O365 Groups Tidbit - Create/Delete/Upgrade O365 Groups
Hello All,
As O365 Groups become more important in managing SharePoint, I thought I would provide you with some information about them.
Who should be using O365 Groups?
Groups or people that work in the following manner:
- Frequent email communication
- Email distribution lists (Upgrade)
- Sharing Office documents
Who can create groups?
By default all users can create O365 Groups. This was done because groups are used in so many different locations that requests for groups could be too much for Helpdesk to keep up with. However, there are times when companies need to restrict the ability to create groups for governance or other reasons; in that case I recommend you follow this article.
The article walks you thru the following steps (with in-depth information):
- Get the ObjectId of the security group for all users that are allowed to create groups. You can use the cmdlet Get-AzureADGroup to achieve this.
- Get the setting template for Unified Groups, by running the line
$Template = Get-AzureADDirectorySettingTemplate | where {$_.DisplayName -eq 'Group.Unified'}
- Then configure new settings by running the lines
$Setting = $Template.CreateDirectorySetting()
New-AzureADDirectorySetting -DirectorySetting $Setting
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting["EnableGroupCreation"] = $False
$Setting["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString "<Name of your security group>").ObjectId
- Save the settings template by running this line
Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting
NOTE: You must use the AzureADPreview module to achieve these results, and AAD Premium is required.
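The steps above as one script that can be re-run safely and confirms the result, as an added example that is not part of the original post or the linked article. It assumes an existing Connect-AzureAD session with the AzureADPreview module; the group name 'Group Creators' is a hypothetical placeholder.

```powershell
# Added example: idempotent version of the steps above, with input checks.
# Assumes AzureADPreview is loaded and Connect-AzureAD has already been run.
$AllowedGroupName = 'Group Creators'   # hypothetical security group name

# -SearchString can return zero or several groups; insist on one exact match
# so the creation right is never granted to an unintended group.
$Allowed = @(Get-AzureADGroup -SearchString $AllowedGroupName |
    Where-Object { $_.DisplayName -eq $AllowedGroupName -and $_.SecurityEnabled })
if ($Allowed.Count -ne 1) {
    throw "Expected exactly one security group named '$AllowedGroupName', found $($Allowed.Count)."
}

# Reuse the existing Group.Unified setting; create it only when it is absent,
# because New-AzureADDirectorySetting fails if the setting already exists.
$Setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
if (-not $Setting) {
    $Template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
    New-AzureADDirectorySetting -DirectorySetting $Template.CreateDirectorySetting() | Out-Null
    $Setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
}

$Setting['EnableGroupCreation'] = $false
$Setting['GroupCreationAllowedGroupId'] = $Allowed[0].ObjectId
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting

# Read the setting back and confirm what the tenant now enforces.
$Check   = Get-AzureADDirectorySetting -Id $Setting.Id
$Enabled = $Check['EnableGroupCreation']
$GroupId = $Check['GroupCreationAllowedGroupId']
if ("$Enabled" -ne 'False' -or $GroupId -ne $Allowed[0].ObjectId) {
    throw "Group.Unified was not updated: EnableGroupCreation=$Enabled, allowed group=$GroupId"
}
"Group creation restricted to '$($Allowed[0].DisplayName)' ($GroupId)"
```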
How to create O365 Groups?
Once your environment is open to being self-hosted, end users (or, if it is not self-hosted, anybody who has permission to create groups) will have several ways to create O365 Groups:
- Outlook – When you create a group thru Outlook you get the following objects: Shared Inbox, Shared Calendar, SharePoint Document Library, Shared OneNote Notebook, SharePoint Team Site, and Planner
- Teams – When you create a group thru Teams you get the following objects: Chat based workspace, Shared Inbox, Shared Calendar, SharePoint Document Library, Shared OneNote Notebook, SharePoint Team Site, and Planner
- Yammer – When you create a group thru Yammer you get the following objects: Yammer Group, SharePoint Document Library, SharePoint OneNote Notebook, SharePoint Team Site, and Planner
Administrators can create groups in the following ways:
- PowerShell/API
To create O365 Groups with PowerShell you will first need to connect to Exchange Online and retrieve the cmdlets. The following lines perform this:
$Creds = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Creds -Authentication Basic -AllowRedirection
Import-PSSession $Session
Now we can create a group using the cmdlet New-UnifiedGroup. An example of this would be:
New-UnifiedGroup -DisplayName "My New Group"
If you want, you can use several optional parameters, like this:
New-UnifiedGroup -DisplayName "My New Group" -Alias "GroupAlias" -SubscriptionEnabled -AutoSubscribeNewMembers -AccessType Private
We can modify the group settings by using the cmdlet Set-UnifiedGroup
Set-UnifiedGroup -Identity "My New Group" -AccessType Public -AlwaysSubscribeMembersToCalendarEvents
We can add Members or Owners by using the cmdlet Add-UnifiedGroupLinks
Add-UnifiedGroupLinks -Identity "My New Group" -LinkType Owners -Links chris@contoso.com #Adds owner
Add-UnifiedGroupLinks -Identity "My New Group" -LinkType Members -Links george@contoso.com,linda@contoso.com #Adds members
Note: See Remove-UnifiedGroupLinks to remove Members/Owners from group
You can manually create/modify O365 Groups using the following portals
- Azure Active Directory
- Office Admin Portal
- Exchange Admin Center
How to remove/cleanup O365 Groups?
- A great way to automate the cleanup of O365 Groups in your tenant is thru an Expiration Policy which is off by default. If you configure it, then owners will get an email XX days before it is soft-deleted at which point owners will have XX days to recover it before it is permanently deleted.
Configuring the policy requires Global Admin permission and is done in the AAD portal. You can choose from 180 days, 365 days, or custom, which has to be greater than 30 days. In the portal go to User and Groups -> Group Settings -> Expiration and set the desired policy.
Note: All objects attached to the group including the group itself can have a retention policy, and once the group is deleted those policies will be enforced (For more info see this article)
- PowerShell/API
To remove O365 Groups with PowerShell you will first need to connect to Exchange Online and retrieve the cmdlets. The following lines perform this:
$Creds = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Creds -Authentication Basic -AllowRedirection
Import-PSSession $Session
To remove the O365 Group run the cmdlet Remove-UnifiedGroup
Remove-UnifiedGroup -Identity "My New Group" -Force
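Because -Force skips the confirmation prompt, it helps to record who owned and belonged to the group before it goes. The following is an added example, not part of the original post; it assumes the Exchange Online cmdlets are already imported as shown above, and the report path is a hypothetical placeholder.

```powershell
# Added example: snapshot a group's owners and members before removing it.
$GroupName  = 'My New Group'                  # group name used on this page
$ReportPath = '.\group-removal-snapshot.csv'  # hypothetical output path

# Resolve exactly one group so an ambiguous name cannot remove the wrong one.
$Found = @(Get-UnifiedGroup -Identity $GroupName -ErrorAction Stop)
if ($Found.Count -ne 1) { throw "'$GroupName' matched $($Found.Count) groups." }
$Group = $Found[0]

# Capture owners and members so they can be reviewed or restored afterwards.
$Rows = foreach ($Type in 'Owners', 'Members') {
    Get-UnifiedGroupLinks -Identity $Group.PrimarySmtpAddress -LinkType $Type -ResultSize Unlimited |
        ForEach-Object {
            [pscustomobject]@{
                Group      = $Group.DisplayName
                GroupId    = $Group.ExternalDirectoryObjectId
                AccessType = $Group.AccessType
                LinkType   = $Type
                Address    = $_.PrimarySmtpAddress
            }
        }
}
$Rows | Export-Csv -Path $ReportPath -NoTypeInformation

# An ownerless group has nobody to receive expiration or recovery notices.
if (-not ($Rows | Where-Object { $_.LinkType -eq 'Owners' })) {
    Write-Warning "'$($Group.DisplayName)' has no owners recorded."
}

# -WhatIf only reports what would be removed; replace it with -Force
# after the CSV has been reviewed.
Remove-UnifiedGroup -Identity $Group.PrimarySmtpAddress -WhatIf
```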
You can manually remove O365 Groups using the following portals
- Azure Active Directory
- Office Admin Portal
- Exchange Admin Center
How to upgrade Distribution lists and which ones can I not upgrade?
There are two ways to upgrade a DL to an O365 Group
- You can use the Exchange Admin center to upgrade all eligible DL’s, see this article for steps.
- You can use PowerShell to upgrade individual DL’s or all eligible DL’s. Cmdlets you will possibly use are Upgrade-DistributionGroup, Get-EligibleDistributionGroupForMigration and Get-UnifiedGroup
- To upgrade a single DL you would run the following command
Upgrade-DistributionGroup -DlIdentities <DLName>
- To upgrade multiple DL’s you have two choices
- Upgrade all named DL’s
Upgrade-DistributionGroup -DlIdentities <DLName1>,<DLName2>
- Upgrade all eligible DL’s
Get-EligibleDistributionGroupForMigration | ForEach-Object { Upgrade-DistributionGroup -DlIdentities $_.PrimarySmtpAddress }
NOTE: You need to be either an Exchange Admin or a Global admin to perform this task
Any DL that falls into these categories will not be eligible for upgrade:
- Nested
- Security groups
- Dynamic distribution lists
- On-premises owned
Watch for further emails to look at further managing of O365 groups.
Pax