Managing Microsoft 365 Group Settings with PnP PowerShell and Microsoft Graph
Introduction
Managing Microsoft 365 Group settings is crucial for maintaining a compliant and secure environment. PowerShell and Microsoft Graph can be used to configure various group settings, including naming policies, guest access, and more.
As a regular user of PnP PowerShell, I aimed to replicate the functionality of the Microsoft Entra cmdlets for configuring group settings using PnP PowerShell.
Example Script to Update naming policy Settings
The following PowerShell script updates the group naming policy settings using the Microsoft Graph API and PnP PowerShell.
A naming policy helps end users identify the purpose and functionality of an M365 group.
Output of the script
Refer to Microsoft 365 Groups and Microsoft Teams naming policy for more details.
Some administrators are exempt from these policies across all group workloads and endpoints, allowing them to create groups with blocked words and custom naming conventions. The exempted administrator roles include:
- Global admin
- Partner Tier 1 Support
- Partner Tier 2 Support
- User account admin
Example to Update other M365 group settings
The following PowerShell script updates other group settings using the Microsoft Graph API and PnP PowerShell.
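One way to perform the kind of update described here and in the naming policy section above, as an added example that is not the author's script. It assumes `Connect-PnPOnline` has already been run with an identity permitted to write directory settings; the values in `$desired` are constructed samples.

```powershell
# Added example, not the article's script. Assumes Connect-PnPOnline has already
# been run with an identity permitted to read and write directory settings.

# Constructed sample values for illustration; substitute your own policy.
$desired = @{
    PrefixSuffixNamingRequirement = 'Test_[Department][GroupName][Office]'
    CustomBlockedWordsList        = 'Payroll,CEO,HR'
}
$graph = 'https://graph.microsoft.com/v1.0'

# Tenant-wide Microsoft 365 Group settings live in the "Group.Unified" object.
$current = (Invoke-PnPGraphMethod -Url "$graph/groupSettings" -Method Get).value |
    Where-Object { $_.displayName -eq 'Group.Unified' }

if ($current) {
    # Start from what is configured now so unrelated settings are preserved.
    $values = @($current.values | ForEach-Object { @{ name = $_.name; value = $_.value } })
} else {
    # Nothing configured yet: start from the template defaults.
    $template = (Invoke-PnPGraphMethod -Url "$graph/groupSettingTemplates" -Method Get).value |
        Where-Object { $_.displayName -eq 'Group.Unified' }
    $values = @($template.values | ForEach-Object { @{ name = $_.name; value = $_.defaultValue } })
}

# Overlay only the settings being changed.
foreach ($v in $values) {
    if ($desired.ContainsKey($v.name)) { $v.value = $desired[$v.name] }
}

# Graph expects the complete values collection in the request body, which is
# why the body is built from the existing values rather than from $desired alone.
if ($current) {
    $body = @{ values = $values } | ConvertTo-Json -Depth 5
    Invoke-PnPGraphMethod -Url "$graph/groupSettings/$($current.id)" -Method Patch -Content $body
} else {
    $body = @{ templateId = $template.id; values = $values } | ConvertTo-Json -Depth 5
    Invoke-PnPGraphMethod -Url "$graph/groupSettings" -Method Post -Content $body
}
```

Adding other setting names from the list below to `$desired` changes them in the same request.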
Explanation of Some of the Group Settings
NewUnifiedGroupWritebackDefault
- Description: Controls whether new unified groups (Microsoft 365 Groups) are written back to on-premises Active Directory by default.
- Configuration: Can be set to True or False.
- Reference: Microsoft Documentation on Group Writeback
EnableMIPLabels
- Description: Controls whether Microsoft Information Protection (MIP) labels are enabled for the groups.
- Configuration: Can be set to True or False.
- Reference: How to disable sensitivity labels for containers
CustomBlockedWordsList
- Description: Allows you to specify a custom list of blocked words that cannot be used in group names. This helps in maintaining a standard naming convention and avoiding inappropriate names.
- Reference: Microsoft 365 Groups and Microsoft Teams naming policy
EnableMSStandardBlockedWords
- Description: Controls whether the Microsoft standard list of blocked words is enabled.
- Configuration: Can be set to True or False.
- Note: Deprecated. Do not use.
ClassificationDescriptions
- Description: Allows you to provide descriptions for the classifications used in your organization. This helps users understand the purpose and usage of each classification.
- Note: This is related to classic classifications.
- Reference: Microsoft Entra classification and sensitivity labels for Microsoft 365 groups
DefaultClassification
- Description: The default classification that will be applied if the Group owner or an administrator has not applied a classification yet.
- Note: This is related to classic classifications.
- Reference: Microsoft Entra classification and sensitivity labels for Microsoft 365 groups
PrefixSuffixNamingRequirement
- Description: Allows you to define a naming convention for groups. Example: Test_[Department][GroupName][Office]
- Reference: Microsoft 365 Groups and Microsoft Teams naming policy
AllowGuestsToBeGroupOwner
- Description: Controls whether guests can be assigned as group owners.
- Configuration: Can be set to True or False.
AllowGuestsToAccessGroups
- Description: Controls whether external users will be allowed to have access to Groups content.
- Configuration: Can be set to True or False.
GuestUsageGuidelinesUrl
- Description: A link to Groups usage guidelines for guest users. This should be an externally-accessible URL.
GroupCreationAllowedGroupId
- Description: Can be configured with the GUID of a security group that will be allowed to create Microsoft 365 Groups when EnableGroupCreation is set to False.
- Reference: Manage who can create Microsoft 365 Groups
AllowToAddGuests
- Description: Controls whether guests can be added to groups. If set to ‘No’, it cannot be overridden to ‘Yes’ for individual Microsoft 365 groups. Additionally, if sensitivity labels are applied to Microsoft 365 Groups to manage this setting, it will take precedence and this setting will have no effect.
- Configuration: Can be set to True or False.
UsageGuidelinesUrl
- Description: A link to Groups usage guidelines for your organization. This could be the URL of an intranet page that informs users about how to effectively use Groups for collaboration.
ClassificationList
- Description: A comma-delimited list of classifications that can be applied to Groups, such as Internal Only, Confidential, Public, or any other classifications that are part of your information architecture. These classifications are a visual cue for your users to understand the nature of the information in the Group, but are not actually enforced by Office 365.
- Note: After you enable sensitivity labels for containers, the group classifications from Microsoft Entra ID are no longer supported by Microsoft 365 and won’t display on sites that support sensitivity labels.
- Reference: SharePoint “modern” sites classification
EnableGroupCreation
- Description: Controls whether users who do not have admin rights can create Microsoft 365 Groups.
- Configuration: Can be set to True or False.
- Reference: Manage who can create Microsoft 365 Groups
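A read-only check of the guest and group-creation settings described above against a baseline, as an added example that is not the author's script. The function name `Compare-GroupSettingBaseline`, the baseline values and the sample data are assumptions made for illustration.

```powershell
# Added example, not the article's script. Read-only: it changes nothing.

# Hypothetical baseline for illustration; pick values that match your policy.
$baseline = [ordered]@{
    AllowGuestsToBeGroupOwner = 'False'
    AllowToAddGuests          = 'False'
    EnableGroupCreation       = 'False'
}

function Compare-GroupSettingBaseline {
    param(
        [object[]] $Values,                          # name/value pairs from Group.Unified
        [System.Collections.IDictionary] $Baseline   # expected value per setting name
    )
    foreach ($name in $Baseline.Keys) {
        $entry  = $Values | Where-Object { $_.name -eq $name } | Select-Object -First 1
        $actual = if ($entry) { [string]$entry.value } else { '<not set>' }
        [pscustomobject]@{
            Setting  = $name
            Expected = $Baseline[$name]
            Actual   = $actual
            Drift    = ($actual -ne $Baseline[$name])   # -ne ignores case for strings
        }
    }
}

# Constructed sample shaped like the "values" collection Graph returns.
$sampleValues = @(
    [pscustomobject]@{ name = 'AllowGuestsToBeGroupOwner'; value = 'false' }
    [pscustomobject]@{ name = 'AllowToAddGuests';          value = 'true'  }
    [pscustomobject]@{ name = 'EnableGroupCreation';       value = 'true'  }
)

# Against a live tenant (after Connect-PnPOnline), replace $sampleValues with:
#   ((Invoke-PnPGraphMethod -Url 'https://graph.microsoft.com/v1.0/groupSettings' -Method Get).value |
#       Where-Object { $_.displayName -eq 'Group.Unified' }).values
Compare-GroupSettingBaseline -Values $sampleValues -Baseline $baseline |
    Where-Object Drift | Format-Table Setting, Expected, Actual
```

A setting reported as `<not set>` means the tenant has no Group.Unified settings object or the object lacks that name, so the service default applies.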
Disclaimer
Please note that I have not tested all the settings mentioned above except the naming policies. The information provided is based on available documentation and resources.