In this post I show how you can use (Azure) AD security groups or Microsoft 365 groups to assign Microsoft Teams Policies within the Teams Admin Center. This is handy to manage bulk or many different policy assignments via GUI. So, you don’t have to use and run your PowerShell scripts which might does the magic in larger environments with more versatile requirements regarding Microsoft Teams permissions.
Which policy is applied for a user?
Bascially, there are two types to assign a policy to a user: direct vs. indirect. Depending on how you assign a policy it is applied in a specific order as follows:
- directly assigned policy (no inheritance of a policy of from a group)
- no direct assigned policy (group policy with highest rank)
- no direct nor indirect assigned policy –> global (Org-wide default)
Quick start
In this section I list the steps you and things you need to do.
- Create Azure AD group/groups
- Add users to the group/groups
- Create custom policy/policies in Teams Admin Center, e.g. a custom meeting or messaging policy
- Assign the Azure AD group / groups to the custom policy/policies
Azure AD Group creation example
To assign policies to a group of users you need to create or have a group in Azure AD. Either a security or Microsoft 365 group. In this example, I prefer a security group because in this case I don’t want to have the Microsoft 365 group overhead for assigning permissions. Also, I create a static/assigned group and no dynamic group.
Don’t forget to add users to the group.
Group policy assignment via Teams Admin Center
In different areas in the Teams Admin Center you can create and assign policies, e.g. for meetings. As you can see in the below depicted screenshot there is also a further sub-menu or -register where you can click on “Group policy assignment”. The following screenshots will walk you through the assignment process.
That’s actually it.
But how to verify that the policies are assigned?
Well, Microsoft also provides a log showing the policy assignment status for the last 30 days.
Check policy assignment status for the last 30 days
- Teams admin center dashboard
- activity log
- view details
- view all policy assignment/s which you can also filter (not started, in progress, completed)
PowerShell code snippet for policy assignment (example)
#Example code snippet for Teams Batch Policy Assignment
#20200816 Erik Kleefeldt
#Required permissions: Teams service admin, a Teams communication admin, or Global Administrator
#Currently supported policy types (subject to change at any time): CallingLineIdentity, ExternalAccessPolicy, OnlineVoiceRoutingPolicy, TeamsAppSetupPolicy, TeamsAppPermissionPolicy, TeamsCallingPolicy, TeamsCallParkPolicy, TeamsChannelsPolicy, TeamsEducationAssignmentsAppPolicy, TeamsEmergencyCallingPolicy, TeamsMeetingBroadcastPolicy, TeamsEmergencyCallRoutingPolicy, TeamsMeetingPolicy, TeamsMessagingPolicy, TeamsUpdateManagementPolicy, TeamsUpgradePolicy, TeamsVerticalPackagePolicy, TeamsVideoInteropServicePolicy, TenantDialPlan
#Note: Policy assignments are updated if a user is added/removed
#Use at your own risk, this is just an example code snippet
#For further details/reference please see https://docs.microsoft.com/en-us/microsoftteams/assign-policies
#Install modules
Install-Module -Name AzureAD
Install-Module -Name MicrosoftTeams
#Connect services
Connect-MicrosoftTeams
Connect-AzureAD
#Get users
$AzureUsers = Get-AzureADUser
#Assign policy to a group
#Soft limit: 50 000 users per group
Get-AzureADGroup -SearchString "SEC-EUDE*"
New-CsGroupPolicyAssignment -GroupId <object id of AAD group> -PolicyType TeamsMeetingPolicy -PolicyName "Meeting-StandardUser" -Rank 1
#Check assignment for group/s
Get-CsGroupPolicyAssignment -GroupId <object id of AAD group>
#Get all groups with assigned Teams Meeting policies type
Get-CsGroupPolicyAssignment -PolicyType TeamsMeetingPolicy
#Remove assignment to a group for a meeting policy
Remove-CsGroupPolicyAssignment -PolicyType TeamsMeetingPolicy -GroupId <object id of AAD group>
#Batch job
#Limit: < 5000 users per batch
#Assign meeting policy batch
New-CsBatchPolicyAssignmentOperation -PolicyType TeamsMeetingPolicy -PolicyName "Meeting-StandardUser" -Identity $users.SipProxyAddress -OperationName "20200816-AssignStandardMeetingUserPolicy"
#Check batch operation status
Get-CsBatchPolicyAssignmentOperation -OperationId <ID shown after New-CsBatchPolicyAssignmentOperation is executed> | fl
#Check batch operation status for users
Get-CsBatchPolicyAssignmentOperation -OperationId <ID shown after New-CsBatchPolicyAssignmentOperation is executed> | Select -ExpandProperty UserState
#Disconnect services
Disconnect-MicrosoftTeams
Disconnect-AzureAD
Conclusion, opinion and summary
In case you already implemented a Teams policy assignment process before the above methods were available, you might review your as-is and transition to the new methodes available. I assume the new methods are more sophisticated than using just combinations of AD groups, PowerShell scripts for direct Teams policy assignment/s.
Additional resources
- Assign policies to your users in Microsoft Teams
- Assign a policy to a batch of users [in Teams Admin Center]
- View your policy assignments in the Activity log
- Microsoft Teams User Voice – Assign policy to groups [feature request]
For more Azure news check out our resource centre
About the Author:
I’m solution architect @abtis focusing on delivering communication and collaboration services. My goal is to enable companies and their users for a modern and digital workplace. To do so I focus on Microsoft Teams and (still) Skype for Business (Server) depending on the requirements. I’ve been working in several areas and topics in IT for more than 12 years by now.
Reference:
Kleefeldt,E. (2020). Assign Teams policies by group. Available at: https://erik365.blog/2020/08/16/assign-teams-policies-by-group/ [Accessed: 25th November 2020].
