Exemplo de script do PowerShell – Criar grupos de segurança para educadores e alunos em sua escola
Use este script do PowerShell para criar os grupos de segurança necessários para gerenciar políticas do Microsoft Teams em sua escola. A atribuição de política ao recurso de grupos no Teams permite atribuir uma política a um grupo de usuários, como um grupo de segurança. As atribuições de política serão propagadas para os membros do grupo, de acordo com as regras de precedência. À medida que os membros forem adicionados ou removidos de um grupo, as atribuições de política herdadas serão atualizadas.
Este script do PowerShell cria dois grupos de segurança, um para funcionários e educadores e outro para alunos da sua escola, com base no tipo de licença. Em seguida, você pode atribuir políticas aos grupos de segurança que você criou. Para obter mais informações sobre como usar esse script, consulte Atribuir políticas a grandes conjuntos de usuários em sua escola.
Este script faz o seguinte:
- Identifica funcionários e educadores que recebem um SKU do Corpo Docente, cria um grupo de segurança e adiciona funcionários e educadores ao grupo.
- Identifica os alunos que recebem um SKU de Estudante, cria um grupo de segurança e adiciona os alunos ao grupo.
- Atualizações a associação de cada grupo de segurança para adicionar ou remover funcionários, educadores e alunos com base em se eles têm uma licença.
Você precisará executar esse script regularmente para manter os grupos de segurança atualizados e atualizados.
Importante
É importante entender regras de precedência e classificação de atribuição de grupo ao atribuir políticas a grupos. Certifique-se de ler e entender os conceitos no que você precisa saber sobre a atribuição de política para grupos.
Antes de começar
Baixe e instale o módulo Skype for Business Online do PowerShell e reinicie seu computador, se solicitado.
Nota
Azure AD Powershell está previsto para ser preterido em 30 de março de 2024. Para saber mais, leia a atualização de preterição.
Recomendamos migrar para o Microsoft Graph PowerShell para interagir com Microsoft Entra ID (anteriormente Azure AD). O Microsoft Graph PowerShell permite acesso a todas as APIs do Microsoft Graph e está disponível no PowerShell 7. Para obter respostas para consultas de migração comuns, consulte as perguntas frequentes sobre migração.
Para se inclinar mais, consulte Gerenciar Skype for Business Online com Office 365 visão geral do PowerShell e do Teams PowerShell.
Script de exemplo
<#
Script Name:
CreateOrUpdate_SecurityGroup_Per_LicenseType.ps1
Synopsis:
This script is designed to perform following operations:
1. Create a security group for faculty and student members based on the assigned license SKU and add the members accordingly.
2. Update the security group to add/remove teachers and students so that only users who have a valid teacher/student license are present in the group.
The output of the script is written in a log file present at location: C:\results\log.txt
Written By:
Mihir Roy
Change Log:
Version 1.0, 10/08/2019 - First Draft
#>
#Figure out to determine if the user is using an existing group or creating a new one
param
(
[string]$teachergroupname,
[string]$teachergroupdesc,
[string]$studentgroupname,
[string]$studentgroupdesc,
[Guid]$facultyid,
[Guid]$studentid
)
[bool] $create = $false
if ([string]::IsNullOrEmpty($teachergroupname) -and [string]::IsNullOrEmpty($studentgroupname) -and [string]::IsNullOrEmpty($studentid) -and [string]::IsNullOrEmpty($facultyid)) {
throw "Please enter valid groupnames to create groups for Teachers and Students. In order to update a group, please enter the teacher and/or student group id's."
