
A year ago, Teams was a pretty brand new thing and many orgs had only just started trialling it, or hastily rushed it out due to the pandemic. The way to control what you could do inside Teams was mostly derived from a script that had to be run on premise and set various commands against your user objects.
Those commands applied settings directly to the user’s Azure AD object, which also meant that when you got around to doing this properly, any groups you created, or more advanced dynamic Azure AD groups based on a user’s office, department or role, that you then wanted to apply to a Teams policy would not work.
“Direct Teams Policy Rights overrule Group and Global rights”
So, what I’m saying is, regardless of what group a user is added to, the direct assignments made at the time the user was given access to Teams will override anything allocated by groups, unless the current policy is global. This gives us a problem, mostly because nowadays it’s really cool to grant a role to a user and have everything given to them based on that role.
How do we fix this, especially if we are running a hybrid environment where all the groups for our Teams users are created on premise? The first thing we need to do is go through all of the Global Policy settings within Teams and ensure they are good for all of your users to adhere to.
Any user without a policy will always fall back to the global policy
I think you know where I’m going with this. What we want to do is “nuke from orbit”, or null out, all of the direct assignments made during the initial deployment, so that they can then be controlled either through groups created on premise from an attribute in a back end HR system, or through dynamic groups created in Azure based on an on-premise attribute synced up.
All the global settings within Teams are easily identifiable within the Teams Admin centre, assuming that you have the rights to access it. Ideally we want to ensure that all the policies labelled as “Global” provide a baseline for the userbase, with the settings your org is happy to apply to all users when they are given a licence to use Teams. Let’s use the meeting policy as an example, as it grants a lot of rights, including recording capability, which in some circumstances should be disabled and then granted through a process by which your HR or legal team can approve it. But let’s get back to the matter at hand.
First we set the General options such as meet now and scheduling, Outlook add-ins and private channels.
A few more options here that allow applications and programs to be shared within meetings such as whiteboard, notes and PowerPoint presentations.
Participants and guests, and how they can join meetings
Audio and video: notice how cloud recording and transcription are turned off. Every tenant will be different, but having a good baseline instead of hundreds of policies for what users can and cannot do in meetings seems to make sense to me.
This is just an example, but once a baseline has been established for the Meetings, Live events (broadcast), Messaging and Calling policies we can apply it to all users and then elevate their rights to allow recording, live events or calling through additional group-based policy assignments.
Nulling out Policies
Ok, let’s recap:
1. Global policies created
2. Users not using them because they have directly assigned Teams policies
3. Users with the above policies applied are high in number and require automation to remove them
So we now need to have a look at PowerShell to see if there’s an easy way of doing this. Of course there is. Every PowerShell script is different and I don’t claim to be an expert, but this is what I came up with, so feel free to take it away and improve it!
First we need a way of grabbing the users that might or might not have a policy directly applied to them. We don’t really care about the users that don’t have a policy, so let’s look at some generic groups in Azure AD, particularly those groups that might be used to assign M365 licences, as they should contain all users that use Teams. If not, we can use a dynamic group in Azure to get all users with Teams enabled.
Set up the variables and the export location for our group
We need to enable basic authentication to make using ISE much easier, then install and import the modules used within the script. Then we create a CSV file containing the information gathered on the relevant users.
Once we have the users, we need to modify the CSV file so it’s readable by our script by leaving in just the email address or the SIP proxy address column. There will be around 50 columns or so; you might have better scripting than me, but I’m happy just removing the columns and saving the file. The next few lines of code force the user to open up the CSV in Excel and amend it where needed.
Finally, “press enter to continue” actually runs the commands to “nuke” out those policies. I am using the New-CsBatchPolicyAssignmentOperation cmdlet, which essentially puts all users from a list into one batch and sets the given policy type to either nothing or a particular policy name. In my case I’m setting everything to $null!
I can then use Get-CsBatchPolicyAssignmentOperation to verify the status of the batch operation. The first column shows the batch ID, followed by the policy name, the status, the date/time and the number of users the batch hit.
Once the script has finished, the userbase will have the default/global policy applied, so now we can go off and apply Teams policy groups based on Azure AD groups to better control what we want users to do in Teams.
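The batch steps above, written out as an added PowerShell example (this is not the author’s script): it reads the trimmed CSV, nulls the direct assignment for each policy type in batches, polls each batch until it completes and reports any per-user failures. It assumes the MicrosoftTeams module is installed, the CSV path and its UserPrincipalName column, a 5,000-user batch limit, and an account with Teams admin rights.

```powershell
# Added example, not the original post's code. Assumptions: MicrosoftTeams module installed,
# a CSV at $csvPath with a UserPrincipalName column (the one column left after trimming the export),
# and a signed-in Teams admin. Live events are the TeamsMeetingBroadcastPolicy type.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

$csvPath     = 'C:\Temp\TeamsUsers.csv'   # assumed path
$policyTypes = @('TeamsMeetingPolicy', 'TeamsMeetingBroadcastPolicy', 'TeamsMessagingPolicy', 'TeamsCallingPolicy')
$batchSize   = 5000                        # assumed per-batch limit of the batch assignment cmdlet

$users = @((Import-Csv -Path $csvPath).UserPrincipalName | Where-Object { $_ } | Select-Object -Unique)
Write-Host "Loaded $($users.Count) users from $csvPath"
# Nulling removes stricter direct assignments too, so the list is worth a final look before continuing.
Read-Host 'Press Enter to null out direct policy assignments for these users (Ctrl+C to abort)'

$operationIds = @()
foreach ($type in $policyTypes) {
    for ($i = 0; $i -lt $users.Count; $i += $batchSize) {
        $end   = [Math]::Min($i + $batchSize, $users.Count) - 1
        $chunk = $users[$i..$end]
        # PolicyName $null removes the direct assignment; the user then falls back to group or global policy
        $opId = New-CsBatchPolicyAssignmentOperation -PolicyType $type -PolicyName $null `
                    -Identity $chunk -OperationName "Null $type from index $i"
        $operationIds += $opId
        Write-Host "Submitted $type batch ($($chunk.Count) users), operation $opId"
    }
}

# Batch operations run asynchronously: poll until each completes, then list users that did not succeed
foreach ($opId in $operationIds) {
    do {
        Start-Sleep -Seconds 30
        $op = Get-CsBatchPolicyAssignmentOperation -OperationId $opId
    } until ($op.OverallStatus -eq 'Completed')
    Write-Host "$($op.OperationName): $($op.CompletedCount) completed, $($op.ErrorCount) errors"
    $op.UserState | Where-Object { $_.Result -ne 'Success' } | Format-Table Id, Result
}

# Spot check: a user with no direct assignment shows empty policy names, i.e. the global policy applies
Get-CsOnlineUser -Identity $users[0] |
    Select-Object UserPrincipalName, TeamsMeetingPolicy, TeamsMeetingBroadcastPolicy, TeamsMessagingPolicy, TeamsCallingPolicy
```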
A HR, Legal or DPO process that controls Teams recording rights sounds pretty good!
by Robbie Jackson