PowerShell script sample - Create security groups for educators and students in your school

Use this PowerShell script to create the security groups that you need to manage Microsoft Teams policies in your school. The policy assignment to groups feature in Teams lets you assign a policy to a group of users, such as a security group. The policy assignment is propagated to members of the group according to precedence rules. As members are added to or removed from a group, their inherited policy assignments are updated accordingly.

This PowerShell script creates two security groups, one for staff and educators and another for students in your school, based on license type. You can then assign policies to the security groups that you created. For more information about using this script, see Assign policies to large sets of users in your school.

This script does the following:

  • Identifies staff and educators who are assigned a Faculty SKU, creates a security group, and then adds staff and educators to the group.
  • Identifies students who are assigned a Student SKU, creates a security group, and then adds the students to the group.
  • Updates the membership of each security group to add or remove staff, educators, and students based on whether they have a license.

You'll need to run this script regularly to keep the security groups fresh and up to date.

Important

It's important to understand precedence rules and group assignment ranking when assigning policies to groups. Make sure that you read and understand the concepts in What you need to know about policy assignment to groups.

Before you start

Download and install the Skype for Business Online PowerShell module, and then restart your computer if prompted.

To lean more, see Manage Skype for Business Online with Office 365 PowerShell and Teams PowerShell overview.

Sample script

<#
Script Name:
CreateOrUpdate_SecurityGroup_Per_LicenseType.ps1
Synopsis:
This script is designed to perform following operations:
1. Create a security group for faculty and student members based on the assigned license SKU and add the members accordingly.
2. Update the security group to add/remove teachers and students so that only users who have a valid teacher/student license are present in the group.
The output of the script is written in a log file present at location: C:\results\log.txt
Written By: 
Mihir Roy
Change Log:
Version 1.0, 10/08/2019 - First Draft
#>

#Figure out to determine if the user is using an existing group or creating a new one
param
(
    [string]$teachergroupname,
	[string]$teachergroupdesc,
	[string]$studentgroupname,
	[string]$studentgroupdesc,
	[Guid]$facultyid,
	[Guid]$studentid
)

[bool] $create = $false

if ([string]::IsNullOrEmpty($teachergroupname) -and [string]::IsNullOrEmpty($studentgroupname) -and [string]::IsNullOrEmpty($studentid) -and [string]::IsNullOrEmpty($facultyid)) {
	throw "Please enter valid groupnames to create groups for Teachers and Students. In order to update a group, please enter the teacher and/or student group id's."
}

#Connect to Azure AD
Write-Host "`n"
Write-Host -ForegroundColor Green "Please enter your Global Administrator Username and Password"
Write-Host "`n"
Connect-MsolService

[Guid] $teachergroupid = New-Guid
[Guid] $studentgroupid = New-Guid

if (![string]::IsNullOrEmpty($teachergroupname)) {
	New-MsolGroup -DisplayName $teachergroupname -Description $teachergroupdesc
	$Group = Get-MsolGroup -SearchString $teachergroupname
	$teachergroupid = $Group.ObjectId
	$create = $true
}

if (![string]::IsNullOrEmpty($studentgroupname)) {
	New-MsolGroup -DisplayName $studentgroupname -Description $studentgroupdesc
	$Group = Get-MsolGroup -SearchString $studentgroupname
	$studentgroupid = $Group.ObjectId
	$create = $true
}


#Build the Students Array
$StudentsArray = @()

#Build the Teachers Array
$TeachersArray = @()

#Build the Student Sku Array
$StudentSkus = @()
$AllSkus = Get-AzureADSubscribedSku
$StudentSkuIDs = ($AllSkus | ? {$_.skupartnumber -like "*student*"}).skuid
Write-Host -ForegroundColor Green "The Student Skus identified are listed below:"
Foreach ($Element in $StudentSkuIDs) {
$SkuPart = (Get-AzureADSubscribedSku | ? {$_.SkuID -eq $Element}).SkuPartNumber
Write-Host -ForegroundColor Green "Student SkuID ${Element} for License $SkuPart"
}
Write-Host "`n"

