Making a Full Teams Policy Assignment Report

Group-Based Policy Assignments Not Covered in the Earlier Version

In November 2021, I wrote an article explaining how to generate an HTML report about the Teams policies assigned to user accounts. Life was simpler then and group-based policy assignments were relatively new. Showing its age, the ill-fated and never-successful Teams advanced communications license was the requirement needed to build and assign custom policy packages to user accounts. Now Teams Premium is the necessary license to support custom policy packages. However, organizations can assign the standard policy packages with the base Teams license.

This explanation is a long-winded way of saying that the report I wrote about in November 2021 only reports direct policy assignments. Any policies assigned to users through group membership are blissfully ignored, a fact highlighted in a LinkedIn discussion that invoked my name.

This is a good example of the risk inherent in sample code: technical developments can render the example less useful over time. It’s frustrating for readers to find that an example that appears to meet their needs doesn’t work. I can assure you that it’s equally irksome for people who create example code when they discover that time and technology erode the value of their efforts.

Handling Three Types of Teams Policy Assignments

Something had to be done. Group-based management of objects like policies and licenses is an efficient way to ensure that user accounts with the same role receive a consistent configuration. Fixing the report script would also address other obvious flaws, like using the Exchange Online PowerShell module to get the group name. I fired up Visual Studio Code and spent a couple of hours on a Saturday afternoon to figure out the best way of reporting the three types of policy assignments that exist in Teams:

  • Default: No other type of policy assignment exists for an account, so user activity is governed by the default policy.
  • Direct: An administrator assigns a specific policy to an account.
  • Group: A user inherits a policy from a policy package assigned to their account.

Figure 1 shows some of the policies assigned to a Teams user. We can see that 24 different policies are available and that two of the five visible policies are direct assignments while the other three are default assignments.

Figure 1: Policies assigned to a Teams user

Reporting Teams Policy Assignments

The Get-CsOnlineUser cmdlet retrieves policy assignments along with lots of other information about Teams users. The information returned by the cmdlet is sufficient to deal with default and direct policy assignments. If the property for a policy is blank, it means that the default policy is used. If the name of a policy is in the property, it’s a direct assignment. In the extract shown below, there are three direct assignments and five instances where the default policy is used:

Get-CsOnlineUser -Identity '[email protected]' | fl Teams*Policy*

TeamsAppPermissionPolicy               : Unrestricted App Access
TeamsAppSetupPolicy                    : App Policy 2
TeamsAudioConferencingPolicy           :
TeamsCallHoldPolicy                    :
TeamsCallParkPolicy                    :
TeamsCallingPolicy                     :
TeamsCarrierEmergencyCallRoutingPolicy :
TeamsChannelsPolicy                    : PrivateTeamsPolicy
(etc.)

Curiously, the Get-CsOnlineUser cmdlet returns 44 Teams policies. Some of the policies that don’t show up in the Teams admin center are disused. Others might be used in the future.

The script described in the original article reported default and direct assignments, so generating the report is simply a matter of running down through each policy to check if a direct assignment exists and if not, report it as a default assignment. A different approach is needed to deal with group-based assignments. Take this code section that reports the meeting policy for a user:

# Meeting policy
$TeamsMeetingPolicy = $TenantDefaultString
$CurrentAssignment = $null
If ($User.TeamsMeetingPolicy) {
   # Get-CsOnlineUser returned a policy name, so this is a direct assignment
   $TeamsMeetingPolicy = $User.TeamsMeetingPolicy.Name
} Else {
   # Property is blank: check for direct or group-based assignments
   [array]$PolicyAssignments = Get-CsUserPolicyAssignment -Identity $User.UserPrincipalName `
     -PolicyType TeamsMeetingPolicy | Select-Object -ExpandProperty PolicySource
   If ($PolicyAssignments) {
      # The first entry is the most recent assignment
      $CurrentAssignment = $PolicyAssignments[0]
   }
   If ($CurrentAssignment) {
      Switch ($CurrentAssignment.AssignmentType) {
         "Direct" {
            $TeamsMeetingPolicy = ("{0} (Direct)" -f $CurrentAssignment.PolicyName)
         }
         "Group" {
            # Resolve the group identifier to a display name for the report
            $GroupName = (Get-GroupNameByRef -GroupId $CurrentAssignment.Reference).DisplayName
            $TeamsMeetingPolicy = ("{0} (Group: {1})" -f $CurrentAssignment.PolicyName, $GroupName)
         }
      }
   }
}

First, the script sets the variable that stores the name of the assigned policy to a default value. Next, it checks if the Get-CsOnlineUser cmdlet returned a policy name. If so, the meeting policy is a direct assignment, and the script doesn’t need to probe further. The next step runs the Get-CsUserPolicyAssignment cmdlet to check if any assignments exist. The cmdlet returns details of group and direct assignments. A Switch command checks the first (most recent) assignment and updates the variable storing the name of the assigned policy with the policy and a prefix. The direct assignment check might be unnecessary because Get-CsOnlineUser returns this information, but I included it just in case.

If it’s a group assignment, the script calls a function to run the Get-MgGroup cmdlet (from the Microsoft Graph PowerShell SDK) to return the display name of the group used for the assignment. When processing policy assignments for all users, it’s likely that the same groups will be met many times. It would be wasteful to call Get-MgGroup each time, so the function uses a hash table to hold details of the groups it has already processed and only calls Get-MgGroup if the group hasn’t been seen before.
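
A cached group lookup of the kind described above could look like the following. This is an added example, not the code from the script on GitHub: only the function name and its -GroupId parameter come from the snippet above, while the -Resolver parameter, the cache variable, the handling of groups that no longer resolve, and the sample group IDs are assumptions made here so the caching can be exercised without a tenant connection.

```powershell
# Added example; assumes Connect-MgGraph has already run when the default resolver is used.
$Script:GroupCache = @{}   # GroupId -> object with Id and DisplayName

function Get-GroupNameByRef {
    param(
        [Parameter(Mandatory)][string]$GroupId,
        # Hypothetical parameter: swaps the directory lookup so the cache can be tested offline
        [scriptblock]$Resolver = {
            param($Id) Get-MgGroup -GroupId $Id -Property Id, DisplayName -ErrorAction Stop
        }
    )
    if (-not $Script:GroupCache.ContainsKey($GroupId)) {
        $Name = $null
        try { $Name = (& $Resolver $GroupId).DisplayName } catch { $Name = $null }
        # Deleted or unreadable group: cache the miss so it is not retried for every user
        if (-not $Name) { $Name = "Unresolved group ($GroupId)" }
        $Script:GroupCache[$GroupId] = [pscustomobject]@{ Id = $GroupId; DisplayName = $Name }
    }
    $Script:GroupCache[$GroupId]
}

# Constructed sample data: two known groups; a third ID below refers to a group that no longer exists
$Directory = @{
    '11111111-1111-1111-1111-111111111111' = 'Sales Staff'
    '22222222-2222-2222-2222-222222222222' = 'Contractors'
}
$Script:Lookups = 0
$OfflineResolver = {
    param($Id)
    $Script:Lookups++
    if (-not $Directory.ContainsKey($Id)) { throw "Group $Id not found" }
    [pscustomobject]@{ Id = $Id; DisplayName = $Directory[$Id] }
}

# Five group-based assignments (constructed) that reference only three distinct group IDs
$References = @(
    '11111111-1111-1111-1111-111111111111', '22222222-2222-2222-2222-222222222222',
    '11111111-1111-1111-1111-111111111111', '33333333-3333-3333-3333-333333333333',
    '33333333-3333-3333-3333-333333333333'
)
foreach ($Ref in $References) {
    $Group = Get-GroupNameByRef -GroupId $Ref -Resolver $OfflineResolver
    "{0} -> {1}" -f $Ref, $Group.DisplayName
}
"Directory lookups made: $Script:Lookups for $($References.Count) assignments"
```

Omitting -Resolver sends the lookup to Get-MgGroup. An assignment that still points at a group which no longer resolves shows up in the report as an unresolved reference instead of stopping the run.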

Figure 2 shows an example of the report output.

Figure 2: Teams Policy Assignment Report

The folks who reported the problem have tested the updated script (available from GitHub) and say that it works. At least, it addresses the issue that they had and provides a better overview of the policy assignments for Teams users within a tenant. No doubt the code can be improved, but it’s PowerShell so that’s easily done.

Effort Required to Get the Right Results

The downside is that the amended script takes longer to run because of all the extra processing. The upside is that the report generated by the script is accurate because it includes group-based policy assignments. This goes to prove (once again) that achieving the right result takes effort. In this case, the effort filled a couple of hours on a wet Saturday and delivered a practical solution to a problem. That’s always good.
