Anonymous guest sharing in Teams part two.

Posted on December 31, 2017 by Magnus Sandtorv

In this article I will show you how to allow anonymous sharing of folders and documents from Teams created by School Data Sync. This article will only cover the actual SharePoint permissions, for more information about sharing please read my initial post Anonymous guest sharing in Teams.

From the Docs we can learn that School Data Sync (SDS) is a free service in Office 365 for Education that reads the school and roster data from a school’s Student Information System (SIS). It creates Office 365 Groups for Exchange Online and SharePoint Online, class teams for Microsoft Teams and OneNote Class notebooks among other things.

Large schools and districts can save a lot of time using School Data Sync to automate the creation of teams, user accounts, teams membership, licensing etc. Just imagine creating class teams and adding memberships in a district with thousands of students and teachers, then imagine repeating that during every summer break… SDS can be a complex tool, luckily Microsoft also offer free one-to-one deployment support.

As I explained in the first part of this two part part series, default SharingCapability of the underlying SharePoint site is ExternalUserSharingOnly, not ExternalUserAndGuestSharing which is what is needed for anonymous sharing (sharing with users without an Azure AD account).

As previously shown we can easily change the SharingCapability of a single site, but to change in bulk all those created with School Data Sync, based on data from your Student Information System, we need to create a simple PowerShell script.

First up we need to save our admin credentials to a variable and connect to SharePoint Online PowerShell:


$Cred = Get-Credential

Connect-SPOService -Url https://tenantname-admin.sharepoint.com -Credential $Cred

Now we need to find all the SharePoint sites belonging to teams created by School Data Sync, first lets capture all sites in a variable:


$sites = Get-SPOSite -Limit All

School Data Sync will create teams based on what Microsoft refer to as Sections. A section could be a class, course or some other type of logical group in your SIS, and it will allways have a unique identifier that will be part of the URL of the underlying Sharepoint site. It would typically look like this:

https://tenantname.sharepoint.com/sites/Section_131408225065301513

At this point we have a variable containing all SharePoint sites, lets separate out those belonging to a team created by School Data Sync by filtering on the URL with a pipe to Where-Object:


$SDSSites = $sites | ? {$_.Url -like "https://tenantname.sharepoint.com/sites/Section_*" }

You can easily establish the total amount of SharePoint sites created by School Data Sync using the Count method.


$SDSSites.Count

Now that we have a variable containing the relevant SharePoint site objects, let’s summarize this whole excercise into a script to allow anonymous sharing in bulk:

# store admin credentials in a variable
$Cred = Get-Credential

# Connect to SharePoint Online PowerShell
Connect-SPOService -Url https://tenantname-admin.sharepoint.com -Credential $Cred

# store all SharePoint sites in a variable
$sites = Get-SPOSite -Limit All

# extract SharePoint sites created by SDS
$SDSSites = $sites | ? {$_.Url -like "https://tenantname.sharepoint.com/sites/Section_*" }

# set SharingCapability to ExternalUserAndGuestSharing

foreach($site in $SDSSites){

Set-SPOSite -Identity $site.Url -SharingCapability ExternalUserAndGuestSharing

}

Set-SPOSite is quite slow, depending on how many teams were created by SDS, this script can take hours to finish. Consider adding a progress counter using Write-Progress if $SDSSites.Count returns more than 100 sites.

When the script is finished you should be able to share anonymously from all teams created by SDS. Remember to repeat the process whenever new teams are added via your SIS (typically during winter and/or summer break).

Teams reports and the reports reader role

Posted on December 17, 2017 by Magnus Sandtorv

Recently the long awaited reports for Microsoft Teams surfaced in the admin center. As of the time this post is written there are two reports available; user activity and device usage.

As an administrator you will find the reports in the left hand menu.

On the usage page a Teams activity card is now available to give you a quick glance.

In the upleft corner of this page you can choose to Select a report, and you will find the new additions in the bottom.

Choosing either of these will lead you to a page with nice graphs showing the amount of messages, chats, calls etc. for the last 7, 30, 90 or 180 days, or if users are connecting with clients for Windows, Mac, iOS, android etc.

If you need to drill down further there is a detail pane below, and an Export button if you would like a CSV for further sorting and processing.

Reports reader role

These reports are great, but only available to administrators by default. Recognizing the need for non-admins to access reports Microsoft recently announced the reports reader role.

A global administrator can assign any user the Reports reader role, and they will get a new admin tile in the Office 365 home and apps page.

While a report reader at this time also can view users, groups, resources etc. in the admin portal, they are not able to perform any changes.

So what are you waiting for? Enable your stakeholders the possibility to gain actionable insight, in order drive usage and increase communication and collaboration.

You can read more about the reports and what’s coming in the Microsoft Tech Community.

Manage Teams on the go (like a boss…)

Posted on December 16, 2017 by Magnus Sandtorv

As an Office 365 admin you might get a request while out of the office or otherwise not in front of a computer. Continuing on the example from the education sector, a teacher might be home sick and the substitute teacher needs access to the class team.

There are several ways to add an owner to a team as an Office 365 admin, like the Office 365 Admin center, the Azure AD Portal or as usual PowerShell.

While on the go some of these options are just as viable with an appropriate device, you also have the option of using the native Office 365 Admin app or the Azure Cloud Shell.

The easy way out would be to download the Office 365 Admin app.

Log on, choose Groups in the left side menu and search for the relevant group. Click the group in the list and choose Edit owners in the right column menu.

