Wednesday, November 29, 2017

Disable Self-Service Microsoft Teams Creation in Office 365

As part of Microsoft Teams governance, you will probably want to prevent regular users from creating new Teams.

This can be achieved only with a PowerShell script because, right now, the standard Office 365 UI does not give us this option.

Important: to run the script you need the preview version of the AzureAD module for PowerShell, which is called "AzureADPreview".

If you have already installed the production AzureAD module, you need to uninstall it and then install the preview version of the same module.

Uninstall-Module AzureAD
Install-Module AzureADPreview

Once this module is correctly installed, all you need to do is run this script.
Change the $groupName variable to fit your environment.
This Azure AD security group will be the only one whose members can create Teams afterwards.
Keep in mind that Global Admin members can also create Microsoft Teams.

#Connect to AAD
$AzureAdCred = Get-Credential
Connect-AzureAD -Credential $AzureAdCred

#Get reference to your AAD Group (-SearchString can match more than one group, so filter on the exact name)
$groupName = "UsersCanCreateTeams"
$group = @(Get-AzureADGroup -SearchString $groupName | where {$_.DisplayName -eq $groupName})
if ($group.Count -ne 1) { throw "Expected exactly one group named '$groupName', found $($group.Count)" }

#Create the Group.Unified directory setting only if the tenant does not have one yet
$Setting = Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ
if (-not $Setting) {
    $Template = Get-AzureADDirectorySettingTemplate | where {$_.DisplayName -eq 'Group.Unified'}
    New-AzureADDirectorySetting -DirectorySetting $Template.CreateDirectorySetting()
    $Setting = Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ
}

#Disable Group Creation (on which a Team relies)
$Setting["EnableGroupCreation"] = $False

#Allow only your AAD Group to create groups
$Setting["GroupCreationAllowedGroupId"] = $group[0].ObjectId
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting

That's all.
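
To confirm that the restriction is really in place, the setting can be read back and the allowed group reviewed. The following is an added example, not part of the original script: it assumes an active Connect-AzureAD session with the AzureADPreview module, and the function name Test-GroupCreationLockdown and its parameter are hypothetical.

```powershell
# Added example: read back the Group.Unified setting and report on the lockdown.
# Assumes Connect-AzureAD has already been run with the AzureADPreview module.
function Test-GroupCreationLockdown {
    param(
        # Hypothetical parameter: display name of the group that should be allowed
        [Parameter(Mandatory)] [string] $ExpectedGroupName
    )

    $setting = Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
    if (-not $setting) {
        return 'FAIL: no Group.Unified directory setting exists in this tenant.'
    }

    $findings = @()

    # Setting values come back as strings, so compare as text (case-insensitive).
    if ("$($setting['EnableGroupCreation'])" -ne 'false') {
        $findings += 'FAIL: EnableGroupCreation is not False.'
    }

    $allowedId = $setting['GroupCreationAllowedGroupId']
    if ([string]::IsNullOrEmpty($allowedId)) {
        $findings += 'WARN: GroupCreationAllowedGroupId is empty; no group is allowed.'
    }
    else {
        try {
            $group = Get-AzureADGroup -ObjectId $allowedId
            if ($group.DisplayName -ne $ExpectedGroupName) {
                $findings += "FAIL: allowed group is '$($group.DisplayName)', expected '$ExpectedGroupName'."
            }
            # List the members so the set of people who can create Teams can be reviewed.
            $members = @(Get-AzureADGroupMember -ObjectId $allowedId -All $true)
            $findings += "INFO: '$($group.DisplayName)' has $($members.Count) member(s)."
            $findings += $members | ForEach-Object { "  member: $($_.DisplayName)" }
        }
        catch {
            $findings += "FAIL: GroupCreationAllowedGroupId '$allowedId' does not resolve to a group."
        }
    }

    if (-not ($findings -like 'FAIL*')) { $findings += 'PASS: group creation is restricted.' }
    $findings
}

Test-GroupCreationLockdown -ExpectedGroupName 'UsersCanCreateTeams'
```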

Wednesday, August 3, 2016

Create Test SSL Certificate for IIS With PowerShell and Windows 2012 R2

To create a test SSL certificate that you can bind to a web site in IIS, you no longer need certutil or makecert.

Windows 2012 R2 PowerShell has a cmdlet you can use for this purpose.

This simple command, for example, creates an SSL certificate with a 2048-bit key that is valid for 5 years.

New-SelfSignedCertificate -KeyLength 2048 -NotAfter (Get-Date).AddYears(5) -CertStoreLocation "cert:\localmachine\my" -DnsName yourfqdnwebappname

This certificate will be stored in "localmachine\my" and can be used in an IIS binding.

You can find more info and parameters here:

https://technet.microsoft.com/en-US/library/hh848633.aspx

Note that the same command on Windows 2012 (not the R2 version) does not have the same parameters. For example, you cannot use the -NotAfter parameter. This means that your certificate will be valid for only one year (the default).