}
#Connect to Azure AD
Write-Host "`n"
Write-Host -ForegroundColor Green "Please enter your Global Administrator Username and Password"
Write-Host "`n"
Connect-MsolService
[Guid] $teachergroupid = New-Guid
[Guid] $studentgroupid = New-Guid
if (![string]::IsNullOrEmpty($teachergroupname)) {
New-MsolGroup -DisplayName $teachergroupname -Description $teachergroupdesc
$Group = Get-MsolGroup -SearchString $teachergroupname
$teachergroupid = $Group.ObjectId
$create = $true
}
if (![string]::IsNullOrEmpty($studentgroupname)) {
New-MsolGroup -DisplayName $studentgroupname -Description $studentgroupdesc
$Group = Get-MsolGroup -SearchString $studentgroupname
$studentgroupid = $Group.ObjectId
$create = $true
}
#Build the Students Array
$StudentsArray = @()
#Build the Teachers Array
$TeachersArray = @()
#Build the Student Sku Array
$StudentSkus = @()
$AllSkus = Get-AzureADSubscribedSku
$StudentSkuIDs = ($AllSkus | ? {$_.skupartnumber -like "*student*"}).skuid
Write-Host -ForegroundColor Green "The Student Skus identified are listed below:"
Foreach ($Element in $StudentSkuIDs) {
$SkuPart = (Get-AzureADSubscribedSku | ? {$_.SkuID -eq $Element}).SkuPartNumber
Write-Host -ForegroundColor Green "Student SkuID ${Element} for License $SkuPart"
}
Write-Host "`n"
#Build the Teacher Sku Array
$TeacherSkus = @()
$AllSkus = Get-AzureADSubscribedSku
$TeacherSkuIDs = ($AllSkus | ? {$_.skupartnumber -like "*faculty*"}).skuid
Write-Host -ForegroundColor Green "The Teacher Skus identified are listed below:"
Foreach ($Element in $TeacherSkuIDs) {
$SkuPart = (Get-AzureADSubscribedSku | ? {$_.SkuID -eq $Element}).SkuPartNumber
Write-Host -ForegroundColor Green "Teacher SkuID ${Element} for License $SkuPart"
}
Write-Host "`n"
#Get All Users in AAD
Write-Host -ForegroundColor Green "Getting All Users in Azure Active Directory with an assigned license"
Write-Host "`n"
$AllUsers = Get-AzureADUser -All $true | ? {$_.AssignedLicenses -ne $null}
$teacherAdd = $create -and ($teachergroupid -ne $null)
$studentAdd = $create -and ($studentgroupid -ne $null)
#Start foreach loop for all users with student licenses
if ($teacherAdd -or $studentAdd) {
Foreach ($User in $AllUsers) {
$ObjectID = $User.ObjectID
Write-host "`n"
Write-Host -ForegroundColor Green "Getting Assigned Licenses for $DN"
$GetUser = Get-AzureADUser -objectid $user.objectid
$AssignedLicenses = ($GetUser | select -ExpandProperty assignedlicenses).skuid
Write-Host -ForegroundColor Green "User Assigned License: " $User.Displayname "-" $AssignedLicenses "-" $User.ObjectId
#Set Variables
$UPN = $User.userprincipalname
$DN = $User.Displayname
$OBJ = $User.ObjectID
$Age = $User.AgeGroup
$Consent = $User.ConsentProvidedForMinor
$Legal = $User.LegalAgeGroupClassification
#Start foreach loop for all assigned skus
Foreach ($License in $AssignedLicenses) {
#Creating new PS Object for each Sku and adding to the array
If ($TeacherSkuIDs -contains $License) {
$TeacherObj = New-Object PSObject
$TeacherObj | Add-Member NoteProperty -Name UserPrincipalName -Value $UPN
$TeacherObj | Add-Member NoteProperty -Name DisplayName -Value $DN
$TeacherObj | Add-Member NoteProperty -Name ObjectID -Value $OBJ
$TeacherObj | Add-Member NoteProperty -Name SkuID -Value $License
$TeacherObj | Add-Member NoteProperty -Name AgeGroup -Value $Age
$TeacherObj | Add-Member NoteProperty -Name ConsentProvidedForMinor -Value $Consent
$TeacherObj | Add-Member NoteProperty -Name LegalAgeGroupClassification -Value $Legal
$TeachersArray += $TeacherObj
if ($teachergroupid -ne $null) {
Add-MsolGroupMember -GroupObjectId $teachergroupid -GroupMemberType User -GroupMemberObjectId $OBJ
}
}
If ($StudentSkuIDs -contains $License) {
$StudentObj = New-Object PSObject
$StudentObj | Add-Member NoteProperty -Name UserPrincipalName -Value $UPN
