Presented by Max Fritz at SPS Omaha 2018

1. @theCloudSherpa
A user created an Office 365
Group
You’ll never believe what happens next!
Max Fritz

2. Max Fritz
Email : max@o365mn.org
Twitter : @TheCloudSherpa
Blog: maxafritz.com
LinkedIn : in/maxafritz
Senior Consultant
MCSA Office 365, MCSE Productivity
Founder/Leader of Minnesota Office 365 User
Group
Working with Office 365 for over 8 years
Focus in Azure AD, Exchange, and SharePoint
Online
Contact Details

3. Thank
You
Sponsors
!

4. Show of hands

6. Hub for TeamworkCo-AuthorConnect Across
the Organization
Intranets &
Content Management
Email & Calendar
TeamsOffice AppsYammerSharePointOutlook
Office 365 Groups
Single team membership
across apps and services
Microsoft Graph
Suite-wide intelligence
connecting people and content
Security and Compliance
Centralized policy management

8. Skype for Business
Call or Instant
Message (IM)
Outlook Email
OneDrive for
Business
Urgent/HightAd-Hoc/Low
Group size in the company
Office 365 Groups
Skype Meeting Broadcast
Yammer
(Groups and all company)
Skype for Business Online Meetings
Microsoft Teams
SP Team News, Files, OneNote, Calendar, Planner
Outlook Groups

9. Skype for Business
Call or Instant
Message (IM)
Outlook Email
OneDrive for
Business
Urgent/HightAd-Hoc/Low
Group size in the company
Office 365 Groups
Skype Meeting Broadcast
Yammer
(Groups and all company)
Skype for Business Online Meetings
Microsoft Teams
SP Team News, Files, OneNote, Calendar, Planner
Outlook Groups
Individual Team
Business
Unit
Entreprise wide /
Several Business
Units

11. SharePoint
SharePoint
Online AD
- Documents
- OneNote
Additional workloads
Workload scenarios
Local
Directory
(if applicable)
Exchange
- Conversations
- Calendar
Exchange
Online AD
- Identity
- Resource URLs
- Owners
- Members
Azure Active Directory

12. Azure Active Directory Admin Portal Office Admin Portal
Exchange Admin Center PowerShell

13. PowerShell Gallery
Office 365 Modules
SharePoint Online Module
SfB Online

14. Establish IT leadership eBook, Microsoft 2017

15. OPEN
CONTROLLED
Processes in
place
Reporting &
monitoring
Change
management

17. 1. User
enters
group
name in
PowerApps
2. Data is
sent to SPO
list
3. Flow is
triggered
and sends
approval
email
4. Manager
accepts or
rejects the
request
5. Reject:
Sender gets
a denied
email
6. Accept:
Azure
function
starts
7. Azure
function
creates the
group +
owner
8. Flow
sends email
to sender

18. Demo

20. Naming Policy
Expiration Policy
Soft Delete and Restore
Groups reporting
Security group for Group Creation

21. Documentation: What is Azure Active Directory? | Azure Active Directory pricing

22. Manage who can create Office 365 groups Populate groups dynamically based on object attributes

23. Manage who can create Office 365 Groups

24. Create attribute-based rules for dynamic
group membership in Azure Active Directory

25. Demo
Group Management

26. How do I apply
structure to how
my groups are
named?

27. Selective admin roles can override the
naming conventions and blocked words
check
Upload your organization specific blocked
words to restrict usage

28. Guidance for using prefixes and suffixes
Use Fixed strings or Attributes as prefixes and suffixes for group names and aliases
Fixed Strings
• Use short strings that can help you differentiate groups in the Global Address List (GAL) and in the
group apps.
• Some of the common prefixes and suffixes are Keywords like ‘Grp_Name’ , ‘#Name’, ‘_Name’
Attributes
• Use attributes that can help identify who created the group, like [Department] and where it was created,
like [CountryCode].
• Supported Azure AD attributes are [Department], [Company], [Office], [StateOrProvince],
[CountryOrRegion], [CountryCode], [Title]
• Only use attributes that have values filled in for all users in your organization and do not use
attributes that have long values

29. Custom Blocked Words
Specify a list of blocked words that will be restricted from user created group names and alias.
Reserve words for administrators and block Abusive words
• Use this option to restrict groups created with specific keywords that you want to reserve only for
admins like ‘Payroll’, ‘HR’, ‘CEO’, <VIP> names in your org, so that users cannot abuse them.
• Use this option to upload a list of abusive words that you want to restrict from users using in group
names and alias.

30. Selective administrator roles are exempted
Exempted administrators can create groups with the blocked words and with their
desired naming conventions.
List of exempted Azure AD administrator roles
Tenant Administrator
Partner Tier 1 Support Administrator
Partner Tier 2 Support Administrator
User Account Administrator
Directory Writers
These administrator roles are exempted across all group workloads and end points.

