How to Set Up Group Naming Policy in Microsoft Entra ID

Have you ever been part of a group with a name so confusing that you wondered if it had a purpose at all? Names are powerful, just as your name distinguishes you in a crowded room. In the internet age, where collaboration and connectivity are vital, the way you name your groups in Microsoft 365 holds incredible significance. The naming policy you assign to your Microsoft 365 groups play a pivotal role in shaping their identity and functionality.

This issue becomes even more challenging with self-service group management in Entra ID, allowing users to create and manage security and Microsoft 365 groups. To address these concerns, Microsoft 365 offers a solution – group naming policy in Microsoft Entra ID.

In this blog post, we’ll explore what a group naming policy is and the significance of implementing it in your organization. The blog covers the following,

1. What is a group naming policy in Microsoft 365?
2. Group naming policy features in Microsoft 365
3. How to set up group naming policy in Microsoft Entra ID
4. Configure group naming policy using Azure AD PowerShell
5. Group naming policy experience across Microsoft 365 apps

The group naming policy is applied when creating or editing group names, specifically for Microsoft 365 groups in services like Outlook, Microsoft Teams, SharePoint, Planner, Viva Engage, etc. It is applied to both group names and group aliases. However, it is important to note that this policy doesn’t impact the naming of distribution groups in Exchange Online. With a group naming policy, you can

• Understand the group’s function, membership, location, or ownership based on organizational needs.
• Categorize groups in the global address list [GAL].
• Block offensive words from being used in group names and aliases.
• Block use of business terms, department names, and client/vendor/competitor names to Microsoft 365 groups.

IMPORTANT: If you have an existing Exchange group naming policy and set up a group naming policy in Microsoft Entra ID, the Microsoft Entra ID policy will be enforced in your organization. It’s crucial to note this interplay between policies.

To configure the group naming policy in Microsoft 365, users, including guests, require Microsoft Entra ID P1 or Microsoft Entra Basic EDU licenses. Admins creating the naming policy must also meet this licensing requirement. Additionally, setting up the group naming policy requires having one of the following roles: Global Administrator, Group Administrator, or Directory Writer.

In Microsoft Entra ID, you can implement group naming policies through two methods:

1. Prefix-suffix naming policy
2. Custom blocked words

Prefixes and suffixes serve diverse purposes in group naming policies. They are automatically added to group names upon creation.

Example: Japan_Group Name_QualityCheck, where “Japan” is the prefix, and “QualityCheck” is the suffix.

NOTE: Multiple instances of prefixes and suffixes can be defined, but only one instance of [GroupName] is allowed. Moreover, the total allowable number of characters for the group name is 63, including all prefixes and suffixes.

Fixed Strings and User Attributes in Prefixes and Suffixes:

Prefixes and suffixes can be fixed strings or user attributes. Fixed strings are enforced directly in the naming convention. Use fixed strings for quick scanning and differentiation of groups in the global address list and left navigation links of group workloads. For instance, employ common prefixes like ‘Grp_Name’ or ‘#Name’.”

User attributes aid in identifying the department, office, or geographical location for which a group is created. For example, if the PrefixSuffixNamingRequirement is set as “GRP”[GroupName] [Department] and the user’s department is Content, then the enforced group name would be “GRP GroupName Content.”

Special Characters in Prefixes and Suffixes:

Prefixes and suffixes can include special characters, supported in both group name and group alias. Unsupported characters in the group alias are still applied in the group name but removed from the alias. This may result in differences between the prefixes/suffixes applied to the group name and the group alias.

When users create groups with sensitive acronyms for quick identification, it poses security risks. In such cases, Microsoft’s custom blocked words feature comes in handy. This blocked word list, a comma-separated compilation of phrases, restricts sensitive terms in group names and aliases. This prevents risky acronyms and minimizes unintentional information disclosure.

When dealing with custom blocked words in Microsoft 365 group naming policy, it’s important to note a few key considerations:

• Substring searches are not performed, allowing users to use common words (e.g., “Class”) even if a similar term (e.g., “lass”) is blocked.
• If the group name exactly matches a custom blocked word, the creation of the group with that specific name will fail.
• Blocked words are not case-sensitive.
• Users receive an error if they attempt to enter a blocked word as part of the group name.
• Blocked words do not have any character restrictions.
• The blocked words list has an upper limit of 5000 phrases.

NOTE: Certain admin roles, like Global Administrators and User Administrators, are exempted from the group naming policy across all workloads and endpoints. This allows them to create groups with their preferred names, even if they include blocked words.

