Merge pull request #247356 from bhaimicrosoft/groups-troubleshooting

v-regandowner · web-flow · commit ffad9b43ad04 · 2023-08-07T11:11:41.000-04:00
Groups troubleshooting Document
diff --git a/articles/active-directory/enterprise-users/groups-restore-deleted.md b/articles/active-directory/enterprise-users/groups-restore-deleted.md
@@ -16,17 +16,17 @@ ms.collection: M365-identity-device-management
 ---
 # Restore a deleted Microsoft 365 group in Azure Active Directory
 
-When you delete a Microsoft 365 group in Azure Active Directory (Azure AD), part of Microsoft Entra, the deleted group is retained but not visible for 30 days from the deletion date. This behavior is so that the group and its contents can be restored if needed. This functionality is restricted exclusively to Microsoft 365 groups in Azure AD. It is not available for security groups and distribution groups. Please note that the 30-day group restoration period is not customizable.
+When you delete a Microsoft 365 group in Azure Active Directory (Azure AD), part of Microsoft Entra, the deleted group is retained but not visible for 30 days from the deletion date. This behavior is so that the group and its contents can be restored if needed. This functionality is restricted exclusively to Microsoft 365 groups in Azure AD. It isn't available for security groups and distribution groups. Please note that the 30-day group restoration period isn't customizable.
 
 > [!NOTE]
-> Don't use `Remove-MsolGroup` because it purges the group permanently. Always use `Remove-AzureADMSGroup` to delete a Microsoft 365 group.
+> Don't use `Remove-MsolGroup` because it purges the group permanently. Always use `Remove-MgBetaGroup` to delete a Microsoft 365 group.
 
 The permissions required to restore a group can be any of the following:
 
 Role | Permissions
 --------- | ---------
-Global administrator, Group administrator, Partner Tier2 support, and Intune administrator | Can restore any deleted Microsoft 365 group
-User administrator and Partner Tier1 support | Can restore any deleted Microsoft 365 group except those groups assigned to the Global Administrator role
+Global administrator, Group administrator, Partner Tier 2 support, and Intune administrator | Can restore any deleted Microsoft 365 group
+User administrator and Partner Tier 1 support | Can restore any deleted Microsoft 365 group except those groups assigned to the Global Administrator role
 User | Can restore any deleted Microsoft 365 group that they own
 
 ## View and manage the deleted Microsoft 365 groups that are available to restore
@@ -46,19 +46,21 @@ User | Can restore any deleted Microsoft 365 group that they own
 
 ## View the deleted Microsoft 365 groups that are available to restore using PowerShell
 
-The following cmdlets can be used to view the deleted groups to verify that the one or ones you're interested in have not yet been permanently purged. These cmdlets are part of the [Azure AD PowerShell module](https://www.powershellgallery.com/packages/AzureAD/). More information about this module can be found in the [Azure Active Directory PowerShell Version 2](/powershell/azure/active-directory/install-adv2) article.
+The following cmdlets can be used to view the deleted groups to verify that the one or ones you're interested in haven't yet been permanently purged. These cmdlets are part of the [Microsoft Graph PowerShell module](/powershell/microsoftgraph/installation?view=graph-powershell-1.0&preserve-view=true). More information about this module can be found in the [Microsoft Graph PowerShell overview](/powershell/microsoftgraph/overview?view=graph-powershell-1.0&preserve-view=true) article.
 
-1.  Run the following cmdlet to display all deleted Microsoft 365 groups in your Azure AD organization that are still available to restore.
+1.  Run the following cmdlet to display all deleted Microsoft 365 groups in your Azure AD organization that are still available to restore. Please install the [Graph](/powershell/microsoftgraph/installation?view=graph-powershell-1.0&preserve-view=true) beta version if it isn't already installed on the machine.
    
 
     ```powershell
-    Get-AzureADMSDeletedGroup
+    Install-Module Microsoft.Graph.Beta
+    Connect-MgGraph -Scopes "Group.ReadWrite.All"
+    Get-MgBetaDirectoryDeletedGroup
     ```
 
-2.  Alternately, if you know the objectID of a specific group (and you can get it from the cmdlet in step 1), run the following cmdlet to verify that the specific deleted group has not yet been permanently purged.
+2.  Alternately, if you know the objectID of a specific group (and you can get it from the cmdlet in step 1), run the following cmdlet to verify that the specific deleted group hasn't yet been permanently purged.
 
-    ```
-    Get-AzureADMSDeletedGroup –Id <objectId>
+    ```powershell
+    Get-MgBetaDirectoryDeletedGroup -DirectoryObjectId <objectId>
     ```
 
 ## How to restore your deleted Microsoft 365 group using 
@@ -68,20 +70,20 @@ Once you have verified that the group is still available to restore, restore the
 1. Run the following cmdlet to restore the group and its contents.
  