#Build the Teacher Sku Array
$TeacherSkus = @()
$AllSkus = Get-AzureADSubscribedSku
$TeacherSkuIDs = ($AllSkus | ? {$_.skupartnumber -like "*faculty*"}).skuid
Write-Host -ForegroundColor Green "The Teacher Skus identified are listed below:"
Foreach ($Element in $TeacherSkuIDs) {
$SkuPart = (Get-AzureADSubscribedSku | ? {$_.SkuID -eq $Element}).SkuPartNumber
Write-Host -ForegroundColor Green "Teacher SkuID ${Element} for License $SkuPart"
}
Write-Host "`n"

#Get All Users in AAD
Write-Host -ForegroundColor Green "Getting All Users in Azure Active Directory with an assigned license"
Write-Host "`n"
$AllUsers = Get-AzureADUser -All $true | ? {$_.AssignedLicenses -ne $null}

$teacherAdd = $create -and ($teachergroupid -ne $null)
$studentAdd = $create -and ($studentgroupid -ne $null)

#Start foreach loop for all users with student licenses
if ($teacherAdd -or $studentAdd) {
	Foreach ($User in $AllUsers) {
	$ObjectID = $User.ObjectID
	Write-host "`n"
	Write-Host -ForegroundColor Green "Getting Assigned Licenses for $DN"
	$GetUser = Get-AzureADUser -objectid $user.objectid
	$AssignedLicenses = ($GetUser | select -ExpandProperty assignedlicenses).skuid
	Write-Host -ForegroundColor Green "User Assigned License: " $User.Displayname "-" $AssignedLicenses "-" $User.ObjectId


	#Set Variables
	$UPN = $User.userprincipalname
	$DN = $User.Displayname
	$OBJ = $User.ObjectID
	$Age = $User.AgeGroup
	$Consent = $User.ConsentProvidedForMinor
	$Legal = $User.LegalAgeGroupClassification

		#Start foreach loop for all assigned skus
		Foreach ($License in $AssignedLicenses) {

			#Creating new PS Object for each Sku and adding to the array
			If ($TeacherSkuIDs -contains $License) {
				$TeacherObj = New-Object PSObject
				$TeacherObj | Add-Member NoteProperty -Name UserPrincipalName -Value $UPN
				$TeacherObj | Add-Member NoteProperty -Name DisplayName -Value $DN
				$TeacherObj | Add-Member NoteProperty -Name ObjectID -Value $OBJ
				$TeacherObj | Add-Member NoteProperty -Name SkuID -Value $License
				$TeacherObj | Add-Member NoteProperty -Name AgeGroup -Value $Age
				$TeacherObj | Add-Member NoteProperty -Name ConsentProvidedForMinor -Value $Consent
				$TeacherObj | Add-Member NoteProperty -Name LegalAgeGroupClassification -Value $Legal
				$TeachersArray += $TeacherObj
				if ($teachergroupid -ne $null) {
					Add-MsolGroupMember -GroupObjectId $teachergroupid -GroupMemberType User -GroupMemberObjectId $OBJ
				}
			}
						
			If ($StudentSkuIDs -contains $License) {
				$StudentObj = New-Object PSObject
				$StudentObj | Add-Member NoteProperty -Name UserPrincipalName -Value $UPN
				$StudentObj | Add-Member NoteProperty -Name DisplayName -Value $DN
				$StudentObj | Add-Member NoteProperty -Name ObjectID -Value $OBJ
				$StudentObj | Add-Member NoteProperty -Name SkuID -Value $License
				$StudentObj | Add-Member NoteProperty -Name AgeGroup -Value $Age
				$StudentObj | Add-Member NoteProperty -Name ConsentProvidedForMinor -Value $Consent
				$StudentObj | Add-Member NoteProperty -Name LegalAgeGroupClassification -Value $Legal
				$StudentsArray += $StudentObj
				if ($studentgroupid -ne $null) {
					Add-MsolGroupMember -GroupObjectId $studentgroupid -GroupMemberType User -GroupMemberObjectId $OBJ
				}
			}
		}
	}
}

