Useful PowerShell cmdlets To Administer Office 365 Groups

Office 365

Howdy Folks! As promised in the previous blog post related to Office groups, I’m back now with some cool PowerShell cmdlets which should ease your work in managing Office 365 groups in your organization. If you’re new to Office 365 groups, I humbly request you to read in detail about Office 365 groups by accessing this link. I’ve tried my best to explain Office 365 groups there. Alright, let’s get started ….

Note

Before you can run all these PowerShell cmdlets given below, you need to load the Exchange Online management shell by following this link. I’ve given a screenshot below for your reference.

Office 365

Listed below are the operations that you can perform by following the PowerShell commands mentioned below.

  • Get the list of all the Office 365 groups in your tenant
  • Remove an existing Office 365 group from the tenant
  • To make changes to an existing Office 365 group
  • Get the membership and ownership information of an Office 365 group /all the Office 365 groups in your tenant
  • Get the list of all the Office 365 groups in descending order
  • Get the list of all Private Office 365 groups in your tenant
  • Get the list of deleted Office 365 groups in descending order
  • Get the list of orphaned Office 365 groups in your tenant
  • Retrieve the list of recently created Office 365 groups
  • Update the quota of a new group if a team site exists
  • Create new Directory Settings for Groups template
  • Update the classifications for all the Office 365 groups
  • Update the privacy of an Office 365 group based on its classification
  • Determine where a group was provisioned (Planner, Yammer, Teams etc.)
  • Get the list of Obsolete Office 365 groups in your tenant

So, let’s look into all these operations in detail below….

  1. To get the list of all the Office 365 groups in your tenant.
    Get-UnifiedGroup

    Office 365
  1. To remove an existing Office 365 group

    This will remove a specific Office 365 group from your tenant.
    Remove-UnifiedGroup -Identity "Test Group"
  1. To make changes to an existing Office 365 group in your tenant
    Set-UnifiedGroup

Ex 1

Set-UnifiedGroup -Identity "HR Team" -AccessType Private

This example changes the Office 365 Group named HR Team from a public group to a private group.

Ex 2

Set-UnifiedGroup -Identity "HR Team" -PrimarySmtpAddress [email protected] -RequireSenderAuthenticationEnabled $false

This example makes the following changes to the Office 365 Group named HR Team,

    • The primary email address is changed to [email protected].
    • The Office 365 Group is allowed to receive mail from unauthenticated (external) senders.
  1. To get the membership and ownership information of an Office 365 group/all the Office 365 groups in your tenant

Get-UnifiedGroupLinks

Ex

Get-UnifiedGroupLinks -Identity "Transport Department" -LinkType Members

This example shows the members of the Office 365 Group named Transport Department

Similarly, you can use the script below to get the list of all the members from all the Office 365 groups in you tenant.

Get Office 365 group members

 This will run and display the results as shown in the screenshot below.
Office 365
  1. To get the list of all the Office 365 groups in descending order.

  1. Get - UnifiedGroup | Select Id, DisplayName, ManagedBy, Alias, AccessType, WhenCreated,  
  2.     @ {  
  3.         Expression = {  
  4.             ([array](Get - UnifiedGroupLinks - Identity $_.Id - LinkType Members)).Count  
  5.         };  
  6.         Label = 'Members'  
  7.     } | Sort - Object whencreated | Format - Table displayname, alias, managedby, Members, accesstype, whencreated  

Office 365
  1. To get the list of all private Office 365 groups in your tenant.
    1. Get - UnifiedGroup | Where - Object   
    2. {  
    3.     $_.AccessType - eq 'Private'  
    4. } | Sort - Object whencreated | Format - Table displayname, alias, managedby, accesstype, whencreated  
    Office 365 
  1. To get the list of deleted Office 365 groups in descending order.
    1. Get-AzureADMSDeletedGroup | Sort-Object DeletedDateTime -Descending | Format-Table Id, DisplayName, Description, Visibility, DeletedDateTime  

Note
To run this command, you need to do the below mentioned steps, else you would end up getting an error as shown in the image below. If you pay close attention to the cmdlet you would notice that this is related to Azure AD and hence you need to load the Azure AD PowerShell module for this.

Office 365

 

I’d suggest performing these tasks in a different PowerShell window for ease of use.

    1. Uninstall the production module of Azure AD by running, (Uninstall-Module AzureAD) as this cmdlet works with the preview module of Azure AD.
    2. You cannot have the production module and the preview module running on the same machine as per Microsoft’s documentation mentioned in this link here.
    3. Once done, please go ahead and install the Preview module by running (Install-module AzureADPreview)
    4. After that, please connect to Azure AD by running Connect-AzureAD as shown in the image below

      Office 365

    5. Once you’re done connecting to Azure AD, please go ahead and run the above-mentioned cmdlet to get the list of deleted Office 365 groups in descending order and you will get the results as shown in the image below. In my case, I don’t have any deleted Office 365 group and hence it didn’t return anything.

