blog.atwork.at

news and infos about microsoft, technology, cloud and more

Management capabilities for Office 365 Groups

Office 365 Groups are THE connection between the different Office 365 services. Office 365 Groups are very useful for team collaboration, working together on ideas and projects, sharing documents within teams, having a team calendar and a lot more. They span like an umbrella around all Office 365 services and are the key connection point in Office 365. What I like most about them from an architectural perspective: they live where they belong, in Azure AD. In practical examples with my customers I learned how they love groups because they are easy to create, offer self service and provide a lot of additional value within Office 365. But there are also some things which IT administrators in particular don’t like, and topics which are challenging especially in large tenants: everybody can create groups, and naming policies are hard to implement. As a first workaround Microsoft provided a possibility to disable group creation from Exchange Online, which is definitely one of the most common use cases. But this did not prevent Office 365 Group creation through Planner or other services.

So group management through Azure AD was something I was really looking forward to since it appeared on the Office 365 roadmap. Finally it’s here, and here is how you can manage it:

The article Manage Office 365 Group creation describes the necessary steps, but only the basics. In this article I try to explain it in a little more detail and what to consider upfront. So here’s my step by step guide.

Lessons Learned

  • Only one (1) group can be selected for group creation
  • Office 365 admins can still create groups and manage them
  • Get used to using GUIDs
  • Use the correct Windows PowerShell Cmdlets even if the GA number is higher than the preview number

The scenario

For the scenario I use a demo Office 365 tenant. There’s one Global Admin and a bunch of users. It’s necessary to use security groups for that purpose. So I created two security groups for Administrators, visualized in the blue boxes. Only users in these security groups (Alan and Christa in AdminGroupVienna and Dan in AdminGroupParis) shall be able to create Office 365 groups. All other users (Eric, Jeff, Molly, … in the green box) shall not have the permission to create new Office 365 groups.

I created these groups in the Office 365 portal as follows:

So there are three GroupAdmins in two security groups.

The defaults for creating Office 365 groups

Without any specific settings, ALL users in an Office 365 tenant who have access to a mailbox can create a new Office 365 group or create a group through Planner.

This can be done in Outlook for the Web. Eric (who is NOT an Admin, he’s a standard user in the green box above) can create his “Erics Marketing Group”.

After adding members and the provisioning process, the new group is ready to use.

We want to restrict that, as well as group creation through Planner. So here we see how to remove the permissions so that group creation is only available for specific users (members of a security group).

The prerequisites

The configuration needs to be done with Windows PowerShell by a Global Admin in Azure Active Directory.

First, download the Microsoft Azure Active Directory Module for Windows PowerShell Preview. It’s important to download the preview version “AdministrationConfig-V1.1.130.0-Preview.msi”. Currently, it’s mandatory to use the PREVIEW version (V1.1.130.0) and NOT the General Availability version (V1.1.166.0), since the required cmdlets are simply not present in the GA version! Don’t get confused by the version number; I know the GA number is higher. Still, only the preview contains the cmdlets we need.

In case you already installed the GA version – uninstall it through add or remove programs.

Connect

After we have installed the Windows PowerShell module we can connect to the tenant with Connect-MsolService. Log in with a Global Admin account.

Modify the Groups

Now we check the security groups by searching with Get-MsolGroup -SearchString "<Group Name>"

We get the ObjectId of the two groups. I would have expected that the Windows PowerShell cmdlets also offer simple parameters like -Identity or something similar. Unfortunately, this is not the case in this special scenario, so we do the management through the ObjectIds.

As a next step, we need to select the group settings template with the DisplayName “Group.Unified”. The settings object created from it can be modified afterwards.

$template = Get-MsolAllSettingTemplate | where-object {$_.displayname -eq "Group.Unified"}

We check the .values properties of the Unified Group template. As you can see, the DefaultValue for “EnableGroupCreation” is set to “true”.

Now that we have a valid template, we need to create a new settings object and apply the loaded template. This is simply done by creating a new SettingsObject variable.

$setting = $template.CreateSettingsObject()

Let’s check the values with

$setting.Values

Ok. We need to change the setting “GroupCreationAllowedGroupId” to our admin group and set “EnableGroupCreation” to “false”. As GroupId I used the ObjectId of “AdminGroupVienna” (c8388…).

$setting["EnableGroupCreation"] = "false"
$setting["GroupCreationAllowedGroupId"] = "c83888c4-8ce7-4e08-a36d-6cecc59f3407"

Let’s check with $setting.Values again.

Ok. The settings are set in my object. Now the settings must be applied to Office 365. This is done with that cmdlet:

New-MsolSettings -SettingsObject $setting

This takes some seconds and outputs a new setting for unified groups. The result can be checked anytime with Get-MsolAllSettings -TargetType Groups as well.

That’s it. The new settings are active within a couple of minutes.
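To verify the policy from the admin side rather than by clicking through Outlook, here is an added PowerShell example (my own, not a script from the original post) that reads the Group.Unified settings back with Get-MsolAllSettings and resolves the allowed security group and its direct members, so you see at a glance who can create Office 365 groups. It assumes the preview module described above, an existing Connect-MsolService session, and that the object returned by Get-MsolAllSettings exposes an ObjectId and a Values collection of Name/Value pairs (as the screenshots in this post show); the function name Get-GroupCreationPolicyReport is my own.

```powershell
# Added example, not from the original post: report who can create Office 365 groups.
# Assumes: MSOnline preview module (V1.1.130.0) loaded and Connect-MsolService already run.
# Assumption: the object returned by Get-MsolAllSettings exposes .ObjectId and a .Values
# collection whose items have .Name and .Value.
function Get-GroupCreationPolicyReport {
    [CmdletBinding()]
    param()

    # Only one Group.Unified settings object exists per tenant, so take the first one;
    # no object at all means the tenant default applies: everyone may create groups.
    $groupSettings = @(Get-MsolAllSettings -TargetType Groups) | Select-Object -First 1
    if (-not $groupSettings) {
        return [pscustomobject]@{
            SettingId           = $null
            EnableGroupCreation = $true
            AllowedGroupId      = $null
            AllowedGroupName    = '(tenant default: everyone can create groups)'
            AllowedMembers      = @()
        }
    }

    # Flatten the Name/Value pairs into a hashtable for easy lookup
    $values = @{}
    foreach ($pair in $groupSettings.Values) { $values[$pair.Name] = $pair.Value }

    # The values are strings ("true"/"false"), not booleans; -eq is case-insensitive
    $enableAll = ([string]$values['EnableGroupCreation']) -eq 'true'
    $allowedId = $values['GroupCreationAllowedGroupId']

    $allowedName = $null
    $members = @()
    if (-not [string]::IsNullOrEmpty($allowedId)) {
        $group = Get-MsolGroup -ObjectId $allowedId
        $allowedName = $group.DisplayName
        # Direct members only; a nested group shows up with GroupMemberType 'Group'
        # and deserves a second look, because its members are not listed here.
        $members = @(Get-MsolGroupMember -GroupObjectId $allowedId -All |
            Select-Object DisplayName, EmailAddress, GroupMemberType)
    }

    [pscustomobject]@{
        SettingId           = $groupSettings.ObjectId
        EnableGroupCreation = $enableAll
        AllowedGroupId      = $allowedId
        AllowedGroupName    = $allowedName
        AllowedMembers      = $members
    }
}

# Usage: show the policy, then list the people who are effectively allowed
$report = Get-GroupCreationPolicyReport
$report | Format-List SettingId, EnableGroupCreation, AllowedGroupId, AllowedGroupName
if ($report.EnableGroupCreation) {
    Write-Warning 'EnableGroupCreation is true: every user with a mailbox can create Office 365 groups.'
}
$report.AllowedMembers | Format-Table -AutoSize
```

Running this periodically (or after every change to the allowed security group) is a cheap way to catch a drift in who holds the group creation right, which is otherwise only visible by trying to create a group.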

Test it with a user

In Outlook on the web, it can take a couple of minutes until the “+” icon is no longer available for the users (a page refresh after some minutes should help).

If the GUI still shows the plus icon and a user clicks it (as Eric did to create another Office 365 group, “Erics Second Group”), he gets an error message in Outlook. The group cannot be created and a message appears saying “Something went wrong and the group couldn’t be created…”. So the settings are working properly.

Usually, after some minutes, the users do not see the Plus icon anymore and cannot create a new Office 365 group.

Test it with an Admin

Ok, now it’s time to test group creation with a member of the groups admin group. For that we use Christa, who is a member of the security group “AdminGroupVienna”. She creates a new Office 365 group named “Vienna Support”.

As expected, members of that Security Group can create new Office 365 groups. The new Unified Group was created.

So, the settings work! Users can no longer create groups, and only Office 365 groups admins can create Office 365 groups.

What happens with existing groups?

Nothing. They still exist as before (in our sample, “Erics Marketing Group” is of course still there, as shown in the screenshot above). If a group should be deleted, its owner or an Office 365 admin needs to delete it. Be warned: currently there’s no Recycle Bin (no soft delete) for Office 365 groups.

Wait!

Oh, actually we wanted our second security group “AdminGroupParis” to be able to manage Office 365 groups as well. This group is not yet configured for allowing group creation, so its member Dan is still a standard user and cannot create Office 365 groups.

The intention is to update the “AdminGroupParis” ObjectID (fa63…) and to add another setting. To make it short: This does not work.

The message says "A conflicting object with one or more of the specified property values is present in the directory."

For the documentation see New-MsolSettings. As far as I can see, the “Group.Unified” setting can exist only once per tenant. Even with -TargetType Groups and other settings, only one setting is available per type.

Therefore, you can only allow one security group to create new Office 365 groups. Hopefully this will change in the future, as I find it hard to delegate permissions to selected security groups when the Office 365 group creation right can be granted to only one group.

The solution for our scenario

Since only one group can be defined, let’s create a new security group “AdminGroupAllowGroupCreation”.

So, you get the idea for a solution: put the three users into that new group, as shown here. (We no longer need the AdminGroupVienna and AdminGroupParis groups for that purpose.)

…and configure this in the Office 365 Admin Portal.

Now, let’s update the settings! In my humble opinion the easiest way is to delete the settings with Remove-MsolSettings and create them anew. We only need the ObjectId of the group settings.

Get-MsolAllSettings -TargetType Groups
Remove-MsolSettings -SettingId 'd6ccfc23-2b32-4609-b97b-2a49b7daec5c'

Ok, now the settings are deleted and we can simply update the group ID. But first, we need the ObjectId of the new security group.

Get-MsolGroup -SearchString "AdminGroup"

Now we modify the settings object (the $setting variable is still in memory in our PowerShell session) with that ID (d280…):

$setting["EnableGroupCreation"] = "false"
$setting["GroupCreationAllowedGroupId"] = "d280fa56-ebba-401f-8fc8-0592cfd5c62a"

And finally, we recreate the group setting.

New-MsolSettings -SettingsObject $setting

Voilà. Let’s check again with Get-MsolAllSettings -TargetType Groups.

Of course, the steps for removal and recreation are only necessary if you already have these settings in place and you want to update them as I did.
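The initial configuration and the update above are the same sequence of cmdlets; only the removal of the existing settings object differs. Here is an added PowerShell example (my own, not a script from the original post) that wraps both cases in one idempotent function: it resolves the security group by exact display name, refuses an empty group, removes any existing Group.Unified settings object (since only one may exist per tenant and a second New-MsolSettings fails with the “conflicting object” error), and then creates the new one. It assumes the preview module, an existing Connect-MsolService session, that objects from Get-MsolAllSettings expose ObjectId (the value this post passes to Remove-MsolSettings -SettingId) and that Get-MsolGroup objects expose ObjectId, DisplayName and GroupType; the function name Set-GroupCreationAllowedGroup is my own.

```powershell
# Added example, not from the original post: restrict Office 365 group creation to a single
# security group in one idempotent step (initial setup or update).
# Assumes: MSOnline preview module (V1.1.130.0) loaded and Connect-MsolService already run.
# Assumption: objects from Get-MsolAllSettings expose .ObjectId; objects from Get-MsolGroup
# expose .ObjectId, .DisplayName and .GroupType.
function Set-GroupCreationAllowedGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$SecurityGroupName
    )

    # -SearchString is a prefix match ("AdminGroup" also returns AdminGroupVienna and
    # AdminGroupParis), so narrow to an exact display name and to security groups only.
    $candidates = @(Get-MsolGroup -SearchString $SecurityGroupName |
        Where-Object { $_.DisplayName -eq $SecurityGroupName -and $_.GroupType -eq 'Security' })
    if ($candidates.Count -ne 1) {
        throw "Expected exactly one security group named '$SecurityGroupName', found $($candidates.Count)."
    }
    $groupId = $candidates[0].ObjectId

    # Guard against locking everyone out: with an empty allowed group only tenant admins
    # could still create groups.
    $memberCount = @(Get-MsolGroupMember -GroupObjectId $groupId -All).Count
    if ($memberCount -eq 0) {
        throw "Security group '$SecurityGroupName' has no members; refusing to apply."
    }

    # Build the new settings object from the Group.Unified template before touching
    # the tenant, so a missing template (wrong module version) aborts early.
    $template = Get-MsolAllSettingTemplate | Where-Object { $_.DisplayName -eq 'Group.Unified' }
    if (-not $template) {
        throw 'Group.Unified template not found: is the MSOnline preview module loaded?'
    }
    $setting = $template.CreateSettingsObject()
    $setting['EnableGroupCreation']         = 'false'
    $setting['GroupCreationAllowedGroupId'] = $groupId

    # Remove whatever group settings already exist (update = remove + recreate).
    # Note the short window between removal and recreation in which the tenant
    # default (everyone can create groups) applies.
    foreach ($existing in @(Get-MsolAllSettings -TargetType Groups)) {
        if ($PSCmdlet.ShouldProcess($existing.ObjectId, 'Remove existing group settings')) {
            Remove-MsolSettings -SettingId $existing.ObjectId
        }
    }

    if ($PSCmdlet.ShouldProcess($SecurityGroupName, 'Restrict group creation to this security group')) {
        New-MsolSettings -SettingsObject $setting
    }
}

# Usage: preview the actions with -WhatIf first, then apply
Set-GroupCreationAllowedGroup -SecurityGroupName 'AdminGroupAllowGroupCreation' -WhatIf
Set-GroupCreationAllowedGroup -SecurityGroupName 'AdminGroupAllowGroupCreation'
```

Because the function removes and recreates the settings only after the group lookup and the member check succeed, a typo in the group name or an empty group stops the run before the tenant is changed.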

Test it (again)

It can take some minutes until the admins get the permission to create Office 365 Groups in Outlook on the web. A little later, Dan is able to create Office 365 Groups as well.

Summary

So my best practice is to create one security group and add the admin users as members. Then use PowerShell as shown above to restrict users from creating new Office 365 Groups and allow just that one security group, as in my sample “AdminGroupAllowGroupCreation”. Don’t forget that you need the Microsoft Azure Active Directory Module for Windows PowerShell Preview installed; otherwise you will hit stumbling blocks with missing cmdlets.

I hope this article and many other resources in this blog help IT admins customize their own Office 365 tenant for their needs. Please let me know your feedback! If you are at Microsoft Ignite in Atlanta, stop by the Ask us anything session about Office 365 Groups on Friday, https://myignite.microsoft.com/sessions/4098, where Eric Zenc, Darrell Webster, Christophe Fiessinger and I are available to help you get answers to your Office 365 Groups questions.

Comments (2)

  • Dean

    9/25/2016 11:45:34 AM |

    You state that all users with access to a mailbox can create a group. Does this mean that if someone has already been added to a Group and they have their mailbox in Exchange on-prem, that they can create a Group? I thought that they needed to have their own mailbox in EXO (but I'm having a hard time finding the criteria that must be met for a user to be able to create a group)

  • Mark Burland

    10/14/2016 2:22:15 PM |

    Thank you for this! Yours was the first mention I found anywhere that specified the exact version of the MAADM. I had the GA version and was at the point of tearing my hair out.