31. Administrator Options
Set the Prefixes and Suffixes for
group names and alias
Set Custom Blocked Words to be
restricted in group names and alias
Administrator Tools
Azure AD PowerShell – Supported
Azure AD portal – Not yet supported
View the current group settings
1. Fetch the current naming policy to view the current settings
> $Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting
| where -Property DisplayName -Value "Group.Unified" -EQ).id
> $Setting.Values
Setting the prefixes, suffixes and custom blocked words
2. Set the prefixes and suffixes
> $Setting["PrefixSuffixNamingRequirement"] = “Grp [GroupName]
[Department]"
3. Set custom blocked words that need to restricted
> $Setting["CustomBlockedWordsList"]=“Payroll,CEO,HR"
4. Save the settings for the new policy to be effective.
> Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -
Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting
$Setting

32. Demo
Naming Policy

33. What if our user attributes are quite long? Will it impact group creation?
Yes, group alias is restricted to 64 chars and group name to 256 chars. So longer user attributes used as
prefixes/suffixes could block group creation in your organization
Can we use extension attributes and custom attributes?
Extension attributes and custom attributes are currently not supported
Can we have different naming policies for each group workload?
No, this will be a tenant wide policy and will apply to all group workloads
Can we create rule based policy where we can apply prefixes only for users in a
specific department?
We currently do not support rule based policy application. We suggest that you leverage user attributes for
these scenarios
Is this a premium feature?
Yes, Group naming policy requires Azure AD Premium P1 license for unique users that are members of Office
365 groups in tenants.

34. How can I recover
groups that were
accidentally deleted?

35. Admin can permanently delete the soft
deleted group
Admin can restore the soft deleted group
and its contents within 30 days of deletion
Any group that is deleted is stored in a
separate container for 30days

36. Administrator Tools
Azure AD PowerShell – Supported
Exchange Admin Center – Supported
Exchange PowerShell – Supported
Microsoft Graph APIs – Supported
Office Admin Center – Not yet supported

37. Azure AD PowerShell and
EAC
Soft Delete groups
View Soft Deleted groups and
when it was soft deleted
Hard Delete groups (only
PowerShell)
Restore Soft Deleted groups
Soft Delete a specific group
> Remove-AzureADGroup -ObjectId <objectId of the group>
Show all Soft Deleted Groups
> Get-AzureADMSDeletedGroup
Restore a specific soft deleted group
> Restore-AzureADMSDeletedDirectoryObject -Id <objectId of the soft deleted
group>
Hard Delete a Group
> Remove-AzureADMSDeletedDirectoryObject – Id <objectId of the soft deleted
group>

38. Demo
Soft Delete and Restore

39. Can I change the soft deletion period of 30 days?
Can I restore a soft deleted group, if another group with the same name exists?
Can I soft delete a group if the group mailbox is on legal hold?
Can I soft delete a group if I have setup an Advanced retention policy in the Security
and Compliance Center?
link

40. Office Documentation
https://support.office.com/en-us/article/Restore-a-deleted-Office-365-Group-b7c66b59-657a-4e1a-8aa0-
8163b1f4eb54
Azure AD Documentation
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-groups-restore-azure-portal
MS graph API Documentation
https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/directory_deleteditems_restore
Exchange Online PowerShell
https://technet.microsoft.com/en-us/library/mt784604(v=exchg.160).aspx

41. How can I manage
unused groups?

42. Admins can select a specific set of groups and
apply the policy to those
Owners get notified by email to renew the
expiring group incase they still need to use it
Admins can expire groups created older than
x days
If the group expires and gets soft deleted,
owners can still restore the group

43. Group Owner
Renew expired groups
Restore expired groups that
were soft deleted

44. Pilot with select groups
Define a goal on which groups you want to expire
Get groups older than X days
> $date = Get-Date.AddDays(-X); > Get-UnifiedGroup -Filter {WhenCreatedUTC -le $date} -ResultSize
Unlimited
Get Ownerless groups
> Get-UnifiedGroup -ResultSize Unlimited -filter {ManagedBy -eq $null}

45. Build a strategy for Orphaned groups
Create a different email notification template to revert back to the IT admin from the group members, for
self-nomination of the person who reverts back and set them as group owners
Survey Pilot Users
To check if the owners noticed the expiry notification and to check the renewal rate

46. Roll out in phases
If your ultimate motive is to expire groups older than 6 months, start with 12 months - check the renewal rate, and
then proceed with 9 months and then finally 6 months
Onboard the Helpdesk team
Appraise the Helpdesk team of the prospective of getting more tickets during the soft deletion period of 30 days
for the groups that were not renewed and expired
If you have specific support teams for each workload such as Microsoft Teams, Sharepoint site, etc. you would
need to onboard all of them since the groups created across workloads will expire with the group expiration policy

