A new version of the Microsoft Azure Active Directory (WAAD) PowerShell module has been released, namely version 1.1.117.0. This version falls in the Preview “branch”, i.e. the one that has support for Modern authentication.
The first thing this update does is to bring some of the cmdlets that have been available for a while in the “GA” version of the module, such as:
Get-MsolDirSyncFeatures Set-MsolDirSyncFeature Disable-MsolDevice Enable-MsolDevice Get-MsolDevice Remove-MsolDevice Get-MsolDeviceRegistrationServicePolicy Set-MsolDeviceRegistrationServicePolicy
In addition, some bugfixes have been rolled out, for example the token cache is now properly cleared when one calls Connect-MsolService (previously this was causing issues when switching between accounts in the same tenant).
Of course, there are some entirely new bits as well. Those are focused around the new concept of “settings” that are stored in Azure AD and can be used to configure different functionalities for a given object type. The available object types in Azure AD are Groups, Users, ServicePrincipals, Applications, and Devices and the cmdlets in question are:
Get-MsolAllSettings Get-MsolAllSettingsTemplate Get-MsolSettings Get-MsolSettingsTemplate New-MsolSettings Remove-MsolSettings Set-MsolSettings
For now, the only object type that takes advantage of these “settings” are Office 365 groups. Indeed, this is immediately visible with the Get-MsolAllSettingTemplate cmdlet:
[15:08:41][O365]# Get-MsolAllSettingTemplate ObjectId DisplayName Description ------- ----------- ----------- 62375ab9-6b52-47ed-826b-58e47e0e304b Group.Unified ... 08d542b9-071f-4e16-94b0-74abb372e3d9 Group.Unified.Guest Settings for a specific Unified Group
Let’s take a look at the actual template for Groups. To do so, we can use the Get-MsolSettingTemplate cmdlet:
[15:15:46][O365]# Get-MsolSettingTemplate -TemplateId 62375ab9-6b52-47ed-826b-58e47e0e304b | fl ObjectId : 62375ab9-6b52-47ed-826b-58e47e0e304b DisplayName : Group.Unified Description : Setting templates define the different settings that can be used for the associated ObjectSettings. This template defines settings that can be used for Unified Groups. Values : {GroupCreationAllowedGroupId, AllowToAddGuests, UsageGuidelinesUrl, ClassificationList...}
And if we want to take a look at the actual configurable parameters for the template:
[15:15:53][O365]# Get-MsolSettingTemplate -TemplateId 62375ab9-6b52-47ed-826b-58e47e0e304b | select -ExpandProperty Values Name Description Type DefaultValue ---- ----------- ---- ------------ GroupCreationAllowedGroupId Guid of the security group that is always allowed to create Unified Groups. System.Guid AllowToAddGuests Flag indicating if guests are allowed in any Unified Group. System.Boolean true UsageGuidelinesUrl A link to the Group Usage Guidelines. System.String ClassificationList A comma-delimited list of valid classification values that can be applied to Unified Groups. System.String EnableGroupCreation Flag indicating if group creation feature is on. System.Boolean true
Based on the template, we can configure a new set of “settings” and control some of the aspects of the Group functionality in Office 365. If you look at the output above, you can see that several settings are available, namely controlling group creation (via the EnableGroupCreation and GroupCreationAllowedGroupId parameters), controlling external/guest access to the group (AllowToAddGuests), configuring a link to the guidelines for group usage (UsageGuidelinesUrl) and providing a list of classifications (ClassificationList). For example, here’s how to limit group creation to only members of a specific security group:
[15:25:50][O365]# $setting = (Get-MsolSettingTemplate -TemplateId 62375ab9-6b52-47ed-826b-58e47e0e304b).CreateSettingsObject() [15:26:52][O365]# $setting["EnableGroupCreation"] = "False" [15:27:53][O365]# $setting["GroupCreationAllowedGroupId"] = "ad895142-6514-49d5-ab16-31d6cfeb17d5" [15:28:19][O365]# $setting.Values Name Value ---- ----- GroupCreationAllowedGroupId Ad895142-6514-49d5-ab16-31d6cfeb17d5 AllowToAddGuests True UsageGuidelinesUrl ClassificationList EnableGroupCreation False [15:28:26][O365]# New-MsolSettings -SettingsObject $setting ObjectId DisplayName TemplateId Values -------- ----------- ---------- ------ dbaac651-1324-4af8-9c53-f27a2500ff89 62375ab9-6b52-47ed-826b-58e47e0e304b {GroupCreationAllowedGroupId, AllowToAddGuests, UsageGuidelinesUrl, ClassificationList...}
From top to bottom, we create a new settings object by making a call to the CreateSettingsObject() method of the settings template object, then set the values of “EnableGroupCreation” and “GroupCreationAllowedGroupId”. Like most WAAD cmdlets, the “settings” cmdlets expect you to provide GUIDs for the parameter values most of the time. Once we set the new values, we review them and then use the settings object with the New-MsolSettings cmdlet.
After we have created a set or two of new “settings” based on some template, we can enumerate them using the Get-MsolAllSettings cmdlet:
[15:30:23][O365]# Get-MsolAllSettings ObjectId DisplayName TemplateId Values -------- ----------- ---------- ------ dbaac651-1324-4af8-9c53-f27a2500ff89 Group.Unified 62375ab9-6b52-47ed-826b-58e47e0e304b {GroupCreationAllowedGroupId, AllowToAddGuests, UsageGuidelinesUrl, ClassificationList...}
Or work with the Get/Set/Remove-MsolSettings cmdlet to view/change/remove the “settings” object, respectively.