Gist mrik23/839144ebd0faf642cc8c6fc8c8dab8cf (last active May 26, 2017 08:55)
PowerShell script that changes the Azure AD directory settings for Office 365 Groups (also called Unified Groups) so that ordinary users can no longer create them, members of a designated security group keep the right to create them, and guest users are blocked from being added to and from accessing Office 365 Groups. This is a quick way for an admin to regain control of a tenant.
<#
Description:
This script modifies the Azure AD directory setting for Unified Groups (template "Group.Unified") so that only members of a dedicated security group can create Office 365 Groups.
It also blocks external (guest) users from being added to Office 365 Groups and from accessing them. Note that the guest restriction can still be overridden for individual groups by applying a per-group setting (template "Group.Unified.Guest"), so audit those overrides separately.
Run this script step by step in PowerShell ISE and review the output of each check before applying the change. Modify the settings or add others as you need.
Prerequisites:
- Azure Active Directory V2 PowerShell Module, Public Preview Release 2.0.0.114: https://www.powershellgallery.com/packages/AzureADPreview/2.0.0.114
- A security group in your Azure AD tenant (cloud-only or synced from on-premises AD) containing the users allowed to create Office 365 Groups
Official documentation:
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-groups-settings-cmdlets?view=azureadps-1.0
https://support.office.com/en-us/article/Control-who-can-create-Office-365-Groups-4c46c8cb-17d0-44b5-9776-005fced8e618?ui=en-US&rs=en-US&ad=US
https://docs.microsoft.com/en-us/powershell/module/azuread/?view=azureadps-2.0-preview#directory_settings
#>
## Connect as a tenant admin (a role allowed to manage directory settings)
Connect-AzureAD

## Name of the security group whose members may create Office 365 Groups AKA Unified Groups.
## This can be a cloud-only Azure AD security group or one synced from on-premises AD.
$GroupName = "AllowO365Groups"

## Retrieve the security group. -Filter is an exact match on DisplayName; -SearchString would
## also match any group whose name merely starts with $GroupName, so it could pick the wrong one.
$AllowedGroup = Get-AzureADGroup -Filter "DisplayName eq '$GroupName'"
if (@($AllowedGroup).Count -ne 1) {
    throw "Expected exactly one group named '$GroupName', found $(@($AllowedGroup).Count)."
}

## Check the directory settings currently in place
Get-AzureADDirectorySetting

## Check the current settings for Unified Groups, if the tenant has any yet
$Current = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
if ($Current) { $Current.Values }

## Check the settings templates available
Get-AzureADDirectorySettingTemplate

## Get the settings template for Unified Groups AKA Office 365 Groups
$Template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq 'Group.Unified' }

## Work on the existing setting object if there is one, so values you are not changing
## (for example UsageGuidelinesUrl) are preserved; otherwise create a new one from the template.
if ($Current) { $Settings = $Current } else { $Settings = $Template.CreateDirectorySetting() }

## Check the current (or default) settings values
$Settings.Values

## Disable Office 365 Groups creation for everyone...
$Settings["EnableGroupCreation"] = $false
## ...except members of the allowed security group (by-pass)
$Settings["GroupCreationAllowedGroupId"] = $AllowedGroup.ObjectId
## Block guests from being added to Office 365 Groups
$Settings["AllowToAddGuests"] = $false
## Block guests from accessing Office 365 Groups
$Settings["AllowGuestsToAccessGroups"] = $false

## Check the settings values are as expected before applying
$Settings.Values

## Apply: update the existing Unified Groups setting, or create it if the tenant has none yet
## (Set-AzureADDirectorySetting fails with a null -Id when no setting exists)
if ($Current) {
    Set-AzureADDirectorySetting -Id $Current.Id -DirectorySetting $Settings
} else {
    New-AzureADDirectorySetting -DirectorySetting $Settings
}

## Check the settings have been applied correctly
(Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }).Values

## Disconnect from Azure AD
Disconnect-AzureAD
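An added verification example, not part of the original gist: the function below re-reads the tenant-wide Group.Unified setting, compares it with the intended baseline (creation disabled, guests blocked, the by-pass group pointing at the right security group), and lists every Office 365 Group that carries its own Group.Unified.Guest override, which is the per-group bypass mentioned in the header comment. It uses the same AzureADPreview cmdlets as the script and assumes an open Connect-AzureAD session; the default group name "AllowO365Groups" is an assumption taken from the script above and should be adjusted to your tenant.

```powershell
## Added example (not part of the original gist): audit the tenant against the intended baseline.
## Assumes an open Connect-AzureAD session and the allowed-group name used in the script above.
function Test-UnifiedGroupBaseline {
    param(
        [string]$AllowedGroupName = "AllowO365Groups"   # assumed; adjust to your tenant
    )

    $findings = @()

    # Tenant-wide Group.Unified setting; if none exists, the tenant runs on template defaults
    $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
    if (-not $setting) {
        $findings += "No Group.Unified directory setting exists: group creation is open to all users."
        return $findings
    }

    # Flatten the Name/Value collection into a hashtable for comparison
    $values = @{}
    foreach ($v in $setting.Values) { $values[$v.Name] = $v.Value }

    # Expected tenant-wide values (stored as strings in the setting object)
    $expected = @{
        EnableGroupCreation       = 'False'
        AllowToAddGuests          = 'False'
        AllowGuestsToAccessGroups = 'False'
    }
    foreach ($name in $expected.Keys) {
        if ([string]$values[$name] -ne $expected[$name]) {
            $findings += "$name is '$($values[$name])', expected '$($expected[$name])'."
        }
    }

    # The by-pass group must resolve to the intended security group: a deleted group leaves
    # nobody able to create groups, a wrong group hands creation rights to the wrong people
    $allowedId = [string]$values['GroupCreationAllowedGroupId']
    if ([string]::IsNullOrEmpty($allowedId)) {
        $findings += "GroupCreationAllowedGroupId is empty: nobody can create groups."
    } else {
        $g = $null
        try { $g = Get-AzureADGroup -ObjectId $allowedId -ErrorAction Stop } catch { }
        if (-not $g) {
            $findings += "GroupCreationAllowedGroupId $allowedId does not resolve to a group."
        } elseif ($g.DisplayName -ne $AllowedGroupName) {
            $findings += "GroupCreationAllowedGroupId points at '$($g.DisplayName)', expected '$AllowedGroupName'."
        }
    }

    # Per-group Group.Unified.Guest settings override the tenant-wide guest block
    $unified = Get-AzureADMSGroup -All $true | Where-Object { $_.GroupTypes -contains 'Unified' }
    foreach ($grp in $unified) {
        $override = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $grp.Id |
            Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }
        if ($override -and "$($override['AllowToAddGuests'])" -eq 'True') {
            $findings += "Group '$($grp.DisplayName)' ($($grp.Id)) allows adding guests via a per-group override."
        }
    }

    if ($findings.Count -eq 0) { "Baseline OK" } else { $findings }
}

Test-UnifiedGroupBaseline
```

Run it right after the script, and again on a schedule: the tenant-wide setting and the per-group overrides can both be changed by anyone holding a group-management role, so a one-time fix without a recurring check drifts.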