Manage Microsoft 365 Groups with PowerShell

This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.

This article provides the steps for doing common management tasks for Groups in Microsoft PowerShell. It also lists the PowerShell cmdlets for Groups. For info about managing SharePoint sites, see Manage SharePoint Online sites using PowerShell.

When users create or edit a group in Outlook, you can show them a link to your organization's usage guidelines. For example, if you require a specific prefix or suffix to be added to a group name.

Use the Azure Active Directory (Azure AD) PowerShell to point your users to your organization's usage guidelines for Microsoft 365 groups. Check out Azure Active Directory cmdlets for configuring group settings and follow the steps in the Create settings at the directory level to define the usage guideline hyperlink. Once you run the AAD cmdlet, users will see the link to your guidelines when they create or edit a group in Outlook.

Create a new group with usage guidelines link

Click Group usage guidelines to see your organizations Office 365 groups guidelines

Allow users to Send as the Microsoft 365 Group

If you want to enable your Microsoft 365 groups to "Send As", use the Add-RecipientPermission and Get-RecipientPermission cmdlets to configure this. Once you enable this setting, Microsoft 365 group users can use Outlook or Outlook on the web to send and reply to email as the Microsoft 365 group. Users can go to the group, create a new email, and change the "Send As" field to the group's email address.

(You can also do this in the Exchange Admin Center.)

Use the following script, replacing <GroupAlias> with the alias of the group that you want to update, and <UserAlias> with the alias of the user to whom you want to grant permissions. Connect to Exchange Online PowerShell to run this script.

$groupAlias = "<GroupAlias>"
$userAlias = "<UserAlias>"
$groupsRecipientDetails = Get-Recipient -RecipientTypeDetails groupmailbox -Identity $groupAlias

Add-RecipientPermission -Identity $groupsRecipientDetails.Name -Trustee $userAlias -AccessRights SendAs

Once the cmdlet is executed, users can go to Outlook or Outlook on the web to send as the group, by adding the group email address to the From field.

Create classifications for Microsoft 365 Groups in your organization

You can create sensitivity labels that the users in your organization can set when they create a Microsoft 365 Group. If you want to classify groups, we recommend using sensitivity labels instead of the previous groups classification feature. For information about using sensitivity labels, see Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites.

Important

If you are currently using classification labels, they will no longer be available to users who create groups once sensitivity labels are enabled.

You can still use the previous groups classification feature. You can create classifications that the users in your organization can set when they create an Microsoft 365 Group. For example, you can allow users to set "Standard", "Secret", and "Top Secret" on groups they create. Group classifications aren't set by default and you need to create it in order for your users to set it. Use Azure Active Directory PowerShell to point your users to your organization's usage guidelines for Microsoft 365 Groups.

Check out Azure Active Directory cmdlets for configuring group settings and follow the steps in the Create settings at the directory level to define the classification for Microsoft 365 Groups.

$setting["ClassificationList"] = "Low Impact, Medium Impact, High Impact"

In order to associate a description to each classification you can use the settings attribute ClassificationDescriptions to define.

$setting["ClassificationDescriptions"] ="Classification:Description,Classification:Description"

where Classification matches the strings in the ClassificationList.

Example:

$setting["ClassificationDescriptions"] = "Low Impact: General communication, Medium Impact: Company internal data , High Impact: Data that has regulatory requirements"

After you run the above Azure Active Directory cmdlet to set your classification, run the Set-UnifiedGroup cmdlet if you want to set the classification for a specific group.

Set-UnifiedGroup <LowImpactGroup@constoso.com> -Classification <LowImpact>

Or create a new group with a classification.

New-UnifiedGroup <HighImpactGroup@constoso.com> -Classification <HighImpact> -AccessType <Public>

Check out Using PowerShell with Exchange Online and Connect to Exchange Online PowerShell for more details on using Exchange Online PowerShell.