 
-   ```
-    Restore-AzureADMSDeletedDirectoryObject –Id <objectId>
+   ```powershell    
+    Restore-MgBetaDirectoryDeletedItem -DirectoryObjectId <objectId>
     ``` 
 
 2. Alternatively, the following cmdlet can be run to permanently remove the deleted group.
     
 
-    ```
-    Remove-AzureADMSDeletedDirectoryObject –Id <objectId>
+    ```powershell
+    Remove-MgBetaDirectoryDeletedItem -DirectoryObjectId <objectId>
     ```
 
 ## How do you know this worked?
 
-To verify that you’ve successfully restored a Microsoft 365 group, run the `Get-AzureADGroup –ObjectId <objectId>` cmdlet to display information about the group. After the restore request is completed:
+To verify that you’ve successfully restored a Microsoft 365 group, run the `Get-MgBetaGroup –GroupId <objectId>` cmdlet to display information about the group. After the restore request is completed:
 
 - The group appears in the Left navigation bar on Exchange
 - The plan for the group will appear in Planner
diff --git a/articles/active-directory/enterprise-users/groups-troubleshooting.md b/articles/active-directory/enterprise-users/groups-troubleshooting.md
@@ -21,19 +21,32 @@ This article contains troubleshooting information for groups in Azure Active Dir
 ## Troubleshooting group creation issues
 
 **I disabled security group creation in the Azure portal but groups can still be created via PowerShell**  
-The **User can create security groups in Azure portals** setting in the Azure portal controls whether or not non-admin users can create security groups in the Access panel or the Azure portal. It does not control security group creation via PowerShell.
+The **User can create security groups in Azure portals** setting in the Azure portal controls whether or not nonadmin users can create security groups in the Access panel or the Azure portal. It does not control security group creation via PowerShell.
 
-To disable group creation for non-admin users in PowerShell:
-1. Verify that non-admin users are allowed to create groups:
+To disable group creation for nonadmin users in PowerShell:
+1. Verify that nonadmin users are allowed to create groups:
 
    ```powershell
-   Get-MsolCompanyInformation | Format-List UsersPermissionToCreateGroupsEnabled
+   Get-MgBetaDirectorySetting | select -ExpandProperty values
    ```
 
-2. If it returns `UsersPermissionToCreateGroupsEnabled : True`, then non-admin users can create groups. To disable this feature:
+2. If it returns `EnableGroupCreation : True`, then nonadmin users can create groups. To disable this feature:
 
    ```powershell
-   Set-MsolCompanySettings -UsersPermissionToCreateGroupsEnabled $False
+    Install-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
+    Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
+    $params = @{
+	TemplateId = "62375ab9-6b52-47ed-826b-58e47e0e304b"
+	Values = @(		
+		@{
+			Name = "EnableGroupCreation"
+			Value = "false"
+		}		
+	)
+    }
+    Connect-MgGraph -Scopes "Directory.ReadWrite.All"
+    New-MgBetaDirectorySetting -BodyParameter $params
+    
    ```
 
 **I received a max groups allowed error when trying to create a Dynamic Group in PowerShell**  
@@ -46,7 +59,7 @@ To create any new Dynamic groups, you'll first need to delete some existing Dyna
 **I configured a rule on a group but no memberships get updated in the group**  
 1. Verify the values for user or device attributes in the rule. Ensure there are users that satisfy the rule.
 For devices, check the device properties to ensure any synced attributes contain the expected values.  
-2. Check the membership processing status to confirm if it is complete. You can check the [membership processing status](groups-create-rule.md#check-processing-status-for-a-rule) and the last updated date on the **Overview** page for the group.
+2. Check the membership processing status to confirm if it's complete. You can check the [membership processing status](groups-create-rule.md#check-processing-status-for-a-rule) and the last updated date on the **Overview** page for the group.
 
 If everything looks good, please allow some time for the group to populate. Depending on the size of your Azure AD organization, the group may take up to 24 hours for populating for the first time or after a rule change.
 
@@ -57,15 +70,15 @@ This is expected behavior. Existing members of the group are removed when a rule
 Dedicated membership evaluation is done periodically in an asynchronous background process. How long the process takes is determined by the number of users in your directory and the size of the group created as a result of the rule. Typically, directories with small numbers of users will see the group membership changes in less than a few minutes. Directories with a large number of users can take 30 minutes or longer to populate.
 
 **How can I force the group to be processed now?**  
-Currently, there is no way to automatically trigger the group to be processed on demand. However, you can manually trigger the reprocessing by updating the membership rule to add a whitespace at the end.
+Currently, there's no way to automatically trigger the group to be processed on demand. However, you can manually trigger the reprocessing by updating the membership rule to add a whitespace at the end.
 
 **I encountered a rule processing error**  
 The following table lists common dynamic membership rule errors and how to correct them.
 
 | Rule parser error | Error usage | Corrected usage |
 | --- | --- | --- |
 | Error: Attribute not supported. |(user.invalidProperty -eq "Value") |(user.department -eq "value")<br/><br/>Make sure the attribute is on the [supported properties list](groups-dynamic-membership.md#supported-properties). |
-| Error: Operator is not supported on attribute. |(user.accountEnabled -contains true) |(user.accountEnabled -eq true)<br/><br/>The operator used is not supported for the property type (in this example, -contains cannot be used on type boolean). Use the correct operators for the property type. |
+| Error: Operator isn't supported on attribute. |(user.accountEnabled -contains true) |(user.accountEnabled -eq true)<br/><br/>The operator used isn't supported for the property type (in this example, -contains can't be used on type boolean). Use the correct operators for the property type. |
 | Error: Query compilation error. | 1. (user.department -eq "Sales") (user.department -eq "Marketing")<br>2. (user.userPrincipalName -match "\*@domain.ext") | 1. Missing operator. Use -and or -or to join predicates<br>(user.department -eq "Sales") -or (user.department -eq "Marketing")<br>2. Error in regular expression used with -match<br>(user.userPrincipalName -match ".\*@domain.ext")<br>or alternatively: (user.userPrincipalName -match "@domain.ext$") |
 
 ## Next steps
