I have a really specific use case I'm trying to solve and I'm just not having any luck searching for the powershell needed (possible graph may be the answer).
I want to create a custom AzureADDirectorySettingTemplate from the default template (Group.Unified), change the following settings; allowtoaddguests = $false, allowgueststoaccessgroups = $false. Then once the custom template is created, set that as the default settings template for all new groups in the tenant.
The reason is that security is requiring us to start with all new groups as guest access completely disabled, then only enable guest access on request. The main workflow we are pushing for guest access is Teams, but obviously SharePoint has use cases as well. Currently the only way I have to solve this is to run a script watching for newly created groups (say each hour), then update those groups to turn the settings off.
update a single group to no guest access
$Template = Get-AzureADDirectorySettingTemplate -Id 62375ab9-6b52-47ed-826b-58e47e0e304b
$Setting = $Template.CreateDirectorySetting()
$Setting["AllowToAddGuests"]=$false
New-AzureADObjectSetting -TargetType Groups -TargetObjectId (ExternalDirectoryObjectId of UnifiedGroup) -DirectorySetting $Setting
This has the undesired affect of having a group be created as non-compliant and remaining that way for up to an hour. Then, of course, if the script fails for some reason, we could end up with a bunch of non-compliant groups.
Has anyone done this in their tenant? Change the default settings for all new unified groups? I'd love to know how! I also reached out to everyone I know at MS, so if I get a response, I'll be sure to share.
This is the best site I've found on the subject, but it doesn't quite cover what I need:
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-settings-cmdlets
Thanks!
BJ
