SOLVED

Stream Administrative Controls?

Steel Contributor

Just saw this announcement on the office blog: https://blogs.office.com/2017/06/20/microsoft-stream-now-available-worldwide-new-intelligent-feature...; and immediately checked the portal and yes there is now a tile appearing in the waffle which wasn't there until today.

 

I was taken by surprise by this actually. I am unable to find the administrative controls for Stream and/or Video in the admin portal. Where do we set the company policy? Where do we switch it on/off? Why is the license enabled for all users by default? Do we now need to run a PowerShell script to revoke the licenses for all existing users and then every time a new user joins? View is still okay, but "everyone in the company can contribute" is NOT for us.

 

tl;dr; (rant follows)

 

This is a mess. It by default picks up all our million O365 groups created by users. Not only this, it allows anyone in any group to upload videos and create groups directly from within Stream. We do NOT want this pushed down our throat. We do NOT want all of our users ending up uploading a thousand videos without moderation and eat up the storage. This bypasses our internal governance.

 

As long as it was only documents and photos via highly confusing and unorganized O365 Groups paraphernalia, it was still okay for us. Not everyone was allowed to upload videos to the Videos app. But, now with Stream choosing to use (and spawn) O365 Groups all around, it is seemingly an administrative and governance nightmare for us.

 

Anyone has any details around this? How do we control Stream as a resource? How can all O365 Group resources be controlled at an organizational level? We want our users to be able to create their own groups to collaborate, but not with all videos and sites and plans being spawned unnecessarily all around.

 

I know that the AMA is scheduled tomorrow, but the time is not suitable for me, so couldn't wait for this rant.

 

20 Replies

The first of the questions, is answered. I can now see the option "Admin Settings" in Stream. Perplexed on why this wasn't available earlier today!?

 

Rest of the questions still stand, including the one on how to prevent Groups to upload videos altogether and preventing Stream to create Groups.

I highly suggest you check out the documentation https://stream.microsoft.com/en-us/documentation/stream-portal-get-started/
A lot of your questions are already answered.

@Ivan Unger wrote:
I highly suggest you check out the documentation https://stream.microsoft.com/en-us/documentation/stream-portal-get-started/
A lot of your questions are already answered.

Thanks @Ivan Unger. I already checked that out. As I said, I was perplexed on not finding the "Admin Setting" earlier. It started showing just about 30 minutes ago. Also, that documentation does cover a lot of topics on getting started with Stream, but does NOT cover a lot of my questions (only the first few).

 

I still am unable to come to terms with not being able to disable this O365 Groups business altogether. People already end up creating multiple groups for each of the connected services Planner, Teams, Sites, and now Stream! They go to the service and end up creating a Group not realizing they already had one. The entire O365 Groups business is shouting for our continuous guidance to users. 

 

We just want total control over the services provisioned with O365 Groups. And, we do NOT want just about everyone to be able to upload thousands of unmoderated videos on their own tucked up in thousand private groups.

 

Guidance and controls given by Microsoft are inadequate. It is like an all or none situation.

But this is not a Stream issue, rather a general groups governance issue that simply extends to Stream as well.
I've limited groups creation to a specific AAD Security Group in our tenant, therefore I'm not facing those issues, as my IT staff are the only members.
I'm unfamiliar with your environment so I cannot tell if this is an option or not. Additionally you could simply turn off Stream altogether for the moment.

I agree @Ivan Unger that this is not a Stream issue per se, but an overarching problem with the O365 Group Architecture. But, my plight is that the current Video service did not tie into the Groups, but Stream does. So, I ended up crying out loud on Stream :( especially since it was enabled by default for everyone today morning! I was not monitoring the development and preview because I was loaded up in other projects and could not find time, and it caught me unprepared. 

 

This is a Stream problem, because I do NOT have the straight-cut ability to turn off Stream for the entire tenant for the moment. 

 

In my organisation we allow everyone to be able to create Groups for their collaboration needs. This way they do not depend on the traditional IT and can work on their workgroups and taskforces on their own. I am sold into the whole self-service use-case of O365 Groups idea. 

 

But, Stream dipping into that is a concern for us, because that way we fear ending up with innumerable videos inside of innumerable private groups and that could not be moderated by our knowledge managers. See, we do NOT want Stream (video as media) service to be part of Groups at all. We want to manage it centrally via our knowledge managers. For social sharing we already have Yammer.

 

So, I want Stream to be able to provide some administrative control to turn-off Groups and turn-on only organisation-wide channels. If not, then at least selective control over Groups that are allowed to upload video.

 

Let me see, if I can move or cross-reference this thread to another "more" appropriate place.

 

Just stumbled upon this thread: https://techcommunity.microsoft.com/t5/Office-365-Video/Microsoft-Stream-general-availability-planni...

 

Looks like I am not alone with the grouse with Stream using O365 groups.

Hi @Abhimanyu Singh - 

 

Thanks for your feedback and concerns about Stream and O365 Groups. Groups is being connected more and more with various services within O365 which does make it harder to manage. In general we are trying hard to respond to and address as much of the Groups management feedback as we can. Lots of new groups management capabilities have been added across O365 Groups in the last many months.

 

I’m adding some folks who work on the O365 Group team directly to this conversation so they can see your feedback as well. The O365 Groups community is here as well if you want to ask further questions about O365 Groups in general: https://techcommunity.microsoft.com/t5/Office-365-Groups/ct-p/Office365Groups

 

Groups Team Folks (FYI): @Sahil Arora, @Christophe Fiessinger, @Mike McLean (OFFICE)

 

Background Question

Could you explain a bit more about your organization’s thinking about videos in Stream as comparison to files or videos living in the document library / files of a Group? Is the difference just the fact that Stream aggregates all the content together into a portal vs the files living in their own separate area and only aggregate in Delve or Enterprise Search? Why did you mention it’s okay for people to self-service create groups with storing files, etc, but you are thinking you don’t want that to also be possible for Stream?

 

Enable / Disable Stream in General

You are correct. We do not have a simple overall on/off switch for Stream at this point in time. The way to disable Stream for users is to unlicense them. If you remove their license they won’t see the Stream tile in the App launcher anymore. See this help article: https://stream.microsoft.com/en-us/documentation/stream-license-management/

 

Alternatively if you really do want to disable Stream all together, you can take the “big hammer” option of blocking our AAD App ID. This makes Stream not usable at all. We don’t suggest this option but it is there: https://stream.microsoft.com/en-us/documentation/stream-block-application/

 

Disable Upload / Creation of Companywide groups

We do have a setting in Stream Admin that allows you to limit who can upload videos into Stream and limit who can create companywide channels. If you use this option you can have a select set of people within the org who can upload videos. Everyone else won’t be allowed, even if they are part of an O365 Group that shows up in Stream.

https://stream.microsoft.com/en-us/documentation/stream-restricting-uploaders/

 

 

Disable Group Creation

As you mentioned Stream is just leveraging Groups like other O365 Services (Yammer, Outlook, SharePoint, Planner, StaffHub, Teams, etc). This means that groups you create in other apps do show up in Stream. We don’t provision anything per se, but the group shows up in Stream ready for you to upload videos and create channels within.

 

Stream respects the settings of O365 Groups in general. So if, as others mentioned, you restrict who can create Groups in general Stream will respect that. We do have some outstanding work items to finish up to make this more transparent to users. Right now today if you restrict who can make groups, we still show you the create group option in Stream. When the user who doesn’t have rights to make groups clicks it and tries to create a group it will fail. We are doing work now to address this and just not show the create group option if you as a user aren’t allowed.

 

To disable group creation you need to do this with the O365 Groups controls as this isn’t something that applies only to Stream. See this article: https://support.office.com/en-us/article/Control-who-can-create-Office-365-Groups-4c46c8cb-17d0-44b5...

 

Here is the top level article to understand O365 Groups across O365: https://support.office.com/en-us/article/Learn-about-Office-365-groups-b565caa1-5c40-40ef-9915-60fdb...

 

It could be an interesting idea if we added an additional control in Stream that controls who can create groups in STREAM itself. We’d have to make sure we still respect the overall O365 Groups setting, but an extra setting in Stream might help what you are after. If you are interested in this could you add an idea to the Stream Ideas Forum for this so others could comment and vote on it? Stream Ideas: https://techcommunity.microsoft.com/t5/Microsoft-Stream-Ideas/idb-p/StreamIdeas

 

Control over the services provisioned automatically with Groups

I can see the concern about not wanting/needing certain services when you make groups. This is for sure a tricky one to solve in the right way that works well across organizations and for users in a way that is intuitive. I can see both sides of this one in terms of more control and in terms of making it easier for users to get to and use new services automatically which are tied to groups.

 

If you’d like to add your votes and comments on this idea it looks like this idea on the O365 Groups User Voice forum is similar to what you are thinking:

https://office365.uservoice.com/forums/286611-office-365-groups/suggestions/16619995-ability-to-cont...

 

Please find a list of recent Office 365 Groups admin improvements and roadmap: https://blogs.office.com/2017/04/06/whats-new-in-office-365-groups-for-april-2017/ 

I'm not seeing a way to unlicense Stream using PowerShell because it is a SKU enabled under the Office 365 Education E3 for faculty license (Microsoft Stream for O365 E3 SKU). Does someone know how to disable the Stream license using PowerShell without disabling the E3 license (30k+ accounts)?

Hi William:

 

Here is an article which talks about how to remove licenses from users in O365 using PowerShell  https://technet.microsoft.com/library/dn771774.aspx. 

 

You can also use these PowerShell commands and we will work on putting together a Stream specific article soon.

 

  • Connect to your Office 365 subscription:
      Connect-MsolService
  • View your available licensing plans:
      Get-MsolAccountSku
  • Create a licenseOptions object that disables Microsoft Stream service in the licensing plan:
      $LO = New-MsolLicenseOptions -AccountSkuId <AccountSkuId> -DisabledPlans "STREAM_O365_E3"
  • To disable Microsoft Stream for an existing licensed user use the following command:
      Set-MsolUserLicense -UserPrincipalName <Account> -LicenseOptions $LO

Please let us know if there is anything else we can help with.

-Ashish
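
An added example (not part of the original post or Microsoft's documentation) that applies the commands above to every holder of one SKU, which is what the 30k+ account question needs. It assumes the MSOnline module; `<AccountSkuId>` is a placeholder, and `$DryRun` and the report path are hypothetical names introduced here.

```powershell
# Added example, not from the thread. Requires the MSOnline module used in the post above.
$AccountSkuId = '<AccountSkuId>'    # placeholder: copy the real value from Get-MsolAccountSku
$StreamPlan   = 'STREAM_O365_E3'    # service plan name quoted in the post above
$DryRun       = $true               # assumption: report first, set to $false to apply
$ReportPath   = '.\stream-plan-report.csv'   # hypothetical output path

Connect-MsolService

# Stop early if the SKU or the plan name does not match this tenant.
$sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $AccountSkuId }
if (-not $sku) { throw "SKU '$AccountSkuId' not found in this tenant." }
$planNames = @($sku.ServiceStatus | ForEach-Object { $_.ServicePlan.ServiceName })
if ($planNames -notcontains $StreamPlan) {
    throw "Plan '$StreamPlan' is not part of '$AccountSkuId'."
}

$report = foreach ($user in Get-MsolUser -All) {
    $license = $user.Licenses | Where-Object { $_.AccountSkuId -eq $AccountSkuId }
    if (-not $license) { continue }    # user does not hold this SKU

    # Plans already switched off for this user. -DisabledPlans replaces the whole
    # set, so these must be passed again or they are turned back on.
    $disabled = @($license.ServiceStatus |
        Where-Object { $_.ProvisioningStatus -eq 'Disabled' } |
        ForEach-Object { $_.ServicePlan.ServiceName })

    if ($disabled -contains $StreamPlan) {
        $status = 'AlreadyDisabled'
    }
    elseif ($DryRun) {
        $status = 'WouldDisable'
    }
    else {
        $options = New-MsolLicenseOptions -AccountSkuId $AccountSkuId `
            -DisabledPlans ($disabled + $StreamPlan)
        try {
            Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName `
                -LicenseOptions $options -ErrorAction Stop
            $status = 'Disabled'
        }
        catch {
            $status = "Failed: $($_.Exception.Message)"
        }
    }

    # One row per SKU holder, so the run doubles as an audit record.
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        Status            = $status
        KeptDisabled      = ($disabled -join ';')
    }
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Group-Object Status | Select-Object Name, Count
```

Running the same script again later with `$DryRun = $true` lists any account where the plan has become enabled again, for example a new joiner licensed without the option.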


@Marc Mroz wrote:

Hi @Abhimanyu Singh - 

 

Thanks for your feedback and concerns about Stream and O365 Groups. Groups is being connected more and more with various services within O365 which does make it harder to manage. In general we are trying hard to respond to and address as much of the Groups management feedback as we can. Lots of new groups management capabilities have been added across O365 Groups in the last many months.

Thank you @Marc Mroz for this detailed explanation. Really helpful. Much appreciated. Yes, I agree that my main gripe *is* with the way O365-Groups is implemented. And that is the source of all confusions and frustrations. It's the individual services which leverage the Groups, that then get the flak.

 

 

I’m adding some folks who work on the O365 Group team directly to this conversation so they can see your feedback as well. The O365 Groups community is here as well if you want to ask further questions about O365 Groups in general: https://techcommunity.microsoft.com/t5/Office-365-Groups/ct-p/Office365Groups

 

Groups Team Folks (FYI): @Sahil Arora, @Christophe Fiessinger, @Mike McLean (OFFICE)

 

Thanks a ton for this. I've been dying for the right audience! As I wrote above, I was intending to stop this thread going further and look for the right place within the Groups Space to post a more coherent feedback and cross link from here. Now that you have provided some valuable explanation here, I shall complete this first here and then go create a fresh post in O365-Groups Space.

 

 

Background Question

Could you explain a bit more about your organization’s thinking about videos in Stream as comparison to files or videos living in the document library / files of a Group? Is the difference just the fact that Stream aggregates all the content together into a portal vs the files living in their own separate area and only aggregate in Delve or Enterprise Search? Why did you mention it’s okay for people to self-service create groups with storing files, etc, but you are thinking you don’t want that to also be possible for Stream?

 

That is a good question there, and am myself struggling with this. I shall try to explain:

 

We created a well defined Intranet built out of SharePoint Online way back in 2014 when the only services available on O365 were EXO, SPO, ODfB, SfB, and Yammer. We invested a lot in creating site-collections, and sites, and subsites which closely followed our formal HR structure and fit well with our intended governance. With strong organisational term-sets and metadata elements, we have a system that works beautifully for us. There are few shortcomings here and there, but it works. For adhoc needs and ephemeral teams we provisioned separate team-sites on-demand, but with at least one basic content-type. All governed and managed by IT. We intend to keep our content curated. And our internal guidance says that clearly. For all other purposes, ODfB and/or Yammer. SP is strictly curated.

 

We explicitly provided guidance to our users to not upload media/videos for three reasons: one - to keep storage consumption within limits (we are a non-profit and every penny spent needs to be justified); second - to maintain a central repository of media backed by strong metadata and taxonomy term-sets, we want our content to be highly curated; and third - to keep the junk away. For social we promoted Yammer. Control was/is a pain because there is no straight-cut way to block certain file-types. So we've been auditing via PowerShell scripts to generate administrative reports on content to keep a tab and notify users.

 

As O365 environment matured and grew, new services started becoming available. As O365-Video service became available, it was the clear choice to host organisational video library. This was/is managed by a team of knowledge workers. We are happy with it.

 

When O365-Groups launched, it changed everything. For one, I *am* a big fan of this idea as it now removes dependence on IT and AD. Users can create their own groups for ephemeral teams. They can share files, communicate, and overall collaborate. While this *is* all great, it brought with it its own set of challenges. So many private groups started cropping up on which there is no administrative visibility. All groups started getting provisioned with all kinds of artefacts - team-site, onenote, planner, calendar, and so on. Many of these artefacts were/are unused and become graveyards. There is no visibility in SharePoint Admin Center! Organisational taxonomy goes for a toss. Naming policy doesn't work properly and is still bug-ridden at its best. 

 

Yes, we cannot block files in ODfB and SP and now Groups-team-site. But, with Stream there is now another avenue for the users and it just adds to the existing overheads and pain. At least with O365-Video, there was one less problem area. 

 

Enable / Disable Stream in General

You are correct. We do not have a simple overall on/off switch for Stream at this point in time. The way to disable Stream for users is to unlicense them. If you remove their license they won’t see the Stream tile in the App launcher anymore. See this help article: https://stream.microsoft.com/en-us/documentation/stream-license-management/

 

Alternatively if you really do want to disable Stream all together, you can take the “big hammer” option of blocking our AAD App ID. This makes Stream not usable at all. We don’t suggest this option but it is there: https://stream.microsoft.com/en-us/documentation/stream-block-application/

 

Thank you for the links. I've already seen that. But, that is not the point. Why make it so convoluted? Why enable services by default? Let the administrators take a call and assign licenses, rather than going the other way round and revoke licenses. Why not a simple on/off switch in admin portal for tenancy-level control? Why go the Azure AppId route? Every time a service goes GA, we scramble to get hold of the documentation, dig out PS commands, find out SKU-Id and so on. There was no "admin settings" option in the menu for full first-half of yesterday (which actually prompted this rant)!

 

 

Disable Upload / Creation of Companywide groups

We do have a setting in Stream Admin that allows you to limit who can upload videos into Stream and limit who can create companywide channels. If you use this option you can have a select set of people within the org who can upload videos. Everyone else won’t be allowed, even if they are part of an O365 Group that shows up in Stream.

https://stream.microsoft.com/en-us/documentation/stream-restricting-uploaders/

THIS is what I was looking for. The guidance is not proper. I read that link twice yesterday, but two things: firstly - there was no "admin settings" option in the menu for full first-half of yesterday, which is the cause of this long rant to start with! secondly - the message is not clear that this setting will disallow upload from inside groups as well. Perhaps it could be worded better.

 

In any case, this should work for us. Thank you again for clarifying this.

 

 

Disable Group Creation

As you mentioned Stream is just leveraging Groups like other O365 Services (Yammer, Outlook, SharePoint, Planner, StaffHub, Teams, etc). This means that groups you create in other apps do show up in Stream. We don’t provision anything per se, but the group shows up in Stream ready for you to upload videos and create channels within.

 

Stream respects the settings of O365 Groups in general. So if, as others mentioned, you restrict who can create Groups in general Stream will respect that. We do have some outstanding work items to finish up to make this more transparent to users. Right now today if you restrict who can make groups, we still show you the create group option in Stream. When the user who doesn’t have rights to make groups clicks it and tries to create a group it will fail. We are doing work now to address this and just not show the create group option if you as a user aren’t allowed.

 

To disable group creation you need to do this with the O365 Groups controls as this isn’t something that applies only to Stream. See this article: https://support.office.com/en-us/article/Control-who-can-create-Office-365-Groups-4c46c8cb-17d0-44b5...

 

Here is the top level article to understand O365 Groups across O365: https://support.office.com/en-us/article/Learn-about-Office-365-groups-b565caa1-5c40-40ef-9915-60fdb...

Nopes. Disabling O365-Groups altogether isn't a solution. We don't want to kill a killer function just because it has niggling problems. We would rather see those problems solved. We would want to continue to empower our users. If nothing works out, we will see what to do then. More about this in a separate post in the relevant O365-Groups Space as mentioned earlier.

 

As for the link to the article to understand O365-Groups, I have gone through that again now. Nothing new there. I do understand O365-Groups, that is why I have gripes on the way it has been implemented.

 

It could be an interesting idea if we added an additional control in Stream that controls who can create groups in STREAM itself. We’d have to make sure we still respect the overall O365 Groups setting, but an extra setting in Stream might help what you are after. If you are interested in this could you add an idea to the Stream Ideas Forum for this so others could comment and vote on it? Stream Ideas: https://techcommunity.microsoft.com/t5/Microsoft-Stream-Ideas/idb-p/StreamIdeas

That would be wonderful Marc. It will certainly help as an interim solution in the immediate term. I shall post in the StreamIdeas space as advised. I hope other services also think the same way.

 

 

Control over the services provisioned automatically with Groups

I can see the concern about not wanting/needing certain services when you make groups. This is for sure a tricky one to solve in the right way that works well across organizations and for users in a way that is intuitive. I can see both sides of this one in terms of more control and in terms of making it easier for users to get to and use new services automatically which are tied to groups.

 

If you’d like to add your votes and comments on this idea it looks like this idea on the O365 Groups User Voice forum is similar to what you are thinking:

https://office365.uservoice.com/forums/286611-office-365-groups/suggestions/16619995-ability-to-cont...

 


You got it perfectly there. I do believe that will not be tricky. It would actually be more helpful across all types of organisations. Something like what Teams does.. starts with chat, files, wiki and then "add a tab" for anything that users want to add. Groups could do the same. Start with just conversations, and then a big "add a service" call-to-action button right there in the user's face. User can then add whatever services/tools/workloads they need in their group and those will be provisioned just-in-time. No unnecessary artefacts. Administrators should be able to control what services should be available for use in that "add a service". If required, organisations can block certain services to be provisioned with a group, otherwise by default all services be allowed. Best of both the worlds.

 

Thank you for pointing to that uservoice idea. Yes, it is 60% of what I am thinking. But, unfortunately I can't vote (zero votes left) :( Shall login with another account/anon and then vote.

 

I can gather myself and try to post a complete idea on the O365-Groups Space soon.

 

Thank you Marc, all over again. 

 

I am 100% on board with everything you said, @Abhimanyu Singh

 

Groups is ultimately the culprit for pain.  It has lots of value, but it is getting to be a bloody mess on the customer side, and to me it all starts with service provisioning.  I recently wrote this up along these same lines, in what I would do to fix O365 Groups before it gets too much further down the path:  https://techcommunity.microsoft.com/t5/Office-365-Groups/How-I-would-quot-fix-quot-O365-Groups/td-p/...

 

New slogan IMO --> "Microsoft Office 365, good luck finding your content ever again"

best response confirmed by Abhimanyu Singh (Steel Contributor)
Solution

Thanks for your detailed answers, feedback, and ideas. We will for sure digest this feedback as a team.

 

I like this idea of yours about allowing other services to be added to a Group on-demand as group owners feel they need other services for their group. I'll make sure to pass on this idea to the Groups team as well.

 

 

 

Control over the services provisioned automatically with Groups

I can see the concern about not wanting/needing certain services when you make groups. This is for sure a tricky one to solve in the right way that works well across organizations and for users in a way that is intuitive. I can see both sides of this one in terms of more control and in terms of making it easier for users to get to and use new services automatically which are tied to groups.

 

If you’d like to add your votes and comments on this idea it looks like this idea on the O365 Groups User Voice forum is similar to what you are thinking:

https://office365.uservoice.com/forums/286611-office-365-groups/suggestions/16619995-ability-to-cont...

 


You got it perfectly there. I do believe that will not be tricky. It would actually be more helpful across all types of organisations. Something like what Teams does.. starts with chat, files, wiki and then "add a tab" for anything that users want to add. Groups could do the same. Start with just conversations, and then a big "add a service" call-to-action button right there in the user's face. User can then add whatever services/tools/workloads they need in their group and those will be provisioned just-in-time. No unnecessary artefacts. Administrators should be able to control what services should be available for use in that "add a service". If required, organisations can block certain services to be provisioned with a group, otherwise by default all services be allowed. Best of both the worlds.

 


 

Does removing licenses work for anyone else? We've tried it and people are still able to see the Stream icon in the waffle and get to Stream.

Hi Andrew: We have created multiple tenants and it has worked every time. Once a user license is removed, they should not be seeing the Stream tile, unless they have also signed up Microsoft Stream Trial plan. In that case, you will need to remove the Stream trial license as well as the "Stream for Office 365" license included in E1/E3/E5.

Once the licenses are removed, the Stream tile should be removed from the Application Launcher in a few mins.

Please let me know (DM) if this is not the case and we should be able to help you debug further.

-Ashish

Ashish,

 

Thanks for the reply. That tip helped...kind of...looking in Office 365 for Stream and turning off the license there (instead of the standalone license), we were able to get it to disappear from the waffle, but when a user goes to web.microsoftstream.com they are still able to access the application. And when we look at their licensing after they've gone to the URL we see that a license has been turned on for the user (with the standalone app now however).

If we then yet again turn it off for them, they can still get into stream as it offers them the stream trial plan, however, this time we don't see anything in the user's licensing to turn it back off again.

Hi Andrew, it could be related to cache update. Once you remove a user license it's about an hour after which the cache is updated and from that point the user should not have access to web.microsoftstream.com if both Viral and Stream for Office 365 licenses are removed.

Can you try that and let me know if you still see an issue after an hour?

-Ashish

Hi, we had to disable Stream from a tenant level but also ran a script to disable it on the individual user basis. We have approx 35K users, took our PowerShell script about 6 hours to complete. We also updated our "new users" script to disable Stream when we initially apply an E3 license to new users.

 

Ashish,

 

Gave it a couple days instead of a couple of hours. :)

The Stream icon disappears from the user's waffle, but if they type in stream.microsoft.com or web.microsoftstream.com they are given the option to login or sign up for free and if they choose login it lets them use their existing account.

 

The message is "You have an account with us. You're using variousnames@ourdomain.com with another Microsoft service already. To finish signing up for Microsoft Stream, sign in with your existing password."

 

This is after I've verified that both the Microsoft Stream Product license is off and the Office 365 licence for Stream for Office 365 is off for that user (for days if not hours). 

 

Thanks for any other suggestions.