On iOS the box on the right will surface and when you click Add owners you will be able to search for a user to add.

The rest of the process is quite self explanatory so let’s move on to the fun part of this post…

Azure Cloud Shell

As before mentioned you can accomplish the same using PowerShell in Azure Cloud Shell.

First up you need to download the Microsoft Azure app. Login with an appropriate admin account and launch the Cloud Shell.

The first time you use the Cloud Shell you need to let it provision a storage account. Choose a suitable Azure subscription and wait a few seconds until it is ready. You will see under resources that there has been provisioned both a resource group in your region and a storage account.

Unfortunately it seems you cannot use the Azure subscription provisioned with Office 365 for access to Azure AD, you will instead need to setup a regular subscription.

The Cloud Shell will launch Bash by default, make sure you change it to PowerShell in the upleft corner.

The Shell should connect to your tenant automatically and you will end up with a prompt like this:

While you could use the Azure AD PowerShell cmdlets, I prefer doing this the Microsoft Teams way.

When you add a user as a member or owner to a team using Microsoft Teams, it’s available to the user instantly. When you add a user to the associated group in the Office 365 Admin portal, Azure AD Portal or with the Azure AD cmdlets, it can take hours until the changes are synced. While this unfortunately is the case also using the new Microsoft Teams PowerShell module version 0.9.1 [… The Teams application may need to be open for up to an hour before changes are reflected…], I believe this will change in a future version, so we might as well get used to doing this the Microsoft Teams way.

The Microsoft Teams PowerShell module is not installed by default in the Cloud Shell.

To install it we can simply run:

Install-Module MicrosoftTeams -force
Import-Module MicrosoftTeams

Check that the cmdlets are loaded with:

Get-Command -Module MicrosoftTeams

After we log on to the Microsoft Teams service we should be all set to add our teacher to the class team. For that we need credentials which we will save to a variable.

$creds = Get-Credentials
Connect-MicrosoftTeams -Credential $creds

To add a user to a team we need the users UserPrincipalName, which most commonly is their email address. We also need the GroupId of the team, which is where these beta cmdlets show their weakness. As of version 0.9.1 the Get-Team cmdlet is user centric.

“Gets all the teams the user is part of. The user must be you – you can only get information on yourself.” MS Docs

To be honest this doesn’t make much sense to me, and you should expect it to change in a later update.

Lacking a way to get the appropriate GroupId we must turn to the AzureAD cmdlets after all. Let’s first connect to the service and then store the class team’s group object in a variable.

Connect-AzureAD -Credential $creds
$group = Get-AzureADGroup -SearchString "Math 101"

We are now ready to add the substitute teacher to the class team, and promote her to Owner (teacher):

Add-TeamUser -GroupId $group.ObjectId -User miss.teacher@domain.com
Add-TeamUser -GroupId $group.ObjectId -User miss.teacher@domain.com -Role Owner

OK, I admit it’s neither the fastest nor the easiest way to add members to a team, but it opens up for scripting and automation which can reduce errors and ensure compliance. And it’s PowerShell, in the cloud, on a mobile device. Pretty cool right?

Anonymous guest sharing in Teams

Posted on October 3, 2017 by Magnus Sandtorv

To kick-start this blog I would like to show you how to share folders or documents, like the weekly schedule, homework etc., with anonymous guests like parents.

For the sake of clarity, these are not guests invited to the actual team, but rather anyone receiving or accessing the link, by email, a text message or from a webpage.

Unfortunately for our use case, when a team is created, the underlying SharePoint site has a default SharingCapability of ExternalUserSharingOnly. We can find the SharingCapability by logging onto Sharepoint Online with PowerShell, as an admin user with the appropriate permissions:

Connect-SPOService
Get-SPOSite -Identity siteurl | select SharingCapability

SharingCapability : ExternalUserSharingOnly

We can see in the docs that ExternalUserSharingOnly allows external user sharing (share by email), but not guest link sharing.

What we need is ExternalUserAndGuestSharing, where both external user sharing, and guest link sharing are enabled; Let’s see how we can acomplish that using powershell.

First, we need to establish the site url. There are several ways to get the URL, but as an end user we can find it by navigating to the team’s general channel and the files tab, then choose open in SharePoint. A browser window will open with a long URL, where you will need to extract everything including what comes immediately after /sites/. The rest of the URL can safely be ignored.

The URL should look like this: https://tenantname.sharepoint.com/sites/teamname
(teamname at the end of the URL is not the displayname, but what is called mailnickname in Azure AD)

Let’s store the URL in a variable for later use:

$siteurl = https://tenantname.sharepoint.com/sites/teamname

The same information is accessible with Exchange Online powershell, you can easily while logged on get a list of Groups and their SharePointSiteUrl with the following command:

Get-UnifiedGroup | select DisplayName, Alias, SharePointSiteURL

Then all we need to do is change the SharingCapability property:

Set-SPOSite -Identity $siteurl -SharingCapability ExternalUserAndGuestSharing

To be sure let’s check the SharingCapability one last time:

Get-SPOSite -identity $siteurl | select SharingCapability

SharingCapability : ExternalUserAndGuestSharing

Now you can choose a folder or document whithin the team’s SharePoint site and share with Anyone. In this setting you would most likely also want to disallow editing. Once you hit Apply you can copy the link and distribute it as you choose. Happy sharing!

Stay tuned for more on this, in a later article I will show you how to do this in bulk for teams generated by School Data Sync, and maybe all SharePoint sites belonging to Class, PLC or Staff teams.