Configure Office 365 Group Governance

In this blog post I want to explain the options you have as an admin to stay in control of Office 365 Group governance. Think of naming policies, classifications, blocked words and controlling who is able to create Groups.

Important notes up front

All posts are provided “AS IS” with no warranties, and confer no rights.

At the time of writing, the required cmdlets are only available in the preview module of Azure AD. If you have already installed the AzureAD module, you might need to remove it first before continuing with step 1. Removing the current module can be done with this cmdlet: Remove-Module -Name AzureAD

All users need to have an Azure AD Premium license assigned when they are a member of an Office 365 group on which these governance policies are enforced.

Not all services fully support naming conventions and blocked words. Examples are: Dynamics CRM, School Data Sync, Classroom App, Power BI and the AAD Portal.

Step 1: Install the required cmdlets and connect to Azure AD

Open PowerShell ISE as an admin
Install-Module -Name AzureADPreview
Connect-AzureAD

Step 2: Check if you already have a unified group object

$Setting = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq "Group.Unified"}

Step 3: Create the object if the result was empty in step 2

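$SettingTemplate = Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
$NewAADSetting = $SettingTemplate.CreateDirectorySetting()
$NewAADSetting = New-AzureADDirectorySetting -DirectorySetting $NewAADSetting
#Read the new object back so that $Setting is populated for step 4
$Setting = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq "Group.Unified"}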

Step 4: Configure the settings as required per your scenario

#Configure a naming convention
$Setting["PrefixSuffixNamingRequirement"] = "GRP [Department] [GroupName] [CountryOrRegion]"

#Configure custom blocked words for your O365 Group

#Configure O365 group classifications

#Configure descriptions to your classifications
$Setting["ClassificationDescriptions"] = "Green:Green means that this data can be shared with both employees and external guests,Yellow:Yellow classification means that it might cause harm to the business when information is leaked,Red:Super confidential information and also the highest level of classification"

#Disable creation of Office 365 Groups
$Setting["EnableGroupCreation"] = "False"

#Allow Office 365 Group creation by members of a group named "Office 365 Group Creators"
$Group = Get-AzureADGroup -SearchString "Office 365 Group Creators"
$Setting["GroupCreationAllowedGroupId"] = $Group.ObjectID

Step 5: Apply the configuration

Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting

Verify that your settings were applied successfully:

$Setting = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq "Group.Unified"}
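
An added example (not part of the original post) of a consistency check for the values read back above, run here against a constructed sample. It assumes the Group.Unified template names ClassificationList and CustomBlockedWordsList for the two steps whose code is not shown in step 4, and the attribute tokens Microsoft documents for naming policies; the function name is hypothetical.

```powershell
# Added example: audit Group.Unified values offline (function name is hypothetical).
function Test-GroupUnifiedSetting {
    param([Parameter(Mandatory)][hashtable]$Values)
    $findings = @()
    $allowed = '[GroupName]','[Department]','[Company]','[Office]',
               '[StateOrProvince]','[CountryOrRegion]','[Title]'
    # Naming policy: [GroupName] exactly once, only supported attribute tokens.
    $policy = [string]$Values['PrefixSuffixNamingRequirement']
    $tokens = @([regex]::Matches($policy, '\[[^\]]+\]') | ForEach-Object { $_.Value })
    if (@($tokens | Where-Object { $_ -eq '[GroupName]' }).Count -ne 1) {
        $findings += 'Naming policy must contain [GroupName] exactly once'
    }
    foreach ($t in $tokens) {
        if ($allowed -notcontains $t) { $findings += "Unsupported naming token $t" }
    }
    # The allowed group only matters once general creation is switched off.
    if ([string]$Values['EnableGroupCreation'] -ne 'False') {
        $findings += 'EnableGroupCreation is not False: creation is not restricted'
    }
    $parsed = [guid]::Empty   # format check only, does not query the tenant
    if (-not [guid]::TryParse([string]$Values['GroupCreationAllowedGroupId'], [ref]$parsed)) {
        $findings += 'GroupCreationAllowedGroupId is not a group ObjectId'
    }
    # Every classification description must name an entry of ClassificationList.
    $classes = @(([string]$Values['ClassificationList']).Split(',') | ForEach-Object { $_.Trim() })
    foreach ($entry in ([string]$Values['ClassificationDescriptions']).Split(',')) {
        if (-not $entry.Trim()) { continue }
        $name = $entry.Split(':')[0].Trim()
        if ($classes -notcontains $name) {
            $findings += "Description for '$name' has no matching classification"
        }
    }
    if (-not ([string]$Values['CustomBlockedWordsList']).Trim()) {
        $findings += 'CustomBlockedWordsList is empty'
    }
    $findings
}

# Constructed sample based on the values in this post; the GUID is a placeholder.
$sample = @{
    PrefixSuffixNamingRequirement = 'GRP [Department] [GroupName] [CountryOrRegion]'
    CustomBlockedWordsList        = 'CEO'
    ClassificationList            = 'Green,Yellow'   # Red left out on purpose
    ClassificationDescriptions    = 'Green:Shareable with guests,Yellow:Harmful if leaked,Red:Super confidential'
    EnableGroupCreation           = 'False'
    GroupCreationAllowedGroupId   = '00000000-0000-0000-0000-000000000000'
}
Test-GroupUnifiedSetting -Values $sample
# Live tenant: $live = @{}; $Setting.Values | ForEach-Object { $live[$_.Name] = $_.Value }
```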

Verify blocked words

The word “CEO” will give an error when trying to create a group with that name

Group creation

Creating a group based on current configuration

Viewing available classifications:

Classifications including descriptions are also correctly displayed.
