Planner: Group control–new PowerShell commands


Since posting my blogs that covered control of Group creation using PowerShell as a means of setting who can and cannot create Plans (which create Groups), there has been a new release of the Azure AD PowerShell module which supersedes the ‘v1 Preview’ that contained the earlier commands – such as Get-MsolAllSettingTemplate and New-MsolSettings.  The new module is still ‘Preview’ but is now v2; its details can be found at https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-groups-settings-cmdlets and it can be installed using the following command from within PowerShell:

install-module -Name AzureADPreview -RequiredVersion 2.0.0.85

I’m guessing this will get updated – I only show that version as that is the 3/17/2017 release that you need – and that command will ensure that any earlier versions you may have installed are updated.  As with all Azure AD commands – the first thing you will need to do is connect and log in:

Connect-AzureAD

This will pop up a login dialog – just use your Office 365 credentials (I’m assuming you are an admin) and you should see your Account, Environment and Tenant details returned.

The logic for controlling group creation is pretty much the same – and builds on the previous commands such that the new commands will read the previous settings.  For example I can use the new commands to read current settings to see what I have set in my test tenant.  Get-AzureADDirectorySetting replaces Get-MsolAllSettings.  The old commands will still work if you have the v1 Preview module installed – but you can no longer download the v1 Preview module:

Get-AzureADDirectorySetting -All $true | Format-Table Id, DisplayName

This returns a formatted table just showing the Id and name:

Id                                   DisplayName
--                                   -----------
78589c63-72cd-47d2-a187-86092a5f16e7 Group.Unified

To enumerate all the settings values we can use the new command Get-AzureADDirectorySetting with the -All parameter set to true, then loop through the Values of the returned setting objects:

Get-AzureADDirectorySetting -All $True | where-object {$_.DisplayName -eq "Group.Unified"} | ForEach-Object Values

This returns my current settings:

Name                          Value
----                          -----
ClassificationDescriptions
DefaultClassification
PrefixSuffixNamingRequirement
AllowGuestsToBeGroupOwner     False
AllowGuestsToAccessGroups     True
GuestUsageGuidelinesUrl
GroupCreationAllowedGroupId   7edd1d0b-557d-43e6-b583-4f3e0198c167
AllowToAddGuests              True
UsageGuidelinesUrl
ClassificationList
EnableGroupCreation           False

If you are watching closely you will notice there are a few more settings now compared to v1, and I have highlighted the new ones.  I’ll concentrate on the lower ones in this post as the other ones don’t really affect Planner (yet) but soon they will – and I will post again!

My configuration is to only allow my users to create Groups if they are in the Group with Id of 7edd1d0b-557d-43e6-b583-4f3e0198c167.  I can use the following command to get that group:

Get-AzureADGroup -ObjectId 7edd1d0b-557d-43e6-b583-4f3e0198c167

ObjectId                             DisplayName     Description
--------                             -----------     -----------
7edd1d0b-557d-43e6-b583-4f3e0198c167 CanCreateGroups Users allowed to create groups

Everything is set as it was before when I used the old Msol commands – but if I was starting from scratch what would I do?  I can start by removing my settings and walk through the steps to get them back:

$SettingId = Get-AzureADDirectorySetting -All $True | where-object {$_.DisplayName -eq "Group.Unified"}

Remove-AzureADDirectorySetting -Id $SettingId.Id

The steps to create a new set of settings are to read the settings template for unified groups, then set the settings and finally to save as a new set of settings.  All set?

$template = Get-AzureADDirectorySettingTemplate | where-object {$_.DisplayName -eq "Group.Unified"}

If you take a look at the $Template object while you have it in PowerShell then the $Template.Values | fl gives a nice list of the names and descriptions of the settings if you are interested in trying out some of the others.  For now I’m just going to set the ones I’m interested in.  I’m also going to hard code the GroupId – but at the foot of this blog I’ll include a couple of options to populate a variable with specific groups:

$settings = $template.CreateDirectorySetting()

$settings["GroupCreationAllowedGroupId"] = '7edd1d0b-557d-43e6-b583-4f3e0198c167'

$settings["AllowToAddGuests"] = "true"

$settings["UsageGuidelinesUrl"] = "http://aka.ms/o365g"

$settings["ClassificationList"] = "Low,Medium,High"

$settings["EnableGroupCreation"] = "false"

New-AzureADDirectorySetting -DirectorySetting $settings

And then I can confirm these are set using the same command as above:

Get-AzureADDirectorySetting -All $True | where-object {$_.DisplayName -eq "Group.Unified"} | ForEach-Object Values

I see these settings – some of the ones I didn’t set take their default values.

Name                          Value
----                          -----
ClassificationDescriptions
DefaultClassification
PrefixSuffixNamingRequirement
AllowGuestsToBeGroupOwner     False
AllowGuestsToAccessGroups     True
GuestUsageGuidelinesUrl
GroupCreationAllowedGroupId   7edd1d0b-557d-43e6-b583-4f3e0198c167
AllowToAddGuests              True
UsageGuidelinesUrl            Http://aka.ms/o365g
ClassificationList            Low,Medium,High
EnableGroupCreation           False

As before you can re-open the settings object to update the values – or it is sometimes easier to remove and re-create, as I have done here.  I haven’t checked this in v2 Preview – but in v1, removing the settings object did not undo the restriction: the settings still held true, and you needed to set EnableGroupCreation to True rather than just remove the settings.

Thanks to Rob de Jong and Rob Whaley for their guidance and input on using these new commands, and particularly the second Rob for these commands to set a variable to use as the ‘allowed’ group – where $GlobalAdminsObjectID can be used in place of my hard-coded group.

# If we want to control who can create groups we can do the following:

# We can use this for canned Azure Roles:

$GlobalAdmins = Get-AzureADDirectoryRole | ? { $_.DisplayName -like "Company Administrator"}

$GlobalAdminsObjectID = $GlobalAdmins.ObjectId.ToString()

# Or we can create a security group and set its object id as a variable:

New-AzureADGroup -Description "Security Group for users allowed to create Office 365 Groups" -DisplayName "Office 365 Group Creators" -MailEnabled $false -SecurityEnabled $true -MailNickName "O365GC"

$GlobalAdminsObjectID = (Get-AzureADGroup -SearchString "Office 365 Group Creators").ObjectId.ToString()

# Or we can call an existing security group and set its object id as a variable:

$GlobalAdminsObjectID = "b39e2044-a139-4463-8c9a-4578e43676ca"
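As an added example that is not part of the original post, the following function combines the steps above into one reusable piece: it looks up the allowed group by display name (guarding against the prefix matching of -SearchString returning more than one group), takes the update-in-place route with Set-AzureADDirectorySetting when a Group.Unified setting already exists, and reads the values back to check they stuck. It assumes the AzureADPreview v2 module is loaded and Connect-AzureAD has already been run; the function name Set-GroupCreationPolicy is my own, and the group name CanCreateGroups is the one shown earlier in the post.

```powershell
# Added example (not from the original post): create the Group.Unified setting if it is
# missing, otherwise update it in place instead of removing and re-creating it.
# Assumes the AzureADPreview v2 module is loaded and Connect-AzureAD has already run.
function Set-GroupCreationPolicy {
    param(
        [Parameter(Mandatory)][string]$AllowedGroupName,   # display name of your own group
        [string]$UsageGuidelinesUrl = "http://aka.ms/o365g"
    )

    # -SearchString is a prefix match, so require exactly one exact-name hit before using its Id.
    $groups = @(Get-AzureADGroup -SearchString $AllowedGroupName |
                Where-Object { $_.DisplayName -eq $AllowedGroupName })
    if ($groups.Count -ne 1) {
        throw "Expected exactly one group named '$AllowedGroupName', found $($groups.Count)."
    }
    $allowedGroupId = $groups[0].ObjectId

    # Reuse the existing Group.Unified setting if present; otherwise build one from the template.
    $setting = Get-AzureADDirectorySetting -All $true |
               Where-Object { $_.DisplayName -eq "Group.Unified" }
    $isNew = -not $setting
    if ($isNew) {
        $template = Get-AzureADDirectorySettingTemplate |
                    Where-Object { $_.DisplayName -eq "Group.Unified" }
        $setting = $template.CreateDirectorySetting()
    }

    # Values are stored as strings, exactly as in the post above.
    $setting["EnableGroupCreation"]         = "false"
    $setting["GroupCreationAllowedGroupId"] = $allowedGroupId
    $setting["AllowToAddGuests"]            = "true"
    $setting["UsageGuidelinesUrl"]          = $UsageGuidelinesUrl

    if ($isNew) { New-AzureADDirectorySetting -DirectorySetting $setting | Out-Null }
    else        { Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting }

    # Read back and fail loudly if the two values that restrict creation did not stick.
    $values = @{}
    (Get-AzureADDirectorySetting -All $true |
        Where-Object { $_.DisplayName -eq "Group.Unified" }).Values |
        ForEach-Object { $values[$_.Name] = $_.Value }
    if ($values["EnableGroupCreation"] -ne "false" -or
        $values["GroupCreationAllowedGroupId"] -ne $allowedGroupId) {
        throw "Group.Unified settings were not applied as expected."
    }
    $values
}

Set-GroupCreationPolicy -AllowedGroupName "CanCreateGroups"
```

Running it a second time takes the Set-AzureADDirectorySetting branch, so the restriction is never removed between runs.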


Comments (4)

  1. Jason Bowne says:

    Hello Brian – this is great information. We are struggling in our company on the usage strategy across all of the collaboration and file services options for our users (file shares, OneDrive for Business, team sites, groups, Planner, Yammer etc.). We are narrowing down things and one that is causing some issues is the Planner-group tight integration. I want to provide Planner to our users, but NOT allow users to create Planner plans AND get an O365 group automatically. I have not found out anything definitive about the ability to create a plan and NOT create a group. Most things say that if you create a plan you create a group and vice versa – yet the AzureAD documentation says if you put in the group permissions like you describe above it will stop programmatic group creation – what I don’t read is, will the setup above still allow a Planner plan to be created – just not get a group and the functions of the group (like it did when Planner was first released and wasn’t tightly coupled with groups)? Any help would be appreciated! Thanks, Jason

  2. Hi Jason, even at First Release Planner required and was tightly bound to Groups as far as I recall, and there is no way to create a Plan that doesn’t have some relationship to a Group. What I haven’t tried is making these settings and then creating a Plan within a Team. Currently within Teams is the only place there is a many to one relationship between the Plan and the Group – so this action doesn’t require a Group to be created as it already exists for the Plan. Going forward the many to one relationship will be available beyond Teams – so that may help your scenario. There will still be a group needed – but not one for every plan. Best way to think of this is that a Group will own the Plan. We are still a few months off delivering this as far as I am aware.
    Best regards,
    Brian.

  3. David B says:

    This doesn’t seem to work with the latest version of AzureADPreview 2.0.0.129. Maybe I’m just brain fried on a Friday.

    1. Hi David, I haven’t had a chance to try that yet – but let me know if the new week didn’t help resolve this for you!
      Best regards,
      Brian.
