Office 365 Groups
From the ground up
SPTechCon San Francisco 2016
Drew Madelung
Email : [email protected] Twitter : @dmadelung Website: drewmadelung.com
Senior SharePoint and Office 365 consultant.
Agenda
What are Office 365 Groups?
How do I work with them?
How do they work technically?
How can I administer?
Demos, Demos & more Demos
What’s new & What’s Next?
Collaboration is evolving…
Collaboration has evolved
Employees work on 2x more teams now than they did five years ago [1]
[1] Source: 2009, 2014 US IW Survey
Office 365 Groups
Brings together people, information, and apps across Office 365, to enable better communication and collaboration.
Office 365 Designed for the unique workstyle of every group
SharePoint
Teams
Office 365 ProPlus
Yammer
Outlook
Skype
Intranets, Team Sites & Apps
Chat-based Workspace
Co-Authoring Content
Enterprise Social
Mail & Calendar
Voice, Video & Meetings
Complete Collaboration Solution: Office 365 addresses the breadth of collaboration needs across your company
Integrated Experiences: Office 365 Groups and Graph enable integrated experiences that facilitate effective collaboration
Security and Compliance: Office 365 delivers the security, compliance and manageability required in today’s workplace
Office 365 Groups
SELF-SERVICE
PUBLIC BY DEFAULT
SHARING TO NON-MEMBERS
CONTEXT & HISTORY
SINGLE DEFINITION
SIMPLE TO MANAGE
Office 365 Groups building blocks
[Diagram: Identity (Azure Active Directory), Office Graph, Office 365 Groups, Apps]
Apps: Skype, Conversations, SharePoint, Calendar, Notebook, Dynamics CRM, Plans, Power BI, Connectors, Yammer, Teams
All new Team Sites will get an Office 365 Group and all new Office 365 Groups will get a Team Site.
Groups & SharePoint “Groups, Graph, and Governance” – Jeff Teper
Existing Office 365 Groups will get a full SharePoint Team Site.
rolling out
rolled out
Projects
Popular Group Scenarios
Organization Interest
How do I access Office 365 Groups?
There are multiple endpoints to get started…
Groups in Outlook on the web
Fully immersive experience accessible via the left navigation. Inner group navigation available once in a group.
Groups through OneDrive (SharePoint!)
Can be accessed through OneDrive and redirects to a document library in a SharePoint site.
SharePoint, SharePoint, SharePoint
The SharePoint tile takes you to a list of Sites which includes your Group sites.
I found a SharePoint site
A full SharePoint team site is connected to the Group.
Groups in Outlook 2016
Participate in conversations, schedule meetings, share files & notes and even initiate a Skype for Business voice and video call for urgent real-time decisions.
Office 365 Planner
Create new plans, organize & assign tasks, share files, talk about what you’re working on, and get updates on progress.
Integrated with Office 365 Groups, so all of the conversations in Planner are available in Outlook 2016, Outlook on the web and the Outlook Groups mobile app.
Power BI
Create a workspace to collaborate with your team.
Leverage the Groups collaboration & communication capabilities to create and review insights.
Dynamics CRM
Create Office 365 Groups for opportunities, cases, accounts and all other entities.
Groups experiences are surfaced in-context within CRM
Outlook Groups app
Available on iOS, Android & Windows Phone. Continue conversations, view files, @mention colleagues and even discover other relevant groups.
Demo!
Office 365 Groups things to know
Eligible to use the NGSC for sync as of Sept release
Anyone can create a group and available in the Global Address List by default
A group can’t have more than 10 owners and a user can’t create more than 250 groups
Currently not supported in Outlook 2016 on the Mac
Groups with more than 1000 members are supported but will decrease performance
When a group owner leaves, all content is saved but new admin must be set at high level
Office 365 Groups can be used as security groups in SharePoint (but not O365 Video)
Group site collections exist under “/sites” managed path but cannot be seen via SP Admin Center
Joining vs Subscribing
On creation, the option is available to subscribe all new members automatically
• Joined = only appear in group mailbox
• Subscribed = receives in private inbox and group
Group email options
What’s behind the scenes
Office 365 plans that include Groups
Any O365 plan that includes Exchange and SharePoint
• Enterprise E1-E5
• Academic A2-A4
• Government G1-G4
• Business Essentials
• Business Premium
• Enterprise K1 (kiosk)
*Exchange-only license can only access Inbox & Calendar
One group system across Office 365
One identity: Azure Active Directory (AAD) is the master for group identity and membership across Office 365 (Exchange, SharePoint, etc.)
Federated resources: O365 services extend with their data (e.g., conversations stored in Exchange mailbox & documents stored in SharePoint for a group)
Loose coupling: Services notify each other of changes to a group (e.g., creation, deletion, updates). Using sync from AAD to Exchange Online AD and SharePoint Online AD, they achieve reliability if they miss notifications
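[Diagram: one group identity in AAD, federated to each workload]
AAD (group identity): Identity, Resource URLs, Owners, Members
Exchange: workload scenarios Conversations, Calendar; workload resource Group mailbox; local directory Exchange Online AD
SharePoint: workload scenarios Documents, OneNote; workload resource Site collection; local directory SharePoint Online AD
Additional workloads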
Management Options – User Interface
Office 365 Admin Center
Office 365 Admin App
Azure AD Admin Portal
Exchange Admin Console
Outlook Groups App
Clients – (Outlook, Planner, PowerBI)
Demo!
Management Options – Scripting
PowerShell
Manipulating groups
    Get-UnifiedGroup
    New-UnifiedGroup
    Remove-UnifiedGroup
    Set-UnifiedGroup
Manipulating group membership (Owners | Members | Subscribers)
    Add-UnifiedGroupLinks
    Get-UnifiedGroupLinks
    Remove-UnifiedGroupLinks
Establish a remote session to Exchange Online
    $creds = Get-Credential
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $creds -Authentication Basic -AllowRedirection
    Import-PSSession $Session
Useful Scripts for Groups to Get Started
Create group
    New-UnifiedGroup -DisplayName "Legal" -Alias "Legal" -EmailAddresses [email protected]
Rename group
    Set-UnifiedGroup -Identity "Legal" -Alias "Legal" -DisplayName "New Legal" -PrimarySmtpAddress [email protected]
View all subscribers, members or owners for a group
    Get-UnifiedGroupLinks -Identity "Legal" -LinkType Subscribers
Show detailed info for all groups
    # Members and Owners are calculated columns: one Get-UnifiedGroupLinks call per group
    Get-UnifiedGroup | select Id, Alias, AccessType, Language, Notes, PrimarySmtpAddress,
        HiddenFromAddressListsEnabled, WhenCreated, WhenChanged,
        @{Expression={([array](Get-UnifiedGroupLinks -Identity $_.Id -LinkType Members)).Count}; Label='Members'},
        @{Expression={([array](Get-UnifiedGroupLinks -Identity $_.Id -LinkType Owners)).Count}; Label='Owners'} |
        Format-Table Alias, Members, Owners
Managing Group Creation
The old way, but it can still be used for OWA and Outlook 2016
Use an OWA Mailbox Policy to disable group creation for ALL users or a SUBSET of users
• This disables group creation ONLY when creating through Outlook/Exchange
• Creating groups in other clients/admin areas (Power BI, Planner, etc.) would NOT be disabled
    Set-OwaMailboxPolicy -Identity test.com\OwaMailboxPolicy-Default -GroupCreationEnabled $false
Managing Group Creation through Azure AD
The new way uses Azure AD
• No longer a dependency on Exchange, so it applies throughout Office 365
• If OWA policy exists and AAD policy is enabled, OWA policy will be ignored
You can do 2 things:
• Disable the default ability of everyone to create a new Office 365 Group
• Point to an AAD group (Office 365 Group or Distribution Group) that contains a list of people who are allowed to create groups
    • This group cannot have a group in it, must be individual users
    • Users with higher tenant roles already have access (company admin, mailbox admin, etc.)
Prerequisites
• Azure AD Version 1.1.117.0 or later (currently preview)
Managing Group Creation through Azure AD
Steps to set up
1. Retrieve the Object ID for the group that contains the authorized users
    • Use Azure AD portal to get Object ID
    • Get-MsolGroup cmdlet to discover GUID via PowerShell
2. Use PowerShell to update the Azure AD policy
    • Pass the GUID of your authorized user group to GroupCreationAllowedGroupId
    Connect-MsolService
    # Build a new settings object from the Group.Unified template
    $template = Get-MsolAllSettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
    $setting = $template.CreateSettingsObject()
    # Turn off creation for everyone, then allow only members of the named group
    $setting["EnableGroupCreation"] = "false"
    $setting["GroupCreationAllowedGroupId"] = "7edd1d0b-557d-43e6-b583-4f3e0198c167"
    New-MsolSettings -SettingsObject $setting
3. Confirm using PowerShell and test creating a group
    Get-MsolAllSettings | ForEach Values
Group Guest Access
You can now grant external users access to Office 365 Groups
• Does not comply with tenant blacklist/whitelist
• Enabled by default
• Overall Group guest access is managed at the tenant level
• Guests cannot view IRM protected files
• Guests need to access via browser
• Guests cannot:
    • Be an owner
    • View the GAL
    • View Group members or contact cards
    • Access Planner
    • Be blocked by specific user

Feature | Guest user allowed?
Create a group | No
Add/remove group members | No
Delete a group | No
Join a group | Yes, by invitation
Start a conversation | Yes
Reply to a conversation | Yes
Search for a conversation | Yes
@mention a person in the group | No
Pin/Favorite a group | No
Delete a conversation | Yes
"Like" messages | No
Manage meetings | No
View group calendar | No
Modify calendar events | No
Add a group calendar to a personal calendar | No
View and edit group files | Yes, if enabled by tenant admin
Access the group OneNote notebook | Yes, via link from group member
Browse groups | No
Group Guest Access
Group owners can invite external people to be guest users
Group members can request an invitation for an external person
Group Guest Access Admin Controls
Guest addition to organization
• Allow invitations to guest users in the organization
• Office 365 Portal – Settings & Privacy > Sharing
Guest addition to groups
• Allow adding of guests to any group within the organization
• Office 365 Portal – Services & Add-Ins > Office 365 groups
• Allow adding of guests to a specific group in the organization (only available in PowerShell)
Guest access to group resources
• Allow guests to access any Office 365 group resources
• Office 365 Portal – Services & Add-Ins > Office 365 groups
Group Guest Access PowerShell
Steps to block for tenant
1. Ensure that sharing is allowed in the SharePoint Admin Center / O365 Admin Center
2. Use PowerShell to update the Azure AD policy (if settings object exists)
    # Look up the existing Group.Unified settings object (not the template)
    $settings = Get-MsolAllSettings | Where-Object {$_.DisplayName -eq "Group.Unified"}
    # Read the current values, change the guest settings, and write them back
    $Value = $settings.GetSettingsValue()
    $Value["AllowToAddGuests"] = "False"
    $Value["AllowGuestsToAccessGroups"] = "True"
    Set-MsolSettings -SettingId $settings.ObjectId -SettingsValue $Value
3. Set AllowGuestsToAccessGroups to False to instantly disable all external users from accessing groups
Group Guest Access PowerShell
Steps to block external access for a specific group
1. Ensure that sharing is allowed in the SharePoint Admin Center / O365 Admin Center
2. Use PowerShell to update the Azure AD policy for the group (if no group settings exist)
    $group = Get-MsolGroup -All | Where-Object {$_.DisplayName -eq "GROUP DISPLAY NAME"}
    # Existing settings for this group (empty when none exist yet)
    $groupsettings = Get-MsolAllSettings -TargetObjectId $group.ObjectId
    # Create a settings object for the group from the template
    $template = Get-MsolSettingTemplate -TemplateId 08d542b9-071f-4e16-94b0-74abb372e3d9
    $setting = $template.CreateSettingsObject()
    $settingsnew = New-MsolSettings -SettingsObject $setting -TargetObjectId $group.ObjectId
    # Read the newly created settings back, change the value, and write it
    $settings = Get-MsolAllSettings -TargetObjectId $group.ObjectId
    $value = $settings.GetSettingsValue()
    $value["AllowToAddGuests"] = "False"
    Set-MsolSettings -SettingId $settings.ObjectId -SettingsValue $value -TargetObjectId $group.ObjectId
3. Run a check to see if it worked
    (Get-MsolAllSettings -TargetObjectId $group.ObjectId).GetSettingsValue() | foreach values
Configuring multi-domain support
Example
• Main domain is contoso.com
• Default accepted domain is service.contoso.com (where groups get created by default)
• You have sub-domains called students.contoso.com and groups.contoso.com
Configured with Exchange Address Policy (EAP) via Exchange PowerShell
Option 1:
All Office 365 Groups built under groups.contoso.com domain
    New-EmailAddressPolicy -Name Groups -IncludeUnifiedGroupRecipients -EnabledEmailAddressTemplates "SMTP:@groups.contoso.com" -Priority 1
Configuring multi-domain support - Continued
Option 2:
Control what sub-domains Office 365 groups are created in by attribute
Set users which have their Department attribute set to Students to create groups by default in the students.contoso.com domain
    New-EmailAddressPolicy -Name StudentsGroups -IncludeUnifiedGroupRecipients -EnabledEmailAddressTemplates "SMTP:@students.contoso.com" -ManagedByFilter {Department -eq 'Students'} -Priority 1
All other users will create groups in the groups.contoso.com domain
    New-EmailAddressPolicy -Name OtherGroups -IncludeUnifiedGroupRecipients -EnabledEmailAddressTemplates "SMTP:@groups.contoso.com" -Priority 2
• Only admins can perform this
• Use the -RecipientFilter for available properties to filter on (company, city, office, etc.)
• If you remove a domain you need to update EAPs
• Max limit of 100 EAPs per organization
What about governance?
Security and Compliance
eDiscovery through Exchange and SharePoint
Data loss prevention
Preservation policies
Audit log and Content search
Management tidbits
Establish governance plan for groups
Establish AAD group creation policies
Monitor SharePoint Online Storage to ensure group sites not overtaking total storage
Establish a process to have groups admin support easily available for users
Run reports to try to track groups sprawl
Use UsageGuidelinesUrl and ClassificationList
Migrate multiple distribution lists to Office 365 groups – Link – (also via GUI)
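An added example, not from the original slides: one way to run the sprawl report suggested above, using only the Get-UnifiedGroup and Get-UnifiedGroupLinks cmdlets shown earlier and the 1000-member figure from "things to know". The output path and the flag names are assumptions.

```powershell
# Added example: governance report built from the limits stated in this deck.
# Assumes the Exchange Online remote session shown earlier is already imported.
$MaxMembers = 1000                              # deck: above 1000 members, performance decreases
$OutFile    = '.\GroupGovernanceReport.csv'     # assumption: output path

$report = foreach ($g in Get-UnifiedGroup -ResultSize Unlimited) {
    # @() forces an array so .Count is valid for zero or one result
    $owners  = @(Get-UnifiedGroupLinks -Identity $g.Identity -LinkType Owners)
    $members = @(Get-UnifiedGroupLinks -Identity $g.Identity -LinkType Members)

    # Flag names are hypothetical labels for this report only
    $flags = @()
    if ($owners.Count -eq 0)                   { $flags += 'NoOwner' }
    if ($owners.Count -eq 1)                   { $flags += 'SingleOwner' }
    if ($members.Count -gt $MaxMembers)        { $flags += 'Over1000Members' }
    if ($g.AccessType -eq 'Public')            { $flags += 'Public' }
    if (-not $g.HiddenFromAddressListsEnabled) { $flags += 'VisibleInGAL' }

    [pscustomobject]@{
        Alias       = $g.Alias
        AccessType  = $g.AccessType
        Owners      = $owners.Count
        Members     = $members.Count
        WhenCreated = $g.WhenCreated
        Flags       = $flags -join ';'
    }
}

# Fewest owners first, then newest, so orphaned and recently created groups sort to the top
$report |
    Sort-Object @{Expression = 'Owners'}, @{Expression = 'WhenCreated'; Descending = $true} |
    Export-Csv -Path $OutFile -NoTypeInformation

# On-screen summary of the groups that need an owner assigned or a size review
$report |
    Where-Object { $_.Flags -match 'NoOwner|Over1000Members' } |
    Format-Table Alias, Owners, Members, Flags -AutoSize
```

Each group costs two Get-UnifiedGroupLinks calls, so on a large tenant run it on a schedule and compare successive CSV files to see growth.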
A few technical options
Remove group's email from GAL (global address list)
    $groupAlias = "TestGAL"
    Set-UnifiedGroup -Identity $groupAlias -HiddenFromAddressListsEnabled $true
Accept/Reject certain users from sending emails to groups
-RejectMessagesFromSendersOrMembers or -AcceptMessagesOnlyFromSendersOrMembers
    $groupAlias = "TestSend"
    Set-UnifiedGroup -Identity $groupAlias -RejectMessagesFromSendersOrMembers [email protected]
Hide group members unless you are a member of the private group
    $groupAlias = "TestHide"
    Set-UnifiedGroup -Identity $groupAlias -HiddenGroupMembershipEnabled:$true
Demo!
What’s new in Office 365 Groups
As of 12/5/2016
• External access
• Groups SharePoint sites expanding
• Group classification
• Group usage guidelines URL
• Groups iPad app
• Privacy type conversion
• Dynamic membership (requires Azure AD premium)
• eDiscovery and Litigation available
• Ability to change privacy type of created Group
• Azure AD creation restriction
• Upgrade a DL to a Group via GUI
• Groups usage reporting
What’s upcoming?
As of 12/5/2016 http://fasttrack.microsoft.com/roadmap
Launched
Rolling out
In Development
• xxxx
Help Contribute & Stay Informed!
O365 Groups UserVoice: https://office365.uservoice.com/forums/286611-office-365-groups
Microsoft Tech Community: https://techcommunity.microsoft.com
Office 365 Roadmap: https://fasttrack.microsoft.com/roadmap
Office Blogs: https://blogs.office.com/
Office 365 Admin Center – Message Center: https://portal.office.com/AdminPortal
Office 365 for IT Pros: http://exchangeserverpro.com/ebooks/office-365-for-it-pros
Questions?
Email: [email protected] Twitter: @dmadelung
Website: drewmadelung.com
Scripts: http://bit.ly/DrewO365GroupScripts
Slides: http://bit.ly/DrewSlides