Office 365 Groups Governance Toolkit Part 4-Ownerless Groups

2018-12-03 | Martina Grom

In this multi-part series we show you how to handle the Office 365 Groups and Microsoft Teams governance toolkit. The next article cover the governance part of our Groups Governance Toolkit.Imagine your company policy requires at least 2 owners per Office 365 Group or per Microsoft Team. In this part, we want to monitor all groups that are ownerless (orphaned), or do not comply with our organization's policies. The IT department shall get the information of all groups and teams where there are no owners or not enough owners and the possibility to fix that. Read below how this can be accomplished.

Get all ownerless (orphaned) groups

The goal here is to use our application and a new function code to get a list of all groups that do not comply with our organization's policies. An Azure function runs e.g. every day, reads all existing groups in the Office 365 tenant, and writes each group in a queue. A second function is triggered by that queue and reads all the group details for one group, in that case how many owners are stored for a group. For example, our organization wants to have at least two owners of an active group to avoid ownerless groups. If one owner leaves the company, we can cover that. So, our condition checks if a group has less than 2 owners. If yes, the Admin shall receive a nicely formatted email with all groups which are affected. The following graphics shows that process from a technical standpoint.

image

For cache we use an Azure storage…

As cache, we need an Azure storage account for providing the queue for the communication between the two functions, and a table for storing the results of the functions. Since we don't know, when the last group has been processed, we use an Azure Logic App with a scheduled trigger to create a nice email with the data of the generated table. So, the "GroupsOwnerless" Logic App runs every day at 02:00AM.

image

…and an email template as Output, stored in SharePoint Online

The email template is stored in SharePoint Online. That's easy to access from a Logic App and the template can be modified easily. Of course, you can use any email style, but we went for a HTML design to transport the data nicely formatted. The template could look similar as here, using a [placeholder] text for the data we want to insert.

image

So, the HTML file is stored in a SPO document library (or in Azure Blob storage, or somewhere else…).

Create the Azure Functions…

Create two new Azure Functions as in the article before, and paste the code for f3-RunOwnerless and f4-Ownerless into your code window. For communicating, we are using the bindings. Adapt them as provided at f3-RunOwnerless/function.json and f4-Ownerless/function.json. The screenshot below shows the new bindings for f4-Ownerless/function.json: The queue is accessed by the name "ownerless", the result will be written to table "groupsownerless".

image

Finally, the Logic Apps

To use the Ownerless Groups functions daily, Azure Logic Apps help. We use two Logic Apps:

The first simply one, "ClearGroupsOwnerless", deletes all data that might be existing in our target table "groupsownerless". We could delete the whole table and regenerate it, or run through all records and delete them. Anyway, as result, the table shall be empty, so we can insert new data. This Logic app is called from our function code f3-RunOwnerless at the beginning and looks like below.

image

The second LogicApp "GroupsOwnerless" runs once in the night, reads all records from the Azure table "groupsownerless", creates a HTML table out of it, loads the email template from a SharePoint Online document library and finally creates an email to the IT Administrator. The body placeholder is replaced by the generated HTML table.

image

As expression in the email Body property, this function is used:

replace(string(body('Load_HTML_template_from_Sharepoint')),'[placeholder]',body('Create_HTML_table'))

If you are interested in the differences between Microsoft Flow and Azure Logic Apps look at this Microsoft Ignite session from my fellow MVP’s Ahmad Najjar, Serge Luca: Microsoft Azure Logic Apps vs. Microsoft Flow: When, how, and where

Let it run

When f3-RunOwnerless is executed, it will run through all groups in the Office 365 tenant, and call f4-Ownerless for each group. After some minutes, depending on the number of groups, the Azure table "groupsownerless" should be filled. Then, run the LogicApp "GroupsOwnerless" to receive an email with that output. This could look similar as below.

image

In the email, we also integrated a link "manage" that leads directly to the Office 365 groups owner management in the Azure portal. So, new owners can quickly be added by an IT Admin (using the Azure authorization).

image

This process helps to make existing Office 365 Groups and Teams compliant on a daily basis.

See how to check external users in the next article!

Office 365 Groups Governance Toolkit series

Categories: Azure, Developer, English, Microsoft, Office365, Microsoft365, PowerShell, Tools, atwork, Cloud, DevOps, Flow, GitHub, Governance, Logic apps, Microsoft Teams

Source: https://blog.atwork.at/post/2018/12/03/Groups-Governance-Toolkit-Part-4-Orphaned-Groups