Planner: Group control–new PowerShell commands
Published Mar 06 2019 03:11 PM
First published on MSDN on Apr 07, 2017
Since I posted my blogs on controlling Group creation with PowerShell, as a means of setting who can and cannot create Plans (which create Groups), there has been a new release of the Azure AD PowerShell module. It supersedes the ‘v1 Preview’ that contained the earlier commands, such as Get-MSOLAllSettingTemplate and New-MsolSettings.  The new modules are still ‘Preview’, but are now v2. The new module details can be found at https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-groups... and the PowerShell v2 Preview module can be installed using the following command from within PowerShell:
Install-Module -Name AzureADPreview -RequiredVersion 2.0.0.85   # always use the latest available

*** Update 1/5/2018 - best to use the latest here rather than the version I specify above - as things invariably move on (Thanks Rob Whaley for keeping me honest here and suggesting the update!) ***

I’m guessing this will get updated – I only show that version as that is the 3/17/2017 release that you need – and that command will ensure that any earlier versions you may have installed are updated.  As with all Azure AD commands – the first thing you will need to do is connect and log in:
Connect-AzureAD

This will pop up a login dialog – just use your Office 365 credentials (I’m assuming you are an admin) and you should see your Account, Environment and Tenant details returned.

The logic for controlling group creation is pretty much the same – and builds on the previous commands such that the new commands will read the previous settings.  For example I can use the new commands to read current settings to see what I have set in my test tenant.  Get-AzureADDirectorySetting replaces Get-MsolAllSettings.  The old commands will still work if you have the v1 Preview module installed – but you can no longer download the v1 Preview module:
Get-AzureADDirectorySetting -All $true | Format-Table Id, DisplayName

This returns a formatted table just showing the Id and name:
Id                                   DisplayName
--                                   -----------
78589c63-72cd-47d2-a187-86092a5f16e7 Group.Unified

To enumerate all the settings values we can use the new command Get-AzureADDirectorySetting with the –All parameter set to true then loop through the objects (settings):
Get-AzureADDirectorySetting -All $True | where-object {$_.DisplayName -eq "Group.Unified"} | ForEach-Object Values

This returns my current settings:
Name                          Value
----                          -----
ClassificationDescriptions
DefaultClassification
PrefixSuffixNamingRequirement
AllowGuestsToBeGroupOwner     False
AllowGuestsToAccessGroups     True
GuestUsageGuidelinesUrl
GroupCreationAllowedGroupId   7edd1d0b-557d-43e6-b583-4f3e0198c167
AllowToAddGuests              True
UsageGuidelinesUrl
ClassificationList
EnableGroupCreation           False

If you are watching closely you will notice there are a few more settings now compared to v1, and I have highlighted the new ones.  I’ll concentrate on the lower ones in this post, as the other ones don’t really affect Planner (yet), but soon they will – and I will post again!

My configuration is to only allow my users to create Groups if they are in the Group with Id of 7edd1d0b-557d-43e6-b583-4f3e0198c167.  I can use the following command to get that group:
Get-AzureADGroup -ObjectId 7edd1d0b-557d-43e6-b583-4f3e0198c167

ObjectId                             DisplayName     Description
--------                             -----------     -----------
7edd1d0b-557d-43e6-b583-4f3e0198c167 CanCreateGroups Users allowed to create groups

Everything is set as it was before when I used the old Msol commands – but if I was starting from scratch what would I do?  I can start by removing my settings and walk through the steps to get them back:
$SettingId = Get-AzureADDirectorySetting -All $True | where-object {$_.DisplayName -eq "Group.Unified"}

Remove-AzureADDirectorySetting -Id $SettingId.Id

The steps to create a new set of settings are to read the settings template for unified groups, then set the settings and finally to save as a new set of settings.  All set?
$template = Get-AzureADDirectorySettingTemplate | where-object {$_.DisplayName -eq "Group.Unified"}

If you take a look at the $Template object while you have it in PowerShell then the $Template.Values | fl gives a nice list of the names and descriptions of the settings if you are interested in trying out some of the others.  For now I’m just going to set the ones I’m interested in.  I’m also going to hard code the GroupId – but at the foot of this blog I’ll include a couple of options to populate a variable with specific groups:
$settings = $template.CreateDirectorySetting()

$settings["GroupCreationAllowedGroupId"] = '7edd1d0b-557d-43e6-b583-4f3e0198c167'

$settings["AllowToAddGuests"] = "true"

$settings["UsageGuidelinesUrl"] = "http://aka.ms/o365g"

$settings["ClassificationList"] = "Low,Medium,High"

$settings["EnableGroupCreation"] = "false"

New-AzureADDirectorySetting -DirectorySetting $settings

And then I can confirm these are set using the same command as above, Get-AzureADDirectorySetting -All $True | where-object {$_.DisplayName -eq "Group.Unified"} | ForEach-Object Values, and I see these settings – some of the ones I didn’t set take their default values.
Name                          Value
----                          -----
ClassificationDescriptions
DefaultClassification
PrefixSuffixNamingRequirement
AllowGuestsToBeGroupOwner     False
AllowGuestsToAccessGroups     True
GuestUsageGuidelinesUrl
GroupCreationAllowedGroupId   7edd1d0b-557d-43e6-b583-4f3e0198c167
AllowToAddGuests              True
UsageGuidelinesUrl            Http://aka.ms/o365g
ClassificationList            Low,Medium,High
EnableGroupCreation           False

As before, you can re-open the settings object to update the values – or sometimes it is easier to remove and re-create, as I have here.  I haven’t checked in v2 Preview – but in v1, if you removed them, the settings still held true – you needed to set EnableGroupCreation to True rather than just remove the settings.

Thanks to Rob de Jong and Rob Whaley for their guidance and input on using these new commands, and particularly the 2nd Rob for these commands to set a variable to use as the ‘allowed’ group – where $GlobalAdminsObjectID can be used in place of my hard-coded group.
# If we want to control who can create groups we can do the following:

# We can use this for canned Azure Roles:

$GlobalAdmins = Get-AzureADDirectoryRole | ? { $_.DisplayName -like "Company Administrator"}

$GlobalAdminsObjectID = $GlobalAdmins.ObjectId.ToString()

# Or we can create a security group and set its object id as a variable:

New-AzureADGroup -Description "Security Group for users allowed to create Office 365 Groups" -DisplayName "Office 365 Group Creators" -MailEnabled $false -SecurityEnabled $true -MailNickName "O365GC"

$GlobalAdminsObjectID = (Get-AzureADGroup -SearchString "Office 365 Group Creators").ObjectId.ToString()

# Or we can call an existing security group and set its object id as a variable:

$GlobalAdminsObjectID = "b39e2044-a139-4463-8c9a-4578e43676ca"
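
The ‘re-open the settings object’ route mentioned earlier, as an added example that is not part of the original post: it updates Group.Unified in place when it exists, creates it from the template when it does not, and reads the result back from the directory. The function name Set-GroupCreationRestriction is hypothetical, and it assumes the allowed principal is a group (as in the main walk-through) and that Connect-AzureAD has already been run.

```powershell
# Added example (hypothetical helper, not from the original post).
# Assumes the AzureADPreview module is loaded and Connect-AzureAD has been run.
function Set-GroupCreationRestriction {
    param(
        [Parameter(Mandatory)] [guid] $AllowedGroupId   # ObjectId of the 'allowed' group
    )

    # Fail early if the ObjectId does not resolve to a group in this tenant;
    # a typo here would leave group creation restricted to a non-existent group.
    $group = Get-AzureADGroup -ObjectId $AllowedGroupId.ToString() -ErrorAction Stop

    $current = Get-AzureADDirectorySetting -All $true |
        Where-Object { $_.DisplayName -eq "Group.Unified" }

    if ($current) {
        # Settings object exists: change only these two values and write it back,
        # leaving guest, classification and guideline settings untouched.
        $current["EnableGroupCreation"] = "false"
        $current["GroupCreationAllowedGroupId"] = $group.ObjectId
        Set-AzureADDirectorySetting -Id $current.Id -DirectorySetting $current
    }
    else {
        # No settings object yet: build one from the template, as in the post.
        $template = Get-AzureADDirectorySettingTemplate |
            Where-Object { $_.DisplayName -eq "Group.Unified" }
        $new = $template.CreateDirectorySetting()
        $new["EnableGroupCreation"] = "false"
        $new["GroupCreationAllowedGroupId"] = $group.ObjectId
        New-AzureADDirectorySetting -DirectorySetting $new | Out-Null
    }

    # Read the values back from the directory rather than trusting the local object.
    $applied = (Get-AzureADDirectorySetting -All $true |
        Where-Object { $_.DisplayName -eq "Group.Unified" }).Values
    $enabled = ($applied | Where-Object { $_.Name -eq "EnableGroupCreation" }).Value
    $allowed = ($applied | Where-Object { $_.Name -eq "GroupCreationAllowedGroupId" }).Value
    if ($enabled -ne "False" -or $allowed -ne $group.ObjectId) {
        throw "Group.Unified settings did not apply as expected."
    }
    "Group creation restricted to '$($group.DisplayName)' ($allowed)"
}

# The group ObjectId used throughout the post:
Set-GroupCreationRestriction -AllowedGroupId '7edd1d0b-557d-43e6-b583-4f3e0198c167'
```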