Jaa


O365 Groups Tidbit - Create/Delete/Upgrade O365 Groups

Hello All,

As O365 Groups become more important in managing SharePoint I thought I would provide you with some information about them

Who should be using O365 Groups?

Groups or people that work in the following manner:

  • Frequent email communication
  • Email distribution lists (Upgrade)
  • Sharing Office documents

Who can create groups?

By default all users can create O365 Groups, this was done because groups are used in so many different locations that requests for groups could be to much for Helpdesk to keep up with, however there are times when companies need to restrict the ability to create groups for governance or other reasons, in that case I recommend you follow this article.

The article walks you thru the following steps (With in-depth information):

  1. Get the ObjectId of the security group for all users that are allowed to create groups.  You can use the cmdlet Get-AzureADGroup to achieve this.
  2. Get the setting template for Unified Groups, by running the line

$Template = Get-AzureADDirectorySettingTemplate | where {$_.DisplayName -eq 'Group.Unified'}

  1. Then configure new settings by running the lines

$Setting = $Template.CreateDirectorySetting()

New-AzureADDirectorySetting -DirectorySetting $Setting

$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id

$Setting["EnableGroupCreation"] = $False

$Setting["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString " <Name of your security group> ").objectid

  1. Save the settings template by running this line

Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting

NOTE: You must use AzureADPreview to achieve these results, and require AAD Premuim.

How to create O365 Groups?

Once you open your environment to being Self-Hosted end-users or if not self-hosted then anybody who has permission to create groups will have several ways to create O365 Groups:

  1. Outlook – When you create a group thru Outlook you get the following objects Shared Inbox, Shared Calendar, SharePoint Document Library, Shared OneNote Notebook, SharePoint Team Site, and Planner
  2. Teams – When you create a group thru Teams you get the following objects Chat based workspace, Shared Inbox, Shared Calendar, SharePoint Document Library, Shared OneNote Notebook, SharePoint Team Site, and Planner
  3. Yammer – When you create a group thru Yammer you get the following objects Yammer Group, SharePoint Document Library, SharePoint OneNote Notebook, SharePoint Team Site, and Planner

Administrators can create groups thru the following manners

  1. PowerShell/API

To create O365 Groups with PowerShell you will need to first connect to Exchange Online and retrieve cmdlet’s the following lines perform this

$Creds = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Creds -Authentication Basic -AllowRedirection

Import-PSSession $Session

Now we can create a group using the cmdlet New-UnifiedGroup and example of this would be:

              New-UnifiedGroup -DLIdentity “My New Group”

If you wanted you can use several Optional parameters like this

New-UnifiedGroup -DLIdentity “My New Group” -Alias “GroupAlias” -SubscriptionEnabled -AutoSubscribeNewmembers -AccessType Private

We can modify the group settings by using the cmdlet Set-UnifiedGroup

Set-UnifiedGroup -Identity “My New Group” -AccessType Public -AlwaysSubscribeMembersToCalendarEvents

We can add Member or Owners by using the cmdlet Add-UnifiedGroupLinks

Add-UnifiedGroupLinks -Identity “My New Group” -LinkType Owners -Links chris@contoso.com          #Adds owner

Add-UnifiedGroupLinks -Identity “My New Group” -LinkType Members -Links george@contoso.com,linda@contoso.com         #Adds members

Note: See Remove-UnifiedGroupLinks to remove Members/Owners from group

  1. You can manually create/modify O365 Groups using the following portals

    1. Azure Active Directory
    2. Office Admin Portal
    3. Exchange Admin Center

How to remove/cleanup O365 Groups?

  1. A great way to automate the cleanup of O365 Groups in your tenant is thru an Expiration Policy which is off by default.  If you configure it, then owners will get an email XX days before it is soft-deleted at which point owners will have XX days to recover it before it is permanently deleted.

Configuring the policy requires Global Admin permission and is done in AAD portal, you can choose from 180 days, 365 days, or custom which has to be greater then 30 days.  In the portal go to User and Groups -> Group Settings -> Expiration and set the desired policy.

Note: All objects attached to the group including the group itself can have a retention policy, and once the group is deleted those policies will be enforced (For more info see this article)

  1. PowerShell/API

To remove O365 Groups with PowerShell you will need to first connect to Exchange Online and retrieve cmdlet’s the following lines perform this

$Creds = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Creds -Authentication Basic -AllowRedirection

Import-PSSession $Session

              To remove the O365 Group run the cmdlet Remove-UnifiedGroup

Remove-UnifiedGroup -Identity “My New Group” -Force

  1. You can manually remove O365 Groups using the following portals

    1. Azure Active Directory
    2. Office Admin Portal
    3. Exchange Admin Center

How to upgrade Distribution lists and which ones can I not upgrade?

There are two ways to upgrade a DL to an O365 Group

  1. You can use the Exchange Admin center to upgrade all eligible DL’s, see this article for steps.
  2. You can use PowerShell to upgrade individual DL’s or all eligible DL’s, Cmdlets you will possibly  use are Upgrade-DistributionGroup and Get-EligibleDistributionGroupForMigration and Get-UnifiedGroup
    1. To upgrade a single DL you would run the following command Upgrade-DistributionGroup -DLIdenties <DLName>
    2. To upgrade multiple DL you have two choices
  3. Upgrades all named DL’s Upgrade-DistributionGroup -DLIdenties <DLName1>,<DLName2>
  4. Upgrade all eligible DL’s Get-EligibleDistributionGroupForMigration | Upgrade-DistributionGroup

NOTE: You need to be either an Exchange Admin or a Global admin to perform this task

Any DL that falls into these categories will not be eligible for upgrade:

  • Nested
  • Security groups
  • Dynamic distribution lists
  • On-premises owned

Watch for further emails to look at further managing of O365 groups.

Pax