About
SharePoint Online and On-Premises
Development & Infrastructure
Doing SharePoint since 2001
Hub for Teamwork
Co-Author
Connect Across the Organization
Intranets & Content Management
Email & Calendar
Teams
Office Apps
Yammer
SharePoint
Outlook
Office 365 Groups: Single team membership across apps and services
Microsoft Graph: Suite-wide intelligence connecting people and content
Security and Compliance: Centralized policy management
SharePoint
SharePoint Online AD
- Documents - OneNote
Additional workloads
Workload scenarios
LocalDirectory
(if applicable)
Exchange
- Conversations - Calendar
Exchange Online AD
- Identity - Resource URLs - Owners - Members
Azure Active Directory
Office 365 Groups
Outer Loop Inner Loop Files Sites
Content
SharePoint
Apps
• One identity: Azure AD is the master for group identity & membership
• Federated resources: Office 365 services extend with their data
• Loose coupling: Services notify each other of changes to a group
Attributes
Flow
User creates new group for teamwork
Group experience populated in app of choice
Group identity created in Azure Active Directory
60% of employees believe IT is ineffective at providing collaboration, data analysis, and mobility capabilities.
80%
Establish IT leadership eBook, Microsoft 2017
OPEN
CONTROLLED
Processes in place
Reporting & monitoring
Change management
Benefits
Guidance
Documentation: Manage who can create Office 365 groups | Populate groups dynamically based on object attributes
Benefits
Guidance
Documentation: Office 365 Groups Naming Policy
What if our user attributes are quite long? Will it impact group creation?
Yes, group alias is restricted to 64 chars and group name to 256 chars. So longer user attributes used as
prefixes/suffixes could block group creation in your organization
Can we use extension attributes and custom attributes?
Extension attributes and custom attributes are currently not supported
Can we have different naming policies for each group workload?
No, this will be a tenant wide policy and will apply to all group workloads
Can we create rule based policy where we can apply prefixes only for users in a
specific department?
We currently do not support rule based policy application. We suggest that you leverage user attributes for
these scenarios
Is this a premium feature?
Yes, Group naming policy requires Azure AD Premium P1 license for unique users that are members of Office
365 groups in tenants.
Benefits
Guidance
Documentation: Office 365 Group Expiration Policy | Configure Office 365 groups expiration (preview)
Cmdlets
Add-AzureADMSLifecyclePolicyGroup
Get-AzureADMSGroupLifecyclePolicy
Get-AzureADMSLifecyclePolicyGroup
New-AzureADMSGroupLifecyclePolicy
Remove-AzureADMSGroupLifecyclePolicy
Remove-AzureADMSLifecyclePolicyGroup
Reset-AzureADMSLifeCycleGroup
Set-AzureADMSGroupLifecyclePolicy
Release Notes
Connect to Azure AD: open Azure AD PowerShell with admin permissions and run
> Connect-AzureAD # Provide tenant admin credentials.
View current settings:
> Get-AzureADMSGroupLifecyclePolicy
Set up a new policy:
> New-AzureADMSGroupLifecyclePolicy -GroupLifetimeInDays 31 -ManagedGroupTypes All -AlternateNotificationEmails [email protected]
Update the current policy:
> Set-AzureADMSGroupLifecyclePolicy -Id "9988f760-990b-47f7-9d87-549b929b605f" -GroupLifetimeInDays 32 -AlternateNotificationEmails [email protected]
Reset of Group Expiration Date (updating the RenewedDateTime property on a group to the current DateTime)
> Reset-AzureADMSLifeCycleGroup -GroupId <String>
Group Owner
• Renew expired groups
• Restore expired groups that
were soft deleted
Pilot with select groups
Define a goal on which groups you want to expire
Get groups older than X days
> $date = (Get-Date).AddDays(-X)
> Get-UnifiedGroup -Filter {WhenCreatedUTC -le $date} -ResultSize Unlimited
Get Ownerless groups
> Get-UnifiedGroup -ResultSize Unlimited -filter {ManagedBy -eq $null}
Build a strategy for orphaned groups
Create a different email notification template that asks group members to reply to the IT admin to nominate themselves, and set the person who replies as the group owner
Survey Pilot Users
To check if the owners noticed the expiry notification and to check the renewal rate
Roll out in phases
If your ultimate goal is to expire groups older than 6 months, start with 12 months, check the renewal rate,
then proceed with 9 months and finally 6 months
Onboard the Helpdesk team
Apprise the Helpdesk team of the prospect of getting more tickets during the soft deletion period of 30 days
for the groups that were not renewed and expired
If you have specific support teams for each workload, such as Microsoft Teams, SharePoint sites, etc., you would
need to onboard all of them, since the groups created across workloads will expire with the group expiration policy
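An offline impact estimate for the phased rollout described above, as an added PowerShell example that is not part of the original slides. The group records are constructed sample data, and `Get-ExpirationImpact` with its status names is a hypothetical helper; it assumes expiry is simply creation date plus lifetime.

```powershell
# Added example, not from the original deck: estimate what each rollout phase
# would touch before enabling the policy. $groups is constructed sample data;
# in a tenant it would come from Get-UnifiedGroup -ResultSize Unlimited.
$today  = [datetime]'2018-01-15'   # fixed so the sample is reproducible
$groups = @(
    [pscustomobject]@{ DisplayName = 'Project Alpha';    WhenCreatedUTC = [datetime]'2016-11-02'; ManagedBy = @('anna') }
    [pscustomobject]@{ DisplayName = 'Sales EMEA';       WhenCreatedUTC = [datetime]'2017-02-01'; ManagedBy = @() }
    [pscustomobject]@{ DisplayName = 'Intranet Editors'; WhenCreatedUTC = [datetime]'2017-05-20'; ManagedBy = @('ben', 'carla') }
    [pscustomobject]@{ DisplayName = 'Hackathon 2017';   WhenCreatedUTC = [datetime]'2017-08-05'; ManagedBy = @() }
    [pscustomobject]@{ DisplayName = 'Onboarding';       WhenCreatedUTC = [datetime]'2017-12-01'; ManagedBy = @('dev') }
)

# Hypothetical helper: classifies each group for a given lifetime.
function Get-ExpirationImpact {
    param(
        [Parameter(Mandatory)] [object[]] $Groups,
        [Parameter(Mandatory)] [int] $GroupLifetimeInDays,
        [datetime] $AsOf = (Get-Date)
    )
    foreach ($g in $Groups) {
        # Expiration is counted from the group creation date (see the FAQ).
        $expires  = $g.WhenCreatedUTC.AddDays($GroupLifetimeInDays)
        $daysLeft = [int][math]::Floor(($expires - $AsOf).TotalDays)
        $status = if ($daysLeft -le 0) {
            'PastLifetime'            # already older than the lifetime
        } elseif ($daysLeft -le 30) {
            'InNotificationWindow'    # first notice is sent 30 days before expiry
        } else {
            'NotYetDue'
        }
        [pscustomobject]@{
            DisplayName = $g.DisplayName
            ExpiresOn   = $expires.ToString('yyyy-MM-dd')
            Status      = $status
            Ownerless   = -not $g.ManagedBy   # no owner to act on a renewal notice
        }
    }
}

# Phases from the guidance: 12 months, then 9, then 6.
foreach ($days in 365, 270, 180) {
    $impact = Get-ExpirationImpact -Groups $groups -GroupLifetimeInDays $days -AsOf $today
    [pscustomobject]@{
        LifetimeDays    = $days
        PastLifetime    = @($impact | Where-Object Status -eq 'PastLifetime').Count
        InNoticeWindow  = @($impact | Where-Object Status -eq 'InNotificationWindow').Count
        OwnerlessAtRisk = @($impact | Where-Object { $_.Ownerless -and $_.Status -ne 'NotYetDue' }).Count
    }
}
```

The `OwnerlessAtRisk` count is the number to resolve before each phase, since those groups have no owner who can renew them.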
Can I set an option to expire groups that are inactive?
This is not currently supported. The expiration policy is applied based on group creation date.
Can we change the expiry notification intervals?
The expiry notification intervals are fixed to 30 days, 15 days and 1 day prior to expiry and cannot be changed.
Can we apply expiration policy to specific group workloads?
The expiration policy applies to all groups workloads and it cannot be set for specific group workloads.
What happens to expiring groups if I have setup an Advanced retention policy in
Security and Compliance Portal?
When a group expires and gets soft deleted, the group’s conversations in the mailbox and files in the group site are
retained in the retention container for the specific number of days defined in the retention policy. Refer link for more
details.
Is this a premium feature?
Yes, Group expiration policy requires Azure AD Premium P1 license for unique users that are members of Office 365
groups in tenants.
Benefits
Guidance
Documentation: Restore a deleted Office 365 Group
Admin (EAC)
• Soft Delete groups
• View Soft Deleted groups and
when it was soft deleted
• Restore soft deleted groups
Admin Tool
• Azure AD PowerShell – Supported
• Exchange Admin Center – Supported
• Exchange PowerShell – Supported
• Office Admin Center – Not yet supported
Admin (AAD PowerShell)
• Soft Delete groups
• View Soft Deleted groups and when it was soft deleted
• Hard Delete groups
• Restore soft deleted groups
Note!
• Remove-MsolGroup purges the group permanently
• Always use Remove-AzureADMSGroup to delete an O365 group
• Restore might take some time
1. Get all the Groups
> Get-AzureADGroup
2. Soft Delete a specific group
> Remove-AzureADGroup -ObjectId b7d81c81-9b77-40c5-b50a-b1017e8d6c27
3. Show all Soft Deleted Groups
> Get-AzureADMSDeletedGroup
4. Restore a specific soft deleted group
> Restore-AzureADMSDeletedDirectoryObject -Id b7d81c81-9b77-40c5-b50a-b1017e8d6c27
5. Hard Delete a Group
> Remove-AzureADMSDeletedDirectoryObject -Id <objectId of the soft deleted object>
Can I change the soft deletion period of 30 days?
Can I restore a soft deleted group, if another group with the same name exists?
Can I soft delete a group if the group mailbox is on legal hold?
Can I soft delete a group if I have setup an Advanced retention policy in the Security
and Compliance Center?
Benefits
Guidance
Documentation: Group settings | Overview of retention policies | Overview of labels | Search the audit log
Benefits
Guidance
Documentation: Guest access in Office 365 groups | Guest access in Office 365 groups – Admin Help | Azure AD access reviews
Benefits
Guidance
• Office 365 Adoption content pack
• Azure AD content pack
Office 365 Groups Report (Unified Groups)
Documentation: Office 365 Reports in the admin center
Groups Activity across workloads
Admin can view group activity across Group mailbox Conversations, Group site/files activity, Yammer group activity
Audit Logs in the Azure AD Admin Portal
Audit Log Search in Security and Compliance Center
Group Activities that are logged and can be audited
Added group
Updated group
Deleted group
Added member to group
Removed member from group
Options
Policy enforcement for groups in Microsoft | Enabled
Enable self-service | Yes
Collect classification | Yes
User awareness | Yes
Usage guideline | Yes
Set public vs. private based on classification | Yes (Custom)
Guest access/external based on classification (HBI) | No (future)
Guest membership disallowed with classification (HBI) | Yes (Custom)
• Guest inviter role - Set up a policy so that users with this role can only invite guests
• This can be set using user AD properties such as Title, Job Description
Reach
• Admins can create an allow/deny list of external partner domains that are allowed to be added as guests.
• Guests approved by the IT admin can be added to groups.
• Add guests through B2B portal and turn off sharing for tenant
Rolling Out
In Development
goals
pilot
Office ProPlus
successful
▪ Upgrade
AAD connect for hybrid
Distribution List, Public Folders Migration
Public Folder Migration | Upgrade DL’s to Groups | Configure Office 365 Groups with on-premises Exchange
Why you should upgrade your DL to groups in Outlook aka.ms/whyupgradedls
Upgrade with one click via Exchange admin center or via PowerShell scripts
Proper Setup of Yammer Network
Yammer identity management
Enable Group creation through Yammer
(Big) Advantage!
Link an existing private group to a Microsoft Team
Use main Planner Site for Group plannings
Access group data using the Microsoft Graph API: https://graph.microsoft.com/v1.0/groups
• Group creation
• Membership updates
• Sender restrictions, thread operations
Keep users updated with notifications: https://dev.outlook.com/Connectors https://dev.office.com/teams https://dev.office.com/sharepoint
Conversations
Documents
Calendar
Tasks
Photo
Notes
Capability Free Premium
P1
Create, read, update, delete X
Group activities report X
Soft-delete & restore X
Hidden membership X
Dynamic group membership X
Self-Service group management X
Group creation permissions X
Groups naming convention X
Groups expiration X
Usage guidelines X
Default classification X
Documentation: What is Azure Active Directory? | Azure Active Directory pricing
Q&A