SOLVED

Enforce naming conventions across Office 365 Groups

Iron Contributor

Now that we can enforce naming standards in Azure AD vs Exchange, has anyone tried yet?

 

Does it update existing groups like Exchange did?

 

thanks,jb

16 Replies

Jason, it only applies to net new created groups and it does not update existing ones. Please see this article for more details, and please note it's a "Public Preview": https://support.office.com/en-us/article/office-365-groups-naming-policy-6ceca4d3-cad1-4532-9f0f-d46...

I'm trying to create a new policy with the command 

Set-AzureADDirectorySetting -Id group-policy -DirectorySetting “[Company]-"

I'm getting an error

 

Set-AzureADDirectorySetting : Cannot bind parameter 'DirectorySetting'. Cannot convert the "[Company]-" value of type "System.String" to type "Microsoft.Open.MSGraph.Model.DirectorySetting".

 

Any ideas?

 

 

I had a lot of success configuring and using the Groups AAD settings last week, with one exception:  Naming Policy.  Below is the output from the Groups Settings I have in place.

 

I cannot get the "O365Grp-[GroupName]" prefix to be generated on any new groups.  Based on the research I did, the brackets serve to insert the actual group name, and it's just not happening.  When I created the 'PrefixSuffixNamingRequirement' setting, I didn't get an error.  I've also changed it around a bit, to include/exclude the [GroupName] component but nothing made any difference.

Any suggestions are appreciated.

Thx

 

Any suggestions?

 

 


Is [Company] actually one of the available options?  Maybe it's 'companyname', or something else?  I haven't started playing with the AAD components yet, but that's a guess.  I'd like to see a list of accepted attributes if one exists.

There's a list on this post

 

https://docs.microsoft.com/en-us/azure/active-directory/groups-naming-policy

 

User attributes

You can use attributes that can help you and your users identify which department, office or geographic region for which the group was created. For example, if you define your naming policy as PrefixSuffixNamingRequirement = "GRP [GroupName] [Department]", and User's department = Engineering, then an enforced group name might be "GRP My Group Engineering." Supported Azure AD attributes are [Department], [Company], [Office], [StateOrProvince], [CountryOrRegion], [Title]. Unsupported user attributes are treated as fixed strings; for example, "[postalCode]". Extension attributes and custom attributes aren't supported.

Here is an example in addition to the documentation. Note the policy does not apply when you are logged in as an administrator, so you will need to test with a "regular" end user. See this as well: https://support.office.com/en-us/article/office-365-groups-naming-policy-6ceca4d3-cad1-4532-9f0f-d46...

 

$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting["CustomBlockedWordsList"]="contoso,payroll,ceo,cfo,hr,sales,marketing,info,admin,null,vulgar,ass,shit,zut,merde"
$Setting["PrefixSuffixNamingRequirement"]="G_[GroupName]_[Department]"

Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting

Get-AzureADDirectorySetting 

returns nothing, so when I try to run 

 

$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
 
it's empty
 

Get-AzureADDirectorySetting : Cannot bind argument to parameter 'Id' because it is null.
At line:1 char:44
+ ... Setting -Id (Get-AzureADDirectorySetting | where -Property DisplayNam ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-AzureADDirectorySetting], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.Open.MSGraphBeta.PowerShell.GetDirectorySetting

Cannot index into a null array.
At line:3 char:1
+ $Setting["PrefixSuffixNamingRequirement"] = “[Company]-[GroupName]"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : NullArray

Set-AzureADDirectorySetting : Cannot bind argument to parameter 'Id' because it is null.
At line:4 char:33
+ ... Setting -Id (Get-AzureADDirectorySetting | where -Property DisplayNam ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Set-AzureADDirectorySetting], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.Open.MSGraphBeta.PowerShell.SetDirectorySetting

best response confirmed by Jason Benway (Iron Contributor)
Solution

I ran into that too, and I think my problem was because I hadn't actually created the Group.Unified object/setting in AzureAD yet.  Therefore, the error report was technically correct.

Check this to see if you have anything configured:

Get-AzureADDirectorySetting | ForEach Values

 

If not, create the settings AAD object:

Creating the Group.Unified Settings object (1-time task)

$template = Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}

$setting = $template.CreateDirectorySetting()

New-AzureADDirectorySetting -DirectorySetting $setting

 

After that, the 'is null' error should go away as the setting actually exists.  

Re-run Get-AzureADDirectorySetting | ForEach Values and you should at least see the blank settings.

 

I found this site extremely helpful getting my settings configured & managing them:

https://drewmadelung.com/managing-office-365-group-using-azure-ad-powershell-v2/ 

HTH

Thank you, this was the part I was missing!

Correct syntax for an existing policy:

$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting["CustomBlockedWordsList"]="contoso,payroll,ceo,cfo,hr,sales,marketing,info,admin,null,vulgar,ass,shit,zut,merde"
$Setting["PrefixSuffixNamingRequirement"]="G_[GroupName]_[Department]"

Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting

I've been working on this and it appears the PowerShell for this has been changed, and I can't get a Microsoft support engineer who knows to what. The Group.Unified object/setting in AzureAD appears to have been deprecated. However, this can be accomplished via the Exchange Admin Center. Navigate to the Recipients->Groups section. Select the ellipsis for options. Select "Group Naming Policy". That will allow you to specify a prefix, suffix or blocked words for groups created by users.

Kindly suggest what is going wrong here. I tried everything in the Directory parameter.

 

PS C:\WINDOWS\system32> Get-AzureADGroup -SearchString "AllowedtocreateO365Groups"

ObjectId DisplayName Description
-------- ----------- -----------
ad5ceeae-033f-46e8-99dd-fbc570bbc0e8 AllowedtocreateO365Groups


PS C:\WINDOWS\system32> Get-AzureADGroup -SearchString "AllowedtocreateO365Groups"

ObjectId DisplayName Description
-------- ----------- -----------
ad5ceeae-033f-46e8-99dd-fbc570bbc0e8 AllowedtocreateO365Groups


PS C:\WINDOWS\system32> $Template = Get-AzureADDirectorySettingTemplate | where {$_.DisplayName -eq 'Group.Unified'}
PS C:\WINDOWS\system32> $Setting = $Template.CreateDirectorySetting()
PS C:\WINDOWS\system32> New-AzureADDirectorySetting -DirectorySetting $Setting
New-AzureADDirectorySetting : Error occurred while executing NewDirectorySetting
StatusCode: BadRequest
ErrorCode: Request_BadRequest
Message: A conflicting object with one or more of the specified property values is present in the directory.
At line:1 char:1
+ New-AzureADDirectorySetting -DirectorySetting $Setting
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureADDirectorySetting], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.MSGraphBeta.Client.ApiException,Microsoft.Open.MSGraphBeta.PowerShell.NewDirectorySetting

PS C:\WINDOWS\system32> Get-AzureADDirectorySetting

Id DisplayName TemplateId Values
-- ----------- ---------- ------
0dd206ca-7d7d-4649-bb2e-ca8246f11a3e Group.Unified 62375ab9-6b52-47ed-826b-58e47e0e304b {class SettingValue {...


PS C:\WINDOWS\system32> $Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
Get-AzureADDirectorySetting : A parameter cannot be found that matches parameter name 'Id'.
At line:1 char:40
+ $Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetti ...
+ ~~~
+ CategoryInfo : InvalidArgument: (:) [Get-AzureADDirectorySetting], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.Open.MSGraphBeta.PowerShell.GetDirectorySetting

PS C:\WINDOWS\system32> $Setting = Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ
PS C:\WINDOWS\system32> $Setting["EnableGroupCreation"] = $False
PS C:\WINDOWS\system32> $Setting["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString "AllowedtocreateO365Groups").objectid
PS C:\WINDOWS\system32> Set-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ -DirectorySetting $Setting

cmdlet Set-AzureADDirectorySetting at command pipeline position 1
Supply values for the following parameters:
DirectorySetting: AllowedtocreateO365Groups
Set-AzureADDirectorySetting : Cannot bind parameter 'DirectorySetting'. Cannot convert the "AllowedtocreateO365Groups" value of type "System.String" to type "Microsoft.Open.MSGraph.Model.DirectorySetting".
At line:1 char:1
+ Set-AzureADDirectorySetting | where -Property DisplayName -Value "Gr ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Set-AzureADDirectorySetting], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.Open.MSGraphBeta.PowerShell.SetDirectorySetting

PS C:\WINDOWS\system32> $setting

Id DisplayName TemplateId Values
-- ----------- ---------- ------
0dd206ca-7d7d-4649-bb2e-ca8246f11a3e Group.Unified 62375ab9-6b52-47ed-826b-58e47e0e304b {class SettingValue {...


PS C:\WINDOWS\system32> (Get-AzureADDirectorySetting).values

Name Value
---- -----
CustomBlockedWordsList
EnableMSStandardBlockedWords False
ClassificationDescriptions
DefaultClassification
PrefixSuffixNamingRequirement
AllowGuestsToBeGroupOwner False
AllowGuestsToAccessGroups True
GuestUsageGuidelinesUrl
GroupCreationAllowedGroupId
AllowToAddGuests True
UsageGuidelinesUrl
ClassificationList
EnableGroupCreation True


PS C:\WINDOWS\system32>

 

 

Lots of errors in your multiple cmdlets, please follow the step by step from this article: https://support.office.com/en-us/article/Manage-who-can-create-Office-365-Groups-4c46c8cb-17d0-44b5-...

Hello Sir,

I generated those errors in my question to show you. And I am following the same article.

-----------------------------------------------------------------------

New-AzureADDirectorySetting -DirectorySetting $Setting - Here is an error in the original post and it is expected as per the article.

----------------------------------------------------------------------

$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
Get-AzureADDirectorySetting : A parameter cannot be found that matches parameter name 'Id'

- According to the error, I did the same task a little differently.

$Setting = Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ

So I have proceeded further.

----------------------------------------------------------------------------------------

On the last step, I am struggling

Set-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ -DirectorySetting $Setting

 

It is not recognizing the $settings parameter... I tried different values.

----------------------------------------------------

And in my original post, you can see I posted the $setting parameter value last, so as to eliminate the doubt of a null value.

-----------------------------------------------------

May I request you to provide your comment on this? I would be grateful.

 

 

Thank you, sir, for your response. It worked with this. And I am cursing myself: why didn't I try tab before?

 

Set-AzureADDirectorySetting -ObjectId $settings.Id -DirectorySetting $settings

 

-objectID instead of -id

 

Have a great day.

Thanks a lot! This was essential in order to get Move-StaffHubTeam to work! The documentation is, to put it mildly, incomplete and misleading...
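
Pulling the thread's fixes together, an added example (not code from any poster or from Microsoft): a get-or-create wrapper that builds the Group.Unified object if it is missing, sets the naming policy, and picks -Id or -ObjectId by inspecting the installed cmdlet. The function name Set-GroupNamingPolicy is hypothetical, and it assumes the AzureADPreview module with an existing Connect-AzureAD session.

```powershell
# Added example (not from the thread). Assumes the AzureADPreview module is loaded
# and Connect-AzureAD has already been run. Set-GroupNamingPolicy is a hypothetical name.
function Set-GroupNamingPolicy {
    param(
        [Parameter(Mandatory)][string]$PrefixSuffix,  # e.g. 'G_[GroupName]_[Department]'
        [string]$BlockedWords = ''                    # comma-separated list
    )
    $isUnified = { $_.DisplayName -eq 'Group.Unified' }

    # -DirectorySetting needs a DirectorySetting object, not the policy string
    # (passing "[Company]-" directly is what raised "Cannot bind parameter").
    $setting = Get-AzureADDirectorySetting | Where-Object $isUnified

    if (-not $setting) {
        # No Group.Unified object yet, which is the cause of the "'Id' ... is null" errors.
        $template = Get-AzureADDirectorySettingTemplate | Where-Object $isUnified
        if (-not $template) { throw 'Group.Unified template not found in this tenant.' }
        New-AzureADDirectorySetting -DirectorySetting $template.CreateDirectorySetting() | Out-Null
        $setting = Get-AzureADDirectorySetting | Where-Object $isUnified
    }

    $setting['PrefixSuffixNamingRequirement'] = $PrefixSuffix
    $setting['CustomBlockedWordsList']        = $BlockedWords

    # Module builds differ: the thread saw both -Id and -ObjectId. Ask the cmdlet which it has.
    $cmd     = Get-Command Set-AzureADDirectorySetting
    $idParam = if ($cmd.Parameters.ContainsKey('ObjectId')) { 'ObjectId' } else { 'Id' }
    $params  = @{ DirectorySetting = $setting }
    $params[$idParam] = $setting.Id
    Set-AzureADDirectorySetting @params

    # Read the values back from the directory rather than trusting the local object.
    (Get-AzureADDirectorySetting | Where-Object $isUnified).Values |
        Where-Object { $_.Name -in 'PrefixSuffixNamingRequirement', 'CustomBlockedWordsList' }
}

# Values taken from the thread's own example:
Set-GroupNamingPolicy -PrefixSuffix 'G_[GroupName]_[Department]' -BlockedWords 'payroll,ceo,cfo'
```

As noted earlier in the thread, verify the result by creating a group as a regular user: the policy is not applied to administrators, and existing groups are not renamed.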
