Using PowerShell to Locate Ownerless Office 365 Groups


The Need for PowerShell for Office 365 Administration

Some Office 365 administrators break out in a cold sweat at the thought of having to write code. But PowerShell isn’t really code. Well, yes it is, but it’s more like a hacker’s dream in terms of its flexibility and ability to achieve impressive results with just a little effort, especially if you can find some sample code to use as a base. In a nutshell, properly used, PowerShell is an essential part of an administrator’s toolkit.



Group Owners

Users who are nominated as the owners of Office 365 Groups are charged with the administration of those groups. Owners can, for instance, add external guest users to the group or modify the properties of the group. Tenant administrators can perform group management too, but at the expense of doing other stuff. All-in-all, it’s best to devolve group administration to their owners.

However, it’s possible that some groups will eventually end up with no owners. For example, when the account of the only group owner is deleted from Office 365. Tenant administrators are unlikely to check that an account owns any groups (Office 365 Groups or email distribution groups) when they delete a user, so it’s easy to see how the problem might arise.

No Owners, No Management

Nothing really bad will happen if a group doesn’t have any owners. Members will still be able to access all the group resources. The only problem occurs when some group administration is needed, in which case the tenant administrator either does the work themselves or they find someone to act as the group owner.

Office 365 doesn’t include any feature to scan for and report on orphaned groups, so here’s a quick example that I grabbed from Chapter 9 of “Office 365 for IT Pros”. In this case, we scan the ownership information for each group (in the ManagedBy property) to check if it is empty. If so, we flag the error. It’s a quick and simple check using some inelegant but effective code. Some sample results are shown in Figure 1.

$BadGroups = 0
$GoodGroups = 0
$Groups = Get-UnifiedGroup
ForEach ($G in $Groups) {
    # ManagedBy lists the group owners; an empty value means nobody owns the group
    If ($G.ManagedBy -Ne $Null) {
       $GoodGroups = $GoodGroups + 1
    }
    Else {
       Write-Host "Warning! The" $G.DisplayName "has no owners"
       $BadGroups = $BadGroups + 1
    }
}
Write-Host $GoodGroups "groups are OK but" $BadGroups "groups lack owners"
Figure 1: Checking for groups with no owners (image credit: Tony Redmond)

Another Way to Attack the Problem

The nice thing about PowerShell is that there are usually multiple ways to approach a problem. Here’s another example of how you might check for Office 365 Groups without an owner from Eric Zenz, who recently left Microsoft after making a substantial contribution to the development of groups. In this case, a check is performed against Azure Active Directory to determine whether the owner exists. It’s a valid way to crack the problem. I naturally prefer my method, if only because it’s faster.

$AllGroups = Get-UnifiedGroup
ForEach ($Group in $AllGroups) { # check all the groups
   Write-Host "Checking" $Group.DisplayName
   $i = 0 # number of listed owners that still exist
   ForEach ($Owner in $Group.ManagedBy) { # look for all users listed as owners
      # test the existence of each owner; a missing account leaves $User empty instead of raising an error
      $User = Get-User -Identity $Owner -ErrorAction SilentlyContinue
      If ($User -eq $Null) {
         Write-Host $Owner "does not exist!!!"
      }
      Else {
         # Write-Host $Owner "found in Azure Active Directory"
         $i = $i + 1
      }
   }
   If ($i -eq 0) { Write-Host $Group.DisplayName "has no owners" } # if no owners were found/valid, warn
}
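
The two checks above, taken one step further as an added example (not code from the article or from “Office 365 for IT Pros”): it reads each group's owner links, reports groups with no owner or only one owner, and can list the groups that deleting a given account would leave ownerless. The function name Get-GroupOwnerRisk and the sample address are assumptions, and the code needs a connected Exchange Online PowerShell session.

```powershell
# Added example, not from the original article. Assumes a connected Exchange
# Online session providing Get-UnifiedGroup and Get-UnifiedGroupLinks.
function Get-GroupOwnerRisk {   # hypothetical function name
    [CmdletBinding()]
    param(
        # Optional: primary SMTP address of an account that is about to be deleted
        [string]$LeavingOwner
    )
    # Ask for every group explicitly rather than relying on the default result size
    $Groups = Get-UnifiedGroup -ResultSize Unlimited
    ForEach ($G in $Groups) {
        try {
            # Read the current owner links for the group
            $Owners = @(Get-UnifiedGroupLinks -Identity $G.DistinguishedName -LinkType Owners -ErrorAction Stop)
            $Status = switch ($Owners.Count) {
                0       { 'NoOwner' }
                1       { 'SingleOwner' }   # one deletion away from being ownerless
                default { 'OK' }
            }
        }
        catch {
            # A failed lookup must not be reported as "no owner"
            $Owners = @()
            $Status = 'LookupFailed'
        }
        $Addresses = @($Owners | ForEach-Object { [string]$_.PrimarySmtpAddress })
        # With -LeavingOwner, keep only groups whose sole owner is that account
        If ($LeavingOwner -and -not ($Status -eq 'SingleOwner' -and $Addresses -contains $LeavingOwner)) {
            continue
        }
        # Emit objects instead of Write-Host text so the result can be sorted or exported
        [PSCustomObject]@{
            DisplayName = $G.DisplayName
            Status      = $Status
            OwnerCount  = $Owners.Count
            Owners      = $Addresses -join '; '
        }
    }
}

# Every group that needs attention, ownerless groups first
Get-GroupOwnerRisk | Where-Object Status -ne 'OK' | Sort-Object OwnerCount | Format-Table -AutoSize

# Groups that deleting this account would orphan (constructed sample address)
Get-GroupOwnerRisk -LeavingOwner 'kim.akers@example.com' | Format-Table -AutoSize
```

Running the second form before removing an account gives the administrator the list of groups that need a new owner assigned first.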

Tracking Group Changes with PowerShell

Another great example of using PowerShell to report on Office 365 Groups can be found in the script to report on added, updated, and deleted groups written by Paul Cunningham and Chris Brown. Instead of the hack-like code examples explained above, this script demonstrates how to set up error handling and reporting in an elegant and powerful way, so it’s a good addition to an administrator’s toolkit.

Professional Scripting

Of course, you never, ever, ever run PowerShell code that you download from the internet without first checking it thoroughly (check your script execution policy too). That doesn’t mean running scripts against your production tenant just to see what happens.

If you’re still uneasy about the prospect of writing PowerShell, Paul Cunningham has published an excellent walk-through of how to approach writing a script. Of course, my code is not as sophisticated as the kind of scripts Paul produces, but it’s always nice to aspire to write better code.

Follow Tony on Twitter @12Knocksinna.
