Using the Office 365 Groups Naming Policy


Office 365 Groups with Compliant Names

Exchange has had a distribution group naming policy since Exchange 2010. The policy is defined in settings in the Exchange organization configuration and is still available today in both on-premises and cloud versions. Applying a naming policy allows organizations to ensure that groups use consistent names as well as blocking users from including objectionable words in group names.

When Office 365 Groups came along in 2014, no naming controls were available. Groups occupy an increasingly important position inside Office 365 as more and more applications use Groups as a membership and identity service, so it is somewhat puzzling that Microsoft took so long to come forward with a naming policy.

Part of the reason was the need to create a new mechanism that applied to all Office 365 applications. The temptation might exist to use the distribution groups policy as that would mean a single consistent policy applied to both distribution groups and Office 365 Groups. However, Exchange configuration settings are good for Exchange, but not for applications like Stream and Power BI that create groups but know nothing about Exchange.

The solution is to use settings in the Azure Active Directory policy for Groups. All Office 365 applications can access the policy to retrieve the naming controls. The naming policy is now in preview and will be released when Microsoft considers it to be ready.

[Update February 21: Microsoft has released the policy to public preview. It is named Azure AD Naming Policy for Office 365 Groups, which I assume links the policy to the need for Azure AD Premium Licenses. In this case, the “feature will require Azure AD Premium licenses for all users that are members of Office 365 groups in the tenant.”]

Naming is a Premium Feature

Like many of the settings held in the Azure Active Directory policy for Groups, Microsoft views the naming policy as a premium feature. In their support article about licensing, Microsoft says “periodically we will generate usage reports that tell you which users are missing a license.” No details are available about when the checks that generate the usage reports will happen.

Creating a Group Naming Policy

The steps to implement a group naming policy are simple.

[PS] C:\> Connect-AzureAD
  • If a policy does not yet exist for the tenant, create the Azure Active Directory policy for Groups.
[PS] C:\> $Policy = Get-AzureADDirectorySettingTemplate | ? {$_.DisplayName -eq "Group.Unified"}
[PS] C:\> $Settings = $Policy.CreateDirectorySetting()
[PS] C:\> New-AzureADDirectorySetting -DirectorySetting $Settings
  • Populate the settings for the group naming policy. In this example, we set a prefix of “O365Grp-” and define some words that we do not want to see used in group names. See the support documentation for more detail about how to use attributes from Azure Active Directory to form display names. It is best to choose a prefix that is not too long and to favor simplicity over complexity in how you use Azure Active Directory attributes to construct a name. If you work in a multi-lingual environment, make sure to select a prefix that works in all languages. Also, make sure that the scheme you select keeps display names to 256 characters or fewer.
[PS] C:\> $Settings = Get-AzureADDirectorySetting | ? {$_.DisplayName -eq "Group.Unified"}
[PS] C:\> $Settings["PrefixSuffixNamingRequirement"] = "O365Grp-[GroupName]"
[PS] C:\> $Settings["CustomBlockedWordsList"] = "Sexy,Stupid,Giggles,Funny,CFO,CEO,Shit,Payroll"
[PS] C:\> Set-AzureADDirectorySetting -Id $Settings.Id -DirectorySetting $Settings

Clients differ in the way that they pick up policy settings and Office 365 needs to update multiple servers with the new policy, but after an hour or so the new settings should be active for the tenant.

The Effect of a Naming Policy

Once a naming policy is in effect, clients apply the policy when users create new groups or edit the display name of an existing group. The exception is for tenant administrators, who are exempt from the policy no matter what client they use. The assumption is that administrators can make up their own minds about what display name to give to a group. See the support documentation for information about the administrator roles that are exempt from the naming policy.

Microsoft has updated many of the clients that support Office 365 Groups to support the naming policy. The detail of how a client supports the policy varies. In general, web-based clients like OWA and Teams include a preview of the group name after application of the policy together with warnings when a user types in a blocked word for a group name. Microsoft documentation refers to the preview as “the naming policy decorated name,” which seems a tad over the top.

Other clients, like Outlook desktop and the Outlook mobile clients, enforce the policy without giving visual clues as users input names. Instead, these clients flag errors when they check the policy before trying to create or edit a group.

Figure 1 shows how OWA previews the display name after application of the naming policy (we can see that the O365Grp- prefix is present) and flags the presence of a blocked word. During the preview, I noticed that clients did not pick up every instance of a blocked word and allowed group names with these words. Microsoft knows the root cause and will fix the problem before they release the naming policy.

Figure 1: OWA signals errors in a group name (image credit: Tony Redmond)

Figure 2 shows how Teams previews the name for a new group. The experience is consistent.

Figure 2: Teams previews the display name for a new team (image credit: Tony Redmond)

Retrofitting a Naming Policy to Old Groups

Office 365 does not apply the naming policy to groups that exist before its implementation. If you want to bring those groups into line with the policy, you must update the display name for older groups. PowerShell is exactly the right tool for a job like this, so here’s an example of code to find and update groups with non-compliant names. In this case, the code only handles prefixes and it is an exercise for the reader to update it to deal with suffixes. Make sure that you connect PowerShell to both Azure Active Directory and Exchange Online before you run the code.

$Policy = Get-AzureADDirectorySetting | ? {$_.DisplayName -eq "Group.Unified"}
$NamingPolicy = $Policy["PrefixSuffixNamingRequirement"]
If (!($NamingPolicy))
   { Write-Host "No naming policy defined..."
     EXIT }
   Else
   { Write-Host "Office 365 Groups naming policy is" $NamingPolicy }
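# Find the prefix (the text before the [GroupName] token in the policy)
$Prefix = $NamingPolicy.SubString(0,($NamingPolicy).IndexOf("[Group"))
# Anchor the match at the start of the name so that only names beginning with the prefix count as compliant
$PrefixMatch = $Prefix + "*"
# Find Office 365 Groups that don't match the naming policy
$Groups = @(Get-UnifiedGroup -ResultSize Unlimited | ? {$_.DisplayName -NotLike $PrefixMatch})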
If ($Groups.Count -gt 0)
   { $Prompt = "You have " + $Groups.Count + " groups to update. Proceed? [Y/N]"
     $Answer = Read-host -Prompt $Prompt 
     If ($Answer.ToUpper() -ne "Y")
        {
         Write-Host "Exiting..." 
         EXIT }
     }
# Update Groups
Write-Host "Updating Groups..."
ForEach ($G in $Groups)
   {$NewDisplayName = $Prefix + $G.DisplayName
    Write-Host $G.DisplayName "updated to" $NewDisplayName
    # Report-only as written: remove the # from the next line to apply the new display name
    #Set-UnifiedGroup -Identity $G.Alias -DisplayName $NewDisplayName
   }
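
The script above deals only with prefixes and leaves blocked words unchecked. The function below is an added example, not part of the original article or Microsoft's code: it splits a policy string around the [GroupName] token, works out the compliant name for prefix and suffix policies alike, and reports blocked words and names that would exceed 256 characters. The function name, the constructed sample names, the restriction to fixed-string prefixes and suffixes (no Azure Active Directory attribute tokens), and the whole-word, case-insensitive matching of blocked words are all assumptions. It runs offline; to audit a tenant, pipe in the DisplayName values returned by Get-UnifiedGroup.

```powershell
# Added example: offline audit of display names against a naming policy.
# Assumptions: fixed-string prefix/suffix only (no [Department]-style attribute
# tokens) and whole-word, case-insensitive blocked-word matching.
function Test-GroupDisplayName {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $NamingPolicy,   # e.g. "O365Grp-[GroupName]"
        [string] $BlockedWords = ""                      # comma-separated list
    )
    $Token = "[GroupName]"
    $At = $NamingPolicy.IndexOf($Token, [StringComparison]::OrdinalIgnoreCase)
    if ($At -lt 0) { throw "Policy '$NamingPolicy' has no $Token token" }
    $Prefix = $NamingPolicy.Substring(0, $At)
    $Suffix = $NamingPolicy.Substring($At + $Token.Length)

    # Strip whichever decorations are already present to recover the base name
    $Base = $DisplayName
    $HasPrefix = $Base.StartsWith($Prefix, [StringComparison]::OrdinalIgnoreCase)
    if ($HasPrefix) { $Base = $Base.Substring($Prefix.Length) }
    $HasSuffix = $Base.EndsWith($Suffix, [StringComparison]::OrdinalIgnoreCase)
    if ($HasSuffix) { $Base = $Base.Substring(0, $Base.Length - $Suffix.Length) }

    # Whole-word comparison, so "Funnybone" is not flagged by a blocked "Funny"
    $Blocked = @($BlockedWords -split "," | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $NameWords = @($Base -split "[^\p{L}\p{Nd}]+" | Where-Object { $_ })
    $Hits = @($NameWords | Where-Object { $Blocked -contains $_ })   # -contains ignores case

    $Proposed = $Prefix + $Base + $Suffix
    [pscustomobject]@{
        DisplayName  = $DisplayName
        Compliant    = ($HasPrefix -and $HasSuffix -and $Hits.Count -eq 0 -and $Proposed.Length -le 256)
        ProposedName = $Proposed
        BlockedHits  = ($Hits -join ",")
        TooLong      = ($Proposed.Length -gt 256)
    }
}

# Constructed sample names, checked against the policy values used in this article
$Policy = "O365Grp-[GroupName]"
$BlockedList = "Sexy,Stupid,Giggles,Funny,CFO,CEO,Shit,Payroll"
"O365Grp-Project Falcon", "Budget Planning", "Payroll Queries", "O365Grp-Funnybone Club" |
    ForEach-Object { Test-GroupDisplayName -DisplayName $_ -NamingPolicy $Policy -BlockedWords $BlockedList } |
    Format-Table -AutoSize
```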

Is a Policy Worth the Bother?

Even if you have Azure Active Directory premium licenses, the question is whether enough business value is gained from a naming policy to make it worthwhile. Some organizations like to have all groups follow a consistent naming standard while others do not consider this important. Instead, these tenants focus on the actual name of the group and make the priority that the name conveys a clear meaning about the group’s purpose.

Wherever you fall on the spectrum, if you decide to go ahead with a group naming policy, you should communicate what is happening to users. The content of groups does not change; the only thing that does is the name. If that is important to you, then the naming policy is of interest. If not, it is just an interesting exercise in name generation.

Follow Tony on Twitter @12Knocksinna.
