Author: Mohamed Derhalli

Restrict Yammer Groups Creation

Yammer is an awesome tool for company-wide communication, with open communities that people can join to interact with each other without having to work together on a daily basis. It’s a perfect network where people can reach out to each other, interact with upper management, and share thoughts across the whole organization.

The bad thing about Yammer, however, is that by default it allows everyone in the company to create Groups (newly named Communities), and there’s no way by default for a Yammer admin to restrict the creation of these communities to a subset of people. So how can we do it?

Knowing that the creation of Microsoft 365 groups can be restricted, why not make Yammer follow the same policies as Microsoft 365?

Let’s take one step back and look at the restriction on creating new Microsoft 365 groups. To restrict the creation of new groups in M365, you’d have to follow the steps mentioned in this article:

https://docs.microsoft.com/en-us/microsoft-365/admin/create-groups/manage-creation-of-groups?view=o365-worldwide

Basically, you’ll need to create a group in Azure AD, and use the Azure AD PowerShell module to restrict the creation of new groups to only this security group, as the article describes:

# Display name of the security group whose members may create M365 groups
$GroupName = "[AddSecurityGroupNameHere]"
# "False" turns off group creation for everyone outside that group
$AllowGroupCreation = "False"

Connect-AzureAD

# Find the tenant's Group.Unified directory setting, if one exists
$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id

if(!$settingsObjectID)
{
    # No setting object yet: create one from the Group.Unified template
    $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
    $settingsCopy = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $settingsCopy
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
}

$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
$settingsCopy["EnableGroupCreation"] = $AllowGroupCreation

if($GroupName)
{
    # Resolve the group's display name to its object ID
    $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -Filter "DisplayName eq '$GroupName'").objectId
}
else
{
    $settingsCopy["GroupCreationAllowedGroupId"] = $GroupName
}

# Write the updated setting back to the directory
Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

This is the same code mentioned in the article; just make sure to use the correct name of the group you created in M365 that contains the people who are allowed to create groups. (Make sure to add the required people as members; adding them as owners only won’t grant them permission to create M365 groups.)
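To confirm the restriction landed as intended, the setting can be read back and compared with the group's actual membership. The following is an added example, not code from the Microsoft article or the original post; the function name Get-GroupCreationAudit is hypothetical, and it assumes Connect-AzureAD has already been run in the session.

```powershell
# Added example: read back the Group.Unified setting and report who can
# actually create M365 groups. Get-GroupCreationAudit is a hypothetical name.
function Get-GroupCreationAudit {
    $setting = Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq "Group.Unified" }
    if (-not $setting) {
        Write-Warning "No Group.Unified setting exists; default (unrestricted) group creation applies."
        return
    }

    $enabled   = $setting["EnableGroupCreation"]
    $allowedId = $setting["GroupCreationAllowedGroupId"]

    if ("$enabled" -ne "False") {
        Write-Warning "EnableGroupCreation is '$enabled'; creation is not restricted."
    }
    if ([string]::IsNullOrWhiteSpace($allowedId)) {
        # Happens when the DisplayName filter in the script matched no group.
        Write-Warning "GroupCreationAllowedGroupId is empty; no security group is allowed."
        return
    }

    $members = @(Get-AzureADGroupMember -ObjectId $allowedId -All $true)
    $owners  = @(Get-AzureADGroupOwner  -ObjectId $allowedId -All $true)

    # Owners who are not also members do not get the right to create groups.
    $ownersOnly = @($owners | Where-Object { $members.ObjectId -notcontains $_.ObjectId })

    [pscustomobject]@{
        AllowedGroup        = (Get-AzureADGroup -ObjectId $allowedId).DisplayName
        EnableGroupCreation = $enabled
        Members             = $members.UserPrincipalName
        OwnersNotMembers    = $ownersOnly.UserPrincipalName
    }
}

Get-GroupCreationAudit | Format-List
```

Anyone listed under OwnersNotMembers will not be able to create groups until they are also added as a member.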

Now that we have a security group whose members are allowed to create M365 groups, we’ll need to let Yammer follow the same rules as M365. For that, we’ll have to put Yammer in Native Mode for M365. So what’s the native mode for M365 in Yammer?

The native mode is a way for Yammer to follow the same rules as M365: documents will be stored in SharePoint Online, the creation of a new Yammer community (group) will result in the creation of a new M365 group, and you can search for Yammer content in the M365 Security and Compliance Center.

So how do we put Yammer in native mode for M365? First we’ll need to enforce O365 identity in Yammer, which basically tells Yammer to let users log in with their O365 accounts (which makes sense, since you’d want them to log in to Yammer that way). You do this by going to the Yammer admin page and, on the left menu under “Content and Security”, clicking “Security Settings”. Make sure “Enforce Office 365 identity” is checked.

Now, after enforcing O365 identity, we’ll finally tell Yammer to follow the same rules as M365 by putting it in native mode for M365. To do so, go to “M365 Native Mode” from the left menu in the Yammer admin page. You’ll have to generate the Alignment Report. This report will show any warnings in case some users won’t be able to exist in the network if it’s migrated to the new mode, or if there are old groups that aren’t already connected to O365 groups.

Old groups will have O365 groups provisioned and connected to them. If you have any naming convention policies for M365 groups, they won’t be applied in this case for these existing Yammer groups.

After running the alignment report, you can download it (I opened it in VS Code), and the page will be updated to show you the results of the analysis.

At the very end of the page, you confirm that you want to proceed with the conversion. The reason for the confirmation is that this change won’t be rolled back: once you go Native Mode, that’s it.

Now users who aren’t allowed to add a community (group), won’t see this option in Yammer:

The new Yammer experience, without being able to add a new community

Managing Teams Private Channels With PowerShell

In the previous post we talked about the need to upgrade to TLS 1.2 to install PowerShell modules related to Office 365.

When using this method, specifically for Microsoft Teams, it will install a module where you won’t be able to execute commands related to private channels, such as the -MembershipType parameter when creating a new channel using the New-TeamChannel command.

To do this, we’ll need to install the Teams module from the PowerShell Test Gallery instead: https://www.poshtestgallery.com/

When you go to that website, you’ll notice that the best-known module there is the Microsoft Teams module, which, as of now, has had around 9,200 downloads in the last 6 weeks. To install this module, you need to remove the existing Teams module if you already have it installed:

Uninstall-Module -Name MicrosoftTeams 

Then we’ll need to register the test gallery with PowerShell so we can use it later when we do installations. Note that the name you give the gallery in PowerShell can be anything you like; I chose PSTG, short for PowerShell Test Gallery:

Register-PSRepository -Name PSTG -SourceLocation https://poshtestgallery.com -InstallationPolicy Trusted


Then we can install Teams module again:

Install-module -Name MicrosoftTeams -Repository PSTG -Force

Now you’re ready to go.

Common issues you might face:

1- If you get an error that the MicrosoftTeams module is already in use and you can’t remove it, just restart the PowerShell session.

2- If you get an error with something like:


The specified uri ‘https://www.poshtestgallery.com’ for parameter ‘SourceLocation’ is an invalid web uri. Please ensure that it meets the Web Uri Requirements.


Then it’s the same case as the previous post, where you need to set the PowerShell session to run on TLS 1.2, so commands will be like:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 

Register-PSRepository -Name PSTG -SourceLocation https://poshtestgallery.com -InstallationPolicy Trusted
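Because this module comes from a test gallery registered as Trusted, it is worth checking afterwards what was actually installed. The following is an added example, not part of the original post; the function name Test-TeamsModuleInstall is hypothetical, and it assumes the gallery was registered under the name PSTG as above.

```powershell
# Added example: verify the origin, capabilities and signatures of the
# installed MicrosoftTeams module. Test-TeamsModuleInstall is a hypothetical name.
function Test-TeamsModuleInstall {
    $mod = Get-InstalledModule -Name MicrosoftTeams -ErrorAction Stop

    # 1. Which registered repository did this copy come from?
    $repo = Get-PSRepository -Name $mod.Repository -ErrorAction SilentlyContinue

    # 2. Does this build expose the private-channel parameter?
    $cmd = Get-Command -Name New-TeamChannel -Module MicrosoftTeams -ErrorAction Stop
    $hasMembershipType = $cmd.Parameters.ContainsKey('MembershipType')

    # 3. Authenticode status of the module's script and binary files.
    $sigs = @(Get-ChildItem -Path $mod.InstalledLocation -Recurse -File -Include *.psd1, *.psm1, *.ps1, *.dll |
        Get-AuthenticodeSignature)
    $notValid = @($sigs | Where-Object { $_.Status -ne 'Valid' })
    $signers  = @($sigs | Where-Object { $_.SignerCertificate } |
        ForEach-Object { $_.SignerCertificate.Subject } | Sort-Object -Unique)

    [pscustomobject]@{
        Version            = $mod.Version
        Repository         = $mod.Repository
        SourceLocation     = $repo.SourceLocation
        InstallationPolicy = $repo.InstallationPolicy
        HasMembershipType  = $hasMembershipType
        FilesChecked       = $sigs.Count
        FilesNotValid      = $notValid.Path
        Signers            = $signers
    }
}

Test-TeamsModuleInstall | Format-List

# The gallery only needs to be trusted while installing; afterwards it can be
# set back so that later installs from it ask for confirmation.
Set-PSRepository -Name PSTG -InstallationPolicy Untrusted
```

HasMembershipType should be True for a build that supports private channels, and FilesNotValid should be empty.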

April-2020 TLS Upgrade Needed for PowerShellGet

When trying to install any PowerShell module to work with Microsoft 365 (such as AzureAD v1, AzureAD v2, Teams, Exchange Online, SharePoint), I got the following issue:

WARNING: Source Location ‘https://www.powershellgallery.com/api/v2/package/PackageManagement/1.4.7’ is not valid.
PackageManagement\Install-Package : Package ‘PackageManagement’ failed to download.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:1809 char:21
+ … $null = PackageManagement\Install-Package @PSBoundParameters
+ ~~~~
+ CategoryInfo : ResourceUnavailable: (C:\Users\mderha…anagement.nupkg:String) [Install-Package], Exception
+ FullyQualifiedErrorId : PackageFailedInstallOrDownload,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackage

The reason is that the PowerShell gallery has deprecated the support for TLS 1.0 and 1.1 in April 2020. So an upgrade needs to take place for the PowerShellGet module to support TLS 1.2 (or later version).

RESOLUTION

The following commands need to be executed to update PowerShellGet.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12  
Install-Module PowerShellGet -RequiredVersion 2.2.4 -SkipPublisherCheck 

Now you can install other modules for Teams, Azure, etc 

  • AzureAD v2:  Install-Module -Name AzureAD 
  • AzureAD v1:  Install-Module -Name MSOnline 
  • Teams:  Install-Module -Name MicrosoftTeams 
  • SharePoint:  Install-Module  Microsoft.Online.SharePoint.PowerShell 
  • Exchange Online: Install-Module -Name ExchangeOnlineManagement
  • Skype for business: https://www.microsoft.com/en-us/download/details.aspx?id=39366 

Here’s the list of modules related to Microsoft for reference:

To update a module:

Install-Module Microsoft.Online.SharePoint.PowerShell -force


AzureAD v1 still has richer commands, but AzureAD v2 will be the recommended one later. You can have both installed at the same time.
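The SecurityProtocol line in the resolution above only affects the current PowerShell session, so the same error returns in a new window. The following is an added example, not part of the original post, that reports whether a machine is ready for TLS 1.2 gallery access; the function name Get-Tls12Readiness is hypothetical, and the SchUseStrongCrypto registry values are the .NET Framework 4.x setting that makes TLS 1.2 the default for new sessions.

```powershell
# Added example: report session and machine TLS 1.2 state for PowerShellGet.
# Get-Tls12Readiness is a hypothetical name.
function Get-Tls12Readiness {
    $netKeys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'

    # SchUseStrongCrypto = 1 makes .NET 4.x apps (including PowerShell) default to TLS 1.2
    $strongCrypto = foreach ($key in $netKeys) {
        $value = (Get-ItemProperty -Path $key -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
        [pscustomobject]@{ Key = $key; SchUseStrongCrypto = $value }
    }

    $psGet = Get-Module -ListAvailable -Name PowerShellGet |
        Sort-Object Version -Descending | Select-Object -First 1

    [pscustomobject]@{
        SessionProtocols     = [Net.ServicePointManager]::SecurityProtocol
        # False when the value is SystemDefault, even if the OS would negotiate TLS 1.2
        SessionListsTls12    = [Net.ServicePointManager]::SecurityProtocol.HasFlag([Net.SecurityProtocolType]::Tls12)
        StrongCryptoKeys     = $strongCrypto
        PowerShellGetVersion = $psGet.Version
    }
}

# Session-only: add TLS 1.2 to whatever the session already allows.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

Get-Tls12Readiness | Format-List

# Machine-wide alternative (run elevated), so new sessions do not need the line above:
# Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name SchUseStrongCrypto -Value 1 -Type DWord
# Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319' -Name SchUseStrongCrypto -Value 1 -Type DWord
```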

Azure Owner or Co-Admin?

When working with Microsoft Azure, sometimes you’re the only person who’s managing resources and adding new ones in that environment, and sometimes that’s not the case.

So when you want to give another person administrative access to your Azure subscription, you will notice you have 2 options:

  • Role Assignment
  • Co-Admin

In role assignment, you have many roles to choose from, one of which is the Owner role. That might be confusing since you already have the Co-Admin rights, but here’s the thing: it all comes down to how you manage resources in Azure.

There’s an old way of managing resources (the classic deployment model), and there’s the new way of managing resources (Azure Resource Manager). So if you know that the admin you’re adding to Azure WILL NEED to use PowerShell to manage resources in the classic deployment model, then you’ll need to add the user as a Co-Admin, as that is required when working with Azure through PowerShell under the Classic Deployment model. The module used to manage Azure with Classic Deployments is the “Azure” module, which is installed using:

Install-Module Azure

The Resource Manager Model uses the Az PowerShell module, which is installed using:

Install-Module Az

Note that if the user wants to manage classic resources using the Azure Portal rather than PowerShell, then you can add the user as an Owner using Role Assignments, as Co-Admin is only needed when you want to use PowerShell.

Outlook 2013, Skype meetings button is gone after installing Teams

After installing MS Teams on a machine that has Outlook 2013, you might not be able to send Skype meeting invitations through Outlook. So when you try to schedule a meeting, you’d see something like this:

There’s no option to send a Skype meeting. It might be OK for users who use O365 only, but for companies who are still transitioning from SharePoint on prem to SharePoint online, that might be an issue.

To solve this, go to File and click Options, then click Add-Ins. You’ll notice that Skype Meeting Add-In for Microsoft Office 2013 is deactivated. At the bottom of this page, where it says Manage COM Add-Ins, click Go:

Check the Skype Meeting checkbox, and hit OK. Now you’re good to go!

As can be seen, both Skype for Business meetings and Teams meetings are added to Office as add-ins, which can be activated/deactivated when needed.

Creating training sessions & videos with MS Stream and OBS

Document: https://sharepoint-thoughts.com/wp-content/uploads/2019/05/Creating-training-video-with-OBS.odt

Creating communication sites using Fiddler

Document: https://sharepoint-thoughts.com/wp-content/uploads/2019/04/Creating-communication-sites-using-Fiddler.odt

Exception calling “SaveAsTemplate” with SharePoint 2019

I was trying to use PowerShell with a modern site (Communication site in my case) to save a list/library as a template and was getting this error:

Getting the UnauthorizedAccessException can be a little confusing, so what’s the catch?

To solve this, we’ll use PowerShell; the code looks like this:

Microsoft prevented custom scripts from running by default in SharePoint Online, and now, with the introduction of modern sites in SharePoint 2019, they’re prevented by default in modern sites there too. With this restriction in place, saving the site as a template and saving lists/libraries as templates won’t be possible, hence the UnauthorizedAccess error. While the restriction is active, the DenyPermissionsMask property of the site collection is “AddAndCustomizePages”; in order to allow custom scripts, it has to be “EmptyMask”.

You’ll need to run this command:

$site = Get-SPSite "<SiteCollectionUrl>"   # placeholder: URL of the modern site collection
$site.DenyPermissionsMask = [Microsoft.SharePoint.SPBasePermissions]::EmptyMask

Now you can save the list/lib as a template.

ODFB & “Office Home & Business 2016” Issue!

I’ve been working with a client on an issue they had. A user had upgraded his Office suite to Office Home & Business 2016, and after the upgrade, something with OneDrive for Business didn’t seem right. Documents stopped syncing, and things weren’t working as expected.

When checking OneDrive for Business, it was gone from the computer, so, following this KB article, you need to download OneDrive for Business again and do the installation. You do this by following the points in the article and having the .txt file in place for installation. Everything would seem to work fine, but you may find that it runs for too long with no result. What you might want to do is change the .txt file, replacing the attribute Level="None" with Level="Full". This way, if the command encounters any issue, it will show the exact error or warnings.

What happened for me is that it showed an incompatibility between what I was trying to install and the system type. The default value in the .txt file for the system type is "32", as shown in the “OfficeClientEdition” attribute, whereas the user was using a 64-bit system. So change this value to "64" and you should be good to go.

 

Hide Upload Button + CSS Tip!

At times, you want to hide something that’s rendered by default in SharePoint, for example some of the ribbon’s controls that render right away with the page. I’ve seen some people hide the whole “New” group in a document library in order to prevent users from using the upload or new folder options.

For the new folder, everyone knows it can be easily disabled from the library’s settings. For the Upload button in the ribbon, you can use pure CSS, but you will need to find the right selector and use it correctly. We all know how to use developer tools to pick out the right CSS classes and IDs; here the button’s ID is Ribbon.Documents.New.AddDocument-Large.

So you might be tempted to do something like this:

#Ribbon.Documents.New.AddDocument-Large{ display: none; }

And... that won’t work. You might be tempted as well to add !important to the end to force it to apply, but again, it won’t work. That’s because CSS treats the dot character as selector syntax that introduces a class, and doesn’t understand that it’s part of the ID. In this case, you need to escape the dots in CSS with the escape character, which is the backslash!

So your code should look like this:

#Ribbon\.Documents\.New\.AddDocument-Large{
display: none;
}

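Now you should end up with the Upload button hidden from the ribbon. This only hides the control on the page; it doesn’t change what the user is permitted to do in the library.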

Hope this will quickly help someone out there!