Tagged: PowerShell

Assign Teams policies by group

In this post I show how you can use (Azure) AD security groups or Microsoft 365 groups to assign Microsoft Teams Policies within the Teams Admin Center. This is handy to manage bulk or many different policy assignments via GUI. So, you don’t have to use and run your PowerShell scripts which might does the magic in larger environments with more versatile requirements regarding Microsoft Teams permissions.

Source: https://pixabay.com/de/illustrations/lernen-hinweis-schule-betreff-3245793/
Source: https://pixabay.com/de/illustrations/lernen-hinweis-schule-betreff-3245793/

Which policy is applied for a user?

Bascially, there are two types to assign a policy to a user: direct vs. indirect. Depending on how you assign a policy it is applied in a specific order as follows:

  1. directly assigned policy (no inheritance of a policy of from a group)
  2. no direct assigned policy (group policy with highest rank)
  3. no direct nor indirect assigned policy –> global (Org-wide default)

Quick start

In this section I list the steps you and things you need to do.

  1. Create Azure AD group/groups
  2. Add users to the group/groups
  3. Create custom policy/policies in Teams Admin Center, e.g. a custom meeting or messaging policy
  4. Assign the Azure AD group / groups to the custom policy/policies

Azure AD Group creation example

To assign policies to a group of users you need to create or have a group in Azure AD. Either a security or Microsoft 365 group. In this example, I prefer a security group because in this case I don’t want to have the Microsoft 365 group overhead for assigning permissions. Also, I create a static/assigned group and no dynamic group.

Screenshot – Azure AD \ Groups \ Create a group

Don’t forget to add users to the group.

Group policy assignment via Teams Admin Center

In different areas in the Teams Admin Center you can create and assign policies, e.g. for meetings. As you can see in the below depicted screenshot there is also a further sub-menu or -register where you can click on “Group policy assignment”. The following screenshots will walk you through the assignment process.

Screenshot – Teams Admin Center \ Meetings \ Meeting policies
Screenshot – Teams Admin Center \ Meetings \ Meeting policies \ Group policy assignment 1
Screenshot – Teams Admin Center \ Meetings \ Meeting policies \ Group policy assignment 2
Screenshot – Teams Admin Center \ Meetings \ Meeting policies \ Group policy assignment 3

That’s actually it.

But how to verify that the policies are assigned?
Well, Microsoft also provides a log showing the policy assignment status for the last 30 days.

Check policy assignment status for the last 30 days

  1. Teams admin center dashboard
  2. activity log
  3. view details
  4. view all policy assignment/s which you can also filter (not started, in progress, completed)

PowerShell code snippet for policy assignment (example)

#Example code snippet for Teams Batch Policy Assignment
#20200816 Erik Kleefeldt
#Required permissions: Teams service admin, a Teams communication admin, or Global Administrator
#Currently supported policy types (subject to change at any time): CallingLineIdentity, ExternalAccessPolicy, OnlineVoiceRoutingPolicy, TeamsAppSetupPolicy, TeamsAppPermissionPolicy, TeamsCallingPolicy, TeamsCallParkPolicy, TeamsChannelsPolicy, TeamsEducationAssignmentsAppPolicy, TeamsEmergencyCallingPolicy, TeamsMeetingBroadcastPolicy, TeamsEmergencyCallRoutingPolicy, TeamsMeetingPolicy, TeamsMessagingPolicy, TeamsUpdateManagementPolicy, TeamsUpgradePolicy, TeamsVerticalPackagePolicy, TeamsVideoInteropServicePolicy, TenantDialPlan
#Note: Policy assignments are updated if a user is added/removed
#Use at your own risk, this is just an example code snippet
#For further details/reference please see https://docs.microsoft.com/en-us/microsoftteams/assign-policies


#Install modules
Install-Module -Name AzureAD
Install-Module -Name MicrosoftTeams

#Connect services
Connect-MicrosoftTeams
Connect-AzureAD

#Get users
$AzureUsers = Get-AzureADUser

#Assign policy to a group    
    #Soft limit: 50 000 users per group
    Get-AzureADGroup -SearchString "SEC-EUDE*"
    New-CsGroupPolicyAssignment -GroupId <object id of AAD group> -PolicyType TeamsMeetingPolicy -PolicyName "Meeting-StandardUser" -Rank 1

    #Check assignment for group/s
        Get-CsGroupPolicyAssignment -GroupId <object id of AAD group>
        #Get all groups with assigned Teams Meeting policies type
        Get-CsGroupPolicyAssignment -PolicyType TeamsMeetingPolicy

    #Remove assignment to a group for a meeting policy
        Remove-CsGroupPolicyAssignment -PolicyType TeamsMeetingPolicy -GroupId <object id of AAD group>

#Batch job
    #Limit: < 5000 users per batch
    #Assign meeting policy batch
    New-CsBatchPolicyAssignmentOperation -PolicyType TeamsMeetingPolicy -PolicyName "Meeting-StandardUser" -Identity $users.SipProxyAddress -OperationName "20200816-AssignStandardMeetingUserPolicy"
    #Check batch operation status
    Get-CsBatchPolicyAssignmentOperation -OperationId <ID shown after New-CsBatchPolicyAssignmentOperation is executed> | fl
    #Check batch operation status for users
    Get-CsBatchPolicyAssignmentOperation -OperationId <ID shown after New-CsBatchPolicyAssignmentOperation is executed> | Select -ExpandProperty UserState

#Disconnect services
Disconnect-MicrosoftTeams
Disconnect-AzureAD

Conclusion, opinion and summary

Assigning policies to AAD/AD user objects is a very common activity. It eases the daily business and AAD/AD user life cycle and permission management. This is something which should, actually must, be automated in every IT organization. It’s a no-brainer to automate permission assignements based on groups during the creation or change process of an AAD/AD user object. Now, that this is already available for some time in Teams you might want to use it, too, to enhance the grade of your AAD/AD user management process a little more.

In case you already implemented a Teams policy assignment process before the above methods were available, you might review your as-is and transition to the new methodes available. I assume the new methods are more sophisticated than using just combinations of AD groups, PowerShell scripts for direct Teams policy assignment/s.

Additional resources