Background

In part 1 of my Office 365 group management blog (link), we covered how to manage the Send As permission for an O365 group. In part 2, we cover how to manage additional O365 group settings.

Solution

Using PowerShell, we have created a tool that lets an end user manage a number of O365 group settings through an interactive GUI window that lists the modifiable settings. The O365 Group Management script captures the UPN of the logged-in user and searches for any O365 groups that user manages. By returning only the groups a user manages, we ensure that users can modify only the groups they manage.

Note: You can limit the scope of groups end-users can manage in O365 by creating RBAC rules in Exchange Online. In a later post, I demonstrate how to create RBAC rules for O365 groups.
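
The ownership filter described above matches the logged-in user's display name against each group's ManagedBy list. The following added example (not part of the original script) runs that comparison next to a comparison on the UPN over constructed data; the sample accounts, the groups, the OwnerUpn property and both function names are assumptions made for illustration.

```powershell
# Constructed directory data: two different accounts share one display name.
$Directory = @(
    [pscustomobject]@{ UserPrincipalName = 'alex.kim@contoso.example';  DisplayName = 'Alex Kim' }
    [pscustomobject]@{ UserPrincipalName = 'alex.kim2@contoso.example'; DisplayName = 'Alex Kim' }
    [pscustomobject]@{ UserPrincipalName = 'sam.lee@contoso.example';   DisplayName = 'Sam Lee' }
)

# Constructed groups. ManagedBy holds display names, as the comparison in the
# script assumes; OwnerUpn is a hypothetical property holding each owner's UPN
# (in a tenant it could be resolved with Get-UnifiedGroupLinks -LinkType Owners).
$SampleGroups = @(
    [pscustomobject]@{ DisplayName = 'Finance';  ManagedBy = @('Alex Kim'); OwnerUpn = @('alex.kim@contoso.example') }
    [pscustomobject]@{ DisplayName = 'Helpdesk'; ManagedBy = @('Sam Lee');  OwnerUpn = @('sam.lee@contoso.example') }
)

function Get-ManagedGroupByName {
    param([string]$Upn, [object[]]$Directory, [object[]]$Groups)
    # Same logic as the script: UPN -> display name -> compare with ManagedBy
    $name = ($Directory | Where-Object { $_.UserPrincipalName -eq $Upn }).DisplayName
    $Groups | Where-Object { $_.ManagedBy -contains $name }
}

function Get-ManagedGroupByUpn {
    param([string]$Upn, [object[]]$Groups)
    # Compare on the unique identifier instead of the display name
    $Groups | Where-Object { $_.OwnerUpn -contains $Upn }
}

# Show, per user, which groups each filter would offer in the drop-down
foreach ($user in $Directory) {
    $upn = $user.UserPrincipalName
    [pscustomobject]@{
        User   = $upn
        ByName = (Get-ManagedGroupByName -Upn $upn -Directory $Directory -Groups $SampleGroups).DisplayName -join ', '
        ByUpn  = (Get-ManagedGroupByUpn -Upn $upn -Groups $SampleGroups).DisplayName -join ', '
    }
}
```

For alex.kim2@contoso.example the name-based filter lists Finance even though that account is not an owner, while the UPN-based filter lists nothing.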

Integrating the O365 Group Management PowerShell script is fairly straightforward. To implement it, follow the steps below.

  • Copy all content in the script section and save it as a .PS1 file under your file share location
  • Change line 1 to a file share location
  • Change line 2 to a file share location
  • Change line 3 to an administrator account in your organization
  • Perform a find and replace, changing the text \\fileshare\Backups\Temp\Services
    to your file share location
  • I recommend converting the PS1 file to an .exe before providing the solution to end-users (link)

Result

The first time you run the script, you will be prompted to enter the admin account password.

The GUI window with the O365 group management features will appear after connecting to the Office 365 services.

In the Select O365 Group window, select the group that you are a manager of.

Once the group is selected, choose which setting you want to modify. In this example, I’ve selected Hide from GAL.


The text box will notify the user that the O365 Group Management script is attempting to make the change.

Once the change has been made, the text box will notify the user that the requested change was successful.

Log File

A log file tracks whether each module loaded successfully. The log file can be found under \\fileshare\location\temp\O365Group.log.

Script

$logfile = ("\\fileshare\location\temp\O365Group.log")
$PasswordFile = "\\fileshare\location\temp\cred.txt"
$AdminAccount = "admin@domain.com"
$Groups = @()
$Sender = @()

$Box = new-object -comobject wscript.shell
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")

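function log {
    param (
        [String]$text,
        [Switch]$fout
    )
    #Append the message to the log file
    Add-Content $logfile $text
    #Console output is shown only if $showConsoleOutput is set; this script does not set it
    if ($showConsoleOutput) {
        if ($fout) {
            Write-Host $text -ForegroundColor Red
        }
        else {
            Write-Host $text -ForegroundColor Green
        }
    }
}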

log -text "-----$(Get-Date) Services - $($env:USERNAME) on $($env:COMPUTERNAME) starting-----"

function SendAs {
    $O365Group = $DropDownBox.SelectedItem.ToString()
    #Dialog box header information
    $titleSender = 'Sender'
    $msgSender   = 'Please Enter the senders name'
    #Mail account that will be given send as rights
    $SenderName = [Microsoft.VisualBasic.Interaction]::InputBox($msgSender, $titleSender)

    #Get O365 group information
    $groupsRecipientDetails = Get-Recipient -RecipientTypeDetails groupmailbox -Identity $O365Group
    log -text "----- Attempting to provide $SenderName SendAs permission to group $O365Group"
    $outputBox.text = "----- Attempting to provide $SenderName SendAs permission to group $O365Group"

    #Try to add send as permissions
    Try {
        Add-RecipientPermission -Identity $groupsRecipientDetails.Name -Trustee $SenderName -AccessRights SendAs -Confirm:$False -ErrorAction Stop
        $outputBox.text = "----- Added $SenderName SendAs permission to group $O365Group"
        log -text "----- Added $SenderName SendAs permission to group $O365Group"
    }
    Catch {
        $outputBox.text = "----- FAILED to add $SenderName SendAs permission to group $O365Group"
        log -text "----- FAILED to add $SenderName SendAs permission to group $O365Group"
    }
}

function SendOnBehalf {
    $O365Group = $DropDownBox.SelectedItem.ToString()
    #Dialog box header information
    $titleSender = 'Sender'
    $msgSender   = 'Please Enter the senders name'
    #Mail account that will be given send on behalf rights
    $SenderName = [Microsoft.VisualBasic.Interaction]::InputBox($msgSender, $titleSender)

    #Get O365 group information
    $groupsRecipientDetails = Get-Recipient -RecipientTypeDetails groupmailbox -Identity $O365Group
    log -text "----- Attempting to provide $SenderName send on behalf permission to group $O365Group"
    $outputBox.text = "----- Attempting to provide $SenderName send on behalf permission to group $O365Group"

    #Try to add send on behalf permissions
    #Note: passing a plain value replaces the existing list; @{Add=$SenderName} would append to it
    Try {
        Set-UnifiedGroup -Identity $groupsRecipientDetails.Name -GrantSendOnBehalfTo $SenderName -ErrorAction Stop
        $outputBox.text = "----- Added $SenderName Send on behalf permission to group $O365Group"
        log -text "----- Added $SenderName Send on behalf permission to group $O365Group"
    }
    Catch {
        $outputBox.text = "----- FAILED to add $SenderName send on behalf permission to group $O365Group"
        log -text "----- FAILED to add $SenderName send on behalf permission to group $O365Group"
    }
}

function HideFromGAL {
    $O365Group = $DropDownBox.SelectedItem.ToString()
    #Get O365 group information
    $groupsRecipientDetails = Get-Recipient -RecipientTypeDetails groupmailbox -Identity $O365Group
    log -text "----- Attempting to hide $O365Group from GAL"
    $outputBox.text = "----- Attempting to hide $O365Group from GAL"
    #Try to hide group from the GAL
    Try {
        Set-UnifiedGroup -Identity $groupsRecipientDetails.Name -HiddenFromAddressListsEnabled:$True -ErrorAction Stop
        $outputBox.text = "----- Hide $O365Group from GAL"
        log -text "----- Hide $O365Group from GAL"
    }
    Catch {
        $outputBox.text = "----- FAILED to Hide $O365Group from GAL"
        log -text "----- FAILED to Hide $O365Group from GAL"
    }
}

function UnHideFromGAL {
    $O365Group = $DropDownBox.SelectedItem.ToString()
    #Get O365 group information
    $groupsRecipientDetails = Get-Recipient -RecipientTypeDetails groupmailbox -Identity $O365Group
    log -text "----- Attempting to unhide $O365Group from GAL"
    $outputBox.text = "----- Attempting to unhide $O365Group from GAL"
    #Try to unhide group from the GAL
    Try {
        Set-UnifiedGroup -Identity $groupsRecipientDetails.Name -HiddenFromAddressListsEnabled:$False -ErrorAction Stop
        $outputBox.text = "----- Unhide $O365Group from GAL"
        log -text "----- Unhide $O365Group from GAL"
    }
    Catch {
        $outputBox.text = "----- FAILED to Unhide $O365Group from GAL"
        log -text "----- FAILED to Unhide $O365Group from GAL"
    }
}

function HideGroupMembership {
    $O365Group = $DropDownBox.SelectedItem.ToString()
    #Get O365 group information
    $groupsRecipientDetails = Get-Recipient -RecipientTypeDetails groupmailbox -Identity $O365Group
    log -text "----- Attempting to hide $O365Group group membership"
    $outputBox.text = "----- Attempting to hide $O365Group group membership"
    #Try to hide group membership
    Try {
        Set-UnifiedGroup -Identity $groupsRecipientDetails.Name -HiddenGroupMembershipEnabled:$true -ErrorAction Stop
        $outputBox.text = "----- Hide $O365Group membership from GAL"
        log -text "----- Hide $O365Group membership from GAL"
    }
    Catch {
        $outputBox.text = "----- FAILED to Hide $O365Group membership from GAL"
        log -text "----- FAILED to Hide $O365Group membership from GAL"
    }
}

function CalendarReadOnly {
    $O365Group = $DropDownBox.SelectedItem.ToString()
    #Get O365 group information
    $groupsRecipientDetails = Get-Recipient -RecipientTypeDetails groupmailbox -Identity $O365Group
    log -text "----- Attempting to set calendar read only for group $O365Group"
    $outputBox.text = "----- Attempting to set calendar read only for group $O365Group"
    #Try to set the group calendar to read only for members
    Try {
        Set-UnifiedGroup -Identity $groupsRecipientDetails.Name -CalendarMemberReadOnly -ErrorAction Stop
        $outputBox.text = "----- Set calendar read only for group $O365Group"
        log -text "----- Set calendar read only for group $O365Group"
    }
    Catch {
        $outputBox.text = "----- FAILED to set calendar read only for group $O365Group"
        log -text "----- FAILED to set calendar read only for group $O365Group"
    }
}

function AllowSenders {
    $O365Group = $DropDownBox.SelectedItem.ToString()
    #Dialog box header information
    $titleSender = 'Sender'
    $msgSender   = 'Please Enter the senders names. Example user@domain.com, user2@domain.com'
    #Mail accounts that will be allowed to send to the group
    $SenderName = [Microsoft.VisualBasic.Interaction]::InputBox($msgSender, $titleSender)

    #What users can send to the group
    $groupsRecipientDetails = Get-Recipient -RecipientTypeDetails groupmailbox -Identity $O365Group
    log -text "----- Attempting to set the allow message only sent to $O365Group"
    $outputBox.text = "----- Attempting to set the allow message only sent to $O365Group"
    #Try to set the allowed senders
    Try {
        #Split the comma-separated input into trimmed, non-empty addresses
        $SenderList = $SenderName.Split(",") | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        foreach ($Sender in $SenderList) {
            Set-UnifiedGroup -Identity $groupsRecipientDetails.Name -AcceptMessagesOnlyFromSendersOrMembers @{add=$Sender} -ErrorAction Stop
        }
        #Report every sender that was added, not only the last one
        $outputBox.text = "----- Allowed $($SenderList -join ', ') to email $O365Group group"
        log -text "----- Allowed $($SenderList -join ', ') to email $O365Group group"
    }
    Catch {
        $outputBox.text = "----- FAILED to set the allow message only sent to $O365Group"
        log -text "----- FAILED to set the allow message only sent to $O365Group"
    }
}

function GetAllowSenders {
    $O365Group = $DropDownBox.SelectedItem.ToString()

    #What users can send to the group
    $groupsRecipientDetails = Get-Recipient -RecipientTypeDetails groupmailbox -Identity $O365Group

    Try {
        $List = Get-UnifiedGroup -Identity $groupsRecipientDetails.Name | Ft AcceptMessagesOnlyFromSendersOrMembers -HideTableHeaders | out-string
        $list = $list.trim()
        $outputBox.text = "----- Allowed $List to email $O365Group group"
        log -text "----- Allowed $List to email $O365Group group"
    }
    Catch {
        $outputBox.text = "----- FAILED to get the allowed senders for $O365Group"
        log -text "----- FAILED to get the allowed senders for $O365Group"
    }
}

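#Create the password file on first run
#ConvertFrom-SecureString without -Key protects the file with Windows DPAPI,
#so only the same Windows user on the same computer can read it back
$PasswordFileCheck = Test-Path $PasswordFile
If ($PasswordFileCheck -eq $False) {
    Read-Host -Prompt "Enter Admin Password" -AsSecureString | ConvertFrom-SecureString | Out-File $PasswordFile
    log -text "Created a password file under $PasswordFile"
}
Else {
    log -text "Password file already created under $PasswordFile"
}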

function Online {
    #Connect to Azure & Exchange Online Services
    $Pass = Get-Content $PasswordFile | ConvertTo-SecureString
    $Cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $AdminAccount, $Pass

    Import-Module MSOnline
    $Connect = Connect-MsolService -Credential $Cred -ErrorAction SilentlyContinue -ErrorVariable ProcessError
    If ($ProcessError) {
        log -text "------ Didn't Connect to Office 365 services"
    }
    Else {
        log -text "Connected to Office 365 Services"
    }

    #Note: this connection method relies on Basic authentication, which Microsoft has retired
    #for Exchange Online; current tenants connect with Connect-ExchangeOnline
    #from the ExchangeOnlineManagement module
    $Connect2 = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $Cred -Authentication "Basic" -AllowRedirection -ErrorAction SilentlyContinue -ErrorVariable ProcessError
    If ($ProcessError) {
        log -text "------ Didn't Connect to Exchange Online"
    }
    Else {
        #Import the session only if it was created
        Import-PSSession $Connect2 -DisableNameChecking
        log -text "Connected to Exchange Online"
    }
}

Online

# Convert logged in user's UPN to Displayname
$upn = whoami /upn
log -text "------ User Account $UPN"
$Name = Get-MsolUser -UserPrincipalName $UPN | ft Displayname -HideTableHeaders | Out-String
$name = $Name.trim()

#Get all the O365 groups
$O365Groups = Get-UnifiedGroup

#Loop through all the groups checking the manager of the group against the logged in user
#The comparison is made on the display name, so the match depends on display names being unique
ForEach ($Group in $O365Groups) {
    $Owner = $Group.ManagedBy
    Foreach ($Manager in $Owner) {
        If ($Manager -eq $Name) {
            $Groups += $Group
        }
    }
}


############################################## Start drop down boxes

$Form = New-Object System.Windows.Forms.Form
$Form.Size = New-Object System.Drawing.Size(600,400)
$Form.Text = "O365 Group Management Options"

#Creating Drop down box
$DropDownBox = New-Object System.Windows.Forms.ComboBox
$DropDownBox.Text = "Select O365 Group"
$DropDownBox.Name = "O365 Groups"
$DropDownBox.Location = New-Object System.Drawing.Size(20,50)
$DropDownBox.Size = New-Object System.Drawing.Size(180,20)
$DropDownBox.DropDownHeight = 200
$Form.Controls.Add($DropDownBox)


#Build the list of O365 groups that the logged in user has rights to
foreach ($wks in $Groups) {
    #Items.Add returns the new item's index; discard it so it is not written to the output
    [void]$DropDownBox.Items.Add($wks)
}


#Text box
$outputBox = New-Object System.Windows.Forms.TextBox
$outputBox.Location = New-Object System.Drawing.Size(10,250)
$outputBox.Size = New-Object System.Drawing.Size(500,100)
$outputBox.MultiLine = $True
$outputBox.ScrollBars = "Vertical"
$Form.Controls.Add($outputBox)

#Creating the Send As button
$Button = New-Object System.Windows.Forms.Button
$Button.Location = New-Object System.Drawing.Size(10,100)
$Button.Size = New-Object System.Drawing.Size(100,40)
$Button.Text = "Send As Permissions"
$Button.Add_Click({SendAs})
$Form.Controls.Add($Button)

#Creating the Send on Behalf button
$Button = New-Object System.Windows.Forms.Button
$Button.Location = New-Object System.Drawing.Size(110,100)
$Button.Size = New-Object System.Drawing.Size(100,40)
$Button.Text = "Send on Behalf"
$Button.Add_Click({SendOnBehalf})
$Form.Controls.Add($Button)

#Creating the Calendar read only button
$Button = New-Object System.Windows.Forms.Button
$Button.Location = New-Object System.Drawing.Size(210,100)
$Button.Size = New-Object System.Drawing.Size(100,40)
$Button.Text = "Calendar read only"
$Button.Add_Click({CalendarReadOnly})
$Form.Controls.Add($Button)
$Form.Add_Shown({$Form.Activate()})

#Creating the HideFromGAL button
$Button = New-Object System.Windows.Forms.Button
$Button.Location = New-Object System.Drawing.Size(10,150)
$Button.Size = New-Object System.Drawing.Size(100,40)
$Button.Text = "Hide From GAL"
$Button.Add_Click({HideFromGAL})
$Form.Controls.Add($Button)
$Form.Add_Shown({$Form.Activate()})

#Creating the unHideFromGAL button
$Button = New-Object System.Windows.Forms.Button
$Button.Location = New-Object System.Drawing.Size(110,150)
$Button.Size = New-Object System.Drawing.Size(100,40)
$Button.Text = "Unhide From GAL"
$Button.Add_Click({unHideFromGAL})
$Form.Controls.Add($Button)
$Form.Add_Shown({$Form.Activate()})

#Creating the Hide Group Membership button
$Button = New-Object System.Windows.Forms.Button
$Button.Location = New-Object System.Drawing.Size(210,150)
$Button.Size = New-Object System.Drawing.Size(100,40)
$Button.Text = "Hide Group Members"
$Button.Add_Click({HideGroupMembership})
$Form.Controls.Add($Button)
$Form.Add_Shown({$Form.Activate()})

#Allow only senders
$Button = New-Object System.Windows.Forms.Button
$Button.Location = New-Object System.Drawing.Size(310,150)
$Button.Size = New-Object System.Drawing.Size(100,40)
$Button.Text = "Allow Senders"
$Button.Add_Click({AllowSenders})
$Form.Controls.Add($Button)
$Form.Add_Shown({$Form.Activate()})

#Get Allow only senders
$Button = New-Object System.Windows.Forms.Button
$Button.Location = New-Object System.Drawing.Size(310,100)
$Button.Size = New-Object System.Drawing.Size(100,40)
$Button.Text = "Get Allow Senders"
$Button.Add_Click({GetAllowSenders})
$Form.Controls.Add($Button)
$Form.Add_Shown({$Form.Activate()})

[void] $Form.ShowDialog()

#Clear group information
$Groups = ""