Modern Management - Part Twelve - Synchronising AD Groups with Office 365 Groups

Traditionally, file shares and their permissions are configured based on AD groups. Now that we have our data in Teams, there is one remaining hurdle: managing the members of any Teams we create and keeping them up to date.

Microsoft provide the option of switching the Office 365 Group from Assigned to Dynamic and then using user attributes to identify users (see "Overview of dynamic membership for teams"). But in reality this seems like a pain and, let's face it, how many clients have you seen with AD and attributes 100% correct?

So let's take a look at how I'm going to get around this. Well, we already have our on-premises AD Security Group that is synchronised with Office 365, so why don't we just use that? You can't: you can only add users into Office 365 Groups.

So I'm going to use PowerShell to read an AD-synchronised Security Group, find its members and then add them to an Office 365 group. And while we're there, let's remove anyone who has been taken out of the group.

This is based on a post by, but their script didn't actually work due to a few syntax errors; I've fixed that in the amended script below.

Let's take our Source Group = SEC_SourceGroup

And our Office 365 Group = O365_Group01

# Connect to Office 365
$UserCredential = Get-Credential
Connect-MsolService -Credential $UserCredential
# Get-AzureADGroup and Get-AzureADGroupMember below need an Azure AD session
Connect-AzureAD -Credential $UserCredential

# Connect to EOL (Basic authentication: will not work for accounts that require MFA)
# The -ConnectionUri value is missing from the original post; replace the placeholder with your Exchange Online remote PowerShell endpoint
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "<Exchange Online PowerShell URI>" -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

# Set your Groups
$O365Group = (Get-UnifiedGroup -Identity "O365_Group01")
$SecurityGroup = (Get-AzureADGroup -SearchString "SEC_SourceGroup")

# Find the members of the Security group (-All $true returns every member, not just the first page)
$SecurityGroupMembers = (Get-AzureADGroupMember -ObjectId $SecurityGroup.ObjectId -All $true | Select-Object UserPrincipalName, UserType)

# Add the members to the Office 365 Group
ForEach ($i in $SecurityGroupMembers) {
    If ($i.UserType -eq "Member") {
        Add-UnifiedGroupLinks -Identity $O365Group.Alias -LinkType Members -Links $i.UserPrincipalName
    }
}

# Remove anyone who is not in the Security Group
$GroupMembers = (Get-UnifiedGroupLinks -Identity $O365Group.Alias -LinkType Members)
ForEach ($i in $GroupMembers) {
    $Member = (Get-Mailbox -Identity $i.Name)
    # Compare whole UPNs; -Match would treat the UPN as a regex and accept partial matches
    If ($SecurityGroupMembers.UserPrincipalName -contains $Member.UserPrincipalName) {
        Write-Host $Member.DisplayName "is in security group"
    }
    Else {
        Write-Host "Removing" $Member.DisplayName "from Office 365 group because they are not in the security group" -ForegroundColor Red
        Remove-UnifiedGroupLinks -Identity $O365Group.Alias -Links $Member.Alias -LinkType Members -Confirm:$False
    }
}

# Provide a Summary
Write-Host "Current Membership of" $O365Group.DisplayName
Get-UnifiedGroupLinks -Identity $O365Group.Alias -LinkType Members

To take it a step further, you could always automate this using the scripts I blogged about in PS - Disable OWA for O365 users via Scheduled Task
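
When the sync runs unattended, it is worth computing the changes first and refusing obviously wrong ones, such as an empty source lookup that would strip every member from the Office 365 group. The following is an added example, not part of the original script: Get-GroupSyncPlan, its parameters and the contoso.example addresses are hypothetical, and it compares whole UPNs so that ann@ is not kept as a member just because joann@ is in the security group.

```powershell
# Added example: plan the membership changes before applying them.
# Get-GroupSyncPlan and MaxRemovePercent are hypothetical names, not part of any module.
function Get-GroupSyncPlan {
    [CmdletBinding()]
    param(
        [string[]]$SourceUpns = @(),   # UPNs of the security group members
        [string[]]$TargetUpns = @(),   # UPNs of the current Office 365 group members
        [ValidateRange(0, 100)][int]$MaxRemovePercent = 25
    )

    # Refuse to act on an empty source: a failed or partial lookup would
    # otherwise remove every member from the Office 365 group.
    if ($SourceUpns.Count -eq 0) {
        throw "Source group returned no members; refusing to plan removals."
    }

    # -notcontains compares whole strings, case-insensitively (no regex, no substrings).
    $toAdd    = @($SourceUpns | Sort-Object -Unique | Where-Object { $TargetUpns -notcontains $_ })
    $toRemove = @($TargetUpns | Sort-Object -Unique | Where-Object { $SourceUpns -notcontains $_ })

    # Guard against mass removal, e.g. when the wrong source group was resolved.
    if ($TargetUpns.Count -gt 0) {
        $percent = [math]::Round(100 * $toRemove.Count / $TargetUpns.Count)
        if ($percent -gt $MaxRemovePercent) {
            throw "Plan removes $percent% of members (limit $MaxRemovePercent%); review manually."
        }
    }

    [pscustomobject]@{ Add = $toAdd; Remove = $toRemove }
}

# Constructed sample data (not real accounts).
# ann@ has left the security group; joann@ is still in it; dave@ is new.
$source = 'joann@contoso.example', 'bob@contoso.example', 'carol@contoso.example', 'dave@contoso.example'
$target = 'ann@contoso.example', 'JoAnn@contoso.example', 'bob@contoso.example', 'carol@contoso.example'

$plan = Get-GroupSyncPlan -SourceUpns $source -TargetUpns $target
"Add:    $($plan.Add -join ', ')"
"Remove: $($plan.Remove -join ', ')"
```

The Add and Remove lists can then be passed to the Add-UnifiedGroupLinks and Remove-UnifiedGroupLinks calls used in the script above.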