Install
If you have a Powershell Version 3.0 or newer, just open a powersehll window and type
Install-Module -Name MicrosoftTeams
Usage .\sync_team_with_ad.ps1
This script synchronizes a Microsoft Team with a group of your local Active Directory. The synchronization only affects the Team, never the AD group.
Authentication
The script needs to connect to both the ActiveDirectory Domain and Microsoft teams. To avoid the Login-Dialogs to pop up during the execution of the script, these connections can be done in advance.
- Active Directory Please specify the domain either as 'uid@domain' or as 'domain\uid'
$credentials=(Get-Credential)- Microsoft Teams
$tenant= (Connect-MicrosoftTeams) From now on, you can use these parameters and dont have to authenticate everytime the script is run.
Please note, if you run the script without providing these two paremeters, you will get prompted for them. If you call the script as an include:
. .\sync_team_with_ad.ps1 [...]you will have both variables filled after the run. They can be used for following calls to the script.
Usage
The script has the following parameters
-
team, mandatory, the name of the Microsoft team, wildcards can be used. If more than one team is found, the script shows the matches and terminates. -
group, mandatory, the name of the Active Directory group, wildcards can be used. If more than one group is found, the script shows the matches and terminates. -
credentials, optional, the ActiveDirectory credentials, see above, if not specified and not logged on as an ActiveDirectory user, you will get prompted -
tenant, optional, the tenant for the MicrosoftTeams, see above, if not specified and not logged on as an ActiveDirectory user, you will get prompted -
verbose, optional, prints the changes that are taking place -
remove, optional, if specified, removes member from the team that are not found in the ActiveDirectory group -
dryrun, optional, does not actually change a team
Examples
- A call to change the Team
foobaraccording to the group found with the namefooadm*, as no authentication is given, the script asks for both AD and Microsoft Teams authentifcation but will save these in the variables mentioned above
. .\sync_team_with_ad.ps1 -team foobar -group fooadm* - A call to a dryrun with prexisting authentications
. .\sync_team_with_ad.ps1 -team foobar -group fooadm* -tenant $tenant -credentials $credentialsCron Usage
Preperation
This section is still under construction.
If the script should be run automatically, there has to be a way to save the authentication information. At least under Windows, there is a way to do that.
We need to create two objects to do that: one object to store the AD-credentials, and one object to store the Office365 credentials. To do that, we use the
export-clixml function, which will encrypt the sensitive information so that it can only be used by the calling user on the machine (see the documenation
on the Microsoft site).
Please note, that you should not use this on non-Window machines, as the encryption only works on Windows machines. Please note, you do not need to create
the AD credentials if you intend to run the script from a Domain machine.
$username="your.name@yourdomain"
$password=read-host "Enter password: " -AsSecureString
Enter password: : *************************
$mscredential = New-Object System.Management.Automation.PSCredential($username, $password)
$mscredential|export-clixml -path msteams_credential.xml
$adcredential = (Get-Credential)
$adcredential|export-clixml -path ad_credential.xmlNow that we have these two files, we can import them for further use:
$mscredential = import-clixml -path msteams_credential.xml
connect-microsoftteams -credential $mscredential
$adcredential = import-clixml -path ad_credential.xmlImplementation
Its best to log into a terminal server. Here you should create the teams credentials file in a place you can access as shown above. Then check if everything is working by calling the script manually:
.\sync_team_with_ad.ps1 -team FooBar -group fooadm -verbose -teamsfile pathtocred.xml -dryrun