      Office 365

To get the list of orphaned Office 365 groups in your tenant

  1. $Groups = Get - UnifiedGroup | Where - Object {  
  2.     ([array](Get - UnifiedGroupLinks - Identity $_.Id - LinkType Owners)).Count - eq 0  
  3. }  
  4.         | Select Id, DisplayName, ManagedBy, WhenCreated  
  5.   
  6. ForEach ($G in $Groups) {  
  7.   
  8.     Write-Host "Warning! The following group has no owner:" $G.DisplayName  
  9.   
  10.  }  

Office 365

To retrieve the list of recently created Office 365 groups

  1. # Variables:  
  2. #   Cutoff date in days  
  3. #   Storage quota in MB  
  4. #   Storage quota warning level in MB  
  5. #.........................................................................................................................................................  
  6. $cutoffdate = ((Get-Date).AddDays(-20))  
  7. $quota = 500  
  8. $warning = 400  
  9. $Groups = Get-UnifiedGroup | Where-Object {$_.WhenCreated -ge $cutoffdate} | Sort-Object whencreated | Select DisplayName, WhenCreated, SharePointSiteUrl  
Office 365
 
To update the quota of a new group accordingly if a team site exists
  1. ForEach($G in $Groups) {  
  2.     try {  
  3.         Set - SPOSite– Identity($G.SharePointSiteUrl) - StorageQuota $quota - StorageQuotaWarningLevel $warning  
  4.         Write - Host "The following site quota was updated:"  
  5.         $G.SharePointSiteUrl  
  6.     } catch {  
  7.         Write - Host "The following Groups does have a site:"  
  8.         $G.DisplayName  
  9.     }  
  10. }  
Office 365

This will run and update the quota of the site as shown in the screenshot below.

Office 365

To create new Directory Settings for Groups template

There are multiple templates that are part of your Azure AD tenant. This template can contain a settings object which has a collection of values. By using these values, we can set the parameters below. This needs to be done before you can set any values.

SettingDescription
·         EnableGroupCreation·         Type: Boolean·         Default: TrueThe flag indicating whether Office 365 group creation is allowed in the directory by non-admin users. This setting does not require an Azure Active Directory Premium P1 license.
·         GroupCreationAllowedGroupId·         Type: String·         Default: “”GUID of the security group for which the members are allowed to create Office 365 groups even when EnableGroupCreation == false.
·         UsageGuidelinesUrl·         Type: String·         Default: “”A link to the Group Usage Guidelines.
·         ClassificationDescriptions·         Type: String·         Default: “”A comma-delimited list of classification descriptions.
·         DefaultClassification·         Type: String·         Default: “”The classification that is to be used as the default classification for a group if none was specified.
·         PrefixSuffixNamingRequirement·         Type: String·         Default: “”String of a maximum length of 64 characters that defines the naming convention configured for Office 365 groups. For more information, see Enforce a naming policy for Office 365 groups (preview).
·         CustomBlockedWordsList·         Type: String·         Default: “”Comma-separated string of phrases that users will not be permitted to use in group names or aliases. For more information, see Enforce a naming policy for Office 365 groups (preview).
·         EnableMSStandardBlockedWords·         Type: Boolean·         Default: “False”Do not use
·         AllowGuestsToBeGroupOwner·         Type: Boolean·         Default: FalseBoolean indicating whether or not a guest user can be an owner of groups.
·         AllowGuestsToAccessGroups·         Type: Boolean·         Default: TrueBoolean indicating whether or not a guest user can have access to Office 365 groups content. This setting does not require an Azure Active Directory Premium P1 license.
·         GuestUsageGuidelinesUrl·         Type: String·         Default: “”The URL of a link to the guest usage guidelines.
·         AllowToAddGuests·         Type: Boolean·         Default: TrueA Boolean indicating whether or not is allowed to add guests to this directory.
·         ClassificationList·         Type: String·         Default: “”A comma-delimited list of valid classification values that can be applied

Let me walk you through the complete process of creating directory settings here.

  1. Install the Azure AD PowerShell Module V2 from this link
  2. Run “Install-Module -Name AzureADPreview” in the PowerShell window
  3. Once done Connect to Azure AD via PowerShell by running “Connect-AzureAD”
    1. Once done to review if you have any settings already configured in your tenant, please run the below cmdlet.
      1. Get-AzureADDirectorySetting | ForEach Values  
             Office 365              

    Note

    If you check the screenshot above you will notice that I have configured few directory settings such as “Usage Guidelines URL “and “Classification List “and I’ll be showing you how to configure that using PowerShell in the examples below.