$StudentObj | Add-Member NoteProperty -Name DisplayName -Value $DN
$StudentObj | Add-Member NoteProperty -Name ObjectID -Value $OBJ
$StudentObj | Add-Member NoteProperty -Name SkuID -Value $License
$StudentObj | Add-Member NoteProperty -Name AgeGroup -Value $Age
$StudentObj | Add-Member NoteProperty -Name ConsentProvidedForMinor -Value $Consent
$StudentObj | Add-Member NoteProperty -Name LegalAgeGroupClassification -Value $Legal
$StudentsArray += $StudentObj
if ($studentgroupid -ne $null) {
Add-MsolGroupMember -GroupObjectId $studentgroupid -GroupMemberType User -GroupMemberObjectId $OBJ
}
}
}
}
}
if ((!$teacherAdd) -and ($facultyid -ne $null)) {
#Users to be Added in the Teacher Group that are not present
$teacherGrpMembers = Get-MsolGroupMember -GroupObjectId $facultyid
$teachersToAdd = ($AllUsers | ? {$_.ObjectId -ne $null}).objectid | Where {($teacherGrpMembers | ? {$_.ObjectId -ne $null}).objectid -NotContains $_}
Foreach ($id in $teachersToAdd) {
$GetUser = Get-AzureADUser -objectid $id
$AssignedLicenses = ($GetUser | select -ExpandProperty assignedlicenses).skuid
Foreach ($License in $AssignedLicenses) {
#Adding faculty members to the security group
If ($TeacherSkuIDs -contains $License) {
Add-MsolGroupMember -GroupObjectId $facultyid -GroupMemberType User -GroupMemberObjectId $id
}
}
}
#Users (Faculty) to be removed from the group that are not in tenant anymore
$teachersToRemove = ($teacherGrpMembers | ? {$_.ObjectId -ne $null}).objectid | Where {($AllUsers | ? {$_.ObjectId -ne $null}).objectid -NotContains $_}
if ($teachersToRemove.Count > 0) {
Foreach ($id in $teachersToRemove) {
Remove-MsoLGroupMember -GroupObjectId $facultyid -GroupMemberType User -GroupmemberObjectId $id
}
}
}
if ((!$studentAdd) -and ($studentid -ne $null)) {
#Users to be Added in the Student Group that are not present
$studentGrpMembers = Get-MsolGroupMember -GroupObjectId $studentid
$studentsToAdd = ($AllUsers | ? {$_.ObjectId -ne $null}).objectid | Where {($studentGrpMembers | ? {$_.ObjectId -ne $null}).objectid -NotContains $_}
Foreach ($id in $studentsToAdd) {
$GetUser = Get-AzureADUser -objectid $id
$AssignedLicenses = ($GetUser | select -ExpandProperty assignedlicenses).skuid
Foreach ($License in $AssignedLicenses) {
#Adding student members to the security group
If ($StudentSkuIDs -contains $License) {
Add-MsolGroupMember -GroupObjectId $studentid -GroupMemberType User -GroupMemberObjectId $id
}
}
}
#Users (Students) to be removed the group that are not in tenant anymore
$studentsToRemove = ($studentGrpMembers | ? {$_.ObjectId -ne $null}).objectid | Where {($AllUsers | ? {$_.ObjectId -ne $null}).objectid -NotContains $_}
if ($studentsToRemove.Count > 0) {
Foreach ($id in $studentsToRemove) {
Remove-MsolGroupMember -GroupObjectId $studentid -GroupMemberType User -GroupmemberObjectId $id
}
}
}
Start-Transcript -Path "C:\results\log.txt"
if ($facultyid -ne $null) {
$TeacherGroup = Get-MsolGroupMember -GroupObjectId $facultyid
Write-Host -ForegroundColor Green "Teacher Group Count:" $TeacherGroup.Count
Write-Host -ForegroundColor Green "Teacher Group Id:" $facultyid
}
else {
$TeacherGroup = Get-MsolGroupMember -GroupObjectId $teachergroupid
Write-Host -ForegroundColor Green "Teacher Group Count:" $TeacherGroup.Count
Write-Host -ForegroundColor Green "Teacher Group Id:" $teachergroupid
}
if ($studentid -ne $null) {
$StudentGroup = Get-MsolGroupMember -GroupObjectId $studentid
Write-Host -ForegroundColor Green "Student Group Count:" $StudentGroup.Count
Write-Host -ForegroundColor Green "Student Group Id:" $studentid
}
else {
$StudentGroup = Get-MsolGroupMember -GroupObjectId $studentgroupid
Write-Host -ForegroundColor Green "Student Group Count:" $StudentGroup.Count
Write-Host -ForegroundColor Green "Student Group Id:" $studentgroupid
}
Stop-Transcript