Powershell

Managing Microsoft 365 Group Creation Permissions: Allowing Specific Users to Create Teams

In Microsoft 365, everyone can create groups by default, which enables seamless collaboration across Teams, Outlook, SharePoint, and more. However, organizations may want to limit this to specific users, such as team leads or trained staff, to manage resources and maintain compliance. In this guide, we’ll configure permissions so that only selected users can create Microsoft 365 Groups and Teams.

(Image – 1 showing the message received when a restricted user attempts to create a team.)

Why Enable Group Creation for Specific Users?

By limiting group creation permissions to a designated set of users, you gain greater control over the Teams environment and avoid unnecessary or non-compliant teams being created. This setup allows only approved users to create groups across various services, like Microsoft Teams, while keeping everyone else’s permissions restricted.

Note: These restrictions impact various Microsoft services, including Outlook, SharePoint, Viva Engage, and Planner, along with Teams.

Key Roles That Retain Group Creation Abilities

Certain admin roles retain permissions to create Microsoft 365 Groups, even if general creation permissions are restricted:

- Global Admins: Can create groups in the Microsoft 365 admin center, Exchange, SharePoint
- Teams Service Admins: Can create groups in the Teams admin center, Microsoft Entra ID
- SharePoint Admins: Can create groups in SharePoint admin center, Microsoft Entra ID

Admins in these roles can create groups for restricted users and assign them as group owners.

Steps to Enable Group Creation for a Specific Group of Users

Let’s go through the process of allowing only members of a designated group to create Microsoft 365 Groups, particularly in Teams.

Step 1: Create a Group to Control Permissions

Begin by creating a group in Microsoft 365 for the users who should be able to create Microsoft 365 Groups:

1. Open the Microsoft 365 Admin Center and go to Groups.
2. Click Add a Group and choose the group type.
3. Name your group (e.g., “Group Creators”) and add the people you want to allow group creation as members (not as owners).

Tip: You can add multiple people or even nest other groups under this main group for more flexible control.

(Image – 2 Created Group)

Step 2: Run PowerShell Commands to Apply Settings

Next, we’ll use PowerShell to update settings and allow only the users in your newly created group to create Microsoft 365 Groups:

1. Install the Microsoft Graph PowerShell Beta module if you haven’t already.
2. Run Update-Module Microsoft.Graph.Beta to ensure it’s up to date.
3. Copy the following script into a text editor, replacing <GroupName> with the name of the group created in Step 1.

```powershell
Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Beta.Groups

Connect-MgGraph -Scopes "Directory.ReadWrite.All", "Group.Read.All"

# Name of the group created in Step 1
$GroupName = "<GroupName>"
# "False" restricts group creation to members of the group above
$AllowGroupCreation = "False"

# Find the tenant's Group.Unified settings object, if one exists
$settingsObjectID = (Get-MgBetaDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id

# Create the settings object from the Group.Unified template when it is missing
if (!$settingsObjectID) {
    $params = @{
        templateId = "62375ab9-6b52-47ed-826b-58e47e0e304b"
        values     = @(
            @{
                name  = "EnableMSStandardBlockedWords"
                value = "true"
            }
        )
    }

    New-MgBetaDirectorySetting -BodyParameter $params

    $settingsObjectID = (Get-MgBetaDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id
}

# Resolve the group name to its object ID (-All pages through every group)
$groupId = (Get-MgBetaGroup -All | Where-Object { $_.DisplayName -eq $GroupName }).Id

# Stop unless exactly one group matched, so an empty or ambiguous ID is never written
if (-not $groupId -or @($groupId).Count -gt 1) {
    throw "Expected exactly one group named '$GroupName'."
}

$params = @{
    templateId = "62375ab9-6b52-47ed-826b-58e47e0e304b"
    values     = @(
        @{
            name  = "EnableGroupCreation"
            value = $AllowGroupCreation
        }
        @{
            name  = "GroupCreationAllowedGroupId"
            value = $groupId
        }
    )
}

Update-MgBetaDirectorySetting -DirectorySettingId $settingsObjectID -BodyParameter $params

# Print the resulting values for review
(Get-MgBetaDirectorySetting -DirectorySettingId $settingsObjectID).Values
```

Important: If you want to switch to a different group in the future, update $GroupName in the script with the new group name and rerun the script.

4. Save the file as GroupCreators.ps1.
5. Open PowerShell, navigate to the file location, and run:

```powershell
.\GroupCreators.ps1
```

(Image – 3 Result After executing the Script)

Step 3: Verify the Changes

After updating, allow about 30 minutes for the changes to take effect. Here’s how to verify:

1. Log in with a user account that is not a member of the “Group Creators” group.
2. Open Microsoft Teams and attempt to create a new team. You should see a message indicating that team creation is disabled.
3. Now, try the same with a user who is a member of the “Group Creators” group. They should be able to create a team successfully.

Reference: https://learn.microsoft.com/en-us/microsoft-365/solutions/manage-creation-of-groups?view=o365-worldwide
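The Step 3 check can also be done from PowerShell without signing in as test users. The following is an added example, not part of the original post: it reads the Group.Unified setting with read-only scopes, warns when the values differ from what Step 2 should have written, and lists who can create groups, nested members included. The group name "Group Creators" is the example name from Step 1 and is an assumption about your tenant.

```powershell
# Added example (not from the original post): read-only check of the setting from Step 2.
# Assumption: the control group is named "Group Creators", as in Step 1.
Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Beta.Groups

# Read scopes are enough for verification; no write permission is requested.
Connect-MgGraph -Scopes "Directory.Read.All", "GroupMember.Read.All"

$ExpectedGroupName = "Group Creators"

$setting = Get-MgBetaDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
if (-not $setting) {
    Write-Warning "No Group.Unified setting exists: tenant defaults apply, so every user can create groups."
    return
}

# Turn the setting's name/value pairs into a lookup table.
$values = @{}
foreach ($v in $setting.Values) { $values[$v.Name] = $v.Value }
$enabled        = $values["EnableGroupCreation"]
$allowedGroupId = $values["GroupCreationAllowedGroupId"]

if ($enabled -ne "false") {   # string comparison is case-insensitive
    Write-Warning "EnableGroupCreation is '$enabled': group creation is not restricted."
}
if (-not $allowedGroupId) {
    Write-Warning "GroupCreationAllowedGroupId is empty: no group of users is exempt from the restriction."
    return
}

# Confirm the stored ID points at the group we expect.
$allowedGroup = Get-MgBetaGroup -GroupId $allowedGroupId
if ($allowedGroup.DisplayName -ne $ExpectedGroupName) {
    Write-Warning "Allowed group is '$($allowedGroup.DisplayName)', expected '$ExpectedGroupName'."
}

# List everyone who can create groups, including members of nested groups.
Get-MgBetaGroupTransitiveMember -GroupId $allowedGroupId -All |
    ForEach-Object {
        [pscustomobject]@{
            Type = $_.AdditionalProperties['@odata.type']
            Name = $_.AdditionalProperties['displayName']
            UPN  = $_.AdditionalProperties['userPrincipalName']
            Id   = $_.Id
        }
    } | Format-Table -AutoSize
```

Running this on a schedule and comparing the member list against the approved roster shows when someone has been added to the control group, directly or through a nested group.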


Use Case Scenario: Adding Multiple Users to Calendar Access

In today’s collaborative work environment, sharing calendar access efficiently can streamline communication and scheduling. Recently, I implemented a script to add multiple users to a shared calendar in my real-time environment, enhancing our team’s collaboration.

Calendar Access Permissions

When adding users to your calendar, it’s important to consider the level of access they need. Here are the available permissions in Outlook (Windows, Mac, and OWA). Here’s a quick overview of the permissions you can set:

| Permission Level | Description |
| --- | --- |
| Can view when I’m busy | Shows the times of items on your calendar without any other details. |
| Can view titles and locations | Shows the time, subject, and location of events. |
| Can view all details | Shows the time, subject, location, and other details of all calendar items. |
| Can Edit | Allows users to edit your calendar as well as view all details of calendar items. |
| Delegate | Can edit your calendar, view full details, and send/accept meeting requests on your behalf. |
| None or Not shared | No permissions to view the calendar. |

How to Share Your Calendar in Outlook on the Web

Sharing your Outlook calendar is simple with these easy steps:

- Open Outlook: Access Outlook on the web.
- Go to Calendar: Click the ‘Calendar’ icon at the top left.
- Select Calendar: In ‘My Calendars’, right-click the calendar you want to share and choose ‘Sharing and permissions’. (Image 1: Navigating to “Sharing and permissions”)
- Enter the Email: Type in the email addresses of the people you want to share with. (Image 2: Enter the email)
- Add People: Click ‘Share’ at the top right and enter the email addresses.
- Set Permissions:
- Send Invitation: Click ‘Send’ to share the calendar. Recipients will receive an email invitation.

(Image 3: Choosing permissions)

Script Example

Here’s a simplified PowerShell script I used to add users to our shared calendar:

```powershell
# Connect to Exchange Online
Connect-ExchangeOnline

# Users to add, by display name or e-mail address
$users = @(
    "User One",
    "User Two",
    "User Three",
    "[email protected]",
    "[email protected]"
)

# Grant each user the Editor role on the shared mailbox's Calendar folder
foreach ($user in $users) {
    Add-MailboxFolderPermission -Identity "[email protected]:\Calendar" -User $user -AccessRights Editor
}

# Disconnect from Exchange Online
Disconnect-ExchangeOnline -Confirm:$false
```

Benefits of This Script

Executing this script significantly simplified the process of sharing calendar access with a large number of users in our environment. By automating the permissions setup, I was able to ensure that everyone had the necessary access to collaborate effectively.

Confirm Sharing: Once recipients accept, they can access your calendar according to the permissions you set. (User will get the invite)

Conclusion

Implementing this script was incredibly helpful in my environment, allowing me to efficiently share calendar access with multiple users. If you’re looking to improve collaboration and streamline scheduling, consider using this approach.
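The script above gives every user Editor. As an added example that is not from the original post, the version below assigns each user the lowest role from the permissions table that fits their task, can be rerun safely because it updates an existing entry instead of failing on it, and ends with a listing of who holds edit rights. All addresses are constructed placeholders, and it assumes a session already opened with Connect-ExchangeOnline.

```powershell
# Added example (not from the original post). Addresses are constructed placeholders.
# Assumes Connect-ExchangeOnline has already been run.
$calendar = "shared.calendar@contoso.example:\Calendar"

# Outlook label -> Exchange role:
#   "Can view when I'm busy"        = AvailabilityOnly
#   "Can view titles and locations" = LimitedDetails
#   "Can view all details"          = Reviewer
#   "Can edit"                      = Editor
$grants = @{
    "scheduler@contoso.example" = "Editor"
    "teamlead@contoso.example"  = "Reviewer"
    "intern@contoso.example"    = "AvailabilityOnly"
}

$results = foreach ($user in $grants.Keys) {
    $wanted  = $grants[$user]
    # Returns nothing when the user has no entry on the folder yet.
    $current = Get-MailboxFolderPermission -Identity $calendar -User $user -ErrorAction SilentlyContinue

    if (-not $current) {
        Add-MailboxFolderPermission -Identity $calendar -User $user -AccessRights $wanted -ErrorAction Stop | Out-Null
        $outcome = "Added"
    } elseif ($current.AccessRights -notcontains $wanted) {
        # Add- fails on an existing entry, so change the role in place.
        Set-MailboxFolderPermission -Identity $calendar -User $user -AccessRights $wanted -ErrorAction Stop
        $outcome = "Changed from $($current.AccessRights -join ',')"
    } else {
        $outcome = "Unchanged"
    }

    [pscustomobject]@{ User = $user; Role = $wanted; Outcome = $outcome }
}
$results | Format-Table -AutoSize

# Audit: everyone who can modify the calendar, including entries made outside this script.
Get-MailboxFolderPermission -Identity $calendar |
    Where-Object { $_.AccessRights -match 'Editor|Owner' } |
    Select-Object User, AccessRights
```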


Easily Copy Group Memberships Between Users in Microsoft 365 Using PowerShell

Managing users and their group memberships is a critical task in any IT environment. In Microsoft 365 (M365), this often involves Azure Active Directory (Azure AD) and Exchange Online. Admins frequently need to copy group memberships from one user to another. While this task is relatively simple in traditional on-premises Active Directory, the process in M365, particularly for Azure AD and Exchange distribution lists, requires more steps.

This blog will introduce a PowerShell script that automates the process of copying Azure AD group memberships and Exchange distribution lists from one user to another. Whether you’re onboarding a new employee, handling a role change, or transferring permissions, this script will save time and reduce errors.

(Image-1: for the line that needs to change)

Why Would You Need to Copy Group Memberships?

In various scenarios, copying a user’s group memberships becomes a vital part of user management:

- Onboarding and Role Transition: When a new user joins or an existing employee changes roles, they may need to inherit group memberships from another user.
- User Offboarding: Transferring permissions and group memberships to another user ensures continued access to resources without manual intervention.
- Standardization: Assigning consistent permissions and access rights by copying group memberships from a template user to new users can standardize access across the organization.

In on-premises Active Directory, copying group memberships between users can be easily done through PowerShell or even GUI-based tools. However, in the cloud-based M365 environment, this becomes more complex as it involves Azure AD and Exchange Online, which manage both security groups and distribution lists.

Why Not Use GUI Tools?

While Microsoft 365 Admin Center provides tools for managing users and groups, there is no out-of-the-box feature to easily copy group memberships between users. The process becomes tedious if you manually go through each group for one user, especially when dealing with a large number of groups or distribution lists.

Using a PowerShell script helps streamline the process, making it faster, more accurate, and more repeatable. Plus, it can log each action taken, providing admins with visibility into what’s been done.

Introducing the PowerShell Script

This PowerShell script is designed to:

- Copy all Azure AD security group memberships from one user to another.
- Copy all Exchange Online distribution lists from the source user to the target user.
- Log the results (both successes and failures) to a CSV file for easy review.

By the end of this process, the target user will have the same group memberships as the source user, ensuring consistent access across Azure AD and Exchange Online environments.

Pre-requisites:

Before running the script, make sure:

- You have PowerShell installed on your machine.
- You have administrative credentials for Azure AD and Exchange Online.
- You’re familiar with the users whose memberships you need to copy.

Customization:

Based on your requirements, update the following lines in the script:

- Line 23: Connect-ExchangeOnline -UserPrincipalName [email protected] – Replace with the admin email you use for Exchange Online.
- Lines 26-27: $sourceUser and $targetUser – Replace these with the email addresses of the users you’re working with.

You can change these variables to suit your needs and copy memberships between any users in your tenant. For more clarification, see Image-1 above.

The Script:

Here’s the full PowerShell script for copying group memberships from a source user to a target user, along with logging and module checks:

```powershell
# Script created by Nifan for copying Azure AD and Exchange Online group memberships
# This script connects to Azure AD and Exchange Online, copying group memberships
# and logging the results.

# Check and install the AzureAD module if not already installed
if (-not (Get-Module -ListAvailable -Name AzureAD)) {
    Install-Module -Name AzureAD -Force -AllowClobber
}

# Check and install the Exchange Online module if not already installed
if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
    Install-Module -Name ExchangeOnlineManagement -Force -AllowClobber
}

# Import the installed modules
Import-Module AzureAD
Import-Module ExchangeOnlineManagement

# Connect to Azure AD (will prompt for credentials)
Connect-AzureAD

# Connect to Exchange Online (will prompt for credentials again)
Connect-ExchangeOnline -UserPrincipalName [email protected]  # Enter your admin user for Exchange Online

# Define the source and target users
$sourceUser = "[email protected]"
$targetUser = "[email protected]"

# Output file for logging results
$logFile = "C:\GroupCopyResults.csv"

# Initialize the log file with headers and credit
"Created by: Nifan`nGroup Name,Type,Status" | Out-File $logFile

# Step 1: Get the Azure AD group memberships of the source user
# (-All $true returns every membership, not only the first page)
$groups = Get-AzureADUserMembership -ObjectId (Get-AzureADUser -ObjectId $sourceUser).ObjectId -All $true

# Add the target user to each of the Azure AD groups the source user is a member of
foreach ($group in $groups) {
    try {
        # Add the target user to the Azure AD group
        Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId (Get-AzureADUser -ObjectId $targetUser).ObjectId -ErrorAction Stop
        # Log success
        "$($group.DisplayName),Azure AD Group,Success" | Out-File $logFile -Append
    } catch {
        # Log failure with error message
        "$($group.DisplayName),Azure AD Group,Failed - $($_.Exception.Message)" | Out-File $logFile -Append
    }
}

# Step 2: Now handle distribution lists (DLs) in Exchange Online
# Get the list of distribution groups the source user is a member of
$dlGroups = Get-DistributionGroup -ResultSize Unlimited | Where-Object {
    (Get-DistributionGroupMember -Identity $_.Identity).PrimarySmtpAddress -contains $sourceUser
}

# Add the target user to each distribution list
foreach ($dl in $dlGroups) {
    try {
        # Add the target user to the distribution list
        # (-ErrorAction Stop makes a failed add reach the catch block)
        Add-DistributionGroupMember -Identity $dl.Identity -Member $targetUser -ErrorAction Stop
        # Log success
        "$($dl.DisplayName),Distribution List,Success" | Out-File $logFile -Append
    } catch {
        # Log failure with error message
        "$($dl.DisplayName),Distribution List,Failed - $($_.Exception.Message)" | Out-File $logFile -Append
    }
}

# Notify the user where the results are saved
Write-Host "Results saved to $logFile"

# Disconnect from Azure AD and Exchange Online
Disconnect-AzureAD
Disconnect-ExchangeOnline -Confirm:$false  # Use -Confirm:$false to suppress confirmation prompt
```

Key Components of the Script

- Azure AD Group Membership: This part of the script copies Azure AD security groups using the Get-AzureADUserMembership and Add-AzureADGroupMember cmdlets. The source user’s groups are fetched and the target user is added to each group.
- Exchange Distribution Groups: Exchange Online’s distribution groups are handled using the Get-DistributionGroup and Add-DistributionGroupMember cmdlets. The script checks if the source user is part of a distribution

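Copying every membership also copies whatever access the source user has accumulated, so it helps to see the list before the script changes anything. The following added example, which is not part of the original post or its author's script, builds a preview of the Azure AD step without modifying any group: it marks entries the copy cannot or should not handle and flags security groups for a decision. The user addresses and output file name are constructed placeholders, and it assumes an existing Connect-AzureAD session.

```powershell
# Added example (not from the original post): preview only, nothing is modified.
# Assumptions: constructed placeholder addresses; Connect-AzureAD already run.
$sourceUser = "source.user@contoso.example"
$targetUser = "target.user@contoso.example"

$source = Get-AzureADUser -ObjectId $sourceUser
$target = Get-AzureADUser -ObjectId $targetUser

# Memberships the target already holds, so they are not attempted again.
$targetIds = (Get-AzureADUserMembership -ObjectId $target.ObjectId -All $true).ObjectId
$sourceMemberships = Get-AzureADUserMembership -ObjectId $source.ObjectId -All $true

$review = foreach ($m in $sourceMemberships) {
    $action = "Copy"
    $reason = ""

    if ($m.ObjectType -ne "Group") {
        # Directory roles are returned alongside groups.
        $action = "Skip";   $reason = "Directory role, not a group"
    } elseif ($targetIds -contains $m.ObjectId) {
        $action = "Skip";   $reason = "Target is already a member"
    } elseif ($m.DirSyncEnabled) {
        $action = "Skip";   $reason = "Synced from on-premises AD; change it there"
    } else {
        $types = (Get-AzureADMSGroup -Id $m.ObjectId).GroupTypes
        if ($types -contains "DynamicMembership") {
            $action = "Skip";   $reason = "Members are set by a dynamic rule"
        } elseif ($m.MailEnabled -and $types -notcontains "Unified") {
            $action = "Skip";   $reason = "Mail-enabled group; managed in Exchange Online"
        } elseif ($m.SecurityEnabled) {
            $action = "Review"; $reason = "Security group: confirm the target needs this access"
        }
    }

    [pscustomobject]@{
        Group  = $m.DisplayName
        Id     = $m.ObjectId
        Action = $action
        Reason = $reason
    }
}

$review | Sort-Object Action, Group | Format-Table -AutoSize
$review | Export-Csv -Path ".\GroupCopyPreview.csv" -NoTypeInformation
```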