    1. If you do not have any settings configured the value returned will be blank, as shown in the screenshot below.

      Office 365

    2. Alright, now let’s see some examples to set group settings.
    All examples below will use the Get-AzureADDirectorySetting cmdlet and store that in a variable and then use the Set-AzureADDirectorySetting cmdlet with the updated settings. The full command to run a setting update is as follows. Also, I’d suggest to use PowerShell ISE for running these cmdlets for ease of usage.

    1. $settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”}  
    2. $settings["SETTING NAME"] = ""  
    3. Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings  

    Office 365
    Ok, now let’s look into some scenarios here ...

    Scenario 1

    Restricting Office 365 groups creation for all the users in your organization except for few users who belong to a specific Security group

    1. $group = Get-AzureADGroup -All $True | Where-Object {$_.DisplayName -eq “Office 365 groups creation allowed”}  
    2. $settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”}  
    3. $settings["EnableGroupCreation"] = "false"  
    4. $settings["GroupCreationAllowedGroupId"] = $group.ObjectId  
    5. Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings  

    Office 365
    In this scenario here, I created a security group named “Office 365 groups creation allowed” and I’ve added few members to it. So, by doing this I can grant access only to those members to create Office 365 groups and not to all the users in my organization. Also, an important point to bear in mind here is, if I’m restricting the creation of Office 365 groups then these users won’t be able to create a Team, a Planner, a Yammer group etc. So, the users will be restricted by creating anything which creates an Office 365 group in the backend. So, from an end-user perspective, the “create” button which you see in the screenshot below for creating Office 365 groups won’t be visible to them. The same applies to other services also, users won’t get the “Create Planner “or “Create Team” button once this option is enabled. This is one way to have control on Office 365 groups creation in your organization

    Office 365

    In Teams, the “Create a Teambutton won’t be visible for the users who are not part of that Security group which allows the creation of Office 365 groups.

    Office 365

    In Planner, the Create a Planbutton won’t be visible for the users who are not part of that Security group which allows the creation of Office 365 groups.

    Office 365

    Similarly, as already explained above other services which create an Office 365 group on the backend won’t be available for end users. By doing this you can have control over who gets to create an Office 365 groups and other services such as Teams and Planner in your organization.

    Scenario 2

    Setting Office 365 groups classification.

    1. $settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”}  
    2. $settings["ClassificationList"] = "Internal,External,Confidential"  

    Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

    Office 365
    In this scenario, we’re enabling the classification option so that you can classify your groups accordingly. Once this is done whenever you try to create an Office 365 group from the outlook webmail (provided that you have access to create Office 365 groups) you will get an option to choose the classification for that group also as shown in the image below. This could be useful from a compliance and governance perspective.
    Office 365

    Once that’s done you can set the classification for an existing Office 365 by running the below PowerShell command.

    1. Set-UnifiedGroup <[email protected]> -Classification <Internal>  

    Also, if you want to create a new group with a classification then run the below PowerShell command for that.

    1. New-UnifiedGroup <[email protected]> -Classification <External> -AccessType <Public>  

    Scenario 3

    Setting Usage Guidelines URL.

    1. $settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”}  
    2. $setting["UsageGuidelinesUrl"] = "<https://o365techy.sharepoint.com/sites/office365groupsgovernance/usageguidelines/SitePages/Home.aspx>"  
    3. Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings  

    Office 365

    In this scenario, I’ve created a SharePoint subsite named “Usage Guidelines” which speaks about all the guidelines a user must follow while using Office 365 groups in my organization and the user can refer that while creating/using Office 365 groups. Once this has been enabled what the end user view would be like. Please check the screenshot below.

    Office 365

    Scenario 4

    Restrict all access for guest users to Groups including the ones that were already granted access.

    1. $settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”}  
    2. $settings["AllowGuestsToAccessGroups"] = "False"  
    3. Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings  

    Office 365
    Scenario 5

    Restrict the ability to add any new guest users but do not restrict existing guest users.

    1. $settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”}  
    2. $settings["AllowToAddGuests"] = "False"  
    3. $settings["AllowGuestsToAccessGroups"] = "True"  
    4. Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings  
    Office 365

    Finally, if you want to review all the updated settings then please run the below mentioned PowerShell cmdlet as already described above and it will return the updated settings.

    1. Get-AzureADDirectorySetting | ForEach Values  

     Office 365

    If you want to remove the group settings that we configured in all the scenarios above then please run the below PowerShell command.