48. Cmdlets
Add-AzureADMSLifecyclePolicyGroup
Get-AzureADMSGroupLifecyclePolicy
Get-AzureADMSLifecyclePolicyGroup
New-AzureADMSGroupLifecyclePolicy
Remove-AzureADMSGroupLifecyclePolicy
Remove-AzureADMSLifecyclePolicyGroup
Reset-AzureADMSLifeCycleGroup
Set-AzureADMSGroupLifecyclePolicy
Release Notes
Connect to Azure AD: Open AAD powershell with admin permissions and do
> Connect-AzureAD // Provide tenant admin credentials.
View current settings:
Get-AzureADMSGroupLifecyclePolicy
Setup new policy:
> New-AzureADMSGroupLifecyclePolicy -GroupLifetimeInDays 31 -ManagedGroupTypes All -
AlternateNotificationEmails admin@M365x931468.onmicrosoft.com
Update of current policy
> Set-AzureADMSGroupLifecyclePolicy -Id "9988f760-990b-47f7-9d87-549b929b605f" -GroupLifetimeInDays
32 -AlternateNotificationEmails admin@M365x931468.onmicrosoft.com
Reset of Group Expiration Date (updating the RenewedDateTime property on a group to the current
DateTime)
> Reset-AzureADMSLifeCycleGroup -GroupId <String>

49. Demo
Expiration Policy

50. Can I set an option to expire groups that are inactive?
This is not currently supported. The expiration policy is applied based on group creation date.
Can we change the expiry notification intervals?
The expiry notification intervals are fixed to 30 days, 15 days and 1 day prior to expiry and cannot be changed.
Can we apply expiration policy to specific group workloads?
The expiration policy applies to all groups workloads and it cannot be set for specific group workloads.
What happens to expiring groups if I have setup an Advanced retention policy in
Security and Compliance Portal?
When a group expires and gets soft deleted, the group’s conversations in mail box and files in the group site are
retained in the retention container for the specific number of days defined in the retention policy. Refer link for more
details.
Is this a premium feature?
Yes, Group expiration policy requires Azure AD Premium P1 license for unique users that are members of Office 365
groups in tenants.

51. Office Documentation: https://support.office.com/article/8d253fe5-0e09-4b3c-8b5e-f48def064733
Azure AD Documentation: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-groups-
lifecycle-azure-portal
MS graph API Documentation: https://developer.microsoft.com/en-us/graph/docs/api-
reference/beta/resources/grouplifecyclepolicy
PowerShell Module: https://www.PowerShellgallery.com/packages/AzureADPreview/2.0.0.137
PowerShell Documentation: https://docs.microsoft.com/en-
us/PowerShell/module/azuread/?view=azureadps-2.0-preview&branch=master#groups

53. Manage who can create Office 365 groups Populate groups dynamically based on object attributes

54. View the group mailbox storage used and
the group site storage used
View group activity across Group mailbox,
SharePoint sites and Yammer groups
View the total groups created and how
many are active

55. Groups Activity across workloads
Admin can view group activity across Group mailbox Conversations, Group site/files activity, Yammer group activity

56. Audit Logs in the Azure
AD Admin Portal
Audit Log Search in
Security and Compliance
Center

57. Group Activities that are logged and can be audited
Added group
Updated group
Deleted group
Added member to group
Removed member from group

58. Options

59. How can I
collaborate
outside my
organization?

60. User adds
joe@gmail.com to an
O365 Group
Azure Active Directory
creates Guest ID and
makes guest a member of
the group
Guest ID synched to
Exchange Online,
SharePoint Online
Guest access in Office 365 groups | Guest access in Office 365 groups – Admin Help
Guest access to resources
governed by organization
policies

61. • Guest inviter role - Setup a
policy so that users with this
role can only invite guest
• This can be set using user AD
properties such - Title, Job
Description
Reach
• Admins can create an
allow/deny list of
external partner
domains that are
allowed to be added as
guests.
• Guest approved by IT admin
can be approved and added
to groups..
• Add guests through B2B
portal and turn off sharing
for tenant

63. AAD connect for hybrid
Distribution List, Public Folders Migration
Public Folder Migration | Upgrade DL’s to Groups | Configure Office 365 Groups with on-premises Exchange

64. aka.ms/whyupgradedls
PowerShell scripts

65. SharePoint - Connect a classic site
to an Office 365 group (team site)
Giving the ability to take an existing
SharePoint Online team site and connect it
to an Office 365 Group. The group
provides membership management and
other services like shared calendar, Planner,
etc. once it is created.

66. Proper Setup of Yammer Network
Yammer identity management
Enable Group creation through Yammer
(Big) Advantage!

67. Link an existing private group to a Microsoft Team
Use main Planner Site for Group plannings

68. https://graph.microsoft.com/v1.0/groups
https://dev.outlook.com/Connectors https://dev.office.com/teams https://dev.office.com/sharepoint

69. Documentation: What is Azure Active Directory? | Azure Active Directory pricing

70. 1. User
enters
group
name in
PowerApps
2. Data is
sent to SPO
list
3. Flow is
triggered
and sends
approval
email
4. Manager
accepts or
rejects the
request
5. Reject:
Sender gets
a denied
email
6. Accept:
Azure
function
starts
7. Azure
function
creates the
group +
owner
8. Flow
sends email
to sender

72. Questions

73. Thank you!
Email : max@o365mn.org
Twitter : @TheCloudSherpa
Website/Blog: maxafritz.com
Stay in touch!
Come ask me questions!
Leave feedback
Join me next for:
Become the Taskmaster