if ((!$teacherAdd) -and ($facultyid -ne $null)) {
	#Users to be Added in the Teacher Group that are not present
	$teacherGrpMembers = Get-MsolGroupMember -GroupObjectId $facultyid
	$teachersToAdd = ($AllUsers | ? {$_.ObjectId -ne $null}).objectid | Where {($teacherGrpMembers | ? {$_.ObjectId -ne $null}).objectid -NotContains $_}
	Foreach ($id in $teachersToAdd) {
		$GetUser = Get-AzureADUser -objectid $id
		$AssignedLicenses = ($GetUser | select -ExpandProperty assignedlicenses).skuid
		Foreach ($License in $AssignedLicenses) {

			#Adding faculty members to the security group
			If ($TeacherSkuIDs -contains $License) {
				Add-MsolGroupMember -GroupObjectId $facultyid -GroupMemberType User -GroupMemberObjectId $id
			}
		}
	}
	
	#Users (Faculty) to be removed from the group that are not in tenant anymore
	$teachersToRemove = ($teacherGrpMembers | ? {$_.ObjectId -ne $null}).objectid | Where {($AllUsers | ? {$_.ObjectId -ne $null}).objectid -NotContains $_}
	if ($teachersToRemove.Count > 0) {
		Foreach ($id in $teachersToRemove) {
			Remove-MsoLGroupMember -GroupObjectId $facultyid -GroupMemberType User -GroupmemberObjectId $id
		}
	}
}

if ((!$studentAdd) -and ($studentid -ne $null)) {
	#Users to be Added in the Student Group that are not present
	$studentGrpMembers = Get-MsolGroupMember -GroupObjectId $studentid
	$studentsToAdd = ($AllUsers | ? {$_.ObjectId -ne $null}).objectid | Where {($studentGrpMembers | ? {$_.ObjectId -ne $null}).objectid -NotContains $_}
	Foreach ($id in $studentsToAdd) {
		$GetUser = Get-AzureADUser -objectid $id
		$AssignedLicenses = ($GetUser | select -ExpandProperty assignedlicenses).skuid
		Foreach ($License in $AssignedLicenses) {

			#Adding student members to the security group
			If ($StudentSkuIDs -contains $License) {
				Add-MsolGroupMember -GroupObjectId $studentid -GroupMemberType User -GroupMemberObjectId $id
			}
		}
	}
	
	#Users (Students) to be removed the group that are not in tenant anymore
	$studentsToRemove = ($studentGrpMembers | ? {$_.ObjectId -ne $null}).objectid | Where {($AllUsers | ? {$_.ObjectId -ne $null}).objectid -NotContains $_}
	if ($studentsToRemove.Count > 0) {
		Foreach ($id in $studentsToRemove) {
			Remove-MsolGroupMember -GroupObjectId $studentid -GroupMemberType User -GroupmemberObjectId $id
		}
	}
}

Start-Transcript -Path "C:\results\log.txt"
if ($facultyid -ne $null) {
	$TeacherGroup = Get-MsolGroupMember -GroupObjectId $facultyid
	Write-Host -ForegroundColor Green "Teacher Group Count:" $TeacherGroup.Count
	Write-Host -ForegroundColor Green "Teacher Group Id:" $facultyid
}
else {
	$TeacherGroup = Get-MsolGroupMember -GroupObjectId $teachergroupid
	Write-Host -ForegroundColor Green "Teacher Group Count:" $TeacherGroup.Count
	Write-Host -ForegroundColor Green "Teacher Group Id:" $teachergroupid
}

if ($studentid -ne $null) {
	$StudentGroup = Get-MsolGroupMember -GroupObjectId $studentid
	Write-Host -ForegroundColor Green "Student Group Count:" $StudentGroup.Count
	Write-Host -ForegroundColor Green "Student Group Id:" $studentid
}
else {
	$StudentGroup = Get-MsolGroupMember -GroupObjectId $studentgroupid
	Write-Host -ForegroundColor Green "Student Group Count:" $StudentGroup.Count
	Write-Host -ForegroundColor Green "Student Group Id:" $studentgroupid
}
Stop-Transcript

Assign policies to your users in Teams