Using PowerShell To Manage Office 365 Groups And

Transcription

Tony Redmond

Sensitivity: Confidential

Using PowerShell to manage Office 365 Groups and Microsoft Teams
Tony Redmond
@12Knocksinna

Tony Redmond
- Lead author for “Office 365 for ITPros” eBook pros/
- MVP since 2004
- Columnist for Petri.com

Context
- Not an Expert class
- Practical rather than beautiful
- Focused on getting work done
- You can always improve PowerShell code later

Office 365 is great, so why do I need PowerShell?
- Admin Tools are imperfect
- Microsoft cannot anticipate every possible administrative task
- PowerShell helps you to understand Office 365
- PowerShell isn’t difficult, and it can be fun
- But sometimes, PowerShell is the wrong answer

Tools of the Trade
- Exchange Online (*-UnifiedGroup and *-UnifiedGroupLinks, and Search-UnifiedAuditLog)
- Teams PowerShell module
- SharePoint Online PowerShell module
- Security and Compliance Center
- Azure Active Directory Preview (V2.0.0.137)

A Complex Environment
- Teams depend on Office 365 Groups and share common membership
- Azure Active Directory is the master
- UnifiedGroup cmdlets read EXODS; SharePoint cmdlets read SPODS
- Whenever possible, use Teams cmdlets to update groups used with Teams and Groups cmdlets otherwise
- We can read settings, but not content (conversations)

Avoid PowerShell Throttling
- Use server-side filters whenever possible
- Select properties to reduce data passing between client and server
- Use Invoke-Command to process data remotely

    $Groups = (Invoke-Command -Session $Session -ScriptBlock {Get-UnifiedGroup -ResultSize Unlimited | Select-Object DisplayName, Alias, GroupMemberCount, WhenCreated})

Connecting to PowerShell (otherwise your cmdlets won’t work)
- Connect to Exchange Online to use *-UnifiedGroup cmdlets and other Exchange cmdlets (like Search-UnifiedAuditLog)
- Connect to Teams to use Teams cmdlets
- Connect to Azure Active Directory to use Azure AD cmdlets
- Connect to SharePoint Online to interact with sites
- Confused? Use Michel de Rooij’s PowerShell profile for Office office-365exchange/

Some Basic Cmdlets

Function: Cmdlets
- Create Groups and Teams: New-UnifiedGroup / New-Team
- Retrieve FunSettings Get-TeamChannel
- Update settings: Set-UnifiedGroup, Set-Team*
- Access membership: Get-UnifiedGroupLinks [-LinkType Members, er

Cmdlet Identities
- Groups cmdlets behave like Exchange mailbox cmdlets

    Get-UnifiedGroup -Identity GroupAdmins@Office365ItPros.com

- Some Exchange mailbox cmdlets work against group mailboxes
- Teams and Azure AD cmdlets use GUIDs

    Get-TeamUser -GroupId 72ee570e-3dd8-41d2-bc84-7c9eb8024dd4

- If you don’t know a GUID, ask Groups

    Get-TeamUser -GroupId (Get-UnifiedGroup
    Get-AzureADGroupMember -ObjectId (Get-UnifiedGroup -Identity

Demo
Hacking Around with Groups and Teams in PowerShell

Azure AD Policy for Groups
- Controls whether users can create groups and teams
- Controls whether guest users are supported on a tenant-wide or group-specific basis
- Defines classifications
- Defines naming policy for new groups and teams
- Must be manipulated with PowerShell
- Policy settings in Azure AD settings object

Creating a new Groups policy

    [PS] C:\> Connect-AzureAD
    [PS] C:\> $Policy = Get-AzureADDirectorySettingTemplate | ?{$_.DisplayName -eq "Group.Unified"}
    [PS] C:\> $Settings = $Policy.CreateDirectorySetting()
    [PS] C:\> New-AzureADDirectorySetting -DirectorySetting $Settings

ining Groups Policy Settings

    [PS] C:\> Get-AzureADDirectorySetting | ForEach

    ClassificationDescriptions   General Usage:Anyone can access,External Access:Available outside the company,Internal Only:Must not be shared with external people,Confidential:Can only be disclosed with management permission
    DefaultClassification        General
    uidelines.html
    eral Usage,External Access,Internal
    EnableGroupCreation          False

Updating Group Policy Setting for Group Creation

    # GUID for group specifying people who can create groups
    [PS] C:\> ObjectId ol).ObjectId
    # Retrieve current policy settings
    [PS] C:\> $Settings = Get-AzureADDirectorySetting | ?{$_.DisplayName -eq "Group.Unified"}
    # Block general group creation
    [PS] C:\> $Settings["EnableGroupCreation"] = "False"
    # Except for the group pointed to in ObjectId
    [PS] C:\> $Settings["GroupCreationAllowedGroupId"] = $ObjectId
    # And update the policy
    [PS] C:\> Set-AzureADDirectorySetting -Id $Settings.Id -DirectorySetting $Settings

Who Can Create Groups and Teams?

    Get-AzureADGroupMember -ObjectId $ObjectId | Format-Table DisplayName, UserPrincipalName
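A check that can follow the policy update, as an added example that is not from the original slides: it reads a Group.Unified settings object and reports what the values mean for group creation and guests. The function name and the sample object are hypothetical and constructed here; AllowToAddGuests and ClassificationList are assumed to be present in the settings template.

```powershell
# Live, the setting comes from the call shown on the slides:
#   $Setting = Get-AzureADDirectorySetting | ?{$_.DisplayName -eq "Group.Unified"}
function Test-GroupCreationPolicy {
    param([Parameter(Mandatory)] $Setting)    # needs .Values holding Name/Value pairs
    $Values = @{}
    foreach ($Pair in $Setting.Values) { $Values[$Pair.Name] = [string]$Pair.Value }

    # Setting values are strings. [bool]'False' is $true in PowerShell, so compare text.
    $Open    = $Values['EnableGroupCreation'] -eq 'True'
    $Allowed = $Values['GroupCreationAllowedGroupId']
    $Creation = if ($Open) {
        'Open: any user can create groups and teams'
    } elseif ($Allowed) {
        "Restricted: only members of group $Allowed"
    } else {
        'Blocked: no allowed group is set'
    }

    $Warnings = @()
    if ($Open -and $Allowed) {
        $Warnings += 'GroupCreationAllowedGroupId is set but has no effect while creation is open'
    }
    $List = @($Values['ClassificationList'] -split ',' | ForEach-Object { $_.Trim() })
    $Default = $Values['DefaultClassification']
    if ($Default -and $List -notcontains $Default) {
        $Warnings += "DefaultClassification '$Default' is not in ClassificationList"
    }

    [pscustomobject]@{
        Creation    = $Creation
        GuestsAdded = $Values['AllowToAddGuests'] -eq 'True'
        Warnings    = $Warnings
    }
}

# Constructed sample settings object (hypothetical values, placeholder GUID)
$Sample = [pscustomobject]@{
    DisplayName = 'Group.Unified'
    Values = @(
        [pscustomobject]@{ Name = 'EnableGroupCreation';         Value = 'False' },
        [pscustomobject]@{ Name = 'GroupCreationAllowedGroupId'; Value = '00000000-0000-0000-0000-000000000000' },
        [pscustomobject]@{ Name = 'AllowToAddGuests';            Value = 'True' },
        [pscustomobject]@{ Name = 'ClassificationList';          Value = 'General Usage,External Access,Internal Only,Confidential' },
        [pscustomobject]@{ Name = 'DefaultClassification';       Value = 'General' }
    )
}
Test-GroupCreationPolicy -Setting $Sample | Format-List
```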

Some PowerShell Projects with Groups and Teams
Just to get your creative juices going

Project: Find Inactive Groups and Teams
- Some groups and teams are created and then go into a state of disuse after a short period
- Goal is to find these groups and teams and then remove or archive them
- No functionality available in standard product
- To detect latest activity:
  - Look for SharePoint activity in Office 365 Audit Log
  - Look for conversations in group inbox
  - Look for Teams compliance records
- Generate nice report

Project: Archive Obsolete Groups and Teams
- If we find obsolete groups or teams, we might want to keep them in an inactive state, just in case they are needed again
- Remove current membership
- Add new owner
- Replace SMTP address
- Set custom attribute to make it easy to find archived groups

Project: Find Groups About to Expire
- Notifications generated by the Groups expiration policy tell owners when their groups expire
- Tenant admins might like to know too, just in case an important group or team is removed in error
- Look for groups in scope of expiration policy
- Calculate next expiration date
- Sort report by days left before expiry

Project: Who Shared Documents?
- Groups and Teams make SharePoint document libraries very accessible
- Users can share documents easily, including with users outside the tenant
- Office 365 audit records give us a way to check who shares documents

Unified Audit Log
- Ingests data from multiple Office 365 sources and normalizes audit records
- Retained for 90 days (180 days with Advanced Security Management, or more with ISV products)
- Rich source for investigations about what happens inside Office 365
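How the "Who Shared Documents?" project can use these audit records, as an added example that is not from the original slides: each record carries its detail as a JSON string in AuditData, which the function parses and flags when the share leaves the tenant. The function name, the operation list and the sample records are assumptions constructed here, as is the presence of the TargetUserOrGroupName and TargetUserOrGroupType fields in sharing records.

```powershell
# Operations of interest. Live, the records would come from a connected session:
#   Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
#       -Operations $SharingOperations -ResultSize 5000
$SharingOperations = 'SharingSet', 'SharingInvitationCreated', 'AnonymousLinkCreated'

function Get-SharingReport {
    param([Parameter(Mandatory)] [object[]] $Records)
    foreach ($Record in $Records) {
        $Data = $Record.AuditData | ConvertFrom-Json   # AuditData is a JSON string
        if ($SharingOperations -notcontains $Data.Operation) { continue }
        $Target = $Data.TargetUserOrGroupName
        # External: anonymous link, guest-type target, or guest account name (#EXT#)
        $External = ($Data.Operation -eq 'AnonymousLinkCreated') -or
                    ($Data.TargetUserOrGroupType -eq 'Guest') -or
                    ($Target -like '*#EXT#*')
        [pscustomobject]@{
            Time     = [datetime]$Data.CreationTime
            User     = $Data.UserId
            Action   = $Data.Operation
            Item     = $Data.ObjectId
            SharedTo = $Target
            External = $External
        }
    }
}

# Constructed sample records (not real tenant data), shaped like audit search results
$Sample = @(
    @{ CreationTime = '2018-05-01T09:15:00'; Operation = 'SharingSet'; UserId = 'kim@contoso.example'
       ObjectId = 'https://contoso.example/sites/plan/Shared Documents/Budget.xlsx'
       TargetUserOrGroupName = 'alex_fabrikam.example#EXT#@contoso.example'; TargetUserOrGroupType = 'Guest' },
    @{ CreationTime = '2018-05-01T10:02:00'; Operation = 'SharingSet'; UserId = 'kim@contoso.example'
       ObjectId = 'https://contoso.example/sites/plan/Shared Documents/Notes.docx'
       TargetUserOrGroupName = 'lee@contoso.example'; TargetUserOrGroupType = 'Member' },
    @{ CreationTime = '2018-05-02T14:30:00'; Operation = 'AnonymousLinkCreated'; UserId = 'lee@contoso.example'
       ObjectId = 'https://contoso.example/sites/sales/Shared Documents/Prices.pdf' },
    @{ CreationTime = '2018-05-02T15:00:00'; Operation = 'FileAccessed'; UserId = 'lee@contoso.example'
       ObjectId = 'https://contoso.example/sites/sales/Shared Documents/Prices.pdf' }
) | ForEach-Object { [pscustomobject]@{ AuditData = ($_ | ConvertTo-Json -Compress) } }

# Report only the shares that left the tenant, oldest first
Get-SharingReport -Records $Sample | Where-Object External | Sort-Object Time |
    Format-Table Time, User, Action, SharedTo, Item -AutoSize
```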

Project: Report Guest Users
- It’s easy for Group Owners to add guests to Teams and Groups, but do you know who the guests are and where they come from?
- It’s a bad idea to put very confidential information in a group that has guests, unless you intend to share that way
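One way to answer "where do they come from", as an added example that is not from the original slides: guest accounts carry their original mail address in the account name, with "@" stored as "_" ahead of an #EXT# marker, so the source domain can be recovered and counted. The function name and the membership rows are hypothetical and constructed here; the commented pipeline assumes the GroupExternalMemberCount property and the Name value returned by Get-UnifiedGroupLinks.

```powershell
# Live, rows could be built in a connected Exchange Online session (assumed shape):
#   Get-UnifiedGroup -ResultSize Unlimited | Where-Object { $_.GroupExternalMemberCount -gt 0 } |
#     ForEach-Object { $G = $_; Get-UnifiedGroupLinks -Identity $G.Alias -LinkType Members |
#       Select-Object @{n='Group';e={$G.DisplayName}}, Name }
function Get-GuestOrigin {
    param([Parameter(Mandatory)] [object[]] $Members)
    foreach ($Member in $Members) {
        # Guest names look like local_domain#EXT#; tenant members have no #EXT# marker
        if ($Member.Name -notmatch '^(?<mail>.+)#EXT#') { continue }
        $Mail = $Matches.mail
        $Cut  = $Mail.LastIndexOf('_')     # the original "@" is stored as the last "_"
        if ($Cut -lt 1) { continue }       # malformed name: skip rather than guess
        [pscustomobject]@{
            Group  = $Member.Group
            Guest  = $Mail.Substring(0, $Cut) + '@' + $Mail.Substring($Cut + 1)
            Domain = $Mail.Substring($Cut + 1).ToLower()
        }
    }
}

# Constructed membership rows (not real tenant data)
$Sample = @(
    [pscustomobject]@{ Group = 'Project Plan'; Name = 'alex_fabrikam.example#EXT#' },
    [pscustomobject]@{ Group = 'Project Plan'; Name = 'kim.akers' },
    [pscustomobject]@{ Group = 'Sales';        Name = 'jo_smith_fabrikam.example#EXT#' },
    [pscustomobject]@{ Group = 'Sales';        Name = 'pat_northwind.example#EXT#' }
)

$Guests = Get-GuestOrigin -Members $Sample
# Which outside domains have the most guests, then the per-group detail
$Guests | Group-Object Domain | Sort-Object Count -Descending | Format-Table Count, Name
$Guests | Sort-Object Group, Guest | Format-Table Group, Guest, Domain
```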

Project: Last Time Guest Users Connected
- Teams, Office 365 Groups, SharePoint Online, and Planner use Azure B2B Collaboration for guest user access
- How do you know whether guests actually connect and use resources in your tenant?

Things to Remember
- Lots of PowerShell examples and advice available on the internet
- Never download and run code without checking it first
- You don’t have to be an expert to screw things up

Thanks!
