Using MgGraph PowerShell 1.0 - Update-MgGroup -AdditionalProperties how to update the resourceBehaviorOptions option? - powershell

The education institution I am helping uses the Moodle plugin Microsoft 365 Integration, which I believe uses the latest MgGraph v1.0 to create Microsoft 365 Teams groups.
The Moodle plugin creates the Microsoft 365 Teams groups, but some settings cannot be updated in the Exchange Admin Center after creation; it returns an error.
The property to be set being
The error received is not really helping
This Microsoft 365 Teams group uses the HiddenMembership visibility, since MS Teams classes can also be used and for privacy reasons this visibility is used. Unfortunately, the PHP code created by the Moodle MS plugin adds more security features that prevent the groups from sending emails to each other, since the above property cannot be updated.
To get more information about the error, I tried to use MgGraph to set the setting programmatically:
$params = @{
    AutoSubscribeNewMembers = $true
}
Update-MgGroup -GroupId $groupid -BodyParameter $params
Then I got the below error:
AutoSubscribeNewMembers parameter can't be true when SubscriptionEnabled
is set to false on the group.
Looking all around, I finally found where the SubscriptionEnabled value is set.
((get-MgGroup -GroupId $groupid).AdditionalProperties).resourceBehaviorOptions
Outputs :
SubscriptionDisabled
SharePointMemberReadonly
CalendarMemberReadOnly
WelcomeEmailDisabled
SubscribeNewGroupMembers
HideGroupInOutlook
ConnectorsDisabled
AllowOnlyMembersToPost
I tried to remove that value from the group's AdditionalProperties.resourceBehaviorOptions but got this error.
$resourceBehaviorOptionsParams = @{
    "SubscriptionDisabled" = "false";
}
$additionalParams = @{
    resourceBehaviorOptions = $resourceBehaviorOptionsParams
}
Update-MgGroup -GroupId $groupid -AdditionalProperties $additionalParams
Error
An unexpected 'StartObject' node was found for property named 'resourceBehaviorOptions' when
| reading from the JSON reader. A 'StartArray' node was expected.
How can I remove the SubscriptionDisabled option from the resourceBehaviorOptions section?

I tried to reproduce the same in my environment and got the same error, like below.
The error usually occurs if you don't have a proper license, like
Exchange Online, or the subscription is disabled on that Teams group.
When I ran the same MgGraph commands as you to learn more about the error, I got the same response, like below:
Connect-MgGraph
$groupid = "f2210ee6-451a-496b-8b39-c2xxxxxxxf"
$params = @{
    AutoSubscribeNewMembers = $true
}
Update-MgGroup -GroupId $groupid -BodyParameter $params
Response:
When I tried the same script as you to remove the SubscriptionDisabled option, I got the same error, like below:
$groupid = "f2210ee6-451a-496b-8b39-c289xxxxxdaf"
$resourceBehaviorOptionsParams = @{
    "SubscriptionDisabled" = "false";
}
$additionalParams = @{
    resourceBehaviorOptions = $resourceBehaviorOptionsParams
}
Update-MgGroup -GroupId $groupid -AdditionalProperties $additionalParams
Response:
To resolve the error, you can enable the subscription for that Teams group using the below Exchange Online commands:
Connect-ExchangeOnline
Set-UnifiedGroup -Identity "Devi Team" -SubscriptionEnabled:$true
Response:
After enabling the subscription, I ran the below command to enable AutoSubscribeNewMembers:
Set-UnifiedGroup -Identity "Devi Team" -AutoSubscribeNewMembers:$true
Response:
When I checked the same in the Exchange Admin Center, the option was enabled successfully, like below:
You can also enable the "Allow external senders to email this group" option if needed from the portal, after enabling the subscription:
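As an added example (not code from the question, the answer or the Moodle plugin), the script below ties the two halves of the answer together: it reads the group's resourceBehaviorOptions through Microsoft Graph PowerShell, and if SubscriptionDisabled is present it enables the subscription and then AutoSubscribeNewMembers with the Exchange Online cmdlets, finishing with a read-back. The Graph documentation describes resourceBehaviorOptions as set at group creation, which is why the script only reads it and makes the change on the Exchange side; the comment on the array shape is what the "A 'StartArray' node was expected" error is pointing at. Assumptions: the Microsoft.Graph and ExchangeOnlineManagement modules are installed, the caller has Group.ReadWrite.All plus an Exchange role that permits Set-UnifiedGroup, and $GroupId is a placeholder.

```powershell
# Added example, not from the original post. Assumes Microsoft.Graph and
# ExchangeOnlineManagement are installed and the caller may run Set-UnifiedGroup.
param(
    [Parameter(Mandatory)] [string]$GroupId   # placeholder: the M365 group's object ID
)

Connect-MgGraph -Scopes "Group.ReadWrite.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# resourceBehaviorOptions is not a typed property of MicrosoftGraphGroup, so it
# arrives in AdditionalProperties as an array of strings.
$group = Get-MgGroup -GroupId $GroupId -Property "id,displayName,mail,visibility,resourceBehaviorOptions"
$behaviors = @($group.AdditionalProperties['resourceBehaviorOptions'])

Write-Host ("{0} <{1}> visibility={2}" -f $group.DisplayName, $group.Mail, $group.Visibility)
Write-Host ("resourceBehaviorOptions: {0}" -f ($behaviors -join ', '))

# If you ever send this property to Graph yourself (at creation time), it must be
# an array, e.g. resourceBehaviorOptions = @('WelcomeEmailDisabled'); a hashtable
# serialises as a JSON object, which is the StartObject/StartArray error.

if ($behaviors -contains 'SubscriptionDisabled') {
    # Exchange surfaces the same state as SubscriptionEnabled. It must be turned on
    # first, otherwise AutoSubscribeNewMembers is rejected, as in the question.
    Set-UnifiedGroup -Identity $group.Mail -SubscriptionEnabled:$true
}
Set-UnifiedGroup -Identity $group.Mail -AutoSubscribeNewMembers:$true

# Read back from Exchange. RequireSenderAuthenticationEnabled is the "allow
# external senders" switch: leave it as it is unless the group genuinely needs
# mail from outside the tenant, since a HiddenMembership class group is usually
# meant to be reachable by its members only.
Get-UnifiedGroup -Identity $group.Mail |
    Select-Object DisplayName, SubscriptionEnabled, AutoSubscribeNewMembers,
                  RequireSenderAuthenticationEnabled, HiddenGroupMembershipEnabled
```

Run it once per group ID that the Moodle plugin created; the final Select-Object is the check that SubscriptionEnabled and AutoSubscribeNewMembers both read True before you go back to the Exchange Admin Center.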


How to remove users that have roles scoped to a specific Azure AD Administrative Unit via Powershell

I am trying to understand the correct PowerShell command to remove one or more users who have a role granted to them that is scoped over the members of an Administrative Unit.
For example, a help desk employee who is granted Authentication Administrator over an AU that contains all the staff at their office location.
It would appear that the correct way to do this using Azure AD PowerShell would be to use Remove-AzureADMSScopedRoleMembership, but I cannot find any documentation on what inputs are expected for this command or whether this is even the right method to reach the desired outcome.
Documentation: https://learn.microsoft.com/en-us/powershell/module/azuread/remove-azureadmsscopedrolemembership?view=azureadps-2.0
Iterations I have tried:
Remove-AzureADMSScopedRoleMembership -id "Object ID of user with scoped role" -ScopedRoleMembershipId "/administrativeUnits/ObjectId of AU"
Remove-AzureADMSScopedRoleMembership : Error occurred while executing RemoveMSScopedRoleMembership
Code: BadRequest
Message: Resource not found for the segment
Remove-AzureADMSScopedRoleMembership -id "Object ID of AU with scoped roles" -ScopedRoleMembershipId "Object ID of user with scoped role"
Remove-AzureADMSScopedRoleMembership : Error occurred while executing RemoveMSScopedRoleMembership
Code: BadRequest
I have reproduced this in my environment and got the expected results as below, following the Microsoft document:
Firstly, I added a scoped role as below:
Connect-AzureAD
$User = Get-AzureADUser -SearchString "Display Name of User"
$Role = Get-AzureADDirectoryRole | Where-Object -Property DisplayName -EQ -Value "User Administrator"
$RoleMember = New-Object -TypeName Microsoft.Open.AzureAD.Model.RoleMemberInfo
$Unit = Get-AzureADAdministrativeUnit | Where-Object -Property DisplayName -Eq -Value Test
$RoleMember.ObjectId = $User.ObjectID
Add-AzureADScopedRoleMembership -ObjectId $unit.ObjectId -RoleObjectId $Role.ObjectId -RoleMemberInfo $RoleMember
I took the ScopedRoleMembershipId from the Microsoft Graph API using the below request:
https://graph.microsoft.com/v1.0/directory/administrativeUnits/{admin-unit-id}/scopedRoleMembers
Then I used the below command to remove the user, following the Microsoft document:
Remove-AzureADScopedRoleMembership -ObjectId $unit.ObjectId -ScopedRoleMembershipId "08ovlLXBT0CMQ7kJaZRJU"
If you follow the above process, the user will be removed, as mine was.
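The answer fetches the ScopedRoleMembershipId from the Graph REST endpoint by hand. As an added example (not the question's or the answer's code), the script below does the lookup in PowerShell with Get-AzureADScopedRoleMembership, filters the AU's scoped assignments down to one user, reports them, and removes them only when -Remove is passed. Assumptions: the AzureAD module (now deprecated; Get-MgDirectoryAdministrativeUnitScopedRoleMember and Remove-MgDirectoryAdministrativeUnitScopedRoleMember are the Graph successors), a caller with Privileged Role Administrator, and $AdminUnitName and $UserUpn as placeholders.

```powershell
# Added example, not from the original post. Assumes the (deprecated) AzureAD module.
param(
    [Parameter(Mandatory)] [string]$AdminUnitName,  # placeholder AU display name
    [Parameter(Mandatory)] [string]$UserUpn,        # placeholder user principal name
    [switch]$Remove   # without it the script only reports, which is the safe default
)

Connect-AzureAD | Out-Null

$unit = Get-AzureADAdministrativeUnit | Where-Object DisplayName -eq $AdminUnitName
if (-not $unit) { throw "Administrative unit '$AdminUnitName' not found" }
$user = Get-AzureADUser -ObjectId $UserUpn   # -ObjectId accepts a UPN as well as a GUID

# Every scoped assignment in the AU. RoleMemberInfo.ObjectId is the principal;
# Id is the ScopedRoleMembershipId that Remove-AzureADScopedRoleMembership wants.
$memberships = @(Get-AzureADScopedRoleMembership -ObjectId $unit.ObjectId |
    Where-Object { $_.RoleMemberInfo.ObjectId -eq $user.ObjectId })

if ($memberships.Count -eq 0) {
    Write-Host "$UserUpn holds no scoped role in '$AdminUnitName'"
    return
}

foreach ($m in $memberships) {
    $role = Get-AzureADDirectoryRole -ObjectId $m.RoleObjectId
    Write-Host ("{0} holds '{1}' scoped to '{2}' (membership id {3})" -f
        $UserUpn, $role.DisplayName, $unit.DisplayName, $m.Id)
    if ($Remove) {
        # -ObjectId is the AU, never the user: passing the user's ID here, as in the
        # question's first attempt, is what yields "Resource not found for the segment".
        Remove-AzureADScopedRoleMembership -ObjectId $unit.ObjectId -ScopedRoleMembershipId $m.Id
        Write-Host "  removed"
    }
}

# Re-read so the removal is verified rather than assumed.
$left = @(Get-AzureADScopedRoleMembership -ObjectId $unit.ObjectId |
    Where-Object { $_.RoleMemberInfo.ObjectId -eq $user.ObjectId })
Write-Host ("Remaining scoped roles for {0} in '{1}': {2}" -f $UserUpn, $unit.DisplayName, $left.Count)
```

Run it without -Remove first to see exactly which scoped roles the user holds in that AU; a user can hold several (for example Authentication Administrator and User Administrator), and each is a separate membership ID.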

How to get a list of members and their Active assignment role in Azure AD?

I would like to validate members who have an "Active assignment" role in Azure AD. Is there a way to know whether the role was granted by a group or directly? How could I get that information into my script? Thank you for your help.
connect-azuread
$roles = Get-AzureADDirectoryRole | select objectid, displayname
ForEach($role in $roles){
    Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | select @{n="Azure role";e={$role.DisplayName}}, displayname
}
You found the easiest solution using PowerShell. I checked with MS Graph and it is a bit more difficult than PowerShell. I also removed one statement from your code which is not required.
I tested it in my environment and it works fine for me.
connect-azuread
$roles = Get-AzureADDirectoryRole
ForEach($role in $roles){
    Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | select @{n="Azure role";e={$role.DisplayName}}, displayname
}
output:
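The answer lists the members but does not answer the second part of the question, whether a role came through a group or was assigned directly. As an added example (not the question's or the answer's code), the script below walks every enabled directory role, and for each member that is a group expands it one level, tagging each row as Direct or Group so the report shows the difference. Assumptions: the AzureAD module (deprecated) and a reader-level directory role; Get-AzureADDirectoryRoleMember returns active assignments only, so PIM-eligible assignments will not appear, which matches the "Active assignment" scope of the question.

```powershell
# Added example, not from the original post. Assumes the (deprecated) AzureAD module.
Connect-AzureAD | Out-Null

$report = foreach ($role in Get-AzureADDirectoryRole) {
    foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        if ($member.ObjectType -eq 'Group') {
            # A role-assignable group: its members inherit the role. One level of
            # expansion is enough because role-assignable groups cannot be nested.
            foreach ($gm in Get-AzureADGroupMember -ObjectId $member.ObjectId -All $true) {
                [PSCustomObject]@{
                    Role        = $role.DisplayName
                    Principal   = $gm.DisplayName
                    UPN         = $gm.UserPrincipalName   # empty for service principals
                    Type        = $gm.ObjectType
                    AssignedVia = "Group: $($member.DisplayName)"
                }
            }
        }
        # The member itself (user, service principal, or the group object) is a
        # direct assignment on the role.
        [PSCustomObject]@{
            Role        = $role.DisplayName
            Principal   = $member.DisplayName
            UPN         = $member.UserPrincipalName
            Type        = $member.ObjectType
            AssignedVia = 'Direct'
        }
    }
}

$report | Sort-Object Role, AssignedVia, Principal | Format-Table -AutoSize
# Keep a copy for review: a role held via a group means that whoever can change
# that group's membership can effectively grant the role.
$report | Export-Csv -Path .\role-assignments.csv -NoTypeInformation
```

The rows tagged "Group: ..." are the ones to review with the group's owners, since group membership changes do not show up as role assignment events.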

Azure Active Directory B2C Role Template Display name is inconssitent

I have an automation script for creating applications/resources in an ADB2C tenant. Recently I ran into a troubling issue with AzureADPreview.
Basically I create an application, I create its service principal, then I'm assigning roles to this application. One role in particular that is causing me issues is User Administrator, or better said User Administrator | User Account Administrator.
What do I mean by this? Basically, for one tenant the cmdlet Get-AzureADDirectoryRoleTemplate returns either User Administrator or User Account Administrator, which is strange.
Here is the code:
# Grant needed Service Principals Permissions
foreach ($displayName in $_.ServicePrincipal.ApplicationRoles) {
    $adDirectoryRole = Get-AzureADDirectoryRole | Where-Object { $_.displayName -eq $displayName }
    if ($null -eq $adDirectoryRole) {
        $adDirectoryRoleTemplate = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.displayName -eq $displayName }
        Enable-AzureADDirectoryRole -RoleTemplateId $adDirectoryRoleTemplate.ObjectId | Out-Null
        $adDirectoryRole = Get-AzureADDirectoryRole | Where-Object { $_.displayName -eq $displayName }
    }
    Add-AzureADDirectoryRoleMember -ObjectId $adDirectoryRole.ObjectId -RefObjectId $servicePrincipal.ObjectId | Out-Null
}
The line Enable-AzureADDirectoryRole -RoleTemplateId $adDirectoryRoleTemplate.ObjectId | Out-Null throws an error SOMETIMES when the DisplayName is not User Account Administrator.
Please don't tell me the Azure's API code looks like this:
if (rand() > 0.5f) { role.DisplayName = 'User Administrator'; }
else { role.DisplayName = 'User Account Administrator'; }
What is going on? Why is this the case?
The error thrown
Enable-AzureADDirectoryRole : Error occurred while executing ActivateDirectoryRole
Code: Request_BadRequest
Message: Could not resolve request to a valid role template. A valid value must be specified for 'displayName' or 'roleTemplateId'.
RequestId: 6bc26cc3-ce6d-41d0-abe0-2635d9897b75
DateTimeStamp: Thu, 14 Jan 2021 14:50:19 GMT
Details: PropertyName - roleTemplateId, PropertyErrorCode - PropertyRequired
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
PS module: 2.0.2.119 AzureADPreview
UPDATE
Since a lot of the comments are missing the point, I think I need to emphasize the issue.
Depending on the tenant, when I do the queries mentioned above I get different results. That shouldn't be the case at all; it is a BUG. I don't know where the bug is, in the Azure API or in the PowerShell module; this started to occur some days ago. We didn't change anything, so I'm blaming the Azure API.
I'm going to attach some photos so you can see clearly the results I'm getting on two different tenants. Please understand that I tested this with 5 or more tenants and this randomness occurs for each of them.
Some return User Administrator and some return User Account Administrator. This value doesn't change for that particular tenant after it's deployed. But at deployment time, that value varies.
Look over these photos:
These results are obtained from different tenants!!!
After a lot of back and forth with Azure Support, we reached the conclusion that this was indeed a bug. They made a blog post about renaming some user roles:
A 30-day notice announcing the proposed change was posted to the Message center in the M365 Admin center in Message ID MC218295 as of July 2020, with information for customers to update their scripts by August 14, 2020.
The update was finalized on January 20, and today, January 29, all my tenants have the same value for the User Administrator role.
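The root cause the asker confirmed with support is a display-name rename, and any script that selects roles by DisplayName breaks on exactly that. As an added example (not the asker's script), the block below reworks the loop from the question to match on the role template ID, which is immutable, and only falls back to the display name to look the ID up once in the map at the top. Assumptions: the AzureAD or AzureADPreview module, a caller with Privileged Role Administrator, a service principal looked up by a placeholder name; fe930be7-5e62-47db-91af-98c3a49a38b1 is the well-known template ID of the User Administrator role (the one formerly shown as "User Account Administrator").

```powershell
# Added example, not from the original post. Assumes AzureAD/AzureADPreview is installed.
# Role template IDs do not change when Microsoft renames a role; display names do.
$knownRoles = @{
    'User Administrator' = 'fe930be7-5e62-47db-91af-98c3a49a38b1'   # well-known template ID
}

function Get-OrEnableDirectoryRole {
    param([Parameter(Mandatory)][string]$RoleTemplateId)
    # An enabled role carries RoleTemplateId, so compare on that, never on DisplayName.
    $role = Get-AzureADDirectoryRole | Where-Object { $_.RoleTemplateId -eq $RoleTemplateId }
    if ($null -eq $role) {
        $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.ObjectId -eq $RoleTemplateId }
        if ($null -eq $template) { throw "No role template with id $RoleTemplateId" }
        # Enable-AzureADDirectoryRole is what failed in the question when the
        # name lookup returned nothing and $adDirectoryRoleTemplate was $null.
        Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId | Out-Null
        $role = Get-AzureADDirectoryRole | Where-Object { $_.RoleTemplateId -eq $RoleTemplateId }
    }
    return $role
}

Connect-AzureAD | Out-Null
# Placeholder service principal; in the question this comes from the automation's own object.
$servicePrincipal = Get-AzureADServicePrincipal -Filter "displayName eq 'my-automation-app'"
if ($null -eq $servicePrincipal) { throw "Service principal not found" }

foreach ($roleName in @('User Administrator')) {
    $templateId = $knownRoles[$roleName]
    if (-not $templateId) { throw "No template id recorded for '$roleName'" }
    $role = Get-OrEnableDirectoryRole -RoleTemplateId $templateId

    # Idempotent: skip the add if the principal already holds the role.
    $already = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
        Where-Object { $_.ObjectId -eq $servicePrincipal.ObjectId }
    if (-not $already) {
        Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $servicePrincipal.ObjectId
    }
    Write-Host ("{0} ({1}) -> {2} [{3}]" -f $servicePrincipal.DisplayName, $servicePrincipal.ObjectId,
        $role.DisplayName, $role.RoleTemplateId)
}
```

The map at the top is the only place a display name appears, and it is your own label rather than the tenant's; when Microsoft renames a role again, the script keeps working and only the printed name changes.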

Create Unified and Dynamic Membership Office 365 group Via Powershell in AzureAD

In the Azure GUI it is really easy to do this: you simply create a new Office 365 group and set dynamic rules, but it seems difficult to do via PowerShell. The closest I can get is the following PowerShell line; it seems to error out on the group types portion. I can't seem to get it to create a group with both types; my guess is I am just not formatting it correctly. I am using the AzureADPreview module at version 2.0.2.85 since the normal AzureAD module does not work at all for this.
New-AzureADMSGroup -DisplayName "name" -Description "description" -MailEnabled $True -MailNickName "MailName" -SecurityEnabled $True -GroupTypes 'Unified, DynamicMembership' -MembershipRule '(user.userPrincipalName -contains "somafeasokdfalksjfjlkads")' -MembershipRuleProcessingState $true
gives me the error
Code: Request_BadRequest
Message: Invalid value specified for property 'groupTypes' of resource 'Group'.
GUI Creation
Powershell Get
https://learn.microsoft.com/en-us/powershell/module/azuread/new-azureadmsgroup?view=azureadps-2.0
The gist is I am trying to find a powershell way to get a Azure group like the second photo. Ie both dynamic and unified.
I figured out a workaround: you can create the group just as Unified, then use a script Microsoft posted
https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-change-type
I had to modify it to get it to work, but basically I ran the following
$knowngoodgroup = 'INSERTGUID'
$BadGroup = 'INSERTGUID'
$memberRule = 'INSERTMEMBERRULE'
[System.Collections.ArrayList]$groupTypes = (Get-AzureAdMsGroup -Id $knowngoodgroup).GroupTypes
Set-AzureAdMsGroup -Id $BadGroup -GroupTypes $groupTypes.ToArray() -MembershipRuleProcessingState "On" -MembershipRule $memberrule
My guess is they will fix this in the future.
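As an added example (not the asker's command or the workaround script above), the block below creates a group that is both Unified and DynamicMembership in a single New-AzureADMSGroup call by passing -GroupTypes an array, which is what the cmdlet's parameter type is; the command in the question passes the single string 'Unified, DynamicMembership', which is what "Invalid value specified for property 'groupTypes'" rejects. It also passes -MembershipRuleProcessingState 'On' rather than $true, and keeps the answer's create-then-Set path as a fallback. Assumptions: the AzureADPreview module; that New-AzureADMSGroup accepts both types at creation is my assumption, which is why the fallback stays in; the names and the rule are placeholders.

```powershell
# Added example, not from the original post. Assumes the AzureADPreview module.
param(
    [string]$DisplayName  = 'Finance-Dynamic',   # placeholder
    [string]$MailNickname = 'finance-dynamic',   # placeholder
    # A dynamic rule grants membership, and whatever the group can reach, automatically.
    # Match on a bounded attribute such as department rather than a UPN substring.
    [string]$MembershipRule = '(user.department -eq "Finance") -and (user.accountEnabled -eq true)'
)

Connect-AzureAD | Out-Null

# -GroupTypes is a list of strings; one comma-joined string is a single invalid value.
$types = [System.Collections.Generic.List[string]]@('Unified', 'DynamicMembership')

try {
    $group = New-AzureADMSGroup -DisplayName $DisplayName -Description 'Dynamic Microsoft 365 group' `
        -MailEnabled $true -MailNickname $MailNickname -SecurityEnabled $false `
        -GroupTypes $types -MembershipRule $MembershipRule -MembershipRuleProcessingState 'On'
}
catch {
    # Fallback, same as the accepted workaround: create Unified, then flip on dynamic membership.
    Write-Warning "Single-call creation failed ($($_.Exception.Message)); creating as Unified then updating"
    $group = New-AzureADMSGroup -DisplayName $DisplayName -Description 'Dynamic Microsoft 365 group' `
        -MailEnabled $true -MailNickname $MailNickname -SecurityEnabled $false -GroupTypes 'Unified'
    Set-AzureADMSGroup -Id $group.Id -GroupTypes $types `
        -MembershipRule $MembershipRule -MembershipRuleProcessingState 'On'
}

# Verify: GroupTypes must list both values and processing must be On, or the rule never runs.
Get-AzureADMSGroup -Id $group.Id |
    Select-Object DisplayName, Id, GroupTypes, MembershipRule, MembershipRuleProcessingState
```

Check the MembershipRule on the read-back before sharing anything with the group: the rule in the question, `user.userPrincipalName -contains "..."`, is a substring match, and a short or common substring will pull in accounts you did not intend.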

O365 PowerShell: Find users that have specific product license services enabled

I'm using the following article, View account license and service details with Office 365 PowerShell, to try to obtain a report of all users in our tenant where the product license Office 365 Enterprise E3 is assigned but with only the service Exchange Online (Plan 2) enabled.
The article suggests this can be done with a command similar to the following:
Get-MsolUser |
Where-Object {
$_.isLicensed -eq $true
-and $_.Licenses[0].ServiceStatus[16].ProvisioningStatus -eq "Enabled"
}
In my case, [16] is the 17th service in the list for Office 365 Enterprise E3.
There are additional lines before this to set the criteria for the rest of the services as "disabled", but hopefully you get the idea. However, the article also states that the index number reflects the order in which the product license and service plan appear when running either of the below script blocks:
Licenses:
Get-MsolUser -UserPrincipalName o365.test1@tenant.com | Format-List DisplayName,Licenses
Services:
(Get-MsolUser -UserPrincipalName o365.test2@tenant.com).Licenses.ServiceStatus
The issue with the above is that many users have different combinations of plans enabled so for some, a license index of [0] would refer to a different service plan. e.g. user1 has Visio Online Plan 2 and Office 365 Enterprise E3 product licenses assigned but user2 only Office 365 Enterprise E3. Index [0] in this instance would be different making the initial script block useless in finding all users with a specific service enabled regardless of combination of product licenses assigned.
Am I missing something here?
Not really sure how I missed it in my searches, but the following will provide the information I require without the need to script it: Office 365 License Reporting and Management Tool - Assign Remove Licenses in Bulk
I know it's a bit old, but today I had exactly the same problem and managed to write a quick function which does just what you asked for.
[cmdletbinding()]
param (
    # Provide service name e.g. SWAY
    [Parameter(Mandatory)]
    [string]$Service,
    # Specifies whether to search for an enabled or disabled service. Success = enabled.
    [Parameter(Mandatory)]
    [ValidateSet("Success","Disabled")]
    [string]$Status
)
# Walk every user; the plan is matched by ServiceName, so its index position does not matter.
foreach ($User in ($Users = Get-MsolUser -All)) {
    $ServiceStatus = $User.Licenses.ServiceStatus
    $ProvisionName = $ServiceStatus | Where-Object { $_.ServicePlan.ServiceName -eq $Service }
    $Data = [PSCustomObject]@{
        "USER"     = $User.UserPrincipalName
        "Software" = $ProvisionName.ServicePlan.ServiceName
        "Status"   = $ProvisionName.ProvisioningStatus
    }
    $Data | Where-Object { $_.Status -eq $Status }
}