Teams Real Simple with Pictures: Group Policy Assignment

This blog is part of a series on Teams. For more articles, check back often

Written: 27/09/2020 | Updated: N/A

Ignite is over! It went by so damn fast! And getting to the end of the week it was – admittedly – really tempting to do a blog regarding all of the new functionality which is incoming into Microsoft Teams. However, since there are loads of these blogs at the moment, and since I’ll be covering them as they come into play anyway, I thought I would focus in on a nice add which I saw has surfaced recently in the TAC called Group Policy Assignment. Group Policy Assignment allows you to manage Teams policies at scale, applying custom policies to many users based upon membership of a group. This could be the underlying Microsoft 365 group of a Team, this could be a security group, it could even be a distribution group. Now, when you consider it could be any kind of group then this becomes quite powerful. You could, for example, use policies alongside dynamic group membership. Or you could apply policies for specific roles or hierarchies. And the beauty of all this is that you no longer have to do it all by assigning multiple policies directly to specific users or in batches. Simply by adding a user, for example, to a specific security group they can have all their policies assigned in one go. By using Powershell, you could add hundreds of users to the same security group and all of their policies – from messaging to meetings – would be assigned and ready to go in a matter of minutes

Group policies can be used alongside, or as an alternative to Policy Packages. Note from the outset that group policy assignment refers to custom policies, not the global org-wide defaults which are applied when Teams is first deployed, and which users fall back on if custom policies – including ones assigned by groups, are removed

This blog will cover

  • Setting up a Security Group
  • Setting up and assigning a Policy to a Group
  • Understanding policy precedence
  • Useful PowerShell commands

WHAT POLICIES ARE COVERED IN THE TEAMS ADMIN CENTRE

The following policies are covered within the Teams Admin Centre as of the time of writing

  • Teams Calling Policy
  • Teams Call Park Policy
  • Teams Policy
  • Teams Live Events Policy
  • Teams Meeting Policy
  • Teams Messaging Policy

All other policies, such as Caller ID, App Permissions and App Setup need to be configured by Powershell

WHY WOULD WE DO IT?

  • Manage policies at scale
  • To save considerable time from direct assignment of policies

PREREQUISITES

1.) Teams administrator or global administrator role for Teams Admin Centre access, to create and assign policies. Global or user administrator roles to create security groups

2.) Powershell module if assigning through Powershell

HOW – SETTING UP A SECURITY GROUP

The security group will be the group of users we want to apply a policy to en masse. In the future, once we have assigned our policies to the security group and can simply add any further users to the security group. As said above, group policy assignment can also be for Microsoft 365 groups and distribution groups, however I want to illustrate the case which will likely be the one more widely used which is security groups. Since users are typically in multiple teams and can change frequently, I would imagine that most organisations would apply policies based on security groups and defined roles. This example will set up a security group based on the role of Teams Administrators for my organisation.

1.) Login into https://login.microsoftonline.com and select admin from the left app rail or from all apps

2.) Select Groups then Active Groups

3.) Select Add a Group

4.) Select Security Group then Next

5.) Set a Name and Description (here defined as Teams Administrator Policies) and then select Next

6.) Review and select Create Group. Close once complete

7.) Assign and owner and members to the security group

Our security is now setup and ready to go

HOW – SETTING UP AND ASSIGNING A POLICY TO A GROUP

Having now set up our security group for our Teams Administrators, we will go and apply policies to the security group. We can either choose a custom policy if one already exists. If one does not exist then we would need to create one. In this example, I will create a new messaging policy for my Teams Administrators and assign it to the group. To note, you cannot choose global org wide policies to assign to a group as these are the defaults should users not already have a custom policy and users fall back to the global org-wide default if a custom policy (whether direct assigned or group assigned) is removed

1.) Return to the Microsoft 365 Admin Centre and select Teams

2.) Select Messaging Policies and then Add

3.) Set the elements of the messaging policy and then Save

4.) The policy I want is now created. Select Group Policy Assignment

5.) Select Add Group

6.) Select the Security Group, the Rank and the Policy and then select Apply

The Rank means that if the same user is in multiple security groups with messaging policies assigned, the rank with the highest number (highest meaning 1) is going to win out. It is therefore important to consider this in terms of policy precedence within your organisation and group policies ranking from less restrictive or more permissive (higher rank) to more restrictive or less permissive (lower rank)

7.) The policy has now been applied to the group and to the users within the security group

8.) Rinse and repeat for other applicable policies such as the meetings and calling policies. Currently, some policies can only be assigned to groups through Powershell including App Permissions, App Setup and Caller ID however these are likely to surface in the TAC over time

UNDERSTANDING POLICY PRECEDENCE

Policy precedence is understanding what policy applies to the user given that they could have been directly assigned policies or are part of a security group or multiple security groups that are assigned a policy in the same category. In short, which policy wins out

You can see this by going to the details of a user’s policy within the Teams Admin Centre

Here are the rules

1.) A custom policy which is directly assigned to the user, in a batch or via a policy package takes precedence over everything else. A custom policy or policy package can overwrite a policy which is assigned to a group

2.) A group policy comes next which takes precedence over the default group wide org policy, but does not take precedence over a custom policy which has been directly set on the user or a policy package. If the user is in multiple security groups, or Microsoft 365 groups, or distribution groups which have policies assigned to them in the same policy category, then the highest ranked would win.

3.) The global org wide default policy is preceded by everything else

USEFUL POWERSHELL COMMANDS

The key powershell cmdlet for group policy assignment in Teams is New-CsGroupPolicyAssignment

Group policy assignment is currently limited to the following policy types

CallingLineIdentity (Caller ID policies)
OnlineVoiceRoutingPolicy (Voice Routing policies)
TeamsAppSetupPolicy (App Setup policies)
TeamsCallingPolicy (Calling policies)
TeamsCallParkPolicy (Call park policies)
TeamsChannelsPolicy
TeamsComplianceRecordingPolicy
TenantDialPlan
TeamsEducationAssignmentsAppPolicy
TeamsMeetingBroadcastPolicy (Live Events policies)
TeamsMeetingPolicy (Meeting policies)
TeamsMessagingPolicy (Messaging policies)
TeamsUpdateManagementPolicy

New Group Policy Assignment with Object ID

New-CsGroupPolicyAssignment -GroupId d8ebfa45-0f28-4d2d-9bcc-b158a49e2d17 -PolicyType TeamsMeetingPolicy -PolicyName AllOn -Rank 1

New Group Policy Assignment with Email/SIP

New-CsGroupPolicyAssignment -GroupId salesdepartment@contoso.com -PolicyType TeamsMeetingPolicy -PolicyName Kiosk -Rank 1

Get Group Policy Assignment

Get-CsGroupPolicyAssignment -PolicyType TeamsMeetingPolicy

Remove Group Policy Assignment

Remove-CsGroupPolicyAssignment -GroupId e050ce51-54bc-45b7-b3e6-c00343d31274 -PolicyType TeamsMeetingPolicy

Set Group Policy Assignment (Coming soon)

Set-CsGroupPolicyAssignment -GroupId 566b8d39-5c5c-4aaa-bc07-4f36278a1b38 -PolicyType TeamsMeetingPolicy -Rank 1

Our job here is done. I hope you enjoyed spending some time reading up on group policy assignment and that it helps you to manage the policies applied to your users in Microsoft Teams