Saturday , April 4 2020

Managing Office 365 Groups

Managing Office 365 Groups is a key factor in Office 365 Implementation. if you don’t manage your Office 365 Groups Properly. It goes really unmanageable in a governance point of view. As most of the below products allow group creation by default. So its wise to place a restriction in a top level and manage the members who can create teams for mid and large Organizations.

  • Outlook
  • SharePoint
  • Yammer
  • Microsoft Teams
  • Microsoft Stream
  • Planner
  • PowerBI
  • Roadmap

Once you map a group/group ID you can nest them or use Azure AD premium License to have dynamic membership for the security group to allow limited users to create teams for example.Yes you can configure naming policy and group expiration policies later.

Purpose : Disable Teams Creation by all users . Only member of this security group can create Teams

Lets see how create group creators.

azureadpreview.png
Install AzureADPreview

If you don’t install AzureADPreview you will get command not recognized. If you alreay have azureAD module. you need to uninstall and install the same.

Uninstall-Module AzureAD
Install-Module AzureADPreview
 

Office 365 Admin Center – Groups – Create a security Group

Office 365 – Groups Creator

SecurityGroup.png

Save below script as ps1 fill the group name in the first line, save and run it.

$GroupName = ""
 $AllowGroupCreation = "False"
 Connect-AzureAD
 $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
 if(!$settingsObjectID)
 {
       $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
     $settingsCopy = $template.CreateDirectorySetting()
     New-AzureADDirectorySetting -DirectorySetting $settingsCopy
     $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
 }
 $settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
 $settingsCopy["EnableGroupCreation"] = $AllowGroupCreation
 if($GroupName)
 {
     $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).objectid
 }
  else {
 $settingsCopy["GroupCreationAllowedGroupId"] = $GroupName
 }
 Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy
 (Get-AzureADDirectorySetting -Id $settingsObjectID).Values



You can see GroupCreationAllowedGroupID is mapped to the security group we created.


User is not a member of this Security Group


withRestricition.png

Users is a member of the security group to get a create team option.


withoutrestriction.png

Known Errors #1 –

</p>
<p>Get-AzureADDirectorySetting : A parameter cannot be found that matches parameter name 'Id'.<br />At C:\Scripts\teams.ps1:12 char:46<br />+ $settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID<br />+ ~~~<br />+ CategoryInfo : InvalidArgument: (:) [Get-AzureADDirectorySetting], ParameterBindingException<br />+ FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.Open.MSGraphBeta.PowerShell.GetDirectorySetting</p>
<p>Cannot index into a null array.<br />At C:\Scripts\teams.ps1:13 char:2<br />+ $settingsCopy["EnableGroupCreation"] = $AllowGroupCreation<br />+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />+ CategoryInfo : InvalidOperation: (:) [], RuntimeException<br />+ FullyQualifiedErrorId : NullArray</p>
<p>Cannot index into a null array.<br />At C:\Scripts\teams.ps1:16 char:6<br />+ $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup ...<br />+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />+ CategoryInfo : InvalidOperation: (:) [], RuntimeException<br />+ FullyQualifiedErrorId : NullArray</p>
<p>Set-AzureADDirectorySetting : Cannot bind argument to parameter 'DirectorySetting' because it is null.<br />At C:\Scripts\teams.ps1:21 char:70<br />+ ... irectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy<br />+ ~~~~~~~~~~~~~<br />+ CategoryInfo : InvalidData: (:) [Set-AzureADDirectorySetting], ParameterBindingValidationException<br />+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.Open.MSGraphBeta.PowerShell.Set<br />DirectorySetting</p>
<p>Get-AzureADDirectorySetting : A parameter cannot be found that matches parameter name 'Id'.<br />At C:\Scripts\teams.ps1:22 char:31<br />+ (Get-AzureADDirectorySetting -Id $settingsObjectID).Values<br />+ ~~~<br />+ CategoryInfo : InvalidArgument: (:) [Get-AzureADDirectorySetting], ParameterBindingException<br />+ FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.Open.MSGraphBeta.PowerShell.GetDirectorySetting</p>
<p>

Solution – 

Make sure AzureADPreview Module version is above 2.0.2.77

Reference –


https://docs.microsoft.com/en-us/office365/admin/create-groups/manage-creation-of-groups?view=o365-worldwide

					
									

About Satheshwaran Manoharan

Satheshwaran Manoharan is an Microsoft Office Server and Services MVP , Publisher of Azure365pro.com. Specialized in Office365 / Microsoft Exchange / Virtualization , Sathesh is an Messaging Expert supporting/Designing/Deploying many medium size businesses to large enterprises when it comes to Corporate messaging and Virtualization Infrastructure

Check Also

Some Mails Getting Converted to Chinese Characters

Some Emails in Outlook 2016 will Convert to Chinese Characters after reading some after archiving …

Leave a Reply

Your email address will not be published.