SOLVED

PowerShell doesn't follow configured policies for Groups creation

%3CLINGO-SUB%20id%3D%22lingo-sub-130768%22%20slang%3D%22en-US%22%3EPowerShell%20doesn't%20follow%20configured%20policies%20for%20Groups%20creation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-130768%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%20the%20requirement%20to%20restrict%20creation%20of%20Office%20365%20Groups%20to%20only%20a%20number%20of%20people%2C%20and%20we%20have%20implemented%20for%20described%20in%20this%20article%20to%20achieve%20that%3A%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.office.com%2Fen-us%2Farticle%2FManage-who-can-create-Office-365-Groups-4c46c8cb-17d0-44b5-9776-005fced8e618%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EManage%20who%20can%20create%20Office%20365%20Groups%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWithin%20OWA%2FOutlook%20we%20can%20see%20the%20configured%20policies%20are%20correctly%20followed%3A%20a%20user%20that%20is%20member%20of%20the%20allowed%20security%20group%20can%20create%20a%20new%20O365%20Group%2C%20independently%20from%20its%20role.%3C%2FP%3E%0A%3CP%3EThis%20means%20that%20if%20a%20Global%20Admin%20user%20isn't%20part%20of%20the%20security%20group%2C%20it%20won't%20be%20allowed%20to%20create%20new%20Groups%20via%20UI.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhen%20loading%20a%20EXO%20PowerShell%20session%20these%20policies%20aren't%20respected%3A%20only%20users%20with%20Global%20Admin%20role%20will%20get%2C%20and%20be%20able%20to%20execute%2C%20the%20cmdlet%20%3CEM%3ENew-UnifiedGroup%3C%2FEM%3E.%3C%2FP%3E%0A%3CP%3EA%20user%20that%20is%20member%20of%20the%20security%20group%20allowed%20to%20create%20new%20Groups%2C%20won't%20get%20the%20%3CEM%3ENew-UnifiedGroup%3C%2FEM%3E%20command%20available%2C%20despite%20that%20user%20is%20allowed%20to%20perform%20the%20operation.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20find%20this%20inconvenient%2C%20and%20this%20won't%20let%20us%20to%20design%20and%20implement%20a%20Groups%20provisioning%20and%20governance%20solution%20as%20we%20expected%2C%20following%20'least%20privileges'%20principle.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe'd%20like%20to%20know%20if%20this%20incorrect%20behavior%20is%20known%20to%20Microsoft%2C%20and%20if%20it'll%20be%20addressed%20in%20the%20upcoming%20future.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERegards%2C%3C%2FP%3E%0A%3CP%3EMassimo%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-130768%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%20Online%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EGroups%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EPowerShell%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-131130%22%20slang%3D%22en-US%22%3ERe%3A%20PowerShell%20doesn't%20follow%20configured%20policies%20for%20Groups%20creation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-131130%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20can%20assign%20groups%2C%20but%20they%20need%20to%20be%20mail-enabled%20security%20groups.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-131037%22%20slang%3D%22en-US%22%3ERe%3A%20PowerShell%20doesn't%20follow%20configured%20policies%20for%20Groups%20creation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-131037%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%2C%20that%20seems%20to%20do%20the%20trick.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20the%20record%2C%20seems%20that%3A%3C%2FP%3E%0A%3CP%3E-%20following%20permissions%20are%20needed%20for%20allowing%20group%20creation%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3BMail%20Recipients%3C%2FLI%3E%0A%3CLI%3E%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3BMail%20Recipients%20Creation%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E-%20still%20with%20this%20it%20isn't%20possible%20to%20assign%20that%20to%20a%20security%20group%2C%20but%20just%20to%20specific%20users%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EDo%20you%20know%20if%20this%20last%20one%20is%20maybe%20just%20a%20limitation%20in%20the%20UI%3F%20And%20what%20are%20the%20cmdlets%20to%20perform%20this%20operation%20via%20PowerShell%3F%20(if%20you%20know)%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-130994%22%20slang%3D%22en-US%22%3ERe%3A%20PowerShell%20doesn't%20follow%20configured%20policies%20for%20Groups%20creation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-130994%22%20slang%3D%22en-US%22%3E%3CP%3EThose%20are%20the%20Exchange%20roles%2C%20not%20the%20Azure%20AD%20ones.%20You%20will%20find%20them%20under%20O365%20Admin%20portal%20-%26gt%3B%20Exchange%20-%26gt%3B%20Permissions.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-130982%22%20slang%3D%22en-US%22%3ERe%3A%20PowerShell%20doesn't%20follow%20configured%20policies%20for%20Groups%20creation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-130982%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20for%20your%20answer.%20Unfortunately%20this%20still%20won't%20let%20us%20achieving%20our%20requirement%20to%20control%20by%20applying%20it%20to%20a%20security%20group.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3EAdd-AzureADDirectoryRoleMember%20%3A%20Error%20occurred%20while%20executing%20AddDirectoryRoleMember%0ACode%3A%20Request_BadRequest%0AMessage%3A%20Role%20membership%20changes%20can%20only%20contain%20objects%20of%20the%20following%20types%3A%20'ServicePrincipal%2CUser'.%3C%2FPRE%3E%0A%3CP%3ESo%20we'll%20have%20to%20create%20an%20Application%20(service%20principal)%20and%20delegate%20the%20operations%20to%20it%2C%20or%20assign%20the%20permissions%20per-user.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-130784%22%20slang%3D%22en-US%22%3ERe%3A%20PowerShell%20doesn't%20follow%20configured%20policies%20for%20Groups%20creation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-130784%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20policy%20applies%20to%20%22client%22%20endpoints%2C%20PowerShell%20is%20not%20such.%20You%20can%20however%20create%2Fassign%20a%20custom%20role%20to%20any%20users%20you%20want%20to%20be%20able%20to%20create%20Groups%20via%20PowerShell.%20For%20example%2C%20the%20%22Mail%20Recipients%22%20role%20already%20has%20the%20New-UnifiedGroup%20cmdlet.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

