I want to share with you how to configure Office 365 Policy Settings, so that you can have more control over group creation, classification and configuration when rolling out Office 365 groups. At the time of writing this blog post, most settings are configurable through PowerShell only.

Preparing your PowerShell Host Environment

We need the AzureADPreview PowerShell module, and also the Exchange Online PowerShell module.

#--------------------------------------------------
#---------------Modules and Connections------------
#--------------------------------------------------

#region References
    #https://support.office.com/en-us/article/Manage-Office-365-Groups-with-PowerShell-aeb669aa-1770-4537-9de2-a82ac11b0540
#endregion

#region Install the new Azure AD Module
    Uninstall-Module AzureAD
    Install-Module AzureADPreview
#endregion

#region Connect to Services

    #Connect to Azure AD
    Connect-AzureAD

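    #Connect EXO
    #Note: this session uses Basic authentication, which Microsoft has since retired for Exchange Online;
    #the ExchangeOnlineManagement module (Connect-ExchangeOnline) uses modern authentication instead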
    $UserCredential = Get-Credential

    $Session = New-PSSession -ConfigurationName Microsoft.Exchange `
     -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential `
      -Authentication Basic -AllowRedirection

    Import-PSSession $Session

#endregion

Office 365 Groups simple operations

In this section, I will perform a couple of simple operations. Note that an Office 365 Group can be configured using two commands, Set-AzureADGroup and Set-UnifiedGroup. The relationship between the two is that the ObjectId retrieved from Get-AzureADGroup matches the ExternalDirectoryObjectId retrieved from Get-UnifiedGroup.


Now, let us perform simple operations on Office 365 groups:

#region Get Groups

#Get Groups (Security and/or Office Group)
# https://docs.microsoft.com/en-us/powershell/module/azuread/get-azureadgroup?view=azureadps-2.0

    #Get list of groups
    Get-AzureADGroup |select displayname

    #Search for a specific group
    Get-AzureADGroup -SearchString "Security Group 1"

#endregion

#region make Office Group Security Enabled
    
    #Elevate Office 365 group to security group
    Set-AzureADGroup -ObjectId XXX -SecurityEnabled:$true

#endregion

#region Hide Office Group from GAL
    
    Set-UnifiedGroup -Identity "Group1" -HiddenFromAddressListsEnabled $true

#endregion

#region add Mail Tip for office group
    
    Set-UnifiedGroup -Identity "Group1" -MailTip "This group has a MailTip"

#endregion

#region Allow only internal users to send message to Office 365 group

    Set-UnifiedGroup -Identity "Groups Email Address" -RequireSenderAuthenticationEnabled $true
#endregion

#region change the Display Name for office group
    Set-UnifiedGroup -Identity "mygroup@contoso.com" -DisplayName "My new group"
#endregion

#region Auto-subscribe members
        Set-UnifiedGroup -Identity "Groups Email Address" `
        -AutoSubscribeNewMembers
#endregion

#region Apply Classification for a group

   Set-UnifiedGroup -Identity "Group1"  -Classification Public
#endregion

#region Create a group with hidden membership
    
    # You cannot modify existing group to be with hidden membership
    # You should specify AccessType Private for the command to work
    New-UnifiedGroup -DisplayName "Group3" -HiddenGroupMembershipEnabled -AccessType Private
    
#endregion 

Office Groups Directory Setting

To configure advanced Office groups operations, such as who can create Office 365 groups and how groups are classified, we need to create something called an Azure AD Directory Setting.

An Azure AD Directory Setting is a way to group configurations related to the same service or configuration type. There are many service types of Azure AD Directory Settings, and when creating a new one, you usually create it from a ready-made template that Microsoft provides.

Initially, you will not have any Azure AD Directory Setting objects in your environment, so running Get-AzureADDirectorySetting -All $true will return nothing. If you want to create one of those Azure AD Directory Settings, you do that by specifying a template. You can list all templates used to create Azure AD Directory Settings by typing Get-AzureADDirectorySettingTemplate.

So, let us go through this again. You can create an Azure AD Directory Setting object, which will hold configurations related to a certain service type. Each service type has a template that can be used to create that directory setting object. Think about Azure AD Directory Setting as an abstract class in C#: you cannot instantiate one, but you derive from it a child class or classes (templates).

Now, when we create a new Azure AD Directory Setting, we will do that by using the Group.Unified template. This template contains all the configurations that we need to configure Office 365 groups in our tenant. Below you can see the settings that the Group.Unified template provides.

[Figure: settings provided by the Group.Unified template]

Office Groups Advanced Operations

Let us start by creating a new Azure AD Directory Setting from the Group.Unified template, and then configure each of the settings inside the template as shown in the figure below.

#--------------------------------------------------
#---------------Directory Settings-----------------
#--------------------------------------------------

#region Explore Azure AD Directory Settings and Templates

# By Default no settings exist
Get-AzureADDirectorySetting -All $true

# You create a setting from a template, here is list of them
# Each template has a unique ID
Get-AzureADDirectorySettingTemplate

# Get a template setting by specifying ID from previous command
# The Group.Unified template ID is 62375ab9-6b52-47ed-826b-58e47e0e304b
$GroupsTemplate =(Get-AzureADDirectorySettingTemplate -id 62375ab9-6b52-47ed-826b-58e47e0e304b)
$GroupsTemplate.Values
$GroupsTemplate.Values | FL -Expand EnumOnly


#endregion

Here is the output from the $GroupsTemplate.Values command:

[Figure: output of $GroupsTemplate.Values]

Now, let us create an Azure AD Directory Setting from the Group.Unified template:

#-----------------------------------------------------------------------
#----------Create Directory Setting Based on Groups Template------------
#-----------------------------------------------------------------------

#region Create Unified Groups Azure AD Settings from the Unified Groups Template

#Get All Templates for Azure AD Directory Settings
Get-AzureADDirectorySettingTemplate

#Get the Template for creating Azure AD Directory Settings for Unified Groups
$Template = Get-AzureADDirectorySettingTemplate | where {$_.DisplayName -eq 'Group.Unified'}

#Create Azure AD Directory Setting based on Unified Groups Template
$Setting = $Template.CreateDirectorySetting()
New-AzureADDirectorySetting -DirectorySetting $Setting

#Now let us get that new directory setting we have just created
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting.values

#endregion

Now that we have a new Azure AD Directory Setting based on the Group.Unified template, it is time to configure each and every setting inside that template.

#-----------------------------------------------------------------------
#----------Configure Unified Groups Directory Setting-------------------
#----------------------------------------------------------------------- 

#region

#Reference: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-groups-settings-cmdlets

#region Restrict Group creation based on security group
#______________________________________________________

#Get Azure AD Directory Setting that was created based on the unified group template
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id

$Setting["EnableGroupCreation"] = $False
$Setting["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString "Security Group 1").objectid
Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting

#Check the value of Azure AD Directory Setting related to Unified Groups
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting.values

#endregion

#region Configure Usage Guidelines URI
#_____________________________________

#Get Azure AD Directory Setting that was created based on the unified group template
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id

$Setting["UsageGuidelinesUrl"] = "https://me.ahasayen.com"


Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | 
where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting

#Check the value of Azure AD Directory Setting related to Unified Groups
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting.values

#endregion

#region Apply Classification
#___________________________
#Get Azure AD Directory Setting that was created based on the unified group template
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id

$Setting["ClassificationList"] = "Public, Internal, Confidential, Top Secret"
$Setting["DefaultClassification"] = "Public"
$Setting["ClassificationDescriptions"] ="Public:Use this for public docs,Internal:Use this for internal docs,Confidential:use this for confidential, Top Secret:This is a top secret"

Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | 
where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting

#Check the value of Azure AD Directory Setting related to Unified Groups
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting.values

#endregion

#region Configure Naming Policy
#______________________________

#Get Azure AD Directory Setting that was created based on the unified group template
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id

$Setting["PrefixSuffixNamingRequirement"] = "Team - [GroupName]"


Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | 
where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting

#Check the value of Azure AD Directory Setting related to Unified Groups
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting.values

#endregion

#region Configure Block List
#___________________________

#Get Azure AD Directory Setting that was created based on the unified group template
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id

$Setting["CustomBlockedWordsList"]="Payroll,CEO,HR,CDO"

Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | 
where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting

#Check the value of Azure AD Directory Setting related to Unified Groups 
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting.values

#endregion

#region Allow Guests to be owner : Default is False
#___________________________________________________

#Get Azure AD Directory Setting that was created based on the unified group template
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id

$Setting["AllowGuestsToBeGroupOwner"] = $False #this is the default value

Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | 
where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting

#Check the value of Azure AD Directory Setting related to Unified Groups
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting.values

#endregion

#region Allow Guests To Access Groups : Default is True
#______________________________________________________

#Get Azure AD Directory Setting that was created based on the unified group template
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id

$Setting["AllowGuestsToAccessGroups"] = $True #this is the default value

Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | 
where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting

#Check the value of Azure AD Directory Setting related to Unified Groups
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting.values

#endregion

#endregion
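
An added example, not part of the original post: once the Group.Unified settings above are in place, their values can be checked for drift against a baseline. The function name Compare-GroupUnifiedBaseline, the baseline hashtable, the '*' wildcard convention and the sample values are assumptions made for illustration; directory setting values are compared as strings.

```powershell
# Against a tenant, feed it the live values using the cmdlet from this post:
#   $Current = (Get-AzureADDirectorySetting |
#       Where-Object DisplayName -eq 'Group.Unified').Values

# Hypothetical baseline; '*' means any non-empty value is acceptable
$Baseline = [ordered]@{
    EnableGroupCreation         = 'False'
    GroupCreationAllowedGroupId = '*'
    AllowGuestsToBeGroupOwner   = 'False'
    AllowGuestsToAccessGroups   = 'True'
    DefaultClassification       = 'Public'
}

function Compare-GroupUnifiedBaseline {
    param(
        [Parameter(Mandatory)] [object[]] $Current,   # objects with Name and Value
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Baseline
    )
    # Index the current values by setting name
    $Lookup = @{}
    foreach ($Item in $Current) { $Lookup[$Item.Name] = ([string]$Item.Value).Trim() }

    foreach ($Name in $Baseline.Keys) {
        $Expected = [string]$Baseline[$Name]
        if (-not $Lookup.ContainsKey($Name)) { $Status = 'Missing' }
        elseif ($Expected -eq '*') {
            # Wildcard: the setting only has to be populated
            $Status = if ($Lookup[$Name]) { 'OK' } else { 'Drift' }
        }
        elseif ($Lookup[$Name] -ieq $Expected) { $Status = 'OK' }
        else { $Status = 'Drift' }

        [pscustomobject]@{
            Setting = $Name; Expected = $Expected
            Actual  = $Lookup[$Name]; Status = $Status
        }
    }
}

# Constructed sample values, shaped like $Setting.Values (Name/Value pairs)
$Sample = @(
    [pscustomobject]@{ Name = 'EnableGroupCreation';         Value = 'True' }
    [pscustomobject]@{ Name = 'GroupCreationAllowedGroupId'; Value = '' }
    [pscustomobject]@{ Name = 'AllowGuestsToBeGroupOwner';   Value = 'false' }
    [pscustomobject]@{ Name = 'AllowGuestsToAccessGroups';   Value = 'True' }
)

# Show only the settings that deviate from the baseline
Compare-GroupUnifiedBaseline -Current $Sample -Baseline $Baseline |
    Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

With the constructed sample, EnableGroupCreation and GroupCreationAllowedGroupId are reported as Drift and DefaultClassification as Missing.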

Groups Deletion and Restoration

We can use PowerShell to delete and restore Office 365 groups.

#-----------------------------------------------------------------------
#----------Groups Deletion and Restoration------------------------------
#-----------------------------------------------------------------------

#region Group Deletion & Restoration

#Get all Groups
Get-AzureADGroup |Sort-Object Displayname

#Soft Delete a specific group
Remove-AzureADGroup -ObjectId "ce520ea1-c1c5-4254-a7e8-a74911acb801"

#Show all Soft Deleted Groups
Get-AzureADMSDeletedGroup |Sort-object DeletedDateTime -Descending |
Format-Table id, DisplayName, Description, Visibility, DeletedDateTime

#Hard Delete a Group
Remove-AzureADMSDeletedDirectoryObject -Id "<ObjectID of the soft deleted object>"

#Restore a Group
Restore-AzureADMSDeletedDirectoryObject -Id ce520ea1-c1c5-4254-a7e8-a74911acb801


#endregion

Other Office 365 Groups Operations

Here is another script that can be used for various other operations:

#-----------------------------------------------------------------------
#----------Groups Expirations-------------------------------------------
#-----------------------------------------------------------------------

#region Group Expiration

#Gets current setting
Get-AzureADMSGroupLifecyclePolicy |Format-List

#Removes current policy
Remove-AzureADMSGroupLifecyclePolicy -ID "ID"

#Setup a new Groups Lifecycle Policy (None, All, Selected)
New-AzureADMSGroupLifecyclePolicy -GroupLifetimeInDays 30 -ManagedGroupTypes All `
-AlternateNotificationEmails hero@despacito.onmicrosoft.com

#Update of a policy
Set-AzureADMSGroupLifecyclePolicy -ID "ID" -GroupLifetimeInDays 30 `
-AlternateNotificationEmails hero@despacito.onmicrosoft.com -ManagedGroupTypes "Selected"

#Retrieves Lifecyclepolicy of a selected group
Get-AzureADMSLifecyclePolicyGroup -Id "ID"

#Renews a group by updating the RenewedDateTime property on a group to the current DateTime.
Reset-AzureADMSLifeCycleGroup -GroupId "ID"

#Adds a group to a lifecycle policy
Add-AzureADMSLifecyclePolicyGroup -Id "ID" -GroupId "ID"

#Removes a group from a lifecycle policy
Remove-AzureADMSLifecyclePolicyGroup -Id "ID" -GroupId "ID"


#endregion

#-----------------------------------------------------------------------
#----------Groups without owners----------------------------------------
#-----------------------------------------------------------------------

#region Get Ownerless Groups
Get-UnifiedGroup -ResultSize unlimited -Filter {ManagedBy -eq $null}
#endregion

#-----------------------------------------------------------------------
#----------Groups Query based on time of creation-----------------------
#-----------------------------------------------------------------------

#region Get Groups created in time frame


$date = Get-Date ; $Days = $date.AddDays(-7)
Get-UnifiedGroup -filter {whenCreatedUTC -gt $days} -ResultSize unlimited |Sort-Object -Property WhenChanged | Format-table Name, Alias, AccessType, WhenCreated,WhenChanged


#endregion