    1. $settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq “Group.Unified”}  
    2. Remove-AzureADDirectorySetting -Id$settings.Id  

    Office 365

    To update the classifications for all the Office 365 groups

    1. ## Set classifications for all groups  
    2. $Groups = Get-UnifiedGroup | Where-Object {$_.Classification -Eq $Null}  | Select DisplayName, Classification  
    3. ForEach ($G in $Groups) {  
    4.     If ($G.Classification -Eq $Null)  
    5.     {  
    6.         Write-Host $G.DisplayName  
    7.         Set-UnifiedGroup -Identity $G.DisplayName -Classification "Internal"  
    8.     }  
    9.  }  
    10. #...................................  
    11. # Variables:  
    12. #   Cut off date in days  
    13. #   Classification  
    14. #...................................  
    15. $cutoffdate = ((Get-Date).AddDays(-10))  
    16. $classification = "High"  
    17. # Retrieve recently created groups with accesstype set to PUBLIC  
    18. $Groups = Get-UnifiedGroup | Where-Object {  
    19.     $_.WhenCreated -ge $cutoffdate -and $_.AccessType -eq 'Public' -and $_.Classification -eq $classification } `  
    20.      | Sort-Object whencreated | Select DisplayName, WhenCreated, AccessType, Classification, ManagedBy  
    21. # For each new group update set accesstype to PRIVATE  
    22. ForEach ($G in $Groups) {  
    23.     Set-UnifiedGroup -Identity $G.DisplayName -AccessType 'Private'  
    24.     Write-Host "The following Group privacy setting was updated:" $G.DisplayName  
    25.   
    26. }  
    Office 365

    This will run and update the classification for all the Office 365 groups, as shown in the image below.

    Office 365

    To update the privacy of an Office 365 group based on its classification

    1. # ...................................  
    2. #Variables:   
    3. #Cutoff date in days  
    4. # Classification#...................................  
    5. $cutoffdate = ((Get - Date).AddDays(-10))  
    6. $classification = "High"  
    7. #Retrieve recently created groups with accesstype set to PUBLIC  
    8. $Groups = Get - UnifiedGroup | Where - Object {  
    9.     $_.WhenCreated - ge $cutoffdate - and $_.AccessType - eq 'Public' - and $_.Classification - eq $classification  
    10. }  
    11. `  
    12.      | Sort-Object whencreated | Select DisplayName, WhenCreated, AccessType, Classification, ManagedBy  
    13. # For each new group update set accesstype to PRIVATE  
    14. ForEach ($G in $Groups) {  
    15.     Set-UnifiedGroup -Identity $G.DisplayName -AccessType 'Private'  
    16.     Write-Host "The following Group privacy setting was updated:" $G.DisplayName  
    17. }  
    Office 365
    Office 365

    To determine where a group was provisioned (Planner, Yammer, Teams etc.)

    To get the list of Yammer integrated Office 365 group list

    1. Get - UnifiedGroup | Where - Object {  
    2.     $_.ProvisioningOption - eq 'YammerProvisioning'  
    3. } | select DisplayName, Alias, ProvisioningOption, GroupSKU, SharePointSiteUrl, SharePointDocumentsUrl, AccessType 

    To get the list of Teams integrated Office 365 group list

    1. Get - UnifiedGroup | Where - Object {  
    2.     $_.ProvisioningOption - eq 'ExchangeProvisioningFlags:481'  
    3. } | select DisplayName, Alias, ProvisioningOption, GroupSKU, SharePointSiteUrl, SharePointDocumentsUrl, AccessType  

    Similarly, we expect MSFT to work on for Planner and other services which create an Office 365 on the backend.

    To get the list of Obsolete Office 365 groups in your tenant

    This is a PowerShell script from Office 365 fame Tony Redmond and the explanation for the script can be found below.

    Note

    You need to be connected to Exchange Online PowerShell module as well as the SharePoint Online PowerShell module to run this script

    Like any object, an Office 365 Group might become unused over time. No current method exists to detect what groups are underused, so here's a script that does the job for you by checking audit records to establish whether any SharePoint file activity has occurred in the group document library in the last 90 days and whether any conversations have happened in the group mailbox in the last year. Seeing that it's all done in simple PowerShell, you can tailor the code to your heart's content. An HTML report file is generated at the end, which contains some statistics like,

    • Number of groups scanned: 155
    • Number of potentially obsolete groups (based on document library activity): 132
    • Number of potentially obsolete groups (based on conversation activity): 60
    • Number of Teams-enabled groups: 41
    • Percentage of Teams-enabled groups: 26.45%

    Office 365

    Thanks for reading this post! Good luck with Office 365 groups!!!!


    Similar Articles