Create Office 365 Groups Naming Policy


As we see greater interest from our clients in Teams, I’ve turned my attention to Office 365 groups administration, specifically on groups naming policy.

To create a naming policy for groups in your Office 365 tenant, you’ll need to use PowerShell.

I followed these instructions to view the current naming policy settings in my tenant by typing the following command:

$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id

I expected to get some values, but I got this wonderful error instead:

[Screenshot: O365GroupNamingPolicySettingsError]

So, where did I go from here?

I started to break down the command above by running just Get-AzureADDirectorySetting.

It returned nothing. This tells me that there are no settings currently in place.

So, I had to configure the groups settings in my Office 365 tenant.

To do that, I could get the available template IDs by typing Get-AzureADDirectorySettingTemplate or use the DisplayName value for “Group.Unified”.

[Screenshot: AzureADTemplateSettings]

To Create a Naming Policy

I followed these steps to complete the creation of my naming policy:

  1. Create a new settings object for the Group.Unified template
  2. Configure the object to allow guests access (You could apply additional settings or leave this step out completely.)
  3. Set my settings to the new object

[Screenshot: GroupsSettings]

I applied the groups naming policy as seen in the below screenshot.

[Screenshot: O365GroupNamingPolicySettings2]

In OWA, I could see the new settings in effect. Be sure to use an account not in these administrator roles: Global Admin, Partner Tier 1 and 2 Support, User Account Admin, or Directory Writers to test the policy.

[Screenshot: O365GroupNameOWA]

In summary, creating a naming policy can help users identify and categorize groups in the address book and enforce a consistent naming standard for Office 365 groups in your organization.

The naming policy is applied to groups created in Outlook, Microsoft Teams, SharePoint, Planner, Microsoft Stream, Dynamics 365 for Customer Engagement, Power BI, and many others.

Azure Active Directory (Azure AD) attributes are used in the creation of this policy. The supported attributes are [Department], [Company], [Office], [StateOrProvince], [CountryOrRegion], and [Title].

If you include these attributes in your naming policy, keep in mind that the total length of these prefixes and suffixes is restricted to 53 characters.
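The three steps above as one script, added here as an example and not the code from the post's screenshots. It assumes the AzureADPreview module and an existing Connect-AzureAD session; the prefix and suffix are constructed sample values, and the length check counts both strings as typed. It also handles the case where no Group.Unified settings object exists yet.

```powershell
# Added example: requires the AzureADPreview module and a Connect-AzureAD session.
# $Prefix and $Suffix are constructed sample values, not taken from the post.
$Prefix = 'GRP_'
$Suffix = '_[Department]'

# Prefix and suffix together are restricted to 53 characters (assumption: counted as typed).
$Total = $Prefix.Length + $Suffix.Length
if ($Total -gt 53) {
    throw "Prefix and suffix total $Total characters; the limit is 53."
}

# Look up the settings object without -Id, so a tenant with no settings
# yields $null instead of a parameter-binding error.
$Setting = Get-AzureADDirectorySetting |
    Where-Object -Property DisplayName -EQ -Value 'Group.Unified'
$IsNew = $null -eq $Setting

if ($IsNew) {
    # Step 1: create a new settings object from the Group.Unified template.
    $Template = Get-AzureADDirectorySettingTemplate |
        Where-Object -Property DisplayName -EQ -Value 'Group.Unified'
    $Setting = $Template.CreateDirectorySetting()
}

# Step 2: allow guest access (optional), then define the naming policy.
$Setting['AllowToAddGuests'] = $true
$Setting['PrefixSuffixNamingRequirement'] = $Prefix + '[GroupName]' + $Suffix

# Step 3: write the object to the tenant. New- for a first-time
# configuration, Set- when a settings object already exists.
if ($IsNew) {
    New-AzureADDirectorySetting -DirectorySetting $Setting
} else {
    Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting
}

# Read back the values the tenant now holds.
(Get-AzureADDirectorySetting |
    Where-Object -Property DisplayName -EQ -Value 'Group.Unified').Values |
    Where-Object Name -In 'AllowToAddGuests', 'PrefixSuffixNamingRequirement'
```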

Thanks for reading!


Office 365 – Sharing with External Users


When it comes to collaborating, Office 365 allows colleagues to check availability in Outlook, schedule a Skype for Business meeting, and share files in SharePoint, OneDrive for Business, or Office 365 Groups. While sharing within your own organization is fairly simple, sharing with external users requires some planning. External users can be anyone outside your organization; this can include partners and customers. Technically, an external user is a user who does not have an account registered or licensed in your Office 365 tenant.

There are two types of external users – authenticated and anonymous.

Authenticated users are users with a Microsoft account from another Office 365 subscription.  Authenticated users can have the same permissions as any of the internal users within your organization.  You can assign a license to them.

Anonymous users are users who can access a folder or document via a shareable link.  Anonymous users can view, edit, or upload to the folder without having to log in with a username or password.  Anonymous users cannot access sites, and you cannot assign licenses to them.

Where do you start?

Before you can start allowing external users to access your data, you should consider the existing policies set by your organization.  Some of these policies may include:

  • Is external sharing allowed for anyone (anonymous) or just authenticated users?
  • Which domains should be allowed or blocked in Skype for Business?
  • What types of content cannot or should not be stored in O365?
  • Who can (and should) extend an invitation to an external user?

You may also find that your organization does not have policies in place that address the sharing of content with external users except through e-mail.  If this applies to your organization, it’s important that your Office 365 tenant is configured to limit external sharing until the proper policies and controls can be put into place, thus limiting the risk to the organization.

What are some of the security risks?

While external sharing is a great way to extend your organization to your partners, suppliers, and perhaps even your customers, there are risks that must be accounted for. Some of those risks include:

  • Accidental sharing of sensitive content
  • External users with full control might be able to share content with other unintended external users
  • Changes made by anonymous users cannot be tracked

While these risks, and potentially others, apply to your organization, there are processes, settings, and tools within Office 365 that can mitigate the risks and protect your corporate assets and intellectual property.

  • Implement and enforce governance for external sharing
  • Consider using Azure Rights Management (RMS) to encrypt and restrict sharing of the data
  • Implement Data Loss Prevention (DLP) policies to automatically detect sensitive data
  • Send links, not attachments
  • Grant minimum level of permissions to external users
  • Disable external sharing on site collections with sensitive data
  • Disable anonymous sharing
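The last two mitigations in the list, as they could be applied to SharePoint Online and OneDrive for Business. This is an added example, not part of the original post; it assumes the SharePoint Online Management Shell and an existing Connect-SPOService session, and the site URLs are constructed placeholders.

```powershell
# Added example: requires the SharePoint Online Management Shell and a
# Connect-SPOService session. The URLs below are constructed placeholders.
$SensitiveSites = @(
    'https://contoso.sharepoint.com/sites/finance',
    'https://contoso.sharepoint.com/sites/legal'
)

# Disable anonymous sharing tenant-wide: external users must authenticate.
# (ExternalUserAndGuestSharing is the value that permits anonymous links.)
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# Disable external sharing on site collections that hold sensitive data.
# A site can be more restrictive than the tenant, never more permissive.
foreach ($Url in $SensitiveSites) {
    Set-SPOSite -Identity $Url -SharingCapability Disabled
}

# Review what remains: every site collection that still allows some form
# of external sharing, grouped by how permissive it is.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne 'Disabled' } |
    Sort-Object SharingCapability, Url |
    Select-Object Url, SharingCapability, Owner
```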

What can you share?

External sharing can be configured separately for the different capabilities in Office 365, but primarily for SharePoint Online, OneDrive for Business, Outlook, Skype for Business, and Office 365 Groups.

SharePoint Online and OneDrive for Business: you can share an entire site, lists and libraries, and documents.  Keep in mind that the external users will need to authenticate to see all of these items while anonymous users can only see documents.  Additionally, SharePoint gives you the ability to limit users who can share with external users.

[Screenshot: SharePointOneDriveSharing]

Office 365 Groups:

  • Conversations – no access to conversation history, but may participate by receiving an e-mail sent to the distribution list
  • Files, Notebook, and Site – you can share an entire site, lists and libraries, and documents
  • Calendar – no access

[Screenshot: Office365GroupsSharing]

Exchange (Calendar): you can share free/busy information with time only, with subject and location, or full details

[Screenshot: CalendarSharing]

Skype for Business: you can schedule meetings or chat

[Screenshot: SkypeforBusinessSharing]

When it comes to sharing, or collaborating with partners and customers, it is critical to include external sharing as part of your Office 365 governance and security planning. Remember that a governance plan is not a guarantee of security compliance; users and administrators must observe and follow good practices and policies to minimize the risks.