From 481699a760bb6a23327889c6cf9bdad81a7e58ae Mon Sep 17 00:00:00 2001 From: Gautam Sheth Date: Wed, 3 May 2023 14:07:57 +0300 Subject: [PATCH 1/4] Feature: added parameters to prevent recording downloads in Tenant cmdlet --- CHANGELOG.md | 1 + documentation/Set-PnPTenant.md | 56 +++++++++++++++++++++++++++++++ src/Commands/Admin/SetTenant.cs | 59 ++++++++++++++++++++++++++++++++- 3 files changed, 115 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4fa130652..dc4cbf702 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/). - Added `EnableAzureADB2BIntegration` to be returned by `Get-PnPTenant` [#3022](https://github.com/pnp/powershell/pull/3022) - Added `-SkipUrlValidation` to `Get-PnPSiteCollectionAppCatalog` which allows for skipping the URL validation when retrieving the site collection app catalog making it faster but potentially returning URLs that have been renamed [#2305](https://github.com/pnp/powershell/pull/3025) - Added `Get-PnPLargeListOperationStatus` cmdlet to retrieve the status of a large list operation. [#3033](https://github.com/pnp/powershell/pull/3033) +- Added `-BlockDownloadFileTypePolicy`, `-BlockDownloadFileTypeIds` and `-ExcludedBlockDownloadGroupIds` parameters to `Set-PnPTenant` cmdlet. ### Fixed diff --git a/documentation/Set-PnPTenant.md b/documentation/Set-PnPTenant.md index 3c5027ad1..669cc8378 100644 --- a/documentation/Set-PnPTenant.md +++ b/documentation/Set-PnPTenant.md @@ -119,6 +119,9 @@ Set-PnPTenant [-SpecialCharactersStateInFileFolderNames [-IBImplicitGroupBased ] [-ShowOpenInDesktopOptionForSyncedFiles ] [-ShowPeoplePickerGroupSuggestionsForIB ] + [-BlockDownloadFileTypePolicy ] + [-BlockDownloadFileTypeIds ] + [-ExcludedBlockDownloadGroupIds ] [-Force] [-Connection ] ``` 
@@ -1998,6 +2001,59 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -BlockDownloadFileTypePolicy + +You can block the download of Teams meeting recording files from SharePoint or OneDrive. This allows users to remain productive while addressing the risk of accidental data loss. Users have browser-only access to play the meeting recordings with no ability to download or sync files or access them through apps. + +This policy applies to new meeting recordings across the entire organization. You can exempt people who are members of specified security groups from the policy. This allows you to specify governance or compliance specialists who should have download access to meeting recordings. + +After the policy is turned on, any new Teams meeting recording files created by the Teams service and saved in SharePoint and OneDrive are blocked from download. + +Because this policy affects meeting recordings stored in OneDrive and SharePoint, you must be a SharePoint administrator to configure it. + +Note that this policy doesn't apply to manually uploaded meeting recording files. For more details, see [Block the download of Teams meeting recording files from SharePoint or OneDrive.](https://learn.microsoft.com/en-us/microsoftteams/block-download-meeting-recording) + +```yaml +Type: Boolean +Parameter Sets: (All) + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -BlockDownloadFileTypeIds + +The File Type IDs which need to specified to prevent download. + +```yaml +Type: SPBlockDownloadFileTypeId[] +Parameter Sets: (All) + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ExcludedBlockDownloadGroupIds + +This parameter exempts users in the specified security groups from this policy so that they can download meeting recording files. 
+ +```yaml +Type: GUID[] +Parameter Sets: (All) + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -Force If provided, no confirmation will be requested and the action will be performed diff --git a/src/Commands/Admin/SetTenant.cs b/src/Commands/Admin/SetTenant.cs index d3e5b9080..b72c95571 100644 --- a/src/Commands/Admin/SetTenant.cs +++ b/src/Commands/Admin/SetTenant.cs @@ -6,6 +6,8 @@ using Microsoft.Online.SharePoint.TenantManagement; using System.Collections.Generic; using Microsoft.SharePoint.Client.Sharing; +using Microsoft.SharePoint.Client.Administration; +using System.Linq; namespace PnP.PowerShell.Commands.Admin { @@ -349,6 +351,17 @@ public class SetTenant : PnPAdminCmdlet [Parameter(Mandatory = false)] public int? OneDriveRequestFilesLinkExpirationInDays { get; set; } + [Parameter(Mandatory = false)] + public bool? BlockDownloadFileTypePolicy { get; set; } + + [Parameter(Mandatory = false)] + [ValidateNotNull] + public SPBlockDownloadFileTypeId[] BlockDownloadFileTypeIds { get; set; } + + [Parameter(Mandatory = false)] + [ValidateNotNull] + public Guid[] ExcludedBlockDownloadGroupIds { get; set; } + [Parameter(Mandatory = false)] public SwitchParameter Force; @@ -1058,7 +1071,7 @@ protected override void ExecuteCmdlet() { Tenant.EnableRestrictedAccessControl = EnableRestrictedAccessControl.Value; modified = true; - } + } if (SyncAadB2BManagementPolicy.HasValue) { 
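Review bot: In the `@@ -349,6 +351,17 @@` hunk, `ExcludedBlockDownloadGroupIds` carries only `[ValidateNotNull]`, so the ten-ID ceiling is enforced later by two identical hand-written throws in ExecuteCmdlet rather than at parameter binding. Adding `[ValidateCount(0, 10)]` to the property would reject an oversized list before any tenant call and still allow an empty array, which the later code appears to accept as a way to clear the list. The three new properties also have no comments. Because the group list names the principals exempted from a download-blocking control, a short comment such as `// Security groups exempt from the block-download policy (max 10)` above it would help the next reviewer. The SetTenant class body starts and ends outside this hunk.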
@@ -1209,6 +1222,50 @@ protected override void ExecuteCmdlet() modified = true; } + if (BlockDownloadFileTypePolicy.HasValue) + { + if (!BlockDownloadFileTypePolicy.Value) + { + Tenant.SetBlockDownloadFileTypePolicyData(BlockDownloadFileTypePolicy.Value, new SPBlockDownloadFileTypeId[0], new Guid[0]); + modified = true; + } + else + { + if (BlockDownloadFileTypeIds == null || BlockDownloadFileTypeIds.Length == 0) + { + throw new InvalidOperationException("Please specify the File Type Ids that you want to block for download."); + } + if (BlockDownloadFileTypeIds.Contains(SPBlockDownloadFileTypeId.TeamsMeetingRecording)) + { + WriteWarning("Please note that this policy only prevents download of Teams Meeting Recording files saved in SharePoint Online by the Teams service. Only new meeting recordings saved after this policy is set will be impacted."); + } + BlockDownloadFileTypeIds = BlockDownloadFileTypeIds.Distinct().ToArray(); + if (ExcludedBlockDownloadGroupIds != null && ExcludedBlockDownloadGroupIds.Length != 0) + { + if (ExcludedBlockDownloadGroupIds.Length > 10) + { + throw new InvalidOperationException("You can only specify 10 IDs in the Block Download File Type Policy Invalid Exclusion List"); + } + Tenant.SetBlockDownloadFileTypePolicyData(BlockDownloadFileTypePolicy.Value, BlockDownloadFileTypeIds, ExcludedBlockDownloadGroupIds); + } + else + { + Tenant.SetBlockDownloadFileTypePolicyData(BlockDownloadFileTypePolicy.Value, BlockDownloadFileTypeIds, new Guid[0]); + } + modified = true; + } + + } + else if (ExcludedBlockDownloadGroupIds != null) + { + if (ExcludedBlockDownloadGroupIds.Length > 10) + { + throw new InvalidOperationException("You can only specify 10 IDs in the Block Download File Type Policy Invalid Exclusion List"); + } + Tenant.SetBlockDownloadFileTypePolicyExclusionList(ExcludedBlockDownloadGroupIds); + modified = true; + } + if (modified) { AdminContext.ExecuteQueryRetry(); 
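Review bot: `-BlockDownloadFileTypeIds` is silently dropped when `-BlockDownloadFileTypePolicy` is not passed, because the outer `else if` only looks at `ExcludedBlockDownloadGroupIds`; an administrator who supplies only file type IDs gets no error and no change to the tenant's download-blocking policy. Failing loudly is safer for a data-protection setting, for example by inserting `else if (BlockDownloadFileTypeIds != null) { throw new InvalidOperationException("Specify -BlockDownloadFileTypePolicy together with -BlockDownloadFileTypeIds."); }` ahead of the exclusion-list branch. The `!BlockDownloadFileTypePolicy.Value` branch has the same problem: any supplied file type IDs or group IDs are replaced by empty arrays without a warning. The ten-ID check is also written twice with identical text and could be hoisted above the outer `if`. ExecuteCmdlet begins and ends outside this hunk.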
From 23b51a6397366e093a89e748703887280d8960a9 Mon Sep 17 00:00:00 2001 From: Gautam Sheth Date: Wed, 3 May 2023 14:09:33 +0300 Subject: [PATCH 2/4] Update CHANGELOG.md --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dc4cbf702..ca3b8dce1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,7 +17,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/). - Added `EnableAzureADB2BIntegration` to be returned by `Get-PnPTenant` [#3022](https://github.com/pnp/powershell/pull/3022) - Added `-SkipUrlValidation` to `Get-PnPSiteCollectionAppCatalog` which allows for skipping the URL validation when retrieving the site collection app catalog making it faster but potentially returning URLs that have been renamed [#2305](https://github.com/pnp/powershell/pull/3025) - Added `Get-PnPLargeListOperationStatus` cmdlet to retrieve the status of a large list operation. [#3033](https://github.com/pnp/powershell/pull/3033) -- Added `-BlockDownloadFileTypePolicy`, `-BlockDownloadFileTypeIds` and `-ExcludedBlockDownloadGroupIds` parameters to `Set-PnPTenant` cmdlet. +- Added `-BlockDownloadFileTypePolicy`, `-BlockDownloadFileTypeIds` and `-ExcludedBlockDownloadGroupIds` parameters to `Set-PnPTenant` cmdlet. [#3081](https://github.com/pnp/powershell/pull/3081) ### Fixed From 774ed715e83c69fc8af5d3d58eadee488506cb55 Mon Sep 17 00:00:00 2001 From: Koen Zomers Date: Tue, 23 May 2023 13:11:28 +0200 Subject: [PATCH 3/4] Merging code --- documentation/Set-PnPTenant.md | 6 +++--- src/Commands/Admin/SetTenant.cs | 22 ++++++++++++++++++++-- 2 files changed, 23 insertions(+), 5 deletions(-) diff --git a/documentation/Set-PnPTenant.md b/documentation/Set-PnPTenant.md index 669cc8378..8e1225b5f 100644 --- a/documentation/Set-PnPTenant.md +++ b/documentation/Set-PnPTenant.md 
@@ -880,7 +880,7 @@ True (default) - The Shared with Everyone folder is created. False - No folder is created when the site and OneDrive for Business document library is created. The default behavior of the Shared with Everyone folder changed in August 2015. -For additional information about the change, see Provision the Shared with Everyone folder in OneDrive for Business (https://support.office.com/en-us/article/Provision-the-Shared-with-Everyone-folder-in-OneDrive-for-Business-6bb02c91-fd0b-42ba-9457-3921cb6dc5b2?ui=en-US&rs=en-US&ad=US) +For additional information about the change, see Provision the Shared with Everyone folder in OneDrive for Business (https://support.office.com/article/Provision-the-Shared-with-Everyone-folder-in-OneDrive-for-Business-6bb02c91-fd0b-42ba-9457-3921cb6dc5b2) ```yaml Type: Boolean @@ -1754,7 +1754,7 @@ In this case, Whiteboard provides temporary viewing and collaboration on the whi If you have external sharing enabled for OneDrive for Business, no further action is required. -If you restrict external sharing for OneDrive for Business, you can keep it restricted, and just enable this new setting in order for external and shared device accounts to work. For more information, see [Manage sharing for Microsoft Whiteboard](https://learn.microsoft.com/en-us/microsoft-365/whiteboard/manage-sharing-organizations). +If you restrict external sharing for OneDrive for Business, you can keep it restricted, and just enable this new setting in order for external and shared device accounts to work. For more information, see [Manage sharing for Microsoft Whiteboard](https://learn.microsoft.com/microsoft-365/whiteboard/manage-sharing-organizations). ```yaml Type: SharingState 
@@ -2011,7 +2011,7 @@ After the policy is turned on, any new Teams meeting recording files created by Because this policy affects meeting recordings stored in OneDrive and SharePoint, you must be a SharePoint administrator to configure it. -Note that this policy doesn't apply to manually uploaded meeting recording files. For more details, see [Block the download of Teams meeting recording files from SharePoint or OneDrive.](https://learn.microsoft.com/en-us/microsoftteams/block-download-meeting-recording) +Note that this policy doesn't apply to manually uploaded meeting recording files. For more details, see [Block the download of Teams meeting recording files from SharePoint or OneDrive.](https://learn.microsoft.com/microsoftteams/block-download-meeting-recording) ```yaml Type: Boolean diff --git a/src/Commands/Admin/SetTenant.cs b/src/Commands/Admin/SetTenant.cs index b72c95571..4f122cb11 100644 --- a/src/Commands/Admin/SetTenant.cs +++ b/src/Commands/Admin/SetTenant.cs @@ -351,6 +351,12 @@ public class SetTenant : PnPAdminCmdlet [Parameter(Mandatory = false)] public int? OneDriveRequestFilesLinkExpirationInDays { get; set; } + [Parameter(Mandatory = false)] + public string ArchiveRedirectUrl { get; set; } + + [Parameter(Mandatory = false)] + public bool? BlockSendLabelMismatchEmail { get; set; } + [Parameter(Mandatory = false)] public bool? BlockDownloadFileTypePolicy { get; set; } @@ -363,7 +369,7 @@ public class SetTenant : PnPAdminCmdlet public Guid[] ExcludedBlockDownloadGroupIds { get; set; } [Parameter(Mandatory = false)] - public SwitchParameter Force; + public SwitchParameter Force; protected override void ExecuteCmdlet() { 
@@ -1222,6 +1228,18 @@ protected override void ExecuteCmdlet() modified = true; } + if (ShowPeoplePickerGroupSuggestionsForIB.HasValue) + { + Tenant.ArchiveRedirectUrl = ArchiveRedirectUrl; + modified = true; + } + + if (BlockSendLabelMismatchEmail.HasValue) + { + Tenant.BlockSendLabelMismatchEmail = BlockSendLabelMismatchEmail.Value; + modified = true; + } + if (BlockDownloadFileTypePolicy.HasValue) { if (!BlockDownloadFileTypePolicy.Value) @@ -1264,7 +1282,7 @@ protected override void ExecuteCmdlet() } Tenant.SetBlockDownloadFileTypePolicyExclusionList(ExcludedBlockDownloadGroupIds); modified = true; - } + } if (modified) { From 23bf50193a30e851478f9030c3756f720c766a9f Mon Sep 17 00:00:00 2001 From: Koen Zomers Date: Tue, 23 May 2023 13:15:44 +0200 Subject: [PATCH 4/4] Resolving merge conflicts --- src/Commands/Admin/SetTenant.cs | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/src/Commands/Admin/SetTenant.cs b/src/Commands/Admin/SetTenant.cs index 0ea50119c..8eee90f10 100644 --- a/src/Commands/Admin/SetTenant.cs +++ b/src/Commands/Admin/SetTenant.cs @@ -349,13 +349,7 @@ public class SetTenant : PnPAdminCmdlet public bool? ShowPeoplePickerGroupSuggestionsForIB { get; set; } [Parameter(Mandatory = false)] - public int? OneDriveRequestFilesLinkExpirationInDays { get; set; } - - [Parameter(Mandatory = false)] - public string ArchiveRedirectUrl { get; set; } - - [Parameter(Mandatory = false)] - public bool? BlockSendLabelMismatchEmail { get; set; } + public int? OneDriveRequestFilesLinkExpirationInDays { get; set; } [Parameter(Mandatory = false)] public bool? BlockDownloadFileTypePolicy { get; set; }
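Review bot: The first added block in the `@@ -1222,6 +1228,18 @@` hunk guards on the wrong parameter: `if (ShowPeoplePickerGroupSuggestionsForIB.HasValue)` wraps `Tenant.ArchiveRedirectUrl = ArchiveRedirectUrl;`, a condition that was apparently carried over from another block. As written, passing only `-ShowPeoplePickerGroupSuggestionsForIB` assigns the unset (null) `ArchiveRedirectUrl` to the tenant, and passing only `-ArchiveRedirectUrl` does nothing. The guard should test the string itself, `if (ArchiveRedirectUrl != null)`. Patch 4/4 then removes the `ArchiveRedirectUrl` and `BlockSendLabelMismatchEmail` property declarations that this block relies on, so it is worth confirming after the merge that each is declared exactly once elsewhere in the class. ExecuteCmdlet starts and ends outside this hunk.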