Setting MS Teams Policies for Users using PowerShell


In my past two blogs I have shown you how to obtain all the users policies and output to a csv file, and how to create a new policy. In this blog post, I’m going to show you a couple of ways of setting users to new policies.

  • Change policy for an individual user
  • Change policy for a group of users
  • Change policies for group of users using a csv file

Change policy for an individual user

In this example I’m going to stick to just the messaging policy.

.\Set-IndivdualUserMessagingPolicy.ps1 -UserNameToSetPolicy:”Jeff.Hay@mytenant.onmicrosoft.com” -PolicyName:”NoGiphyOrStickersMessagePolicy”

param(
[Parameter(Mandatory)]
[string]
$UserNameToSetPolicy,
[Parameter(Mandatory)]
[string]
$PolicyName
)
Import-Module "C:\\Program Files\\Common Files\\Skype for Business Online\\Modules\\SkypeOnlineConnector\\SkypeOnlineConnector.psd1"
$Session = New-CsOnlineSession
Import-PSSession Session:$Session AllowClobber
if (-not $(Get-CsTeamsMessagingPolicy Identity:$PolicyName ErrorAction:SilentlyContinue)){
Write-warning "Unable to find Policy $PolicyName"
return
}
else{
Write-Information "Granting Message Policy $PolicyName for user $UserNameToSetPolicy"
Grant-CsTeamsMessagingPolicy PolicyName $PolicyName Identity $UserNameToSetPolicy
}
Remove-PSSession Session:$session
write-Information "Done"

It can take a while before the change is reflected in the Teams Administration.

Change policy for a group of users

There are a couple of ways you can do this. If you have your people data filled in correctly, such as Department, Office, City etc, you could assign all the people from one of these areas to a given policy. For example the following script grabs everyone from the sales department and assign them the sales policy for messaging:

Get-CsOnlineUser Filter {Department -eq 'sales'} | Grant-CsTeamsMessagingPolicy PolicyName "SalesPolicy"

Alternatively you could do it based on a AD Group, you first need to connect to grab the members of the given group, I would connect with AZ cli.

$GroupName = "SalesUsers"
$PolicyName = "SalesPolicy"
az login
az ad group member list group $GroupName query "[?userType == 'Member']" `
| ConvertFrom-Json `
| % { Grant-CsTeamsMessagingPolicy PolicyName $PolicyName Identity $_.userPrincipalName }

Change policies for a group of users using a csv file

In a previous blog post, I showed you how to obtain all the valid users from the tenant with their policies. We are going to use the csv it produces to change users policies.

The screen shot below shows my users with licenses, originally when I ran my script I only had DisplayName, UserPrincipalName and SipAddress showing, everything else was blank because my users were all in the global policies.

I have now filled in the CSV file with either SalesPolicy, HRPolicy, or NoGiphyOrStickersMessagePolicy. Left my account as global. These policy have already been created in my environment, help with doing that can be found in this blog post.

The following script requires your MS Teams Administrator username, and the path to the csv file. It loops through each item and then sets the polices for each user.

.\set-UserTeamPolicies.ps1 -UserName:admin@mytenant.onmicrosoft.com -Path:.\teamsuserpolicies.csv

param(
#Teams Administrator UserName
[Parameter(Mandatory)]
[string]
$Username,
#CSV File Path
[Parameter(Mandatory)]
[string]
$Path
)
$InformationPreference = 'Continue'
Write-Information MessageData "Obtaining Module, please connect when prompted…"
Import-Module "C:\\Program Files\\Common Files\\Skype for Business Online\\Modules\\SkypeOnlineConnector\\SkypeOnlineConnector.psd1"
$Session = New-CsOnlineSession UserName:$Username
Import-PSSession Session:$Session AllowClobber
@($(Import-csv Path:"$PSScriptRoot\$Path")).ForEach( {
$csv = $PSItem
$userPrincipalName = $csv.userPrincipalName
Write-Information MessageData:"Applying $($csv.DisplayName) Policies…"
#"TeamsMeetingPolicy",
Grant-CsTeamsMeetingPolicy PolicyName $($csv.TeamsMeetingPolicy) Identity $userPrincipalName
#"TeamsMessgingPolicy",
Grant-CsTeamsMessagingPolicy PolicyName $($csv.TeamsMessagingPolicy) Identity $userPrincipalName
#"TeamsMeetingBroadcastPolicy",
Grant-CsTeamsMeetingBroadcastPolicy PolicyName $($csv.TeamsMeetingBroadcastPolicy) Identity $userPrincipalName
#"TeamsAppPermissionPolicy",
Grant-CsTeamsAppPermissionPolicy PolicyName $($csv.TeamsAppPermissionPolicy) Identity $userPrincipalName
#"TeamsAppSetupPolicy",
Grant-CsTeamsAppSetupPolicy PolicyName $($csv.TeamsAppSetupPolicy) Identity $userPrincipalName
#"TeamsCallParkPolicy",
Grant-CsTeamsCallParkPolicy PolicyName $($csv.TeamsCallParkPolicy) Identity $userPrincipalName
#"TeamsCallingPolicy",
Grant-CsTeamsCallingPolicy PolicyName $($csv.TeamsCallingPolicy) Identity $userPrincipalName
#"CallerIDPolicy
Grant-CsCallingLineIdentity PolicyName $($csv.CallerIdPolicy) Identity $userPrincipalName
#"TeamsChannelsPolicy",
Grant-CsTeamsChannelsPolicy PolicyName $($csv.TeamsChannelsPolicy) Identity $userPrincipalName
#"TeamsEmergencyCallingPolicy",
Grant-CsTeamsEmergencyCallingPolicy PolicyName $($csv.TeamsEmergencyCallingPolicy) Identity $userPrincipalName
#"TeamsEmergencyCallRoutingPolicy",
Grant-CsTeamsEmergencyCallRoutingPolicy PolicyName $($csv.TeamsEmergencyCallRoutingPolicy) Identity $userPrincipalName
#"TenantDialPlan",
Grant-CsTenantDialPlan PolicyName $($csv.TenantDialPlan) Identity $userPrincipalName
#"TeamsUpgradePolicy"
Grant-CsTeamsUpgradePolicy PolicyName $($csv.TeamsUpgradePolicy) Identity $userPrincipalName
if ($Session.State -ne "Opened") {
Write-Warning "Session state closed, please reauthenticate"
Remove-PSSession Session:$Session
$Session = New-CsOnlineSession UserName:$Username
Import-PSSession Session:$Session AllowClobber
}
})
Write-Information "Complete"
Remove-PSSession Session:$Session

If you have a lot of users to update, the session might timeout. On line 52 – 57 there is a check to see if the session has timed out and then gets you to reauthenticate. If anyone else knows a better way to do this, please add a comment below, or get in touch.