Useful PowerShell Scripts for Managing Classes in Microsoft Teams

So, you have School Data Sync set up and all of your class teams have been generated in Microsoft Teams. Teachers are eager to start using it to extend the classroom or for remote learning. Teachers then realise that students can do things they were not aware of, and ask for some rights to be restricted.

Here is a list of useful PowerShell scripts to help you manage some of the most common issues that schools face.

  • Allow teachers to delete student messages
  • Stop students emailing the class group
  • Disable chat for students
  • Calling and Live Event Policies

Allow teachers to delete student messages

It’s surprising that this is not enabled as standard. Owners in class teams cannot delete member messages unless a custom message policy is set.

Create a messaging policy in the Teams Admin centre

Create a new messaging policy and select “Owners can delete sent messages”.

Apply Custom Message Policy using PowerShell
 

This needs to be run as a global admin. The variables at the top of the script should be changed to the AAD (or synced AD) group that you want to apply the messaging policy to and the message policy name.

#Variables to change - add the AAD group and custom message policy name here
$ADSecurityGroupNameToApplyPolicyTo="All Teachers"
$customMessagePolicyName="CustomTeacherMessagingPolicy1"

# Install AzureAD PowerShell if you don't already have it - commented out below
# install-module azuread

#Import modules if you haven't already
Import-Module SkypeOnlineConnector
Import-Module AzureAD

#Connect to Skype and Azure AD
$userCredential = Get-Credential
$sfbSession = New-CsOnlineSession -Credential $userCredential
Import-PSSession $sfbSession
Connect-AzureAD -Credential $userCredential

$GroupUsers = Get-AzureADGroup -ALL $true -Filter "DisplayName eq '$ADSecurityGroupNameToApplyPolicyTo'" | Get-AzureADGroupMember -ALL $true | select mail
 
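foreach ($GroupUser in $GroupUsers)
{
	$userEmail=$GroupUser.Mail
	# Skip members with no mail attribute (e.g. nested groups or accounts without a mailbox)
	if ([string]::IsNullOrEmpty($userEmail)) { continue }
	write-host "Processing $userEmail"
	Grant-CsTeamsMessagingPolicy -PolicyName "$customMessagePolicyName" -Identity "$userEmail"
}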

Stop students emailing the class group

Once a student receives a welcome message into a group, they may reply back to it or find it in the address list and start a large group email.

The script below connects to Microsoft Exchange PowerShell. Update the variables with the AD security group for students that the restriction should apply to. To ensure you only apply this to the relevant teams, use the wildcard search to filter them. In this example we assume teams have been named in the format SchoolCode-AcademicYear-ClassName, so we set the wildcard to apply this setting only to Teams starting with SCH-2019.

######Replace the following variables if necessary##########
$studentADSecurityGroup ="All Students"   #AD Group for all students
$wildcardsearch="SCH-2019*"                #Wildcard for Teams display name - Search for Teams beginning with ....  
###########################################################

$MyCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $MyCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -AllowClobber
$groups = Get-UnifiedGroup -ResultSize 20000 -SortBy DisplayName -Identity "$wildcardsearch" | Select DisplayName,WhenCreated,Id
 
foreach ($group in $groups)
{
    $teamName = $group.DisplayName
    Write-Host "restricting group emails on $teamName for $studentADSecurityGroup"
    Set-UnifiedGroup -Identity "$teamName" -RejectMessagesFromSendersOrMembers "$studentADSecurityGroup"
}

Disable chat for students

Teams is a safe environment for students to chat. Chats can be audited and monitored more closely than if they were to use WhatsApp or Snapchat outside of the school systems. However, there are some situations where chat might need to be turned off for safeguarding reasons.

Create message policy in Teams admin centre

Click “Add” to create a new message policy and turn off the chat setting.



Apply Custom Message Policy using PowerShell

This needs to be run as a global admin. The variables at the top of the script should be changed to the AAD (or synced AD) group that you want to apply the messaging policy to and the message policy name.

#Variables to change - add the AAD group and custom message policy name here
$ADSecurityGroupNameToApplyPolicyTo="All Students"
$customMessagePolicyName="CustomStudentMessagingPolicy1"

# Install AzureAD PowerShell if you don't already have it - commented out below
# install-module azuread

#Import modules if you haven't already
Import-Module SkypeOnlineConnector
Import-Module AzureAD

#Connect to Skype and Azure AD
$userCredential = Get-Credential
$sfbSession = New-CsOnlineSession -Credential $userCredential
Import-PSSession $sfbSession
Connect-AzureAD -Credential $userCredential

$GroupUsers = Get-AzureADGroup -ALL $true -Filter "DisplayName eq '$ADSecurityGroupNameToApplyPolicyTo'" | Get-AzureADGroupMember -ALL $true | select mail
 
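foreach ($GroupUser in $GroupUsers)
{
	$userEmail=$GroupUser.Mail
	# Skip members with no mail attribute (e.g. nested groups or accounts without a mailbox)
	if ([string]::IsNullOrEmpty($userEmail)) { continue }
	write-host "Processing $userEmail"
	Grant-CsTeamsMessagingPolicy -PolicyName "$customMessagePolicyName" -Identity "$userEmail"
}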

Calling Policies

Calling policies can be used to configure what users can and can’t do when calling on Teams. One example is preventing students from calling on Teams.

Calling policies can be found under Voice as shown below:

[Screenshot: Calling Policies]

These are the settings that can be applied:

[Screenshot: Teams Calling Policy for Students]

This is how we apply a calling policy:

#Variables to change - add the AAD group and calling policy name here
$ADSecurityGroupNameToApplyPolicyTo="All Students"
$customMessagePolicyName="CallingPolicyForStudents"

# Install AzureAD PowerShell if you don't already have it - commented out below
# install-module azuread

#Import modules if you haven't already
Import-Module SkypeOnlineConnector
Import-Module AzureAD

#Connect to Skype and Azure AD
$userCredential = Get-Credential
$sfbSession = New-CsOnlineSession -Credential $userCredential
Import-PSSession $sfbSession
Connect-AzureAD -Credential $userCredential

$GroupUsers = Get-AzureADGroup -ALL $true -Filter "DisplayName eq '$ADSecurityGroupNameToApplyPolicyTo'" | Get-AzureADGroupMember -ALL $true | select mail
 
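foreach ($GroupUser in $GroupUsers)
{
	$userEmail=$GroupUser.Mail
	# Skip members with no mail attribute (e.g. nested groups or accounts without a mailbox)
	if ([string]::IsNullOrEmpty($userEmail)) { continue }
	write-host "Processing $userEmail"
	Grant-CsTeamsCallingPolicy -Identity "$userEmail" -PolicyName "$customMessagePolicyName"
}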

Live Event Policies

Live Event policies might be used to restrict who can attend or record live events.

Live event policies can be found under Meetings as shown below:

[Screenshot: Live Event Policies]

These are the options when setting up a Live Events policy.

[Screenshot: Teams Live Event Policy for Teachers]

This is how we apply a Live Event policy:

#Variables to change - add the AAD group and Live Event policy name here
$ADSecurityGroupNameToApplyPolicyTo="All Students"
$customMessagePolicyName="LiveEventPolicyForStudents"

# Install AzureAD PowerShell if you don't already have it - commented out below
# install-module azuread

#Import modules if you haven't already
Import-Module SkypeOnlineConnector
Import-Module AzureAD

#Connect to Skype and Azure AD
$userCredential = Get-Credential
$sfbSession = New-CsOnlineSession -Credential $userCredential
Import-PSSession $sfbSession
Connect-AzureAD -Credential $userCredential

$GroupUsers = Get-AzureADGroup -ALL $true -Filter "DisplayName eq '$ADSecurityGroupNameToApplyPolicyTo'" | Get-AzureADGroupMember -ALL $true | select mail
 
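foreach ($GroupUser in $GroupUsers)
{
	$userEmail=$GroupUser.Mail
	# Skip members with no mail attribute (e.g. nested groups or accounts without a mailbox)
	if ([string]::IsNullOrEmpty($userEmail)) { continue }
	write-host "Processing $userEmail"
	Grant-CsTeamsMeetingBroadcastPolicy -Identity "$userEmail" -PolicyName "$customMessagePolicyName"
}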

Update 11/11/2020: We have been informed that you may need to connect to Teams PowerShell to run these commands rather than Skype on some tenants (Connect-MicrosoftTeams).
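
The scripts above grant a policy once, to whoever is in the group at that moment, so students added later stay on the tenant default. The following check is an added example, not one of the author's scripts: it lists group members who do not hold the intended messaging policy. It assumes the MicrosoftTeams module (Connect-MicrosoftTeams, as in the update above) and reuses the group and policy names from the student chat script; the report layout is illustrative.

```powershell
# Added example: report which group members do NOT yet hold the intended policy.
$groupName  = "All Students"                    # group name used in the scripts above
$policyName = "CustomStudentMessagingPolicy1"   # policy name used in the scripts above

Import-Module MicrosoftTeams
Import-Module AzureAD
Connect-MicrosoftTeams    # interactive sign-in
Connect-AzureAD

# Fail closed if the display name is missing or ambiguous
$group = @(Get-AzureADGroup -Filter "DisplayName eq '$groupName'")
if ($group.Count -ne 1) {
    throw "Expected exactly one group named '$groupName', found $($group.Count)"
}

# Direct user members only; nested groups are not expanded here
$members = @(Get-AzureADGroupMember -ObjectId $group[0].ObjectId -All $true |
    Where-Object { $_.ObjectType -eq 'User' })

$report = foreach ($member in $members) {
    $teamsUser = Get-CsOnlineUser -Identity $member.UserPrincipalName -ErrorAction SilentlyContinue
    $assigned  = if ($teamsUser) { $teamsUser.TeamsMessagingPolicy } else { $null }
    # Assumption: depending on module version this is a string or an object with .Name
    if ($assigned -and $assigned.PSObject.Properties['Name']) { $assigned = $assigned.Name }

    [pscustomobject]@{
        User           = $member.UserPrincipalName
        AssignedPolicy = if ($assigned) { "$assigned" } else { "(none - tenant default applies)" }
        Compliant      = ("$assigned" -eq $policyName)
    }
}

# Anything listed here is still on a different policy or the tenant default
$gaps = @($report | Where-Object { -not $_.Compliant })
Write-Host "$($members.Count) members checked, $($gaps.Count) without '$policyName'"
$gaps | Format-Table User, AssignedPolicy -AutoSize
```

To check calling or Live Event policies instead, read the TeamsCallingPolicy or TeamsMeetingBroadcastPolicy property of the Get-CsOnlineUser result and set $policyName accordingly.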

3 thoughts on “Useful PowerShell Scripts for Managing Classes in Microsoft Teams”

  1. Navin Reginald

    Hi Tony,

    We are a school conducting classes through MS Teams. There is a problem where students are muting the teacher while the class is going on and they are unmuting themselves.

    Is there any way where the teacher can have complete control of the “Mute all” option? Please guide – this is for the A1 program in education.

    1. Tony Phillips Post author

      I agree, teachers really need that. Teachers can mute all but they can unmute themselves. There is a user voice comment about it here, I suggest voting on it: https://microsoftteams.uservoice.com/forums/555103-public/suggestions/40156951-can-the-presenter-lock-the-option-where-students-c
      If it is just a webinar with no student interaction, it might be worth conducting it as a Teams Live Event instead. That way people can just watch and cannot speak except through an approved chat.
