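├── .gitattributes
├── DrewO365GroupsScripts - Azure AD Cmdlets
├── DrewsO365GroupsScripts.ps1
└── Set-O365GroupSettings.ps1


/.gitattributes:
--------------------------------------------------------------------------------
# Auto detect text files and perform LF normalization
* text=auto

# Custom for Visual Studio
*.cs diff=csharp

# Standard to msysgit
*.doc diff=astextplain
*.DOC diff=astextplain
*.docx diff=astextplain
*.DOCX diff=astextplain
*.dot diff=astextplain
*.DOT diff=astextplain
*.pdf diff=astextplain
*.PDF diff=astextplain
*.rtf diff=astextplain
*.RTF diff=astextplain

--------------------------------------------------------------------------------
/DrewO365GroupsScripts - Azure AD Cmdlets:
--------------------------------------------------------------------------------
##### Connect-AzureAD for all below ######
##############################################
# This file is a catalogue of independent snippets, not a script to run top to bottom:
# several snippets undo or overwrite what an earlier one configured.
# Every snippet that calls Set-/New-/Remove-AzureADDirectorySetting changes a tenant-wide
# policy, so run them from an administrative account and record the values from the
# "Check" snippet before changing anything.
# NOTE(review): the AzureAD module is a legacy module that Microsoft is retiring in favour
# of Microsoft Graph PowerShell - confirm these cmdlets still run in your tenant.

# Create the Group.Unified directory setting from its template.
# Required once: the setting object does not exist by default.
$template = Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
$setting = $template.CreateDirectorySetting()
New-AzureADDirectorySetting -DirectorySetting $setting

# Check Azure AD Group restriction settings (prints the current name/value pairs)
Get-AzureADDirectorySetting | ForEach Values

# Remove Azure AD Group restriction settings by removing the whole settings object.
# This removes ALL Group.Unified settings, not just group creation: guest restrictions,
# the allowed-creator group, classifications and guideline URLs go with it.
# Presumably the tenant then behaves as the template defaults listed in
# Set-O365GroupSettings.ps1 describe (group creation and guest access default to true).
$settings = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq "Group.Unified"}
Remove-AzureADDirectorySetting -Id $settings.Id

# Restrict all Group creation with no authorized users
$settings = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq "Group.Unified"}
$settings["EnableGroupCreation"] = "false"
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

# Set group creation settings to false and clear the allowed security group,
# without removing all settings
$settings = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq "Group.Unified"}
$settings["EnableGroupCreation"] = "false"
$settings["GroupCreationAllowedGroupId"] = ""
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

# Restrict group creation to the members of one security group, without creating a new
# template. EnableGroupCreation stays "false"; GroupCreationAllowedGroupId names the one
# group that is still allowed to create groups.
# -All $true makes the lookup search every group (the MSOL snippets on this page use
# Get-MsolGroup -All for the same reason); without it only the first page of results is searched.
# Display names are not unique: confirm $group holds exactly one group before running the
# Set- line, because an empty or multi-valued ObjectId changes who may create groups.
$group = Get-AzureADGroup -All $true | Where-Object {$_.DisplayName -eq "ENTER GROUP DISPLAY NAME HERE"}
$settings = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq "Group.Unified"}
$settings["EnableGroupCreation"] = "false"
$settings["GroupCreationAllowedGroupId"] = $group.ObjectId
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

# Setting classification list, replace the comma separated values with what you would like
$settings = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq "Group.Unified"}
$settings["ClassificationList"] = "Internal,External,Confidential"
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

# Setting usage guidelines URL
$settings = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq "Group.Unified"}
$settings["UsageGuidelinesUrl"] = "https://domain.sharepoint.com/sites/intranet/Pages/Groups-Usage-Guidelines.aspx"
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

# Set everything in one
# NOTE(review): this example leaves EnableGroupCreation at "true", so the group named in
# GroupCreationAllowedGroupId presumably restricts nothing here; set it to "false" if the
# intent is to limit creation to that group. Review each guest flag before applying:
# as written, guests can be added to and can access groups.
$group = Get-AzureADGroup -All $true | Where-Object {$_.DisplayName -eq "ENTER GROUP DISPLAY NAME HERE"}
$settings = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq "Group.Unified"}
$settings["ClassificationDescriptions"] = ""
$settings["DefaultClassification"] = ""
$settings["PrefixSuffixNamingRequirement"] = ""
$settings["AllowGuestsToBeGroupOwner"] = "false"
$settings["AllowGuestsToAccessGroups"] = "true"
$settings["GuestUsageGuidelinesUrl"] = "https://domain.sharepoint.com/sites/intranet/Pages/Groups-Usage-Guidelines.aspx"
$settings["GroupCreationAllowedGroupId"] = $group.ObjectId
$settings["AllowToAddGuests"] = "true"
$settings["UsageGuidelinesUrl"] = "https://domain.sharepoint.com/sites/intranet/Pages/Groups-Usage-Guidelines.aspx"
$settings["ClassificationList"] = "Internal,External,Confidential"
$settings["EnableGroupCreation"] = "true"
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

# External Group Access #
#########################
# Add external user to a group
# NOTE(review): Add-UnifiedGroupLinks is an Exchange Online cmdlet, not part of the AzureAD
# module - presumably it needs the remote Exchange session as well.
Add-UnifiedGroupLinks -Identity 'Engineering Testers' -LinkType Members -Links flayosc_outlook.com#EXT#

# Set Guest usage guideline URL
$settings = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq "Group.Unified"}
$settings["GuestUsageGuidelinesUrl"] = "https://domain.sharepoint.com/sites/intranet/Pages/Groups-Usage-Guidelines.aspx"
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

# Stop new guests from being added to groups. This will not restrict guests from accessing
# groups already shared with them, because AllowGuestsToAccessGroups stays "True".
$settings = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq "Group.Unified"}
$settings["AllowToAddGuests"] = "False"
$settings["AllowGuestsToAccessGroups"] = "True"
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

# Turn off the switch so all guests instantly no longer have access, without creating a new template
$settings = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq "Group.Unified"}
$settings["AllowGuestsToAccessGroups"] = "False"
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

# Restrict external access to a specific group
# TO DO - UPDATE TO AZURE AD V2



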
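--------------------------------------------------------------------------------
/DrewsO365GroupsScripts.ps1:
--------------------------------------------------------------------------------
###########################################
# Thank you to all who helped contribute.
# Large thanks to Tony Redmond, Santhosh Balakrishnan, Juan Carlos Martin, Christophe Fiessinger for providing multiple scripts.
# This is mainly a collection of the great work that other people have put together into a central source and I am just the middle man
###########################################
# This file is a catalogue of independent snippets, not a script to run top to bottom.
# Snippets that call Set-/New-/Remove-/Add- cmdlets change tenant or group configuration.

# Establish a remote session to Exchange Online
# NOTE(review): -Authentication Basic submits the account password on this connection and
# cannot satisfy an MFA prompt. Microsoft has retired Basic authentication for Exchange
# Online remote PowerShell, so expect this to fail on current tenants; the supported route
# is the Exchange Online PowerShell module (Connect-ExchangeOnline) with modern authentication.
# Close the session with Remove-PSSession $Session when finished.
$creds = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $creds -Authentication Basic -AllowRedirection
Import-PSSession $Session

# Create group
New-UnifiedGroup -DisplayName "Legal" -Alias "Legal" -EmailAddresses legal@domain.com

# Rename group
Set-UnifiedGroup -Identity "Legal" -Alias "Legal" -DisplayName "New Legal" -PrimarySmtpAddress legal@domain.com

# View all subscribers, members or owners
Get-UnifiedGroupLinks -Identity "Legal" -LinkType Subscribers

# Show detailed info for all groups
# The two calculated properties count members and owners with one Get-UnifiedGroupLinks
# call each per group; [array] makes .Count work when a single link is returned.
Get-UnifiedGroup |
    Select-Object Id, Alias, AccessType, Language, Notes, PrimarySmtpAddress,
        HiddenFromAddressListsEnabled, WhenCreated, WhenChanged,
        @{Expression={([array](Get-UnifiedGroupLinks -Identity $_.Id -LinkType Members)).Count}; Label='Members'},
        @{Expression={([array](Get-UnifiedGroupLinks -Identity $_.Id -LinkType Owners)).Count}; Label='Owners'} |
    Format-Table Alias, Members, Owners

# Set OWA Mailbox Policy to restrict group creation for Exchange only
# (the directory settings further down are what restrict creation tenant-wide)
Set-OwaMailboxPolicy -Identity test.com\OwaMailboxPolicy-Default -GroupCreationEnabled $false

# Configure multi-domain support to set all groups under 1 domain
New-EmailAddressPolicy -Name Groups -IncludeUnifiedGroupRecipients -EnabledEmailAddressTemplates "SMTP:@groups.contoso.com" -Priority 1

# Configure multi-domain support to set sub domains based on user parameters
# Set students domain and all other domain
New-EmailAddressPolicy -Name StudentsGroups -IncludeUnifiedGroupRecipients -EnabledEmailAddressTemplates "SMTP:@students.contoso.com" -ManagedByFilter {Department -eq 'Students'} -Priority 1
New-EmailAddressPolicy -Name OtherGroups -IncludeUnifiedGroupRecipients -EnabledEmailAddressTemplates "SMTP:@groups.contoso.com" -Priority 2

# Set access type (private or public)
Set-UnifiedGroup -Identity "Legal" -AccessType Private

# Add quota setting for Group Sites (must be connected to SPO through Connect-SPOService)
Get-SPOSite -Identity https://contoso.sharepoint.com/sites/ -Detailed | Format-List
Set-SPOSite -Identity https://contoso.sharepoint.com/sites/ -StorageQuota 3000 -StorageQuotaWarningLevel 2000

# Set newly created Groups SharePoint site quota automatically
#...................................
# Setup in a daily timer job
# Variables:
# Cut off date in days
# Storage quota in MB
# Storage quota warning level in MB
#...................................
$cutoffdate = ((Get-Date).AddDays(-20))
$quota = 500
$warning = 400
# Retrieve recently created groups
$Groups = Get-UnifiedGroup | Where-Object {$_.WhenCreated -ge $cutoffdate} | Sort-Object WhenCreated | Select-Object DisplayName, WhenCreated, SharePointSiteUrl
# For each new group update the quota accordingly if a team site exists.
ForEach ($G in $Groups) {
    # A group without a provisioned site has no URL to pass to Set-SPOSite.
    if ([string]::IsNullOrEmpty($G.SharePointSiteUrl))
    {
        Write-Host "The following Groups does not have a site:" $G.DisplayName
        continue
    }
    try
    {
        # -ErrorAction Stop turns a failed update into an exception so the catch block
        # runs instead of the success message being printed after an error.
        Set-SPOSite -Identity ($G.SharePointSiteUrl) -StorageQuota $quota -StorageQuotaWarningLevel $warning -ErrorAction Stop
        Write-Host "The following site quota was updated:" $G.SharePointSiteUrl
    }
    catch
    {
        Write-Host "The quota could not be updated for" $G.SharePointSiteUrl ":" $_.Exception.Message
    }
}

# Allow users to send as the Office 365 Group
# SendAs lets the trustee send mail that appears to come from the group address: grant it
# to named users only and review existing grants with Get-RecipientPermission.
$userAlias = "User"
$groupAlias = "TestSendAs"
$groupsRecipientDetails = Get-Recipient -RecipientTypeDetails groupmailbox -Identity $groupAlias
Add-RecipientPermission -Identity $groupsRecipientDetails.Name -Trustee $userAlias -AccessRights SendAs

# Remove groups email from GAL (global address list)
$groupAlias = "TestGAL"
Set-UnifiedGroup -Identity $groupAlias -HiddenFromAddressListsEnabled $true

# Accept/Reject certain users from sending emails to groups
# -AcceptMessagesOnlyFromSendersOrMembers or -RejectMessagesFromSendersOrMembers
$groupAlias = "TestSend"
Set-UnifiedGroup -Identity $groupAlias -RejectMessagesFromSendersOrMembers dmadelung@concurrency.com

# Hide group members unless you are a member of the private group
$groupAlias = "TestHide"
Set-UnifiedGroup -Identity $groupAlias -HiddenGroupMembershipEnabled:$true

# View all subscribers, members or owners of a group
# Available LinkTypes: Members | Owners | Subscribers
$groupAlias = "TestView"
Get-UnifiedGroupLinks -Identity $groupAlias -LinkType Subscribers

# Find out which groups do not have owners
# Counters start at zero so a second run in the same session does not add to the
# previous totals.
$groups = Get-UnifiedGroup
$GoodGroups = 0
$BadGroups = 0
ForEach ($G in $groups) {
    If ($G.ManagedBy -Ne $Null)
    {
        $GoodGroups = $GoodGroups + 1
    }
    Else
    {
        Write-Host "Warning! The" $G.DisplayName "has no owners"
        $BadGroups = $BadGroups + 1
    }
}
Write-Host $GoodGroups "groups are OK but" $BadGroups "groups lack owners"


# Get all storage being used by O365 groups
# from Juan Carlos Gonzalez https://gallery.technet.microsoft.com/How-to-get-the-storage-fe6d5b1f
$spoO365GroupSites = Get-UnifiedGroup
ForEach ($spoO365GroupSite in $spoO365GroupSites) {
    If ($spoO365GroupSite.SharePointSiteUrl -ne $null)
    {
        $spoO365GroupFilesSite = Get-SPOSite -Identity $spoO365GroupSite.SharePointSiteUrl
        $spoO365GroupFilesUsedSpace = $spoO365GroupFilesSite.StorageUsageCurrent
        Write-Host "Office 365 Group Files Url: " $spoO365GroupSite.SharePointSiteUrl " - Storage being used (MB): " $spoO365GroupFilesUsedSpace " MB"
    }
}


##### Connect-MsolService for all below ######
##############################################
# NOTE(review): the MSOnline module is a legacy module that Microsoft is retiring in favour
# of Microsoft Graph PowerShell - confirm these cmdlets still run in your tenant.
# Snippets that end in New-MsolSettings create the Group.Unified settings object; presumably
# they are for tenants where it does not exist yet, and the Set-MsolSettings variants are
# for changing an existing one.

# Restrict all Group creation with no authorized users
$template = Get-MsolAllSettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
$setting = $template.CreateSettingsObject()
$setting["EnableGroupCreation"] = "false"
New-MsolSettings -SettingsObject $setting

# Setup Azure AD Group restriction creation by allowed group ID, the declared group will be able to create O365 groups
# Display names are not unique: confirm $group holds exactly one group before writing the setting.
$group = Get-MsolGroup -All | Where-Object {$_.DisplayName -eq "ENTER GROUP DISPLAY NAME HERE"}
$template = Get-MsolAllSettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
$setting = $template.CreateSettingsObject()
$setting["EnableGroupCreation"] = "false"
$setting["GroupCreationAllowedGroupId"] = $group.ObjectId
New-MsolSettings -SettingsObject $setting

# Check Azure AD Group restriction settings
Get-MsolAllSettings | ForEach Values

# Remove Azure AD Group restriction settings by removing all settings - This removes all settings not just group creation
# (guest restrictions and the allowed-creator group are removed with it; record the
# current values with the "Check" snippet first)
$settings = Get-MsolAllSettings | Where-Object {$_.DisplayName -eq "Group.Unified"}
Remove-MsolSettings -SettingId $settings.ObjectId

# Set default settings for Azure AD Group restriction settings by creating a new default template - This sets all settings back to default
$template = Get-MsolAllSettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
$setting = $template.CreateSettingsObject()
New-MsolSettings -SettingsObject $setting

# Set group creation settings to false and remove security group directly without removing all settings
$settings = Get-MsolAllSettings | Where-Object {$_.DisplayName -eq "Group.Unified"}
$singlesettings = Get-MsolSettings -SettingId $settings.ObjectId
$value = $singlesettings.GetSettingsValue()
$value["EnableGroupCreation"] = "false"
$value["GroupCreationAllowedGroupId"] = ""
Set-MsolSettings -SettingId $settings.ObjectId -SettingsValue $value

# Restrict group creation to the members of one security group, without creating a new
# template. EnableGroupCreation stays "false"; GroupCreationAllowedGroupId names the one
# group that is still allowed to create groups.
# Confirm $group holds exactly one group before running the Set- line.
$group = Get-MsolGroup -All | Where-Object {$_.DisplayName -eq "ENTER GROUP DISPLAY NAME HERE"}
$settings = Get-MsolAllSettings | Where-Object {$_.DisplayName -eq "Group.Unified"}
$singlesettings = Get-MsolSettings -SettingId $settings.ObjectId
$value = $singlesettings.GetSettingsValue()
$value["EnableGroupCreation"] = "false"
$value["GroupCreationAllowedGroupId"] = $group.ObjectId
Set-MsolSettings -SettingId $settings.ObjectId -SettingsValue $value

# Setting classification list, replace the comma separated values with what you would like
$settings = Get-MsolAllSettings | Where-Object {$_.DisplayName -eq "Group.Unified"}
$singlesettings = Get-MsolSettings -SettingId $settings.ObjectId
$value = $singlesettings.GetSettingsValue()
$value["ClassificationList"] = "Internal,External,Confidential"
Set-MsolSettings -SettingId $settings.ObjectId -SettingsValue $value

# Setting usage guidelines URL
$settings = Get-MsolAllSettings | Where-Object {$_.DisplayName -eq "Group.Unified"}
$singlesettings = Get-MsolSettings -SettingId $settings.ObjectId
$value = $singlesettings.GetSettingsValue()
$value["UsageGuidelinesUrl"] = "https://domain.sharepoint.com/sites/intranet/Pages/Groups-Usage-Guidelines.aspx"
Set-MsolSettings -SettingId $settings.ObjectId -SettingsValue $value

# External Group Access #
#########################
# Add external user to a group
Add-UnifiedGroupLinks -Identity 'Engineering Testers' -LinkType Members -Links flayosc_outlook.com#EXT#

# Stop new guests from being added to groups when no settings object exists yet. This will
# not restrict guests from accessing already shared groups (AllowGuestsToAccessGroups stays "True").
$template = Get-MsolAllSettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
$setting = $template.CreateSettingsObject()
$setting["AllowToAddGuests"] = "False"
$setting["AllowGuestsToAccessGroups"] = "True"
New-MsolSettings -SettingsObject $setting


# Restrict external access to a group without creating a new template
$settings = Get-MsolAllSettings | Where-Object {$_.DisplayName -eq "Group.Unified"}
$singlesettings = Get-MsolSettings -SettingId $settings.ObjectId
$value = $singlesettings.GetSettingsValue()
$value["AllowToAddGuests"] = "False"
$value["AllowGuestsToAccessGroups"] = "True"
Set-MsolSettings -SettingId $settings.ObjectId -SettingsValue $value

# Turn off the switch so all guests instantly no longer have access, without creating a new template
$settings = Get-MsolAllSettings | Where-Object {$_.DisplayName -eq "Group.Unified"}
$singlesettings = Get-MsolSettings -SettingId $settings.ObjectId
$value = $singlesettings.GetSettingsValue()
$value["AllowGuestsToAccessGroups"] = "False"
Set-MsolSettings -SettingId $settings.ObjectId -SettingsValue $value

# Restrict external access to a specific group
$group = Get-MsolGroup -All | Where-Object {$_.DisplayName -eq "ENTER GROUP DISPLAY NAME HERE"}
# Stop before touching any settings unless the display name resolved to exactly one group;
# otherwise $group.ObjectId is empty or a list and the target of the change is undefined.
if (-not $group -or @($group).Count -ne 1)
{
    Write-Warning "Expected exactly one group with that display name; no settings were changed"
}
else
{
    $groupsettings = Get-MsolAllSettings -TargetObjectId $group.ObjectId
    if ($groupsettings)
    {
        # The group already has its own settings object: update it in place.
        $value = $groupsettings.GetSettingsValue()
        $value["AllowToAddGuests"] = "False"
        Set-MsolSettings -SettingId $groupsettings.ObjectId -SettingsValue $value -TargetObjectId $group.ObjectId
        Write-Host "Settings existed for " $group.DisplayName
    }
    else
    {
        # No group-level settings yet: create them from the template with this hard-coded ID
        # (presumably the group-level guest template - confirm with Get-MsolAllSettingTemplate).
        $template = Get-MsolSettingTemplate -TemplateId 08d542b9-071f-4e16-94b0-74abb372e3d9
        $setting = $template.CreateSettingsObject()
        $null = New-MsolSettings -SettingsObject $setting -TargetObjectId $group.ObjectId
        $settings = Get-MsolAllSettings -TargetObjectId $group.ObjectId
        # Read the values from the object just created; $groupsettings is empty on this branch.
        $value = $settings.GetSettingsValue()
        $value["AllowToAddGuests"] = "False"
        Set-MsolSettings -SettingId $settings.ObjectId -SettingsValue $value -TargetObjectId $group.ObjectId
        Write-Host "New Template created for " $group.DisplayName
    }
}

# Run a check to see if it worked
(Get-MsolAllSettings -TargetObjectId $group.ObjectId).GetSettingsValue() | foreach values
--------------------------------------------------------------------------------
/Set-O365GroupSettings.ps1:
--------------------------------------------------------------------------------


# Create function
#Name : ClassificationDescriptions
#Description : A comma-delimited list of structured strings describing the classification values in the ClassificationList. The structure of the string is: Value: Description
#Type : System.String
#DefaultValue :

#Name : DefaultClassification
#Description : The classification value to be used by default for Unified Group creation.
#Type : System.String
#DefaultValue :

#Name : PrefixSuffixNamingRequirement
#Description : A structured string describing how a Unified Group displayName and mailNickname should be structured. Please refer to docs to discover how to structure a valid requirement.
#Type : System.String
#DefaultValue :

#Name : AllowGuestsToBeGroupOwner
#Description : Flag indicating if guests are allowed to be owner in any Unified Group.
#Type : System.Boolean
#DefaultValue : false

#Name : AllowGuestsToAccessGroups
#Description : Flag indicating if guests are allowed to access any Unified Group resources.
#Type : System.Boolean
#DefaultValue : true

#Name : GuestUsageGuidelinesUrl
#Description : A link to the Group Usage Guidelines for guests.
#Type : System.String
#DefaultValue :

#Name : GroupCreationAllowedGroupId
#Description : Guid of the security group that is always allowed to create Unified Groups.
#Type : System.Guid
#DefaultValue :

#Name : AllowToAddGuests
#Description : Flag indicating if guests are allowed in any Unified Group.
#Type : System.Boolean
#DefaultValue : true

#Name : UsageGuidelinesUrl
#Description : A link to the Group Usage Guidelines.
#Type : System.String
#DefaultValue :

#Name : ClassificationList
#Description : A comma-delimited list of valid classification values that can be applied to Unified Groups.
#Type : System.String
#DefaultValue :

#Name : EnableGroupCreation
#Description : Flag indicating if group creation feature is on.
#Type : System.Boolean
#DefaultValue : true

# NOTE(review): the function announced above is not written yet. The lines below are bare
# variable references, one per setting; the first is spelled without the trailing "s" of
# the ClassificationDescriptions setting it appears to stand for.
$ClassificationDescription
$DefaultClassification
$PrefixSuffixNamingRequirement
$AllowGuestsToBeGroupOwner
$AllowGuestsToAccessGroups
$GuestUsageGuidelinesUrl
$GroupCreationAllowedGroupId
$AllowToAddGuests
$UsageGuidelinesUrl
$ClassificationList
$EnableGroupCreation
--------------------------------------------------------------------------------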