A new version of the WAAD PowerShell module brings support for “settings” for Azure AD objects

A new version of the Microsoft Azure Active Directory (WAAD) PowerShell module has been released, namely version 1.1.117.0. This version falls in the Preview “branch”, i.e. the one that has support for Modern authentication.

The first thing this update does is bring over some of the cmdlets that have been available for a while in the “GA” version of the module, such as:

Get-MsolDirSyncFeatures
Set-MsolDirSyncFeature
Disable-MsolDevice
Enable-MsolDevice
Get-MsolDevice
Remove-MsolDevice
Get-MsolDeviceRegistrationServicePolicy
Set-MsolDeviceRegistrationServicePolicy

In addition, some bugfixes have been rolled out. For example, the token cache is now properly cleared when Connect-MsolService is called (previously this caused issues when switching between accounts in the same tenant).

Of course, there are some entirely new bits as well. Those are focused around the new concept of “settings” that are stored in Azure AD and can be used to configure different functionalities for a given object type. The available object types in Azure AD are Groups, Users, ServicePrincipals, Applications, and Devices and the cmdlets in question are:

Get-MsolAllSettings
Get-MsolAllSettingTemplate
Get-MsolSettings
Get-MsolSettingTemplate
New-MsolSettings
Remove-MsolSettings
Set-MsolSettings

For now, the only object type that takes advantage of these “settings” is Office 365 groups. Indeed, this is immediately visible with the Get-MsolAllSettingTemplate cmdlet:

[15:08:41][O365]# Get-MsolAllSettingTemplate

ObjectId                             DisplayName         Description
--------                             -----------         -----------
62375ab9-6b52-47ed-826b-58e47e0e304b Group.Unified       ...
08d542b9-071f-4e16-94b0-74abb372e3d9 Group.Unified.Guest Settings for a specific Unified Group

Let’s take a look at the actual template for Groups. To do so, we can use the Get-MsolSettingTemplate cmdlet:

[15:15:46][O365]# Get-MsolSettingTemplate -TemplateId 62375ab9-6b52-47ed-826b-58e47e0e304b | fl

ObjectId    : 62375ab9-6b52-47ed-826b-58e47e0e304b
DisplayName : Group.Unified
Description : Setting templates define the different settings that can be used for the associated ObjectSettings. This template defines
              settings that can be used for Unified Groups.
Values      : {GroupCreationAllowedGroupId, AllowToAddGuests, UsageGuidelinesUrl, ClassificationList...}

And if we want to take a look at the actual configurable parameters for the template:

[15:15:53][O365]# Get-MsolSettingTemplate -TemplateId 62375ab9-6b52-47ed-826b-58e47e0e304b | select -ExpandProperty Values

Name                        Description                                                                                  Type           DefaultValue
----                        -----------                                                                                  ----           ------------
GroupCreationAllowedGroupId Guid of the security group that is always allowed to create Unified Groups.                  System.Guid
AllowToAddGuests            Flag indicating if guests are allowed in any Unified Group.                                  System.Boolean true
UsageGuidelinesUrl          A link to the Group Usage Guidelines.                                                        System.String
ClassificationList          A comma-delimited list of valid classification values that can be applied to Unified Groups. System.String
EnableGroupCreation         Flag indicating if group creation feature is on.                                             System.Boolean true

Based on the template, we can configure a new set of “settings” and control some of the aspects of the Group functionality in Office 365. If you look at the output above, you can see that several settings are available, namely controlling group creation (via the EnableGroupCreation and GroupCreationAllowedGroupId parameters), controlling external/guest access to the group (AllowToAddGuests), configuring a link to the guidelines for group usage (UsageGuidelinesUrl) and providing a list of classifications (ClassificationList). For example, here’s how to limit group creation to only members of a specific security group:

[15:25:50][O365]# $setting = (Get-MsolSettingTemplate -TemplateId 62375ab9-6b52-47ed-826b-58e47e0e304b).CreateSettingsObject()
[15:26:52][O365]# $setting["EnableGroupCreation"] = "False"
[15:27:53][O365]# $setting["GroupCreationAllowedGroupId"] = "ad895142-6514-49d5-ab16-31d6cfeb17d5"
[15:28:19][O365]# $setting.Values

Name                        Value
----                        -----
GroupCreationAllowedGroupId Ad895142-6514-49d5-ab16-31d6cfeb17d5
AllowToAddGuests            True
UsageGuidelinesUrl
ClassificationList
EnableGroupCreation         False

[15:28:26][O365]# New-MsolSettings -SettingsObject $setting

ObjectId                             DisplayName TemplateId                           Values
--------                             ----------- ----------                           ------
dbaac651-1324-4af8-9c53-f27a2500ff89             62375ab9-6b52-47ed-826b-58e47e0e304b {GroupCreationAllowedGroupId, AllowToAddGuests, UsageGuidelinesUrl, ClassificationList...}

From top to bottom, we create a new settings object by making a call to the CreateSettingsObject() method of the settings template object, then set the values of “EnableGroupCreation” and “GroupCreationAllowedGroupId”. Like most WAAD cmdlets, the “settings” cmdlets expect you to provide GUIDs for the parameter values most of the time. Once we set the new values, we review them and then use the settings object with the New-MsolSettings cmdlet.

After we have created a set or two of new “settings” based on some template, we can enumerate them using the Get-MsolAllSettings cmdlet:

[15:30:23][O365]# Get-MsolAllSettings

ObjectId                             DisplayName   TemplateId                           Values
--------                             -----------   ----------                           ------
dbaac651-1324-4af8-9c53-f27a2500ff89 Group.Unified 62375ab9-6b52-47ed-826b-58e47e0e304b {GroupCreationAllowedGroupId, AllowToAddGuests, UsageGuidelinesUrl, ClassificationList...}

Or work with the Get/Set/Remove-MsolSettings cmdlets to view/change/remove the “settings” object, respectively.
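To review what these settings mean for a tenant, here is an added example (not part of the module or of the original post) that checks Group.Unified settings objects for the five values listed in the template. The function name Get-GroupSettingsFinding is hypothetical, the sample object is constructed from the IDs shown above, and the input is assumed to have the shape of the Get-MsolAllSettings output (ObjectId, TemplateId, and Values as Name/Value pairs).

```powershell
# Added example. Input objects are assumed to look like the Get-MsolAllSettings
# output above: ObjectId, TemplateId, and Values as Name/Value pairs.
function Get-GroupSettingsFinding {
    param(
        [object[]]$Settings,
        # Group.Unified template ID, as listed by Get-MsolAllSettingTemplate
        [string]$TemplateId = '62375ab9-6b52-47ed-826b-58e47e0e304b'
    )
    $groupSettings = @($Settings | Where-Object { "$($_.TemplateId)" -eq $TemplateId })
    if ($groupSettings.Count -eq 0) {
        # Nothing is stored in the directory, so the template defaults are in force.
        'No Group.Unified settings object: template defaults apply (EnableGroupCreation=true, AllowToAddGuests=true)'
        return
    }
    foreach ($s in $groupSettings) {
        # Flatten the Name/Value pairs into a lookup table of trimmed strings.
        $v = @{}
        foreach ($pair in $s.Values) { $v[$pair.Name] = "$($pair.Value)".Trim() }
        $id = $s.ObjectId
        if ($v['EnableGroupCreation'] -ne 'False') {
            "[$id] EnableGroupCreation is on: group creation is not restricted"
        } elseif (-not $v['GroupCreationAllowedGroupId']) {
            "[$id] creation is off but GroupCreationAllowedGroupId is empty: no security group is exempted"
        }
        if ($v['AllowToAddGuests'] -ne 'False') { "[$id] AllowToAddGuests is on: guests can be added to any group" }
        if (-not $v['UsageGuidelinesUrl']) { "[$id] UsageGuidelinesUrl is empty" }
        if (-not $v['ClassificationList']) { "[$id] ClassificationList is empty" }
    }
}

# Constructed sample mirroring the settings object created in this post.
$sample = [pscustomobject]@{
    ObjectId   = 'dbaac651-1324-4af8-9c53-f27a2500ff89'
    TemplateId = '62375ab9-6b52-47ed-826b-58e47e0e304b'
    Values     = @(
        [pscustomobject]@{ Name = 'GroupCreationAllowedGroupId'; Value = 'ad895142-6514-49d5-ab16-31d6cfeb17d5' }
        [pscustomobject]@{ Name = 'AllowToAddGuests';            Value = 'True' }
        [pscustomobject]@{ Name = 'UsageGuidelinesUrl';          Value = '' }
        [pscustomobject]@{ Name = 'ClassificationList';          Value = '' }
        [pscustomobject]@{ Name = 'EnableGroupCreation';         Value = 'False' }
    )
}

Get-GroupSettingsFinding -Settings $sample   # findings for the configured object
Get-GroupSettingsFinding -Settings @()       # tenant with no settings object yet
# Against a live tenant: Get-GroupSettingsFinding -Settings (Get-MsolAllSettings)
```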