We have the requirement to restrict creation of Office 365 Groups to only a number of people, and we have implemented for described in this article to achieve that:

Manage who can create Office 365 Groups

 

Within OWA/Outlook we can see the configured policies are correctly followed: a user that is member of the allowed security group can create a new O365 Group, independently from its role.

This means that if a Global Admin user isn't part of the security group, it won't be allowed to create new Groups via UI.

 

When loading a EXO PowerShell session these policies aren't respected: only users with Global Admin role will get, and be able to execute, the cmdlet New-UnifiedGroup.

A user that is member of the security group allowed to create new Groups, won't get the New-UnifiedGroup command available, despite that user is allowed to perform the operation.

 

We find this inconvenient, and this won't let us to design and implement a Groups provisioning and governance solution as we expected, following 'least privileges' principle.

 

We'd like to know if this incorrect behavior is known to Microsoft, and if it'll be addressed in the upcoming future.

 

Regards,

Massimo

5 Replies
Highlighted
Best Response confirmed by Massimo Prota (Occasional Contributor)
Solution

The policy applies to "client" endpoints, PowerShell is not such. You can however create/assign a custom role to any users you want to be able to create Groups via PowerShell. For example, the "Mail Recipients" role already has the New-UnifiedGroup cmdlet.

Highlighted

Thanks for your answer. Unfortunately this still won't let us achieving our requirement to control by applying it to a security group.

 

Add-AzureADDirectoryRoleMember : Error occurred while executing AddDirectoryRoleMember
Code: Request_BadRequest
Message: Role membership changes can only contain objects of the following types: 'ServicePrincipal,User'.

So we'll have to create an Application (service principal) and delegate the operations to it, or assign the permissions per-user.

 

Highlighted

Those are the Exchange roles, not the Azure AD ones. You will find them under O365 Admin portal -> Exchange -> Permissions.

Highlighted

Thanks, that seems to do the trick.

 

For the record, seems that:

- following permissions are needed for allowing group creation

  •      Mail Recipients
  •      Mail Recipients Creation

- still with this it isn't possible to assign that to a security group, but just to specific users

 

Do you know if this last one is maybe just a limitation in the UI? And what are the cmdlets to perform this operation via PowerShell? (if you know) 

Highlighted

You can assign groups, but they need to be mail-enabled security groups.