Skip to content

Create or modify a Azure AD Naming Policy for Office 365 Groups

Microsoft offers the capability to enforce a naming convention to Microsoft Office 365 Groups (a/k/a Unified Groups). What I like about that: You can enforce the naming convention and also blacklist some words. This might become handy to prevent someone creating a group called “HR”.

You can create and manage all the fancy features within your Azure Active Directory Admin Center!

Please note: You need to have a AzureAD Premium P1 (or Higher) License, or any license option that contains AzureAD Premium P1 or P2

But as always, I want an automated solution! And guess what: By surprise, this solution is based on PowerShell.

Here is my Scripted approach:

#requires -Version 3.0 -Modules AzureADPreview

<#
      .SYNOPSIS
      Create or modify a Azure AD Naming Policy for Office 365 Groups

      .DESCRIPTION
      Create or modify a Azure AD Naming Policy for Office 365 Groups, these groups (a/k/a Unified Groups) are the base for Microsoft Teams and other Microsoft 365 services.

      .PARAMETER BlockedWordsFile
      CSV with your blacklisted names, 5.000 word is the Office 365 maximum

      .PARAMETER ApplyDefaults
      Apply some basics and defaults

      .EXAMPLE
      PS C:\> .\Set-AzureADNamingPolicyForOffice365Groups.ps1

      Create or modify a Azure AD Naming Policy for Office 365 Groups

      .EXAMPLE
      PS C:\> .\Set-AzureADNamingPolicyForOffice365Groups.ps1 -Verbose

      Create or modify a Azure AD Naming Policy for Office 365 Groups

      .EXAMPLE
      PS C:\> .\Set-AzureADNamingPolicyForOffice365Groups.ps1 -ApplyDefaults

      Create or modify a Azure AD Naming Policy for Office 365 Groups and apply some basics and defaults

      .EXAMPLE
      PS C:\> .\Set-AzureADNamingPolicyForOffice365Groups.ps1 -ApplyDefaults -Verbose

      Create or modify a Azure AD Naming Policy for Office 365 Groups and apply some basics and defaults

      .NOTES
      Nothing fancy, just a modified version of the Microsoft script.

      Please review the setting and check if my values match your requirements.

      If you create the new Group "Development", the Name becomes:
      GRP_Development_Frankfurt

      This is based on my default naming convention: 'GRP_[GroupName]_[Office]' - Change it below to match your own naming convention!

      If you create the new Group "Payroll" it will fail! The Word "Payroll" is blacklisted!

      Please note: You need to have a AzureAD Premium P1 (or Higher) License, or any license option that contains AzureAD Premium P1 or P2

      .LINK
      https://docs.microsoft.com/en-us/microsoft-365/admin/create-groups/groups-naming-policy?view=o365-worldwide#how-to-set-up-the-naming-policy-in-azure-ad-powershell
#>
[CmdletBinding(ConfirmImpact = 'Low')]
param
(
   [Parameter(ValueFromPipeline,
   ValueFromPipelineByPropertyName)]
   [AllowNull()]
   [AllowEmptyString()]
   [Alias('File', 'Path')]
   [string]
   $BlockedWordsFile = '.\BlockedWords.csv',
   [Parameter(ValueFromPipeline,
   ValueFromPipelineByPropertyName)]
   [switch]
   $ApplyDefaults
)

begin
{
   # Remove the regular Module
   $paramRemoveModule = @{
      Name          = 'AzureAD'
      Force         = $true
      ErrorAction   = 'SilentlyContinue'
      WarningAction = 'SilentlyContinue'
   }
   $null = (Remove-Module @paramRemoveModule)

   # Do we have a CSV File?
   if (Test-Path -Path $BlockedWordsFile -ErrorAction SilentlyContinue)
   {
      # Fine, let us import the CSV File
      $paramImportCsv = @{
         Path        = $BlockedWordsFile
         Encoding    = 'UTF8'
         ErrorAction = 'Stop'
      }
      $BlockedWordsImport = (Import-Csv @paramImportCsv)

      # Transfer the values into the list
      [string]$BlockedWords = ($BlockedWordsImport.BlockedWords -join ', ')

      # Cleanup
      $BlockedWordsImport = $null
   }
   else
   {
      # No CSV, let us use some defaults
      [string]$BlockedWords = 'Payroll,CEO,HR,hochwald'
   }

   # Prefix and Suffix for the Unified Groups
   <#
         Valid suffix values are:
         [Company]
         [CountryOrRegion]
         [Department]
         [Office]
         [StateOrProvince]
         [Title]
   #>
   $PrefixSuffix = 'GRP_[GroupName]_[Office]'

   # Connect to your AzureAD tenant, if needed
   try
   {
      $null = (Get-AzureADDomain -ErrorAction Stop)
   }
   catch
   {
      $null = (Connect-AzureAD)
   }
}

process
{
   try
   {
      # Get the existing template
      $template = (Get-AzureADDirectorySettingTemplate -ErrorAction Stop | Where-Object -FilterScript {
            $_.displayname -eq 'group.unified'
      })

      # Modify the settings
      $settingsCopy = $template.CreateDirectorySetting()

      # Create a new setting
      $paramNewAzureADDirectorySetting = @{
         DirectorySetting = $settingsCopy
         ErrorAction      = 'Stop'
      }
      $null = (New-AzureADDirectorySetting @paramNewAzureADDirectorySetting)
   }
   catch
   {
      Write-Verbose -Message 'Looks like we have the Settings...'
   }
   finally
   {
      # Get the settings
      $settingsObjectID = (Get-AzureADDirectorySetting | Where-Object -Property Displayname -Value 'Group.Unified' -EQ | Select-Object -ExpandProperty id)
   }

   # Read the settings
   $settingsCopy = (Get-AzureADDirectorySetting -Id $settingsObjectID)

   # Modify the settings
   $settingsCopy['PrefixSuffixNamingRequirement'] = $PrefixSuffix
   $settingsCopy['CustomBlockedWordsList'] = $BlockedWords

   # Apply some basics and defaults
   if ($ApplyDefaults)
   {
      $settingsCopy['EnableMSStandardBlockedWords'] = $true
      $settingsCopy['AllowGuestsToBeGroupOwner'] = $false
      $settingsCopy['AllowGuestsToAccessGroups'] = $true
   }


   # Apply the settings
   $paramSetAzureADDirectorySetting = @{
      Id               = $settingsObjectID
      DirectorySetting = $settingsCopy
      ErrorAction      = 'Stop'
   }
   $null = (Set-AzureADDirectorySetting @paramSetAzureADDirectorySetting)
}

end
{
   # Get the Info
   $Info = (Get-AzureADDirectorySetting -Id $settingsObjectID | Select-Object -ExpandProperty Values)

   # Dump the Info
   $Info

   # Cleanup
   $Info = $null
}

If you like the code in a better format, there is a Gist for that!

The output is nothing Fancy:

Script Output
Script Output

Within Teams the process looks like this:

Published inPowerShell

Be First to Comment

    Leave a comment

    By posting a comment you consent that I store the submitted information as well as your anonymized IP address on my servers, under the terms of my Privacy Policy. Your email is never shared with anyone else.

    Required fields are marked *.