May 28, 2022

Microsoft Teams Policies and Simplification in Hybrid

Tuesday, 25 May 2021 / Published in Blog, Microsoft

Microsoft Teams and Filtering Users

A year ago, Teams was a pretty brand new thing and many orgs had only just started trialling it, or had hastily rushed it out due to the pandemic. The way to control what you could do inside Teams was mostly derived from a script that had to be run on premise and set various commands against your user objects.
These commands also meant that you were applying settings directly to the user’s Azure AD object, which in turn meant that when you got around to doing this properly, any groups you create (or more advanced dynamic Azure AD groups based on a user’s office, department or role) that you would then want to apply to a Teams policy would not work.

“Direct Teams Policy Rights overrule Group and Global rights”

So, what I’m saying is: regardless of what group a user is added to, the direct assignments made at the time the user was given access to Teams will override anything allocated by groups, unless the current policy is the global one. This gives us a problem, mostly because nowadays it’s really cool to grant a role to a user and have everything given to them based on that role.

How do we fix this, especially if we are running a hybrid environment where all the groups for our Teams users are created on premise? The first thing we need to do is go through all of the Global policy settings within Teams and ensure they are suitable for all of your users to adhere to.

Any user without a policy will always fall back to the global policy.

I think you know where I’m going with this. What we want to do is “nuke from orbit”, or null out, all of the direct assignments made during the initial deployment so that they can then be controlled either through groups created on premise from an attribute in a back-end HR system, or through dynamic groups created in Azure that key off an on-premise attribute synced up.

All the global settings within Teams are easily identifiable within the Teams Admin centre, assuming that you have the rights to access it. Ideally we want to ensure that all the groups labelled as “Global” provide a baseline for the userbase, with the settings your org is happy to apply to all users when they are given a licence to use Teams. Let’s use the meeting policy as an example, as this grants a lot of rights, including recording capability, which in some circumstances should be disabled and then granted and approved through a process that your HR or legal team can sign off. But let’s get back to the matter at hand.

First we set the general options such as Meet now and scheduling, Outlook add-ins and private channels.

A few more options here that allow applications and programs to be shared within meetings such as whiteboard, notes and PowerPoint presentations.

Participants and guests, and how they can join meetings.

Audio and video: notice how cloud recording and transcription are turned off. Every tenant will be different, but having a good baseline instead of hundreds of policies governing what users can and cannot do in meetings seems to make sense to me.

This is just an example, but once a baseline has been established for meetings, live events (broadcast), messaging and calling policies we can apply it to all users and then elevate their rights to allow recording, live events or calling through additional group-based policy assignments.
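The baseline described in the captions above, written out as an added PowerShell example rather than the post’s own screenshots: it sets the Global meeting policy to the same conservative defaults (cloud recording and transcription off) with Set-CsTeamsMeetingPolicy and reads the result back. It assumes the MicrosoftTeams module is installed and that the signed-in account holds a Teams administrator role; the individual values are the assumed baseline, not settings taken from any particular tenant.

```powershell
# Added example: apply a conservative baseline to the Global Teams meeting
# policy and verify it. Assumes the MicrosoftTeams module and a Teams admin
# role; the values below are an assumed baseline, adjust to suit the tenant.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# General: Meet now, scheduling and the Outlook add-in stay available.
# Content sharing: whiteboard, shared notes and PowerPoint sharing allowed.
# Participants and guests: anonymous join off, company users auto-admitted.
# Audio and video: video on, cloud recording and transcription OFF so that
# recording rights are only granted later through a group-based policy.
Set-CsTeamsMeetingPolicy -Identity Global `
    -AllowMeetNow $true `
    -AllowPrivateMeetingScheduling $true `
    -AllowChannelMeetingScheduling $true `
    -AllowOutlookAddIn $true `
    -AllowWhiteboard $true `
    -AllowSharedNotes $true `
    -AllowPowerPointSharing $true `
    -AllowAnonymousUsersToJoinMeeting $false `
    -AutoAdmittedUsers 'EveryoneInCompany' `
    -AllowIPVideo $true `
    -AllowCloudRecording $false `
    -AllowTranscription $false

# Read the policy back: AllowCloudRecording and AllowTranscription should
# both show False before any users are moved onto the Global baseline.
Get-CsTeamsMeetingPolicy -Identity Global |
    Select-Object Identity, AllowMeetNow, AllowAnonymousUsersToJoinMeeting,
                  AllowCloudRecording, AllowTranscription
```

Because Global is the fallback for every user without a direct or group assignment, it is worth running the final Get-CsTeamsMeetingPolicy check in change control before nulling anyone’s direct assignment: whatever the Global policy permits is what every user gets the moment their direct policy is removed.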

Nulling out Policies
OK, let’s recap:
1. Global policies created
2. Users not using them because they have directly assigned teams policies
3. Users with above policies applied are high in numbers and require automation to remove

So we now need to have a look at PowerShell to see if there’s an easy way of doing this. Of course there is. Every PowerShell script is different and I don’t claim to be an expert, but this is what I came up with, so feel free to take it away and improve it!

First we need to come up with a way of grabbing the users that might or might not have a policy directly applied to them. We don’t really care about the users that don’t have a policy, so let’s look at some generic groups in Azure AD, particularly those groups that might be used to assign M365 licences, as they should contain all users that use Teams. If not, we can use a dynamic group in Azure to get all users with Teams enabled.

Set up the variables and the export location for our group.

We need to enable basic authentication to make using ISE much easier, then install and import the modules used within the script. Then we create a CSV file containing the information gathered on the relevant users.


Once we have the users, we need to modify the CSV file so it’s readable by our script by leaving in just the email address or the SIP proxy address column. There will be around 50 columns or so; you might have better scripting than me, but I’m happy just removing the columns and saving the file. The next few lines of code force the user to open up the CSV via Excel and amend it where needed.

Finally, “press enter to continue” actually runs the commands to “nuke” those policies. I am using the New-CsBatchPolicyAssignmentOperation cmdlet, which essentially puts all users from a list into one batch and sets the policy type to either nothing or a particular policy name. In my case I’m setting everything to $null!

I can then use Get-CsBatchPolicyAssignmentOperation to verify the status of the batch operation. The output shows the batch ID, the policy name, the status, the date/time and the number of users the batch hit.

Once the script has finished, the userbase will have the default/global policy applied, so now we can go off and apply Teams policy groups based on Azure AD groups to better control what we want users to do in Teams.
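The whole procedure from the previous steps (pull the users from a licensing group, export and review the CSV, null the direct assignments in batches, check the batch status, then hand control to a group-based assignment) as one added PowerShell example. This is not the post’s own script, whose screenshots are missing here; it uses the AzureAD and MicrosoftTeams modules rather than the older basic-authentication connector the post refers to. The group names, file paths and the `MeetingPolicy-RecordingAllowed` policy name are placeholders. It also adds one step the post does not describe: exporting each user’s current direct assignments before they are removed, so the change can be reversed if the Global baseline turns out to be wrong.

```powershell
# Added example: null out direct Teams policy assignments for the members of
# a licensing group and replace them with group-based assignment. Assumes the
# AzureAD and MicrosoftTeams modules; names and paths below are placeholders.
Import-Module AzureAD
Import-Module MicrosoftTeams
Connect-AzureAD
Connect-MicrosoftTeams

$groupName   = 'SG-M365-E3-Licence'            # placeholder licensing group
$exportPath  = 'C:\Temp\TeamsPolicyUsers.csv'   # placeholder export location
$backupPath  = 'C:\Temp\TeamsPolicyBackup.csv'  # rollback record, written before changes
$policyTypes = @('TeamsMeetingPolicy', 'TeamsMessagingPolicy',
                 'TeamsCallingPolicy', 'TeamsMeetingBroadcastPolicy')

# 1. Grab the group members; keep user objects only (no nested groups/devices)
$group = Get-AzureADGroup -SearchString $groupName | Select-Object -First 1
Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
    Where-Object { $_.ObjectType -eq 'User' } |
    Select-Object UserPrincipalName, DisplayName, Department |
    Export-Csv -Path $exportPath -NoTypeInformation

# 2. Open the CSV so the admin can trim or amend it before anything changes
Invoke-Item $exportPath
Read-Host 'Review and save the CSV, then press Enter to continue'
$users = @(Import-Csv -Path $exportPath)   # @() keeps a single row as an array

# 3. Record the current direct assignments first so the change can be undone
#    (Get-CsOnlineUser exposes the per-user policy names as properties)
$users | ForEach-Object {
    Get-CsOnlineUser -Identity $_.UserPrincipalName |
        Select-Object UserPrincipalName, TeamsMeetingPolicy, TeamsMessagingPolicy,
                      TeamsCallingPolicy, TeamsMeetingBroadcastPolicy
} | Export-Csv -Path $backupPath -NoTypeInformation

Read-Host "About to null direct assignments for $($users.Count) users; press Enter to continue"

# 4. Null each policy type in batches; the cmdlet accepts up to 5000
#    identities per batch, so larger groups are split into chunks
$operationIds = @()
foreach ($type in $policyTypes) {
    for ($i = 0; $i -lt $users.Count; $i += 5000) {
        $last  = [Math]::Min($i + 4999, $users.Count - 1)
        $chunk = $users[$i..$last] | ForEach-Object { $_.UserPrincipalName }
        $operationIds += New-CsBatchPolicyAssignmentOperation `
            -PolicyType $type -PolicyName $null -Identity $chunk `
            -OperationName "Null $type batch $([int]($i / 5000))"
    }
}

# 5. Check every batch: overall status plus completed/error counts
foreach ($id in $operationIds) {
    $op = Get-CsBatchPolicyAssignmentOperation -OperationId $id
    [pscustomobject]@{
        OperationId = $op.OperationId
        Name        = $op.OperationName
        Status      = $op.OverallStatus
        Completed   = $op.CompletedCount
        Errors      = $op.ErrorCount
    }
}

# 6. With direct assignments gone, everyone sits on Global; grant the
#    permissive meeting policy only to the approved-recording group
$recGroup = Get-AzureADGroup -SearchString 'SG-Teams-Recording-Approved' |
    Select-Object -First 1
Grant-CsGroupPolicyAssignment -GroupId $recGroup.ObjectId `
    -PolicyType TeamsMeetingPolicy -PolicyName 'MeetingPolicy-RecordingAllowed' -Rank 1
```

Step 3 is the part to keep even if the rest is rewritten: once the direct assignments are gone, Get-CsOnlineUser no longer tells you what a user used to have, so the backup CSV is the only record that lets an HR or legal approval process be checked against what was previously granted. Step 5 is worth re-running until every batch reports a completed status, because the batch operation is asynchronous and a user whose batch entry errored keeps their old direct policy.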

An HR, Legal or DPO process that controls Teams recording rights sounds pretty good!

by Robbie Jackson
