Azure AD Group Naming Policy (Preview)
Microsoft have recently announced the public preview of a new feature to impose a naming policy on groups in Azure AD.
This will be a much-welcomed feature: over the past few years group creation has been transitioned from the administrator to the user, leading to group duplication, ambiguous names and, on the whole, a bit of a mess!
So let's have a look at configuring a demo naming policy for our Azure AD groups…
Configure the Policy:
Firstly, as the feature is currently in preview, we need to install the latest version of the AzureADPreview module. To use the Linux-like “Install-Module” feature you will need PowerShell 5.0 or later.
Once connected to Azure AD (Connect-AzureAD) we can view any existing group settings by running Get-AzureADDirectorySetting.
However, I have no group settings defined in my directory yet, so I need to create them from a template.
To view the template for group settings (Group.Unified refers to Azure AD groups) run the following commands:
    $GroupNamepolicy = Get-AzureADDirectorySettingTemplate | ? -Property DisplayName -EQ "Group.Unified"
    $GroupNamepolicy.Values
You will now see the new value “PrefixSuffixNamingRequirement” listed.
Run the following commands to create the new directory settings using the template:
    $MyGroupSettings = $GroupNamepolicy.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $MyGroupSettings
So now we have a new directory setting in place, let's populate it with our policy…
My demo lab group name requirements are as follows:
- No temp/tmp groups
- All Groups are prefixed with Grp_
- All groups are suffixed with _Az
- Department of group creator required
- No HR or Directors included in group names
Use the commands below to set the prefix/suffix naming requirement and a blocked words list (the list is a single comma-separated string, matched case-insensitively):
    $MyGroupSettings["PrefixSuffixNamingRequirement"] = "Grp_[GroupName]_[Department]_Az"
    $MyGroupSettings["CustomBlockedWordsList"] = "tmp,temp,temporary,hr,directors"
    Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $MyGroupSettings
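The same procedure as a single re-runnable script, added here as an example rather than taken from the original post: it reuses an existing Group.Unified setting if one is already present (so running it twice does not create a duplicate), records the values before the change, and reads the setting back afterwards to confirm the tenant reports what was intended. It assumes the AzureADPreview module is installed and Connect-AzureAD has already been run; the policy values are the demo values from this post.

```powershell
# Added example, not part of the original post. Assumes Connect-AzureAD has been run.
$TemplateName = 'Group.Unified'
$Prefix       = 'Grp_[GroupName]_[Department]_Az'    # demo value from the post
$Blocked      = 'tmp,temp,temporary,hr,directors'     # demo value from the post

# Reuse an existing Group.Unified directory setting; only create one from the
# template when none exists yet (New-AzureADDirectorySetting fails on a duplicate).
$setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq $TemplateName }
if (-not $setting) {
    $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq $TemplateName }
    $setting  = New-AzureADDirectorySetting -DirectorySetting $template.CreateDirectorySetting()
}

# Record the current naming-related values so the change can be reviewed or reverted later.
Write-Output 'Before:'
$setting.Values |
    Where-Object { $_.Name -in 'PrefixSuffixNamingRequirement', 'CustomBlockedWordsList' } |
    Format-Table Name, Value -AutoSize

# Apply the naming policy and blocked words list.
$setting['PrefixSuffixNamingRequirement'] = $Prefix
$setting['CustomBlockedWordsList']        = $Blocked
Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting

# Read the setting back from the directory rather than trusting the local object.
Write-Output 'After:'
(Get-AzureADDirectorySetting -Id $setting.Id).Values |
    Where-Object { $_.Name -in 'PrefixSuffixNamingRequirement', 'CustomBlockedWordsList' } |
    Format-Table Name, Value -AutoSize
```

The "Before" output is worth keeping with the change record, since the policy is tenant-wide and the blocked words list overwrites rather than appends.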
As this applies to Office 365 groups used by all applications, the interface will look slightly different for each one.
Here is the interface for Planner when creating a new group and trying to include “tmp” in the name.
The department “Marketing” has been populated from the directory.
Removing “tmp” and using a more descriptive name, e.g. “ProjectPlanning”, allows us to create the group successfully.
This is a great new feature allowing organisations to regain a little control over group nomenclature, but it will require tweaking throughout the lifecycle to get things right for each environment. Some points to note:
- The permission to create new groups can be locked down to specific groups
- Unfortunately this policy is currently org-wide (it would be nice to be able to apply different policies to different groups)
- Lists of blocked words can be imported
- More attributes are available for use in the “PrefixSuffixNamingRequirement” string
- This policy will not retrospectively change any existing group names