Managing Security Groups (ADDS, Office365, Teams & Licensing)

Hi there

In this post I'd like to show you how to automate the membership of ADDS-synced security groups, so that one additional security group can be used to assign permissions in Teams (who can create Office 365 groups and teams in Teams – check here).

The domain has 3 security groups:

E1-collab-lic: all users assigned E1 licenses (with Teams)

E3-collab-lic: all users assigned E3 licenses (with Teams)

O365_Teams_Mgmt: all users from E1-collab and E3-collab, who will be allowed to create Office 365 Groups and teams in Teams. – check the article to give this group its proper permission.

Prepare our sandbox environment

  1. Install a fresh VM (2 CPUs, 4 GB RAM, 40 GB OS disk)
  2. Install a Domain Controller (domain: thebeier.local)
  3. Give it internet access
  4. Install the latest version of Azure AD Connect – from here.
  5. Create the OU, security groups and users for this lab using the PowerShell below.
    # Create the OU, groups and users, then add the users to the E1 and E3 license groups
    New-ADOrganizationalUnit -Name "Groups" -Path "DC=thebeier,DC=local"
    New-ADGroup -Name "O365_Teams_Mgmt" -SamAccountName O365_Teams_Mgmt -GroupCategory Security -GroupScope Global -DisplayName "Allow users to manage teams" -Path "OU=Groups,DC=thebeier,DC=local" -Description "Members of this group are Teams' team and channel Administrators"
    New-ADGroup -Name "E1-Collab-lic" -SamAccountName E1-Collab-lic -GroupCategory Security -GroupScope Global -DisplayName "Assign E1-Collab licenses" -Path "OU=Groups,DC=thebeier,DC=local" -Description "E1-Collab"
    New-ADGroup -Name "E3-Collab-lic" -SamAccountName E3-Collab-lic -GroupCategory Security -GroupScope Global -DisplayName "Assign E3-Collab licenses" -Path "OU=Groups,DC=thebeier,DC=local" -Description "E3-Collab"
    New-ADUser -Name user04 -SamAccountName user04 -DisplayName user04 -path "OU=Groups,DC=thebeier,DC=local" -Description "E3-Collab"
    New-ADUser -Name user05 -SamAccountName user05 -DisplayName user05 -path "OU=Groups,DC=thebeier,DC=local" -Description "E1-Collab"
    add-ADGroupMember -Identity E3-Collab-lic -Members user04
    add-ADGroupMember -Identity E1-Collab-lic -Members user05
  6. Open dsa.msc (ADUC – Active Directory Users and Computers) to check your AD structure
    1. Check the OU
    2. Check the groups
    3. Check the users' group membership

Retrieving the members of E1-collab and E3-collab and adding them to the O365_Teams_Mgmt security group.

# Add every member of E1-Collab-lic to O365_Teams_Mgmt
$users = Get-ADGroupMember -Identity E1-Collab-lic
$users.samaccountname | foreach {
    write-host -ForegroundColor Yellow "adding user $_ to Group"
    Add-ADGroupMember -Identity "O365_Teams_Mgmt" -Members $_
}

# Add every member of E3-Collab-lic to O365_Teams_Mgmt
$users = Get-ADGroupMember -Identity E3-Collab-lic
$users.samaccountname | foreach {
    write-host -ForegroundColor Yellow "adding user $_ to Group"
    Add-ADGroupMember -Identity "O365_Teams_Mgmt" -Members $_
}

# Read back the resulting membership of O365_Teams_Mgmt
$users = Get-ADGroupMember -Identity O365_Teams_Mgmt

TIP! – What If?
If a user is removed from the E1-collab-lic or E3-collab-lic group, that user should be removed from the O365_Teams_Mgmt group as well. – download here.
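One way to handle the removal case from the tip above is to reconcile O365_Teams_Mgmt against both license groups in a single pass. This is an added example, not the script linked from this post; the parameter names `SourceGroups` and `TargetGroup` are assumptions, and it expects the ActiveDirectory module and the lab groups created earlier.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not the author's script): make O365_Teams_Mgmt match the
# union of the license groups. Parameter names are hypothetical.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$SourceGroups = @('E1-Collab-lic', 'E3-Collab-lic'),
    [string]$TargetGroup = 'O365_Teams_Mgmt'
)
# Stop on any failed lookup so a query error is never read as "no members".
$ErrorActionPreference = 'Stop'

# Desired state: users that belong to at least one license group.
$desired = foreach ($group in $SourceGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object objectClass -eq 'user'
}
$desired = @($desired | Sort-Object -Property distinguishedName -Unique)

# Safety guard: an empty desired set would strip every member of the target.
if ($desired.Count -eq 0) {
    throw "No users found in $($SourceGroups -join ', '); refusing to empty $TargetGroup."
}

# Current state: direct members of the target group.
$current   = @(Get-ADGroupMember -Identity $TargetGroup)
$desiredDn = @($desired.distinguishedName)
$currentDn = @($current.distinguishedName)

$toAdd    = @($desired | Where-Object { $currentDn -notcontains $_.distinguishedName })
$toRemove = @($current | Where-Object { $desiredDn -notcontains $_.distinguishedName })

foreach ($member in $toAdd) {
    if ($PSCmdlet.ShouldProcess($member.SamAccountName, "Add to $TargetGroup")) {
        Add-ADGroupMember -Identity $TargetGroup -Members $member
    }
}
foreach ($member in $toRemove) {
    if ($PSCmdlet.ShouldProcess($member.SamAccountName, "Remove from $TargetGroup")) {
        Remove-ADGroupMember -Identity $TargetGroup -Members $member -Confirm:$false
    }
}

# Summary of what was (or, with -WhatIf, would be) changed, for logging.
[pscustomobject]@{
    Added   = @($toAdd.SamAccountName)
    Removed = @($toRemove.SamAccountName)
}
```

Saved as a .ps1 file and run with `-WhatIf` first, it lists the planned additions and removals without touching the group.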

For more scripts, check my GitHub repo.


Thiago Beier