Once these settings are enabled, the group owner will be able to choose a classification from the drop down menu in Outlook on the Web and Outlook, and save it from the Edit group page.

Choose Microsoft 365 Group classification

Hide Microsoft 365 Groups from the global address list.

You can specify whether a Microsoft 365 Group appears in the global address list (GAL) and other lists in your organization. For example, if you have a legal department group that you don't want to show up in the address list, you can stop that group from appearing in the GAL. Run the Set-Unified Group cmdlet to hide the group from the address list like this:

Set-UnifiedGroup -Identity "Legal Department" -HiddenFromAddressListsEnabled $true

Allow only internal users to send message to Microsoft 365 Groups

If you don't want users from other organizations to send emails to a Microsoft 365 Group, you can change the settings for that group. It will allow only internal users to send an email to your group. If an external user tries to send a message to that group, it will be rejected.

Run the Set-UnifiedGroup cmdlet to update this setting, like this:

Set-UnifiedGroup -Identity "Internal senders only" -RequireSenderAuthenticationEnabled $true

Add MailTips to Microsoft 365 Groups

Whenever a sender tries to send an email to a Microsoft 365 Group, a MailTip can be shown to them.

Run the Set-Unified Group cmdlet to add a mailTip to the group:

Set-UnifiedGroup -Identity "MailTip Group" -MailTip "This group has a MailTip"

Along with MailTip, you can also set MailTipTranslations, which specifies additional languages for the MailTip. Suppose you want to have the Spanish translation, then run the following command:

Set-UnifiedGroup -Identity "MailaTip Group" -MailTip "This group has a MailTip" -MailTipTranslations "@{Add="ES:Esta caja no se supervisa."

Change the display name of the Microsoft 365 Group

The display name specifies the name of the Microsoft 365 Group. You can see this name in your exchange admin center or Microsoft 365 admin center. You can edit the display name of the group or assign a display name to an existing Microsoft 365 Group by running the Set-UnifiedGroup command:

Set-UnifiedGroup -Identity "mygroup@contoso.com" -DisplayName "My new group"

Change the default setting of Microsoft 365 Groups for Outlook to Public or Private

Microsoft 365 Groups in Outlook are created as Private by default. If your organization wants Microsoft 365 Groups to be created as Public by default (or back to Private), use this PowerShell cmdlet syntax:

Set-OrganizationConfig -DefaultGroupAccessType Public

To set to Private:

Set-OrganizationConfig -DefaultGroupAccessType Private

To verify the setting:

Get-OrganizationConfig | ft DefaultGroupAccessType

To learn more, see Set-OrganizationConfig and Get-OrganizationConfig.

Microsoft 365 Groups cmdlets

The following cmdlets can be used with Microsoft 365 Groups.

Cmdlet name Description
Get-UnifiedGroup
Use this cmdlet to look up existing Microsoft 365 Groups, and to view properties of the group object
Set-UnifiedGroup
Update the properties of a specific Microsoft 365 Group
New-UnifiedGroup
Create a new Microsoft 365 Group. This cmdlet provides a minimal set of parameters. To set values for extended properties, use Set-UnifiedGroup after creating the new group
Remove-UnifiedGroup
Delete an existing Microsoft 365 Group
Get-UnifiedGroupLinks
Retrieve membership and owner information for a Microsoft 365 Group
Add-UnifiedGroupLinks
Add members, owners, and subscribers to an existing Microsoft 365 Group
Remove-UnifiedGroupLinks
Remove owners and members from an existing Microsoft 365 Group
Get-UserPhoto
Used to view information about the user photo associated with an account. User photos are stored in Active Directory
Set-UserPhoto
Used to associate a user photo with an account. User photos are stored in Active Directory
Remove-UserPhoto
Remove the photo for an Microsoft 365 Group

Upgrade distribution lists to Microsoft 365 Groups

Manage who can create Microsoft 365 Groups

Manage guest access to Microsoft 365 Groups

Change static group membership to dynamic in