Introducing the Microsoft 365 Admin Center



Last year, at Inspire, we unveiled Microsoft 365, bringing together Office 365, Windows 10 and Enterprise Mobility + Security, to deliver a complete, intelligent and secure solution for the modern workplace. In October Microsoft 365 Business reached general availability, representing an integrated solution designed to simplify IT for small and medium-sized businesses.

We know that our customers, from small businesses to large enterprises, rely on the admin center for a broad set of activities. From an administration perspective, our vision for Microsoft 365 is to help simplify IT by unifying management across users, devices, apps and services. Today marks an important step in that vision as we are rolling out a new admin experience for all Microsoft 365 customers. This will be a single place for admins to get started with Microsoft 365 and discover the breadth of management capabilities and experiences available to them.

Integrated into this admin center are both the new Microsoft 365 Security & Compliance Center, which gives security and compliance specialists integrated management capabilities across Office 365, Windows, and EMS, and Microsoft 365 Device Management, which provides integrated device management capabilities across Intune, Office, and Windows. The Security and Compliance Center will be available shortly, with Device Management to follow afterwards. Please look forward to additional details.


Over the coming months we will continue investing in more integrated, streamlined administration experiences across Microsoft 365 to help organizations become more productive and secure while optimizing their IT resources. We will also continue to improve the admin’s user experience, so admins can complete their tasks faster and easier and get more done with their day.

For Microsoft 365 customers, once this is rolled out to your tenant, you will automatically have the new admin experience. You can login as you usually do, or navigate to to try out the new admin experience.


Office 365 for iPad & iPhone – February 2018 release details



On February 11th, 2018, Microsoft released an updated version of Office for iPad & iPhone to Office 365 subscribers – Version 2.10 in 35 languages. Our Office International team translated this release. Here are some of the new features included this month in Excel, PowerPoint and Word:

  • Manipulate and reuse content with ease: When using iOS 11, easily add or move content, or copy to other apps, by dragging and dropping text, images, and other objects.
  • Make your content more accessible: Take advantage of some new accessibility settings – Use large text to make documents, worksheets, and presentations easier to work with, and use the rotor to move across containers, tables, links, slides, sheets, and more when using VoiceOver.

More information and help content on this release can be found here in 37 languages. If you ever have any suggestions (translation or otherwise) on how to make Office for iPad or iPhone better, then please start a conversation here and we will look into it.

The 35 languages we release Office for iPad & iPhone in are listed below:

  1. Arabic
  2. Catalan
  3. Chinese (simplified)
  4. Chinese (traditional)
  5. Croatian
  6. Czech
  7. Danish
  8. Dutch
  9. English UK
  10. English US
  11. Finnish
  12. French France
  13. German
  14. Greek
  15. Hebrew
  16. Hindi
  17. Hungarian
  18. Indonesian
  19. Italian
  20. Japanese
  21. Korean
  22. Malay
  23. Norwegian (Bokmål)
  24. Polish
  25. Portuguese
  26. Portuguese Brazilian
  27. Romanian
  28. Russian
  29. Slovak
  30. Spanish (Spain)
  31. Swedish
  32. Thai
  33. Turkish
  34. Ukrainian
  35. Vietnamese

Office International February Competition Summary and Winners



We’d like to thank everyone who entered the competition. We appreciate your contributions and support for Teams! The competition ran from February 12 to February 23 and we were looking for language issues on localized versions of Teams. We’re happy to announce the top 3 contributors and winners of the $100 Amazon vouchers:

  • Kazuto Shibata
  • Mourad Louha
  • David Andersson

Congratulations, we appreciate your time and feedback!

Competition Report Summary:
Here is an overview of the number of bugs, languages, and contributors for this competition. We’re working on integrating these stats into the existing Power BI dashboard. We’re looking into all bugs reported, and fixes have been made or are in progress for upcoming product updates where applicable.


Thanks again to everyone who entered!


Extend diagramming to IT with network diagrams in Visio Online



When we announced the general availability of Visio Online at the Microsoft Ignite conference in Orlando, we mentioned that cloud-first technologies would be our No. 1 focus for future Visio investments. Since then, we’ve listened to your feedback and developed several new Visio Online capabilities that address your most-requested asks while upholding our commitment to cloud-first solutions. Starting today, Visio Online includes new templates and shapes for network diagrams, enhanced canvas capabilities, and the ability to print and export diagrams as a PDF.

Visio Online is a web-based, diagramming tool designed for anyone to easily create, edit, and share diagrams online. That ease-of-use starts with dozens of premade templates that span a variety of industries and verticals—including IT. The newly released network diagram templates help IT quickly create network diagrams.

Build almost any kind of network diagram using premade templates and designed network shapes.

Included in these templates is a comprehensive set of computer equipment and network shapes and stencils to help you create accurate diagrams that others on your team will quickly understand. Basic diagrams come with shapes for computers, monitors, networks, and peripherals, while detailed diagrams include shapes like network locations, servers, and many more. For now, this new content is only available to English users; local support for other languages is coming soon.

Choose from a variety of network shapes.

Enhanced canvas capabilities

We’ve added two new Visio Online canvas capabilities, Dynamic Glue and Control Points, that make working with connectors and shapes easier. Using Dynamic Glue, you can pin your connectors to an entire shape instead of a single point. The resulting connectors will automatically switch connection points as you move the associated shapes. Visio Online determines the best start and end connection points, eliminating the need for you to adjust these each time you change a diagram’s layout.

Streamline shape and diagrams updates with Dynamic Glue.

Appearing as a yellow circle, a shape’s Control Point allows you to easily manipulate that shape to give it a new look. For example, you can adjust the perspective of a cylinder, reposition the tip of a cone, or move the beak of a callout. Control Points also work with connector text so you can quickly drag descriptive language to the most appropriate spot.

Easily modify shapes and text using familiar Control Points.

Export your diagram as a PDF and print

You can now export your Visio Online diagram as a PDF for offline viewing or to more easily share with colleagues. We’ve also added the ability to print your diagram directly from within your browser.

Export or print your diagrams directly from within Visio Online.

We’re constantly looking for ways to improve Visio Online and invite you to send us your ideas through our UserVoice site. For questions about Visio Online and other features, please email us at Lastly, you can follow us on Facebook, YouTube, and Twitter for the latest Visio and Visio Online news.


Groups activity reporting for Yammer rolling out in Office 365 admin center



We know that reporting is an important part in helping admins drive usage and provide insights on the different tools an organization uses. As part of this commitment, we are excited to announce that groups activity reporting for Yammer will be available in the Office 365 admin center in the coming weeks. 

This data provides an insightful dashboard for admins and community managers to see the health of different groups within your network based on posts, reads, and likes. With this information, you can: 

  • Use analytics to support use cases of Yammer in your organization 
  • Better identify success stories within different groups  
  • Engage active groups to feed campaigns around driving adoption of Yammer 

For further details on enhancements to reporting in the Office 365 admin center, please read our blog post from earlier this week here.


Azure Information Protection Documentation Update for February 2018



The Documentation for Azure Information Protection has been updated on the web and the latest content has a February 2018 (or later) date at the top of the article.

Despite the fewer number of days in this month, we’re not short on doc updates to support new releases or requests for clarifications.  So this is the place to check for anything you might have missed. For example, these doc updates include:

  • New preview release of the Azure Information Protection client.
  • GA release of the Azure Information Protection scanner, with new configuration options.
  • The AADRM module for managing the Azure Rights Management service has moved to the PowerShell Gallery.
  • New admin role, Information Protection Administrator.
  • The protection service, Azure Rights Management, is now activated by default for new tenants.
  • The new Office 365 Message Encryption capabilities are enabled by default for new tenants.
  • Rollout of the new Exchange Online option, Encrypt-Only.

Help bot update: After announcing the introduction of the help bot for Azure Information Protection last month, we’ve had a good uptake on people turning to this resource for fast help. If your question isn’t answered, the bot gives you the option of searching the docs or opening a support case. But the bot is also learning with each question. If your question is scoped to Azure Information Protection, the help bot learns that this is a new question and it might be answered another day you ask it. Your questions help us understand what you need help with, so keep those legitimate questions coming even if they aren’t answered immediately. And take advantage of typing #feedback in the bot, to send us your free-form comments.

We listen to your feedback and try to incorporate it whenever possible. Let me know if you have feedback about the documentation and I also encourage you to head over to our Yammer site to see what others are discussing.

What’s new in the documentation for Azure Information Protection, February 2018

Requirements for Azure Information Protection

– Updated the Subscription for Azure Information Protection section with a tip for people looking to confirm whether their Office 365 plan or Exchange Online plan includes support for the new capabilities with Office 365 Message Encryption.

Frequently asked questions for Azure Information Protection

– New entries:

  • Do you need to be a global admin to configure Azure Information Protection, or can I delegate to oth…
  • What types of data can Azure Information Protection classify and protect?
  • Is Azure Information Protection suitable for my country?
  • How can Azure Information Protection help with GDPR?


Frequently asked questions about classification and labeling in Azure Information Protection

– New entry:

  • How do I prevent somebody from removing or changing a label?

Activating Azure Rights Management

– The main article that contains information about new tenants that have the protection service automatically activated for them. This change started to roll out to tenants towards the end of February and is expected to be complete by the beginning of March.  If your subscription was purchased during February, use the documented instructions to confirm the status. Other articles that previously stated you must manually activate the service are also updated for this change.

Preparing the environment for Azure Rights Management when you also have Active Directory Rights Man…

– New section specifically for customers with new tenants who must deactivate the Azure Rights Management service if they also have AD RMS. This article is linked to from the Azure portal and the Deployment planning checklist for Office 365.

Configuring usage rights for Azure Rights Management

– Updated the description for Save As, Export (common name) to clarify that this right is required to change or remove an Azure Information Protection label from a protected document or email. If you want to prevent people from changing an applied label, do not grant them this usage right. This article is also updated for a new section, Encrypt-Only for emails, which provides more information about this new option that is starting to roll out for Exchange Online.

Configuring super users for Azure Rights Management and discovery services or data recovery

– Updated to clarify that there is no timing dependency for when you enable or disable this feature, or when you add or remove super users.

Office 365: Configuration for clients and online services to use the Azure Rights Management service

– Updated the section for Exchange Online, with step-by-step instructions how to check if your tenant is already configured to use the new capabilities from Office 365 Message Encryption. This configuration is automatically rolling out to new tenants, so you might not have to do any configuration before you can use BYOK with Exchange Online, and send protected emails to personal email accounts such as Gmail.  The migration instructions are also updated for this change.

Configuring the Azure Information Protection policy

– Updated for a new section that explains the different admin roles you can use to edit the Azure Information protection policy. The policy instructions are also updated throughout for a minor change to the Azure hub menu.

How to create a new label for Azure Information Protection

– Updated to clarify the effect on a parent label when you create the first sublabel. If you want users in the same policy (global or scoped) to select a label that has the same settings as the parent label, create a new sublabel with the same settings.

How to configure a label for Rights Management protection

– Updated for the following:

  • The domain name option can now be used for domains that aren’t in Azure AD, which includes domains from social providers such as “” and “”.
  • Added clarifications to the Not configured and Remove Protection options, to explain that in the background, the associated protection settings are saved as an archived template.
  • For the Example configuration section, example 4 (Label for protected email that supports less restrictive permissions than Do Not Forward) is updated with a note that the new Encrypt-Only option is not available for label configuration.

How to configure a label for visual markings for Azure Information Protection

– New section, Setting different visual markings for Word, Excel, PowerPoint, and Outlook.  This new configuration is available only with the latest preview client.

How to configure conditions for automatic and recommended classification for Azure Information Prote…

– Updated with a useful link to help you define custom expressions: Perl Regular Expression Syntax from Boost.

Configuring and managing templates for Azure Information Protection

– Updated to reflect the recent change of location for the Protection templates, which used to be on the Azure Information Protection – Global policy blade, and is now located on the All – cross policy view blade.

Deploying the Azure Information Protection scanner to automatically classify and protect files

– Updated for the following:

  • The preview disclaimer is removed now that the scanner is generally available.
  • The prerequisites section is updated for information about the SQL roles and how to create the database manually, if needed. In addition, the separate download executable is listed until the current preview client becomes generally available.
  • Information about when the Azure Information Protection policy is refreshed is updated to clarify that when the scanner service starts, an updated policy is downloaded only if the local policy is older than one hour. If you are testing and need to update the policy more frequently than this one hour, delete the policy file and restart the service.
  • New section, How files are scanned by the Azure Information Protection scanner. This information steps through what happens to each file type in the data repository that you ask the scanner to inspect.

Installing the AADRM PowerShell module

– Previously titled “Installing Windows PowerShell for Azure Rights Management”, this article is updated with the new instructions how to install the module from the PowerShell Gallery. Previously, the only way to install the module was by installing the Azure Rights Management Administration Tool from the Microsoft Download Center. This tool will remain on the Download Center for a limited time. Note that the version on the PowerShell Gallery is a minor version later than the version in the tool, but there is no customer-impacting change. The minor change was to support publication on the PowerShell Gallery. The listed minimum version of PowerShell required is now version 3.0.

Azure Information Protection client: Version release history and support policy

– Updated for changes in the new preview version,

Admin Guide: Install the Azure Information Protection client for users

– Updated the prerequisites section for information that the new preview client addresses the problem with the Azure Information Protection bar sometimes displaying outside Office apps.

Admin Guide: Custom configurations for the Azure Information Protection client

– New entry: Suppress the initial “Congratulations!” welcome page.

Admin Guide: File types supported by the Azure Information Protection client

– Updated the list of file types supported for classification only, for the full list of Office file types. In addition, the File sizes supported for protection section is updated with the information that the current preview client no longer has a 20 MB maximum for text-based files.

Admin Guide: Using PowerShell with the Azure Information Protection client

– New information in the section How to label files non-interactively for Azure Information Protection, which explains how to use the new Token parameter with Set-AIPAuthentication, for a completely non-interactive experience for an account. You will most likely use this parameter when you run the scanner in a production environment because it uses a service account, which might not be allowed to log in interactively.

User Guide: View and use files that have been protected by Rights Management

– Updated step 4 in the procedure with a change of behavior to Save As for the current preview client, which addresses a problem if you try to reprotect the saved file.

User Guide: Protection-only mode for the Azure Information Protection client

– Updated to include the new scenario that might be part of a controlled rollout of Azure Information Protection: “Your organization has a subscription for Azure Information Protection but you do not have any labels configured for you”.

PowerShell reference: Azure Information Protection

– This overview page for the PowerShell modules for Azure Information Protection no longer references the RMSProtection module now that this older module is out of support. Support for RMSProtection stopped February 10. Other references to this module are also removed from the documentation and any links automatically redirect to the equivalent cmdlet in the AzureInformationProtection module.


– Updated to identify the latest technical version of the module,


– The output from the example is updated to reflect the latest parameters that are typically returned.


– Updated the description for EnableInLegacyApps to clarify that this parameter has no effect for Outlook on the web that uses Exchange Online rather than Exchange on-premises. For this scenario, departmental templates (and protection settings in scoped policies for Azure Information Protection) are never displayed to users.


– Updated the list of cmdlets on the page to include all the cmdlets for the scanner, which were previously in preview.


– To reflect the latest preview client and the general availability version of the Azure Information Protection scanner, the output of this cmdlet in the example now includes Type. This parameter is set with Set-AIPScannerConfiguration, and determines whether the scanner inspects only new or modified files since the service started, or all files.



– Updated for the new Token parameter, to be used with the new preview client or the Azure Information Protection scanner. This parameter eliminates the initial sign-in prompt for Azure Information Protection.


– New cmdlet that installs with the current preview client or the Azure Information Protection.  This cmdlet lets you set configuration settings for each data repository, which includes a default label and whether to override an existing label.  In conjunction with this change, these parameters are no longer available in Set-AIPScannerConfiguration and the help for this cmdlet is updated accordingly.


[MVP Blog] Provisioning an Office 365 group with an approval flow and Azure functions-part 3



This article describes the workflow for the group provisioning process by using the Azure function from part two in combination with PowerApps, SharePoint Online and Flow to enable a good user experience. Technically, we already have the toolset with the ProvisionGroup function. Now let’s create the rest.

Create a list for requests

The workflow described in part one shall be started by a new entry in a SharePoint list or a PowerApp. So we need a custom list to collect all requests for a new Office 365 group in our company. This enables us to have a history for group requests coming in. Pick a SPO site (here it’s “O365security”) and create a custom list “ProvisionGroup” as here. Actually, we only need a group name, but we added another text field for the “Purpose” of the group.


Of course, in real world, the list would be extended with Approval status and Success status, but in here we keep it simple. The idea is that when a new line is added to that list, the workflow shall start. The creator of the list item shall become owner of the group (as described in part two).

Create a new Flow

So, “Create a flow” asks for the trigger. In our sample, we use “Start approval when a new item is added”. Flow and LogicApps are very powerful tools. Although there would be a ton of things to say about these instruments, in this article we just concentrate on performing our desired workflow.




The Microsoft Flow management site opens and wants confirmation for the Flow template. The current user is already added.




“Continue” opens the template for further modifications. As you can see, the flow is already created with the trigger “When a new item is created” and an approval email. We just need to enter the user account who shall receive the email. In our sample, that’s the Admin user who works in the IT department and acts as manager.



In real world, we would add an Office 365 function lookup for the manager of the “Created by Email” user and send the request to that user.

If yes, use the Azure function

Then, a “new action” must be added in the “If yes” part. We will call our Azure function from part two where we saved the endpoint URL. We will use that to call the HTTP function with a JSON body with the parameters.

Search for “http” and select “HTTP – HTTP” from the search result.


So, we simply need to fill out the HTTP request action with our data from the Azure function. It’s an HTTP POST operation and the URI is the one we copied from our PowerShell Azure function. As Body, we use the Request body from our Test pane:


We pass the group name and the owner’s UPN to the function. We don’t use any HTTP headers in this case, just a Body.


Now we need to replace the hardcoded values by the list item values. This can be done as follows:


Ensure that the syntax stays valid and that there are no unnecessary spaces left between the quotes.

And add another notification email to the creator of the request (it’s the “Created by Email” property): Add another action and search for “Office 365 send” as here:


And fill out the email form similar as before.


Done. Rename and create the flow (or update it if you already saved it).

Now we have created the basic functionality of our workflow.
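The body that the HTTP action posts is the only input the function sees, and the function acts with the “Read and write all groups” application permission, so it is worth checking that body before creating anything. The following is an added example, not code from the original article; the property names “groupName” and “ownerUpn”, the allowed domain “contoso.example” and the name pattern are assumptions.

```powershell
# Added example (not from the original article). Assumptions: the Flow posts
# a JSON object with the hypothetical properties "groupName" and "ownerUpn";
# the domain below is a constructed placeholder for the tenant's own domain.
$AllowedOwnerDomains = @('contoso.example')
$ExpectedProperties  = @('groupName', 'ownerUpn')

function Test-ProvisionRequest {
    param([string]$RawBody)

    $problems = New-Object 'System.Collections.Generic.List[string]'
    $result = [pscustomobject]@{
        Valid = $false; GroupName = $null; OwnerUpn = $null; Problems = $problems
    }

    # 1. The body must parse as JSON and be a single object.
    if ([string]::IsNullOrWhiteSpace($RawBody)) {
        $problems.Add('empty body'); return $result
    }
    try {
        $body = ConvertFrom-Json -InputObject $RawBody -ErrorAction Stop
    } catch {
        $problems.Add('body is not valid JSON'); return $result
    }
    if ($body -isnot [System.Management.Automation.PSCustomObject]) {
        $problems.Add('body must be a JSON object'); return $result
    }

    # 2. Exactly the expected properties, nothing extra and nothing missing.
    $names = @($body.PSObject.Properties | ForEach-Object { $_.Name })
    foreach ($n in $names) {
        if ($ExpectedProperties -cnotcontains $n) { $problems.Add("unexpected property '$n'") }
    }
    foreach ($n in $ExpectedProperties) {
        if ($names -cnotcontains $n) { $problems.Add("missing property '$n'") }
    }
    if ($problems.Count -gt 0) { return $result }

    # 3. Group name: a string of 1 to 64 characters that starts and ends with a
    #    letter or digit, so stray spaces left inside the quotes are rejected.
    #    \A and \z anchor the whole string; '$' would accept a trailing newline.
    $name = $body.groupName
    if (($name -isnot [string]) -or
        -not [regex]::IsMatch($name, '\A[A-Za-z0-9](?:[A-Za-z0-9 _-]{0,62}[A-Za-z0-9])?\z')) {
        $problems.Add('groupName is not an acceptable group name')
    }

    # 4. Owner: shaped like a UPN and inside a domain the tenant owns.
    $upn = $body.ownerUpn
    if (($upn -isnot [string]) -or
        -not [regex]::IsMatch($upn, '\A[A-Za-z0-9._-]{1,64}@[A-Za-z0-9.-]{1,255}\z')) {
        $problems.Add('ownerUpn is not a well-formed UPN')
    } else {
        $domain = $upn.Substring($upn.IndexOf('@') + 1).ToLowerInvariant()
        if ($AllowedOwnerDomains -notcontains $domain) {
            $problems.Add("owner domain '$domain' is not allowed")
        }
    }

    if ($problems.Count -eq 0) {
        $result.Valid     = $true
        $result.GroupName = $name
        $result.OwnerUpn  = $upn.ToLowerInvariant()
    }
    return $result
}

# Constructed sample bodies: one good request and four that must be refused.
$samples = @(
    '{"groupName":"IgniteDemo","ownerUpn":"adele@contoso.example"}',
    '{"groupName":" IgniteDemo ","ownerUpn":"adele@contoso.example"}',
    '{"groupName":"IgniteDemo","ownerUpn":"adele@other.example"}',
    '{"groupName":"IgniteDemo","ownerUpn":"adele@contoso.example","isAdmin":true}',
    '{"groupName":"IgniteDemo"'
)
foreach ($s in $samples) {
    $r = Test-ProvisionRequest -RawBody $s
    '{0,-5} {1}' -f $r.Valid, ($r.Problems -join '; ')
}
```

In the function itself, a request whose Valid is false would be answered with an error status and no call to Microsoft Graph.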

Try it

Let’s see if the workflow does what we defined. Return to the SharePoint list and add a new item to the “ProvisionGroup” list.


See how the flow is started. The 2nd step is waiting for an approval. This will look as here.


Let’s open the manager’s Outlook (here it’s the Admin user) and approve the request:


“Approve and Submit”:


The email content changes to “Approved”.


Voila: The group provisioning takes usually only seconds and the user who initiated the group request will receive a notification email that the group has been created.


If you want to check the flow, you can see all requests as well:



…and the details (success, data and runtime) of each step: Which way did the flow go?




Here you can see that the process of calling the Azure function until it ended was 16 seconds while sending the emails takes up to one second.

Check it out

Returning to Outlook, you should see the newly created Office 365 group “IgniteDemo”.



The important part in here is, that the creator of the group is the owner and can now start to add members and content. Mission accomplished.

Create a PowerApp

As last step we can improve the user experience by using a PowerApp for the SharePoint Online list. This is just a click away: “PowerApps” and “Create an app”


“ProvisionGroupApp” is an appropriate name for the app. When clicking “Create”, a minute later, we get a ready to use PowerApp. We can run the app out-of-the-box.


The generated app has the Create-Update-Delete (CRUD) features as any SharePoint list (featured by the SPO Connector and the OData interface with a Swagger definition). So, we can create a new entry as “ConnectDemo” and add it to the list. After the postback, the new item shows up in the list and we can check the details.


Since we added a new record to the ProvisionGroup list in the PowerApp, the trigger must fire. When checking out the flow, we see that it did.


Again, we are waiting for approval. So let’s do that as before in Outlook…

After the approval, we see the new Office 365 group.


So, we have two ways for our users to start an Office 365 group provisioning approval workflow, whether it’s accessing the SharePoint list or using a PowerApp.

Consideration and costs

We have seen that such a scenario as “Provisioning an Office 365 group with an approval workflow” can be developed with existing Microsoft services by Power Users and Developers, depending on the complexity of the solution. This workflow acts as a sample to show the possibilities of creating self-service processes in your organization. Of course, there exist many third party solutions that can deliver similar workflows combined with more management options, deployment, and more features.

Our goal was to show that existing Microsoft services can be used for such a solution as well.

When being asked about the costs for this solution: Well, this is all within the Office 365 licenses; only Azure Functions are billed extra, please see Azure Functions pricing. To give you a short insight here: “Azure Functions consumption plan is billed based on resource consumption and executions. Consumption plan pricing includes a monthly free grant of 1 million requests and 400,000 GB-s of resource consumption per month.”. As long as we stay under one million requests (we call the Azure function 1 million times for group provisioning per month and it does not consume more than 400GB-s) the service is free (otherwise it costs $0.000016/GB-s – that’s affordable, or?).

Imagine the complexity that happens behind the scenes: Various products and services can be used to create a standardized workflow with loose coupling. The workflow starts in an app and writes data to a list, which acts as a trigger, and an approval workflow is started. If approved, the new Office 365 group is created in AAD, a SharePoint site is triggered to be provisioned, the email address is created in Exchange Online, members and permissions are added and so forth. Not bad, or?

We hope, this article series inspires you to have a look into the Microsoft Office 365 and Azure services and for using such processes within your organization!


[MVP Blog] Provisioning an Office 365 group with an approval flow and Azure functions-part 2



In part one, we saw how the Microsoft Graph API enables programmatic access to Office 365 groups. Now it’s time to let Azure Functions help us with the desired workflow.

For the following steps, an Azure subscription and a Global Admin in the target Office 365 tenant is required.

The plan

We want our provision group function to be able to create a new Office 365 group without any user interaction. So, we need an app with the permission to accomplish the operations in our Office 365 tenant, in the same way as we did for the administrator account in part 1. The key is to create such an application first and to use that access data in our code. The workflow will execute our function, pass the parameters, and the function will do the work. So, these are the necessary steps.

Create a new App

Open the Azure portal (in the target Office 365 tenant) with a Global Admin and click on the “Azure Active Directory” service. Go to “App registrations”. In here, click “New application registration”.




…and fill out the new app “provisiongroupfunction” as Web app/API with a fake Sign-on URL as https://localhost:40000 (we won’t need that) as follows:


After the app was created, go to “Keys”.


Add a new key “clientSecret”, make it valid for 1 year and click “Save”. Keys can be generated for 1 year, 2 years or without any expiration date. If you choose an expiration (which is usually a good idea), you need to renew the key from time to time.


Now the key is generated. You will not get any access to that key later, so save the key value now, ideally in OneNote, Notepad or a similar tool.


We also need the “Application ID” property: 516b…


And of course, we need to set the permissions: Go to “Required Permissions”, select the “Microsoft Graph” and select “Application Permissions” for “Read and write all groups”. “Save” the app permissions.



Select more permissions depending on the desired features of the function if needed. We’re done with the app, but…

Get the tenant ID

…we need the “Tenant ID” as well. You get that in the “Properties” of the AAD with the “Directory-ID” property as shown here.


The Directory-ID d302… needs to go to our note. Now we’re done with the AAD. So we have this data collected:

string tenantId = "d302f5cf-00b3-44af-aff1-2cf91673813d";
string clientId = "516b6d70-05e4-43a7-bab1-6fa2060b04fa";
string clientSecret = "IQBz/fSblC...";

Create the Azure function as a container

The idea is to use server-less technology to provision an Office 365 group. No worries, we won’t need Visual Studio, Visual Studio Code (which BTW are great tools and highly recommended for larger code projects…) or any similar environment. We can perform all necessary steps online directly in the Azure Portal.

So, let’s create the new Azure function and fill it out… We are working with a loosely coupled architecture, so we can use any Azure subscription; it does not need to be associated with the Office 365 tenant. This approach allows us to build “black boxes” and to tie them together easily as needed. In our case, we let the function run in another Azure subscription.




Of course, Azure functions are a wide topic with many details, but this article concentrates on the solution. To learn more about Azure functions, see here and the videos on channel9.

Use a programming language – PowerShell is good enough

In Azure functions, several programming languages are supported. We could use C#, F#, JavaScript or … PowerShell. So, let’s keep it simple and use PowerShell, so that IT admins who are familiar with PowerShell can easily follow and understand this sample. (In my GitHub repository, you find the solution in C# and in PowerShell.) So, we create a new Azure function of type “HttpTrigger – PowerShell” as here.


The function name shall be “ProvisionGroup”. Let’s create that with the default authorization level “Function” – we don’t want to use a user authorization in our scenario.


…and we get the new function with some default code from a template. When clicking “Run”, the function shows the basic concept with an HTTP POST operation, a JSON input and a text output as here:



Develop the function and configure it

The function needs to perform several operations. Keep in mind that Azure functions run in a sandbox, to be more specific, in an App service in a Virtual machine. You can use default functionality, but you need to take care if you need to integrate other libraries or modules that by default are not installed in the Windows environment. We don’t have any dependencies in our sample. Currently, PowerShell version 4.0 is available.

Ok, we also need to store the app data somewhere. Instead of having these values in the code, it’s more elegant (and safe) to save these as App Settings. In here, we need to add keys for the TenantID, the AppID and the AppSecret as here. The values must be inserted from the app we created above.




Now we’re good to code…

The PowerShell code

Get the code from my GitHub repository Office365scripts (directly here) and paste it into the code window.




The function reads two parameters from the HTTP body: groupname and upn. groupname is the name of the new group and, since this is also the email address of the group, it must be compliant. upn is the login name of the group owner who shall be responsible for the group.

Then, it calls the Initialize-Authorization PowerShell function to authenticate with the app values from our App Settings. If this works, we get an AccessToken that is stored in the script-scoped variable $script:APIHeader. This is the key we need to add to each Graph API operation. It must be sent in the HTTP Authorization header with the Bearer scheme. So, this header is fully generated by the Initialize-Authorization function and can be added for each call.

Now back to the actual functionality. We need to do four operations:

  1. Create the group and get back the GroupID
  2. Get the UserID of the UPN passed as parameter
  3. Add the UserID as owner of the group with the GroupID
  4. Add the UserID as member of the group with the GroupID

Each request is sent as an HTTP POST operation with the PowerShell command $result = Invoke-RestMethod -Method Post and a JSON body as described in part 1. If the HTTP result of the operation is OK or Created, we know that the operation was successful and continue. In all cases, the function itself returns HTTP OK so as not to stop the Flow (which will be described in part 3).
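The four operations above, written out as an added example (not the code from the author's repository). It assumes the app settings are named TenantID, AppID and AppSecret and uses the v2.0 token endpoint; the function names Get-GraphHeader and New-ProvisionedGroup and the input patterns are hypothetical.

```powershell
# Added example, not the code from the author's repository.
# Assumptions: app settings named TenantID, AppID, AppSecret (exposed to the
# function as environment variables); function names are hypothetical.
$ErrorActionPreference = 'Stop'
$graph = 'https://graph.microsoft.com/v1.0'

function Get-GraphHeader {
    # Client-credentials flow: the app authenticates as itself, no user signs in.
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $env:AppID
        client_secret = $env:AppSecret
        scope         = 'https://graph.microsoft.com/.default'
    }
    $uri = "https://login.microsoftonline.com/$($env:TenantID)/oauth2/v2.0/token"
    $token = Invoke-RestMethod -Method Post -Uri $uri -Body $body
    return @{ Authorization = "Bearer $($token.access_token)" }
}

function New-ProvisionedGroup {
    param(
        # Reject input that is not a plausible mail alias / UPN before it reaches a URL or JSON body.
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9._-]{1,64}$')][string]$GroupName,
        [Parameter(Mandatory)][ValidatePattern('^[^@\s/?#]+@[^@\s/?#]+$')][string]$Upn
    )
    $header = Get-GraphHeader

    # 1. Create the group and keep the returned object (it carries the group ID).
    $groupJson = @{
        displayName     = $GroupName
        description     = "Provisioned for $Upn"
        groupTypes      = @('Unified')
        mailEnabled     = $true
        mailNickname    = $GroupName
        securityEnabled = $false
    } | ConvertTo-Json
    $group = Invoke-RestMethod -Method Post -Uri "$graph/groups" -Headers $header `
        -ContentType 'application/json' -Body $groupJson

    # 2. Resolve the UPN to the user's object ID.
    $userUri = "$graph/users/$([uri]::EscapeDataString($Upn))"
    $user = Invoke-RestMethod -Method Get -Uri $userUri -Headers $header

    # 3 + 4. Add the user as owner and as member; both calls take the same reference body.
    $refJson = @{ '@odata.id' = "$graph/users/$($user.id)" } | ConvertTo-Json
    foreach ($relation in 'owners', 'members') {
        Invoke-RestMethod -Method Post -Uri "$graph/groups/$($group.id)/$relation/`$ref" `
            -Headers $header -ContentType 'application/json' -Body $refJson | Out-Null
    }
    return $group.id
}

# Constructed sample call (values are placeholders):
# New-ProvisionedGroup -GroupName 'mydemo3' -Upn 'owner@contoso.example'
```

Unlike the function described above, this example lets a failed Graph call throw instead of always returning HTTP OK, so the caller decides how to report the error.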

Test it

Add the parameters in the “Test” request body textbox.


Now click “Run”.


The group will now be created and the user will become owner of the new group. Check the mailbox of the owner. The new group will show up in the groups list as here.



So, if this function works, we get the address of the function.

Get the function endpoint

As the last step in this part, we need to save the function URL to use it in the workflow. You get it with the “Get function URL” link as here:




Off to the flow…

After we created and tested the Azure function, we can finish this workflow in part 3.


[MVP Blog] Provisioning an Office 365 group with an approval flow and Azure functions-part 1



Office 365 groups span various Office 365 services and provide a great way of collaborating. By default, every user can create an Office 365 group. While self-service is a good thing and many businesses have moved in that direction, some companies still prefer the controlled approach.

In real world environments, organizations usually want to restrict the group provisioning so that IT can control the wild growth of groups. This article series shows how to create an Office 365 group with an attached approval process with SharePoint Online, Flow and Azure functions. See how this works here!

This is part 1 of a 3 part series. This article series was written by Martina Grom and Toni Pohl.

To show all the techniques behind that requirement, we developed a demo scenario showing all necessary steps. You need to have a SharePoint Administrator, a Flow license, an Azure subscription and some basic knowledge about web technologies. There are some steps required, but the process is simple. Follow these steps to get your solution up and running.

The scenario

The following graphic shows the planned steps for the approval workflow. The blue steps require a user interaction, the orange ones are automatic processes. Green and red show an accept or deny decision.



If a user requests to create an Office 365 group (which can be requested, for example, in a PowerApp or in a SharePoint list) and it gets accepted, the function provisions the group and the initiator gets a notification email. In this sample, we start with the base part that does the work: provisioning the Office 365 group, first as a demo, then in part two the code follows.

First, see how group operations work with Microsoft Graph Explorer

Open Graph Explorer, sign in and accept the consent for the Microsoft Graph App.




Now, try to access the Microsoft groups with a GET request of this URL:

If you get an error as here, your account (even if it’s the global administrator) does not have the necessary permissions.


The error says “Authorization_RequestDenied”, and “Insufficient privileges to complete the operation.”

You need to modify the permissions. Open the link in the red message box (or on the left below your account). In the Modify Permissions dialog, click “access to your entire organization” and confirm the “Modify Permissions” button. Alternatively, you can add the required permissions “Read and write all groups” manually.


Then, sign in again (this happens automatically: you are redirected to the login page again). Now, you get a new consent with all possible permissions. Accept the new consent for your organization.


Another box informs about the newly granted permissions, and yes, it can take some minutes before the consent takes effect, but mostly it works instantly.


We’re done with the permissions for our administrator user.

Update December 2017: All App permissions

Since we got some feedback on the required permissions for the app, see the following screenshots for all activated permissions of that app:

For AAD, the following app permissions were used:


For Graph, these permissions have been set.



We hope this clarifies the permissions.

Accessing groups through the Microsoft Graph API

Ok, now we should be able to use the API for Office 365 groups. For our demo, we are using Microsoft Graph API version 1.0 (which is the current version). The next attempt against works as expected: We get all groups of the tenant – which is one single existing Office 365 group in our sample.


Since the API represents an OData interface, we can use expressions such as filtering, paging and more. Here we reduce the output to the relevant properties with $select as parameter: $select=displayName,description,groupname,groupTypes,


For a list of more OData options, see Use query parameters to customize responses and Supported queries, filters, and paging options | Graph API concepts.

Create a new Office 365 group with the Microsoft Graph API

We can create a new Office 365 group with a POST operation and the necessary data as follows. First, we simply copy the JSON output from above and adapt it as needed. We create a new group “My Demo 1” with some description and the necessary properties as here:

{
"displayName": "My Demo 1",
"description": "This is a demo group",
"groupTypes": ["Unified"],
"mailEnabled": true,
"mailNickname": "mydemo1",
"securityEnabled": false
}

An Office 365 group is defined by the group type “Unified”. This JSON description must be pasted into the “Request Body”. So, let’s execute this operation against with a POST as here:


You should get an HTTP status code 201 (which means Ok, the request has been fulfilled and has resulted in one or more new resources being created.) and the runtime of the operation and some output.

To see what properties can be used for a POST operation and what properties are read only, check out the list at group resource type.

Set the owner of a group

When we create a new group with the Global Administrator in Graph Explorer, that user automatically becomes owner of the new group, which is fine. If we do it (in part 2) with an app, there is no owner set. This means that the user who requested the new group will not be able to access or manage it. So, it’s essential that we are able to set the owner of a group programmatically as well.

The good news is that we are able to do this with the Microsoft Graph API. See how this works. Basically, we need to get the User ID of the owner first. We can get it by asking for the user by his UPN:


In our sample, the User ID is be2cab0f…

Also, we need the Group ID. To get a quick list of all groups, use this GET query: $select=displayName,id

…and copy the Group ID from the output as we did before with the User ID. Here it’s 79744859…

Now we can add that User ID to the list of owners. Create a POST operation in Graph Explorer with the address of the desired group as follows: $ref

The Request body needs to contain the JSON data of our new owner (the user’s address endpoint):

{"@odata.id": "https://graph.microsoft.com/v1.0/users/be2cab0f…"}

This sets the owner of the new group to a specific user. We also need to add the owner as a member of the group. This is exactly the same method (the same JSON body with the same user), just the endpoint is members instead of owners: $ref

The owner now can fully manage the group container object.

Create a new Office 365 group with PowerShell

Of course, we can use PowerShell as well. First, we connect to Exchange Online.

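# Prompt for the admin credentials used by both connections
$cred = Get-Credential
Connect-MsolService -Credential $cred
# Open a remote PowerShell session to Exchange Online and import its cmdlets
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
-ConnectionUri https://outlook.office365.com/powershell-liveid/ `
-Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -AllowClobber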

To see a list of all existing Office 365 groups, use Get-UnifiedGroup.

Now we can create a new group as described in… . There are a bunch of possible options, but this basic syntax is sufficient for the new group:

New-UnifiedGroup -DisplayName "My Demo 2" -Alias "mydemo2" `
-PrimarySmtpAddress "" `
-Owner ""

The group gets provisioned in the same way as before with the Microsoft Graph API.

Check it in Outlook

Open and discover the modern groups. “My Demo 1” should show up in the list of Office 365 groups.




It worked! The mail nickname is the email address with the primary domain defined in that Office 365 tenant. The email address can be changed later with PowerShell. To do that, see the details at Why we moved away from Exchange distribution groups to Office 365 groups and “Setting custom email addresses for the Office 365 group”.



Get an Office 365 group with Microsoft Graph

To access one specific group, we can filter that easily: To identify one group, the ID is added to the request. So you can get the ID from the Graph Explorer Request above.


So, in our case that’s an operation as here:

…and we get just this group.


Delete an Office 365 group

Now, deleting that specific group is easy. The HTTP operation is changed to DELETE.

When the query is executed, it delivers HTTP status code 204 (The server has successfully fulfilled the request and that there is no additional content to send in the response payload body).


The group has been deleted and should no longer be present in Outlook.



Deleted Office 365 groups are (nowadays) soft deleted. This means, you can undelete a group with the Active Directory Module and the PowerShell Cmdlet
Restore-AzureADMSDeletedDirectoryObject -Id <objectId>
as described in Restore a deleted Office 365 Group.