The group naming policy in Azure AD provides enhanced control over the types of groups created within organizations. Now, let’s see how to configure the group naming policy in Microsoft Entra ID.

1. Sign in to the Microsoft 365 Entra admin center (formerly known as Azure Active Directory) with a minimum of Groups administrator privileges.
2. Navigate to the “Microsoft Entra ID” (formerly known as Identity) section.
3. Locate “Groups” and choose “All Groups”. Under “Settings,” click on the “Naming policy.”

Add Prefix-Suffix Naming Policy:

1. Navigate to the Group naming policy tab in the ‘Naming policy page’.
2. Add or view prefixes and suffixes for your group names using fixed strings or user attributes.
3. To remove a prefix or suffix, select the item, and choose “Delete.” You can delete multiple items simultaneously.
4. Save your group naming policy in Microsoft Entra ID by clicking the “Save” button.

Download Custom Blocked Words:

1. Navigate to the Naming Policy page and go to the Blocked Words tab.
2. Review the existing list of custom blocked words by selecting “Download.” You can also add new entries to the list but be mindful of the 5000-word limit. The case-insensitive nature of custom blocked words may fill up space rapidly.
3. Upload the updated list of custom blocked words by selecting the file icon, and then click “Save” to apply your changes.

NOTE: To delete a created group naming policy, use the ‘Delete policy’ option in the ‘Naming policy page.’ Confirming the deletion removes the policy, along with any prefix-suffix settings and custom blocked words.”

Although the user interface (UI) method simplifies processes, PowerShell proves invaluable for repetitive tasks. Let’s explore how to configure group naming policies using PowerShell.

1. Install AzureADPreview PowerShell module
2. View the current settings of naming policy
3. Set the group naming policy and assign the custom blocked words
4. Export or import custom blocked words
5. Remove the group naming policy

To configure Microsoft 365 group naming policies, we use the AzureADPreview module. Please note that this module is in preview and may not be fully supported.

1. Launch the Windows PowerShell application with administrator privileges.
2. Before proceeding, ensure to uninstall any previous versions of AzureADPreview or Azure AD. You can use the following cmdlets for uninstallation:
   
   PowerShell

   Uninstall-Module AzureADPreview (Or) Uninstall-Module AzureAD

   1 2 3

   Uninstall-Module AzureADPreview (Or) Uninstall-Module AzureAD

3. Now, install the latest version of AzureADPreview by executing the following cmdlet. You may receive a prompt about accessing an untrusted repository. Respond with ‘Y.’ The installation process may take a few minutes.
   
   PowerShell

   Install-Module AzureADPreview

   1	Install-Module AzureADPreview

4. Next, you’ll need to perform the following actions to import the module and establish a connection to Azure AD using the provided cmdlets:
   
   PowerShell

   Import-Module AzureADPreview Connect-AzureAD

   1 2	Import-Module AzureADPreview Connect-AzureAD

Once you execute the cmdlets, you will encounter a “Sign-in to your account” screen. Here, you should input your credentials and proceed with the login process.

1. Execute the provided cmdlet to retrieve the current group naming policy settings in your organization.
   
   PowerShell

   $Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id $Setting.Values

   1 2	$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id $Setting.Values

1. Now that all the necessary preparations have been made, set up a group naming policy in Microsoft 365 using the provided cmdlet. Include group name prefixes and suffixes, ensuring [GroupName] is part of the setting for proper functionality.
   
   PowerShell

   $Setting["PrefixSuffixNamingRequirement"] =“GRP_[GroupName]_[Department]"

   1	$Setting["PrefixSuffixNamingRequirement"] =“GRP_[GroupName]_[Department]"

2. Use the provided cmdlet to configure custom blocked words for restriction. The provided example demonstrates how you can add your preferred custom words. $Setting[“CustomBlockedWordsList”]=“Payroll,CEO,HR”
   
   PowerShell

   $Setting["CustomBlockedWordsList"]="Payroll,CEO,HR"

   1	$Setting["CustomBlockedWordsList"]="Payroll,CEO,HR"

3. Save the updated group naming policy to take effect by executing the “Set-AzureADDirectorySetting” PowerShell cmdlet.
   
   PowerShell

   Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting

   1	Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting

1. To export a list of blocked words, utilize the following PowerShell script:
   
   PowerShell

   $Words = (Get-AzureADDirectorySetting).Values | Where-Object -Property Name -Value CustomBlockedWordsList -EQ Add-Content "c:\work\currentblockedwordslist.txt" -Value $words.value.Split(",").Replace("`"","")

   1 2	$Words = (Get-AzureADDirectorySetting).Values | Where-Object -Property Name -Value CustomBlockedWordsList -EQ Add-Content "c:\work\currentblockedwordslist.txt" -Value $words.value.Split(",").Replace("`"","")

   • In this example, we’ve exported a list of blocked words to the “customblockedwords.txt” file. Ensure to mention the file of your convenience in the script before running it.
2. Utilize this PowerShell script to import a variety of blocked words.
   
