Azure Active Directory cmdlets for configuring group settings

This article contains instructions for using Azure Active Directory (Azure AD) PowerShell cmdlets to create and update groups. This content applies only to Microsoft 365 groups (sometimes called unified groups).

Important

Some settings require an Azure Active Directory Premium P1 license. For more information, see the Template settings table.

To prevent non-administrator users from creating security groups, run Set-MsolCompanySettings -UsersPermissionToCreateGroupsEnabled $False, as described in Set-MSOLCompanySettings.

Microsoft 365 groups settings are configured using a Settings object and a SettingsTemplate object. Initially, you don't see any Settings objects in your directory, because your directory is configured with the default settings. To change the default settings, you must create a new settings object using a settings template. Settings templates are defined by Microsoft. There are several different settings templates. To configure Microsoft 365 group settings for your directory, you use the template named "Group.Unified". To configure Microsoft 365 group settings on a single group, use the template named "Group.Unified.Guest". This template is used to manage guest access to a Microsoft 365 group.

The cmdlets are part of the Azure Active Directory PowerShell V2 module. For instructions on how to download and install the module on your computer, see the article Azure Active Directory PowerShell Version 2. You can install the version 2 release of the module from the PowerShell gallery.

Install PowerShell cmdlets

Be sure to uninstall any older version of the Azure Active Directory PowerShell for Graph Module for Windows PowerShell and install Azure Active Directory PowerShell for Graph - Public Preview Release (later than 2.0.0.137) before you run the PowerShell commands.

  1. Open the Windows PowerShell app as an administrator.

  2. Uninstall any previous version of AzureADPreview.

    Uninstall-Module AzureADPreview
    Uninstall-Module azuread
    
  3. Install the latest version of AzureADPreview.

    Install-Module AzureADPreview
    

Create settings at the directory level

These steps create settings at directory level, which apply to all Microsoft 365 groups in the directory. The Get-AzureADDirectorySettingTemplate cmdlet is available only in the Azure AD PowerShell Preview module for Graph.

  1. In the DirectorySettings cmdlets, you must specify the ID of the SettingsTemplate you want to use. If you do not know this ID, this cmdlet returns the list of all settings templates:

    Get-AzureADDirectorySettingTemplate
    
    

    This cmdlet call returns all templates that are available:

    Id                                   DisplayName         Description
    --                                   -----------         -----------
    62375ab9-6b52-47ed-826b-58e47e0e304b Group.Unified       ...
    08d542b9-071f-4e16-94b0-74abb372e3d9 Group.Unified.Guest Settings for a specific Microsoft 365 group
    16933506-8a8d-4f0d-ad58-e1db05a5b929 Company.BuiltIn     Setting templates define the different settings that can be used for the associ...
    4bc7f740-180e-4586-adb6-38b2e9024e6b Application...
    898f1161-d651-43d1-805c-3b0b388a9fc2 Custom Policy       Settings ...
    5cf42378-d67d-4f36-ba46-e8b86229381d Password Rule       Settings ...
    
  2. To add a usage guideline URL, first you need to get the SettingsTemplate object that defines the usage guideline URL value; that is, the Group.Unified template:

    $TemplateId = (Get-AzureADDirectorySettingTemplate | where { $_.DisplayName -eq "Group.Unified" }).Id
    $Template = Get-AzureADDirectorySettingTemplate | where -Property Id -Value $TemplateId -EQ
    
  3. Next, create a new settings object based on that template:

    $Setting = $Template.CreateDirectorySetting()
    
  4. Then update the usage guideline value:

    $Setting["UsageGuidelinesUrl"] = "https://guideline.example.com"
    
  5. Then apply the setting:

    New-AzureADDirectorySetting -DirectorySetting $Setting
    
  6. You can read the values using:

    $Setting.Values
    

Update settings at the directory level

To update the value for UsageGuidelinesUrl in the setting template, first read the current settings from Azure AD; otherwise, we could end up overwriting existing settings other than UsageGuidelinesUrl.

  1. Get the current settings from the Group.Unified SettingsTemplate:

    $Setting = Get-AzureADDirectorySetting | ? { $_.DisplayName -eq "Group.Unified"}
    
  2. Check the current settings:

    $Setting.Values
    

    Output:

     Name                          Value
     ----                          -----
     EnableMIPLabels               false
     CustomBlockedWordsList
     EnableMSStandardBlockedWords  False
     ClassificationDescriptions
     DefaultClassification
     PrefixSuffixNamingRequirement
     AllowGuestsToBeGroupOwner     False
     AllowGuestsToAccessGroups     True
     GuestUsageGuidelinesUrl
     GroupCreationAllowedGroupId
     AllowToAddGuests              True
     UsageGuidelinesUrl            https://guideline.example.com
     ClassificationList
     EnableGroupCreation           True
    
  3. To remove the value of UsageGuidelinesUrl, edit the URL to be an empty string:

    $Setting["UsageGuidelinesUrl"] = ""
    
  4. Save the update to the directory:

    Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting
    

Template settings

Here are the settings defined in the Group.Unified SettingsTemplate. Unless otherwise indicated, these features require an Azure Active Directory Premium P1 license.

Setting | Description
  • EnableGroupCreation
  • Type: Boolean
  • Default: True
The flag indicating whether Microsoft 365 group creation is allowed in the directory by non-admin users. This setting does not require an Azure Active Directory Premium P1 license.
  • GroupCreationAllowedGroupId
  • Type: String
  • Default: ""
GUID of the security group for which the members are allowed to create Microsoft 365 groups even when EnableGroupCreation == false.
  • UsageGuidelinesUrl
  • Type: String
  • Default: ""
A link to the Group Usage Guidelines.
  • ClassificationDescriptions
  • Type: String
  • Default: ""
A comma-delimited list of classification descriptions. The value of ClassificationDescriptions is only valid in this format:
    $setting["ClassificationDescriptions"] ="Classification:Description,Classification:Description"
where Classification matches an entry in the ClassificationList.
This setting does not apply when EnableMIPLabels == True.
  • DefaultClassification
  • Type: String
  • Default: ""
The classification that is to be used as the default classification for a group if none was specified.
This setting does not apply when EnableMIPLabels == True.
  • PrefixSuffixNamingRequirement
  • Type: String
  • Default: ""
String of a maximum length of 64 characters that defines the naming convention configured for Microsoft 365 groups. For more information, see Enforce a naming policy for Microsoft 365 groups.
  • CustomBlockedWordsList
  • Type: String
  • Default: ""
Comma-separated string of phrases that users will not be permitted to use in group names or aliases. For more information, see Enforce a naming policy for Microsoft 365 groups.
  • EnableMSStandardBlockedWords
  • Type: Boolean
  • Default: "False"
Do not use
  • AllowGuestsToBeGroupOwner
  • Type: Boolean
  • Default: False
Boolean indicating whether or not a guest user can be an owner of groups.
  • AllowGuestsToAccessGroups
  • Type: Boolean
  • Default: True
Boolean indicating whether or not a guest user can have access to Microsoft 365 groups content. This setting does not require an Azure Active Directory Premium P1 license.
  • GuestUsageGuidelinesUrl
  • Type: String
  • Default: ""
The URL of a link to the guest usage guidelines.
  • AllowToAddGuests
  • Type: Boolean
  • Default: True
Boolean indicating whether or not adding guests to this directory is allowed.
This setting may be overridden and become read-only if EnableMIPLabels is set to True and a guest policy is associated with the sensitivity label assigned to the group.
If the AllowToAddGuests setting is set to False at the organization level, any AllowToAddGuests setting at the group level is ignored. If you want to enable guest access for only a few groups, you must set AllowToAddGuests to be true at the organization level, and then selectively disable it for specific groups.
  • ClassificationList
  • Type: String
  • Default: ""
A comma-delimited list of valid classification values that can be applied to Microsoft 365 groups.
This setting does not apply when EnableMIPLabels == True.
  • EnableMIPLabels
  • Type: Boolean
  • Default: "False"
The flag indicating whether sensitivity labels published in Microsoft 365 Compliance Center can be applied to Microsoft 365 groups.

Example: Configure Guest policy for groups at the directory level

  1. Get all the setting templates:

    Get-AzureADDirectorySettingTemplate
    
  2. To set guest policy for groups at the directory level, you need the Group.Unified template:

    $Template = Get-AzureADDirectorySettingTemplate | where -Property Id -Value "62375ab9-6b52-47ed-826b-58e47e0e304b" -EQ
    
  3. Next, create a new settings object based on that template:

    $Setting = $template.CreateDirectorySetting()
    
  4. Then update the AllowToAddGuests setting:

    $Setting["AllowToAddGuests"] = $False
    
  5. Then apply the setting:

    Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting
    
  6. You can read the values using:

    $Setting.Values
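
The create and update procedures above, combined into one read-modify-write helper so that changing AllowToAddGuests (or any other value) does not reset settings configured earlier, which is the overwrite risk the update section warns about. This is an added example, not code from the original article; the function name Set-UnifiedGroupDirectorySetting is hypothetical, and it assumes the AzureADPreview module is installed and Connect-AzureAD has been run.

```powershell
# Added example, not from the original article. Assumes the AzureADPreview
# module is installed and Connect-AzureAD has already been run.
function Set-UnifiedGroupDirectorySetting {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Setting names and new values, for example @{ AllowToAddGuests = $false }
        [Parameter(Mandatory)] [hashtable] $Changes
    )

    # Reuse the directory's existing Group.Unified settings object if there is one.
    $existing = Get-AzureADDirectorySetting -All $true |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }

    if ($existing) {
        $setting = $existing
    } else {
        # No object yet: start from the template, which carries the defaults.
        $template = Get-AzureADDirectorySettingTemplate |
            Where-Object { $_.DisplayName -eq 'Group.Unified' }
        $setting = $template.CreateDirectorySetting()
    }

    # Reject names the settings object does not define, so a typo fails loudly.
    $known = $setting.Values | ForEach-Object { $_.Name }
    foreach ($name in $Changes.Keys) {
        if ($known -notcontains $name) {
            throw "Unknown Group.Unified setting: $name"
        }
    }

    # Change only the requested values; all other values stay as they were read.
    foreach ($name in $Changes.Keys) {
        $setting[$name] = $Changes[$name]
    }

    if ($existing) {
        if ($PSCmdlet.ShouldProcess('Group.Unified', 'Update directory setting')) {
            Set-AzureADDirectorySetting -Id $existing.Id -DirectorySetting $setting | Out-Null
        }
    } elseif ($PSCmdlet.ShouldProcess('Group.Unified', 'Create directory setting')) {
        New-AzureADDirectorySetting -DirectorySetting $setting | Out-Null
    }

    # Return the values that were applied (or would be applied with -WhatIf).
    $setting.Values
}

# Preview the change first, then apply it:
# Set-UnifiedGroupDirectorySetting -Changes @{ AllowToAddGuests = $false } -WhatIf
# Set-UnifiedGroupDirectorySetting -Changes @{ AllowToAddGuests = $false }
```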
    

Read settings at the directory level

If you know the name of the setting you want to retrieve, you can use the following cmdlet to retrieve the current settings value. In this example, we're retrieving the value for a setting named "UsageGuidelinesUrl."

    (Get-AzureADDirectorySetting).Values | Where-Object -Property Name -Value UsageGuidelinesUrl -EQ

These steps read settings at directory level, which apply to all Office groups in the directory.

  1. Read all existing directory settings:

    Get-AzureADDirectorySetting -All $True
    

    This cmdlet returns a list of all directory settings:

    Id                                   DisplayName   TemplateId                           Values
    --                                   -----------   ----------                           ------
    c391b57d-5783-4c53-9236-cefb5c6ef323 Group.Unified 62375ab9-6b52-47ed-826b-58e47e0e304b {class SettingValue {...
    
  2. Read all settings for a specific group:

    Get-AzureADObjectSetting -TargetObjectId ab6a3887-776a-4db7-9da4-ea2b0d63c504 -TargetType Groups
    
  3. Read all directory settings values of a specific directory settings object, using Settings ID GUID:

    (Get-AzureADDirectorySetting -Id c391b57d-5783-4c53-9236-cefb5c6ef323).values
    

    This cmdlet returns the names and values in this settings object for this specific group:

    Name                          Value
    ----                          -----
    ClassificationDescriptions
    DefaultClassification
    PrefixSuffixNamingRequirement
    CustomBlockedWordsList        
    AllowGuestsToBeGroupOwner     False 
    AllowGuestsToAccessGroups     True
    GuestUsageGuidelinesUrl
    GroupCreationAllowedGroupId
    AllowToAddGuests              True
    UsageGuidelinesUrl            https://guideline.example.com
    ClassificationList
    EnableGroupCreation           True
    

Remove settings at the directory level

This step removes settings at directory level, which apply to all Office groups in the directory.

    Remove-AzureADDirectorySetting -Id c391b57d-5783-4c53-9236-cefb5c6ef323

Create settings for a specific group

  1. Search for the settings template named "Group.Unified.Guest":

    Get-AzureADDirectorySettingTemplate
    
    Id                                   DisplayName            Description
    --                                   -----------            -----------
    62375ab9-6b52-47ed-826b-58e47e0e304b Group.Unified          ...
    08d542b9-071f-4e16-94b0-74abb372e3d9 Group.Unified.Guest    Settings for a specific Microsoft 365 group
    4bc7f740-180e-4586-adb6-38b2e9024e6b Application            ...
    898f1161-d651-43d1-805c-3b0b388a9fc2 Custom Policy Settings ...
    5cf42378-d67d-4f36-ba46-e8b86229381d Password Rule Settings ...
    
  2. Retrieve the template object for the Group.Unified.Guest template:

    $Template1 = Get-AzureADDirectorySettingTemplate | where -Property Id -Value "08d542b9-071f-4e16-94b0-74abb372e3d9" -EQ
    
  3. Create a new settings object from the template:

    $SettingCopy = $Template1.CreateDirectorySetting()
    
  4. Set the setting to the required value:

    $SettingCopy["AllowToAddGuests"]=$False
    
  5. Get the ID of the group you want to apply this setting to:

    $groupID= (Get-AzureADGroup -SearchString "YourGroupName").ObjectId
    
  6. Create the new setting for the required group in the directory:

    New-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupID -DirectorySetting $SettingCopy
    
  7. To verify the settings, run this command:

    Get-AzureADObjectSetting -TargetObjectId $groupID -TargetType Groups | fl Values
    

Update settings for a specific group

  1. Get the ID of the group whose setting you want to update:
    $groupID= (Get-AzureADGroup -SearchString "YourGroupName").ObjectId
    
  2. Retrieve the setting of the group:
    $Setting = Get-AzureADObjectSetting -TargetObjectId $groupID -TargetType Groups
    
  3. Update the setting of the group as you need, for example:
    $Setting["AllowToAddGuests"] = $True
    
  4. Then get the ID of the setting for this specific group:
    Get-AzureADObjectSetting -TargetObjectId $groupID -TargetType Groups
    
    You will get a response similar to this:
    Id                                   DisplayName            TemplateId                             Values
    --                                   -----------            -----------                            ----------
    2dbee4ca-c3b6-4f0d-9610-d15569639e1a Group.Unified.Guest    08d542b9-071f-4e16-94b0-74abb372e3d9   {class SettingValue {...
    
  5. Then you can set the new value for this setting:
    Set-AzureADObjectSetting -TargetType Groups -TargetObjectId $groupID -Id 2dbee4ca-c3b6-4f0d-9610-d15569639e1a -DirectorySetting $Setting
    
  6. You can read the value of the setting to make sure it has been updated correctly:
    Get-AzureADObjectSetting -TargetObjectId $groupID -TargetType Groups | fl Values
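
The precedence rule for AllowToAddGuests from the template settings table (an organization-level False causes any group-level value to be ignored), worked through as an added example that is not part of the original article. The function names and the sample Name/Value pairs are constructed for illustration, and the block runs offline; the closing comment shows which cmdlets from this page supply the live values.

```powershell
# Added example, not from the original article. Runs offline on constructed data.
function Get-SettingValue {
    param([object[]] $Values, [string] $Name, [string] $Default)
    $hit = $Values | Where-Object { $_.Name -eq $Name } | Select-Object -First 1
    if ($hit -and "$($hit.Value)" -ne '') { return "$($hit.Value)" }
    return $Default
}

function Get-EffectiveGuestAdd {   # hypothetical helper name
    param(
        [string]   $GroupName,
        [object[]] $DirectoryValues,  # Values of the Group.Unified object, $null if none
        [object[]] $GroupValues       # Values of the group's Group.Unified.Guest object, $null if none
    )
    # Defaults come from the template settings table: AllowToAddGuests = True,
    # EnableMIPLabels = False. Values arrive as text ("True", "false"), so parse them.
    $dirAllows = [bool]::Parse((Get-SettingValue $DirectoryValues 'AllowToAddGuests' 'True'))
    $mipLabels = [bool]::Parse((Get-SettingValue $DirectoryValues 'EnableMIPLabels' 'False'))
    $groupRaw  = Get-SettingValue $GroupValues 'AllowToAddGuests' ''

    if (-not $dirAllows) {
        # Organization-level False wins; the group-level value is ignored.
        $effective = $false; $source = 'Directory (group value ignored)'
    } elseif ($groupRaw -ne '') {
        $effective = [bool]::Parse($groupRaw); $source = 'Group'
    } else {
        $effective = $true; $source = 'Directory'
    }

    [pscustomobject]@{
        Group            = $GroupName
        AllowToAddGuests = $effective
        DecidedBy        = $source
        # With EnableMIPLabels on, a sensitivity label's guest policy may override this.
        CheckLabelPolicy = $mipLabels
    }
}

# Constructed sample data shaped like the Name/Value pairs shown on this page.
function New-Pair($n, $v) { [pscustomobject]@{ Name = $n; Value = $v } }
$directory = @((New-Pair 'AllowToAddGuests' 'True'), (New-Pair 'EnableMIPLabels' 'false'))
$groups = [ordered]@{
    'Finance'   = @(New-Pair 'AllowToAddGuests' 'False')   # per-group override
    'Marketing' = $null                                     # no Group.Unified.Guest object
}
foreach ($g in $groups.Keys) {
    Get-EffectiveGuestAdd -GroupName $g -DirectoryValues $directory -GroupValues $groups[$g]
}
# Live data: (Get-AzureADDirectorySetting | ? DisplayName -eq 'Group.Unified').Values and
# (Get-AzureADObjectSetting -TargetObjectId $groupID -TargetType Groups).Values
```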
    

Cmdlet syntax reference

You can find more Azure Active Directory PowerShell documentation at Azure Active Directory Cmdlets.

Additional reading