licenses[$i].AccountSkuId -foregroundcolor "Green"
            }
            else
            {
                #Loop through each SKU to see if one of its services has the word PROJECTWORKMANAGEMENT inside. This is the service for O365 Planner
                if ($user.Licenses[$i].ServiceStatus.ServicePlan.ServiceName -like "*PROJECTWORKMANAGEMENT*")
                {
                    Write-Host $user.Licenses[$i].AccountSkuId "has Planner. Will Disable" -foregroundcolor "Yellow"
                    $NewSkU = New-MsolLicenseOptions -AccountSkuId $user.Licenses[$i].AccountSkuId -DisabledPlans $disableplans
                    Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -LicenseOptions $NewSkU
                    Write-Host "Planner disabled for " $user.UserPrincipalName " On SKU " $user.Licenses[$i].AccountSkuId -foregroundcolor "Green"
                }
                else
                {
                    Write-Host $user.Licenses[$i].AccountSkuId " doesn't have Planner. Skip" -foregroundcolor "Magenta"
                }
            }
        }
    }
    else
    {
        #Single SKU: use $disableplans here too, so extra plans added to the variable are honored
        $NewSkU = New-MsolLicenseOptions -AccountSkuId $CurrentSku -DisabledPlans $disableplans
        Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -LicenseOptions $NewSkU
        Write-Host "Planner disabled for " $user.UserPrincipalName -foregroundcolor "Green"
    }
}
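Step 3 in the list above means any service plan an admin had previously switched off for a user is turned back on unless it is listed in $disableplans. The variant below is an added example, not part of the original script: it reads each license's ServiceStatus, keeps the plans whose ProvisioningStatus is already "Disabled", and merges them with $disableplans before applying the options. It assumes Connect-MsolService has been run and does not handle the PLANNERSTANDALONE preview SKU.

```powershell
# Added example: disable Planner without re-enabling plans that were already off.
$disableplans = @("PROJECTWORKMANAGEMENT")

$users = Get-MsolUser -All | Where-Object { $_.isLicensed -eq $true }

foreach ($user in $users) {
    foreach ($license in $user.Licenses) {
        # Names of every service plan contained in this SKU
        $planNames = @($license.ServiceStatus | ForEach-Object { $_.ServicePlan.ServiceName })

        # Only touch SKUs that actually contain a plan we want to disable
        $targets = @($disableplans | Where-Object { $planNames -contains $_ })
        if ($targets.Count -eq 0) { continue }

        # Plans an admin had already turned off on this SKU
        $alreadyOff = @($license.ServiceStatus |
            Where-Object { $_.ProvisioningStatus -eq "Disabled" } |
            ForEach-Object { $_.ServicePlan.ServiceName })

        # Union of the existing disabled plans and the new ones, without duplicates
        $merged = @(($alreadyOff + $targets) | Select-Object -Unique)

        $options = New-MsolLicenseOptions -AccountSkuId $license.AccountSkuId -DisabledPlans $merged
        Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -LicenseOptions $options
        Write-Host "$($user.UserPrincipalName): $($license.AccountSkuId) disabled plans = $($merged -join ', ')"
    }
}
```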

My Microsoft Collaboration Predictions for 2016


Well 2015 is nearly completed and it was what I would call a GREAT year for Microsoft and their collaboration platforms. Jeff Teper is back in charge and things really picked up speed. Before we talk 2016, let’s talk about 2015.


Here are a few of the highlights for 2015…


Groups became the king of collaboration in O365

  • Office 365 Groups were announced in 2014 but became for real in 2015. As we have seen with the majority of “experiences” coming out in Office 365, Microsoft is heavily following the Minimal Viable Product (MVP) deployment model. This means that Microsoft is releasing things without things being fully ready but then actively taking feedback to actually adapt their solutions to business needs. I think this is a great approach and we as technologists working with Microsoft need to understand this. We can be critical of their releases but need to provide the proper feedback through the proper channels such as uservoice and Yammer.  There is still a lot of work to do for Office 365 Groups to be fully enterprise ready but Microsoft has made it incredibly clear that this is the future. The recent announcement of the compliance capabilities within Groups is a great start. And remember it is NOT Groups vs Team Sites. Groups have their place along with Team Sites.

SharePoint Server 2016 on-premises was presented and betas released

  • If you would have asked me in 2014 what I thought the future of on-premises versions of SharePoint was I would have told you that it wasn’t good. Microsoft had been spending all of its marketing budget on Office 365 and Azure and not telling anyone about a roadmap for on-premises only SharePoint solutions. Then the announcement of SharePoint Server 2016 was released and over the past 12 months I have been able to watch the product grow internally and with the betas. This is not a groundbreaking release for Microsoft as far as any technical or end user upgrades but does provide a better long term infrastructure solution. In my opinion the biggest benefit will be the consolidated codebase between SharePoint Server 2016 and SharePoint Online. As Microsoft is developing everything cloud first this means that solutions will be more easily ported from Office 365 back to on-premises. Now of course there are things that will always be Office 365 only but this new version allows for more possibilities.

New OneDrive for Business sync tool(s)

  • If you have ever used the old OneDrive for Business sync tool you know it sucked. Thankfully Microsoft released a new sync client in preview for most of Q4 and finally made it GA in December. Now this release does a lot of things better than the old sync tool, like actually sync, but still has lots of work to do. I would still not consider this an enterprise ready solution. The fact that we still have to use 2 sync tools for OneDrive vs SharePoint vs Groups is enough to confuse everyone.

Office 365 compliance updates

  • There were so many releases as far as security, compliance and trust in Office 365 that I could write multiple posts about each. We got our first access to a new Trust Portal, Data Loss Prevention (DLP), advanced eDiscovery, Advanced Threat Protection, Retention, O365 Auditing and more. This was an area that was very hard to keep up with as it changed so much. Even by the end of year, as in this month, they are releasing new things. The Compliance Center is now being rebranded as the Protection Center.

Honorable mention

  • Better administration in OneDrive for Business
  • New OneDrive for Business UI
  • PowerApps
  • Planner
  • Lots and lots of mobile apps (Video, Groups, O365 Admin, Office Lens, Delve)
  • Delve profiles

Ok let’s talk predictions for 2016!


The majority of these will be my wishes. I will state that nothing I am predicting here is something I actually know will happen. I have the privilege of being a part of certain preview programs but none of my predictions below relate to those. These are areas I either hope will improve or expect to change.

PowerApps will be a niche solution

  • My primary issue with PowerApps on its initial release is that it is only directed at mobile and tablet devices. In the right business need PowerApps could be incredible. This really is the first step into having power-users have the ability to create mobile apps. Can you imagine a few years ago if you could use a very intuitive GUI to build an iOS app that could easily be deployed? The world of mobile app developers would have been flipped on its head. I envision that in the right hands with the proper business need PowerApps will be able to save your business money and increase productivity. Now I call it niche because even though we are moving to a mobile first world, the heavy majority of my clients are desktop and laptop based. IF, and that’s a big IF, PowerApps comes out with a desktop component, I can see this being an incredibly great product.

Team Sites in O365 will get some love

  • It has been far too long since the backbone of SharePoint Online has been updated. I think we saw the beginning of what it will be like with the new authoring solution in Office 365. It is only being used in the personal blog now but that authoring experience will transition into SharePoint Online in a modernized team site experience. I think the driving factor for this is the lack of responsive design using the default master page and branding in SharePoint Online. If Microsoft provided a page building solution that allowed for even basic responsive design it would be a huge plus. I don’t expect them to redo the master page model but apply the processes on top of it. I predict the new team sites will not be easily branded and used as a lightly customized solution.

OneDrive for Business will be easily manageable for the enterprise

  • I have no idea how this will happen but it better. Every time I talk with clients about rolling out OneDrive for Business the process of administering it becomes the number one topic. Right now there are not enough management capabilities to meet their needs. There are ways to manage certain areas with PowerShell but we need a GUI for this. We also need better management of security capabilities that can be utilized. For example, there is currently no good way to manage IRM throughout your enterprise. These types of requests will hopefully begin to be added to the new protection center.

Yammer conversations get added into areas of Office 365

  • I went into Ignite 2015 expecting to hear Yammer was dead. I keep waiting to read a Microsoft blog post that Yammer is going away. This was a great example of my prediction being completely wrong, as Yammer is still going whether it’s confusing when to use it or not. The newsfeed area of Office 365 is the best part about it and would greatly benefit being included in Team Sites but mainly Office 365 Groups. Right now the conversation section of Groups is simply email. The way Yammer tracks conversations could be included with the email capabilities to provide an even better experience. Things are going to get even more interesting once Groups allow external access as I believe that is one of the primary use cases for Yammer today. Either way something has to happen with Yammer at the least to ease confusion for what to use and when.

I may be wrong about all of these but cheers to 2016!