   PowerShell

   $BlockedWords = Get-Content "C:\work\currentblockedwordslist.txt" $BlockedWords = [string]::join(",", $BlockedWords) $Settings = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq "Group.Unified"} if ($Settings.Count -eq 0) {$Template = Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"} $Settings = $Template.CreateDirectorySetting() New-AzureADDirectorySetting -DirectorySetting $Settings $Settings = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq "Group.Unified"}} $Settings["CustomBlockedWordsList"] = $BlockedWords Set-AzureADDirectorySetting -Id $Settings.Id -DirectorySetting $Settings

   1 2 3 4 5 6 7 8 9 10

   $BlockedWords = Get-Content "C:\work\currentblockedwordslist.txt" $BlockedWords = [string]::join(",", $BlockedWords) $Settings = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq "Group.Unified"} if ($Settings.Count -eq 0) {$Template = Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"} $Settings = $Template.CreateDirectorySetting() New-AzureADDirectorySetting -DirectorySetting $Settings $Settings = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq "Group.Unified"}} $Settings["CustomBlockedWordsList"] = $BlockedWords Set-AzureADDirectorySetting -Id $Settings.Id -DirectorySetting $Settings

Remove the group naming policy in Microsoft 365 through Azure AD PowerShell with the following steps.

1. Clear group name prefixes and suffixes.
   
   PowerShell

   $Setting["PrefixSuffixNamingRequirement"] =""

   1	$Setting["PrefixSuffixNamingRequirement"] =""

2. Empty the list of custom blocked words.
   
   PowerShell

   $Setting["CustomBlockedWordsList"]=""

   1	$Setting["CustomBlockedWordsList"]=""

3. Save the updated group naming policy settings.
   
   PowerShell

   Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting

   1	Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting

Ensuring seamless Microsoft 365 group management goes beyond just establishing naming conventions. While we’ve explored methods for naming conventions, monitoring these groups using PowerShell poses a challenge due to the considerable time investment it demands. That’s where AdminDroid Microsoft 365 Reporter steps in —a time-saving solution that neatly organizes groups, provides insightful reports, and makes group management a breeze.

AdminDroid’s Azure AD reporting tool provides a detailed view of all group activities within your organization. Particularly, the Microsoft 365 group reports offered by the tool encompasses a wide array of data, including group members, nested groups, security groups, distribution groups, mail-enabled groups, cloud groups, synced groups, etc., for free! By providing a holistic visualization of your organizational group dynamics, AdminDroid facilitates effective monitoring of Microsoft 365 group usage and enhances overall group management.

In addition, AdminDroid’s Free Azure AD auditing tool simplifies the audit of group metrics such as group owner changes, hidden memberships, usage trends, group operations, etc., with ease. Plus, with its 120+ Free Azure AD reports, AdminDroid facilitates efficient Azure AD management.

AdminDroid is an essential all-in-one solution for Microsoft 365 reporting and auditing. With 1800+ dedicated reports and 30+ smart dashboards, it covers key services like Exchange Online, SharePoint Online, OneDrive, MS Teams, Viva Engage, Power BI, and Stream. Plus, savor AdminDroid’s features: real-time alerting, advanced scheduling, granular access delegation, and fine-tuning filters for seamless Microsoft 365 administration.

Don’t miss out! Hit the download button now and seize a 15-day free trial. Witness firsthand how AdminDroid can transform and simplify your Microsoft 365 management.

In summary, establishing a group naming policy in Microsoft Entra ID is essential for efficient Microsoft 365 group management. This blog details how to set up a group naming policy in Microsoft Entra ID, aiding admins in aligning group names with organizational standards. Additionally, if you want to set the group naming policy automatically, you can use the “automate” capability of Microsoft365DSC, which saves you time and effort.

Furthermore, implementing a group naming policy and group expiration policy is crucial for maintaining order within Microsoft 365. Also, keep a vigilant eye on your groups by utilizing the prebuilt PowerShell script to export Microsoft 365 group report. Feel free to reach out in the comments section for any further questions or clarifications.