Resource behavior options not being properly set by aad o365group add #5408

Closed
alpozz opened this issue Aug 21, 2023 · 10 comments

alpozz commented Aug 21, 2023

Priority

(Medium) I'm annoyed but I'll live

Description

Upon running aad o365group add with --subscribeNewGroupMembers and without --allowMembersToPost, the resulting group: (i) does not have subscribe new members; and (ii) does not accept email from external addresses.

Steps to reproduce

Running the following code, then checking the group options in the Microsoft admin center:

m365 aad o365group add --displayName "Test-37" --description "Test Desc" --mailNickname "KM.Test-37" --subscribeNewGroupMembers --isPrivate

Expected results

The group that is created should have subscribenewgroupmembers enabled and should accept emails from external addresses.

Actual results

The group that is created has subscribenewgroupmembers disabled and does not accept email from external addresses.

Diagnostics

Executing command aad o365group add with options {"options":{"subscribeNewGroupMembers":true,"displayName":"Test-37","description":"Test Desc","mailNickname":"KM.Test-37","isPrivate":true,"debug":true,"output":"json"}}
Creating Microsoft 365 Group...
No users to validate, skipping.
No users to validate, skipping.
Existing access token ... still valid. Returning...
Request:
{
"url": "https://graph.microsoft.com/v1.0/groups",
"method": "post",
"headers": {
"common": {
"Accept": "application/json, text/plain, */*"
},
"delete": {},
"get": {},
"head": {},
"post": {
"Content-Type": "application/x-www-form-urlencoded"
},
"put": {
"Content-Type": "application/x-www-form-urlencoded"
},
"patch": {
"Content-Type": "application/x-www-form-urlencoded"
},
"user-agent": "NONISV|SharePointPnP|CLIMicrosoft365/6.8.0",
"accept-encoding": "gzip, deflate",
"X-ClientService-ClientTag": "M365CLI:6.8.0",
"accept": "application/json;odata.metadata=none",
"authorization": "Bearer ..."
},
"responseType": "json",
"decompress": true,
"data": {
"description": "Test Desc",
"displayName": "Test-37",
"groupTypes": [
"Unified"
],
"mailEnabled": true,
"mailNickname": "KM.Test-37",
"resourceBehaviorOptions": [
"subscribeNewGroupMembers"
],
"securityEnabled": false,
"visibility": "Private"
}
}
Response:
{
"url": "https://graph.microsoft.com/v1.0/groups",
"status": 201,
"statusText": "Created",
"headers": {
"cache-control": "no-cache",
"transfer-encoding": "chunked",
"content-type": "application/json;odata.metadata=none;odata.streaming=true;IEEE754Compatible=false;charset=utf-8",
"location": "https://graph.microsoft.com/v2/99ef6887-0280-42f2-abc1-074bc825ec41/directoryObjects/c5e37752-fbf6-4083-9599-940d94b160f9/Microsoft.DirectoryServices.Group",
"vary": "Accept-Encoding",
"strict-transport-security": "max-age=31536000",
"request-id": "4bd0f79f-e1b1-41a7-8ef3-ce42e4d90697",
"client-request-id": "4bd0f79f-e1b1-41a7-8ef3-ce42e4d90697",
"x-ms-ags-diagnostic": "{"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"005","RoleInstance":"AM4PEPF0001513D"}}",
"x-ms-resource-unit": "1",
"odata-version": "4.0",
"date": "Mon, 21 Aug 2023 13:22:07 GMT",
"connection": "close"
},
"data": {
"id": "c5e37752-fbf6-4083-9599-940d94b160f9",
"deletedDateTime": null,
"classification": null,
"createdDateTime": "2023-08-21T13:22:07Z",
"creationOptions": [
"ExchangeProvisioningFlags:2020"
],
"description": "Test Desc",
"displayName": "Test-37",
"expirationDateTime": null,
"groupTypes": [
"Unified"
],
"isAssignableToRole": null,
"mail": "KM.Test-37@....onmicrosoft.com",
"mailEnabled": true,
"mailNickname": "KM.Test-37",
"membershipRule": null,
"membershipRuleProcessingState": null,
"onPremisesDomainName": null,
"onPremisesLastSyncDateTime": null,
"onPremisesNetBiosName": null,
"onPremisesSamAccountName": null,
"onPremisesSecurityIdentifier": null,
"onPremisesSyncEnabled": null,
"preferredDataLocation": null,
"preferredLanguage": null,
"proxyAddresses": [
"SMTP:KM.Test-37@....onmicrosoft.com"
],
"renewedDateTime": "2023-08-21T13:22:07Z",
"resourceBehaviorOptions": [
"subscribeNewGroupMembers"
],
"resourceProvisioningOptions": [],
"securityEnabled": false,
"securityIdentifier": "S-1-12-1-3320018770-1082391542-227842453-4183863700",
"theme": null,
"visibility": "Private",
"onPremisesProvisioningErrors": [],
"serviceProvisioningErrors": []
}
}
logoPath not set. Skipping
{
"id": "c5e37752-fbf6-4083-9599-940d94b160f9",
"deletedDateTime": null,
"classification": null,
"createdDateTime": "2023-08-21T13:22:07Z",
"creationOptions": [
"ExchangeProvisioningFlags:2020"
],
"description": "Test Desc",
"displayName": "Test-37",
"expirationDateTime": null,
"groupTypes": [
"Unified"
],
"isAssignableToRole": null,
"mail": "KM.Test-37@....onmicrosoft.com",
"mailEnabled": true,
"mailNickname": "KM.Test-37",
"membershipRule": null,
"membershipRuleProcessingState": null,
"onPremisesDomainName": null,
"onPremisesLastSyncDateTime": null,
"onPremisesNetBiosName": null,
"onPremisesSamAccountName": null,
"onPremisesSecurityIdentifier": null,
"onPremisesSyncEnabled": null,
"preferredDataLocation": null,
"preferredLanguage": null,
"proxyAddresses": [
"SMTP:KM.Test-37@....onmicrosoft.com"
],
"renewedDateTime": "2023-08-21T13:22:07Z",
"resourceBehaviorOptions": [
"subscribeNewGroupMembers"
],
"resourceProvisioningOptions": [],
"securityEnabled": false,
"securityIdentifier": "S-1-12-1-3320018770-1082391542-227842453-4183863700",
"theme": null,
"visibility": "Private",
"onPremisesProvisioningErrors": [],
"serviceProvisioningErrors": []
}
DONE

CLI for Microsoft 365 version

v6.8.0

nodejs version

v18.12.0

Operating system (environment)

Windows

Shell

PowerShell

cli doctor

{
"os": {
"platform": "win32",
"version": "Windows 10 Pro",
"release": "10.0.22621"
},
"cliVersion": "6.8.0",
"nodeVersion": "v18.12.0",
"cliAadAppId": "31359c7f-bd7e-475c-86db-fdb8c937548e",
"cliAadAppTenant": "common",
"authMode": "Browser",
"cliEnvironment": "",
"cliConfig": {},
"roles": [],
"scopes": [
"AllSites.FullControl",
"AppCatalog.ReadWrite.All",
"AuditLog.Read.All",
"ChannelMember.ReadWrite.All",
"ChannelMessage.Read.All",
"ChannelMessage.Send",
"ChannelSettings.ReadWrite.All",
"Chat.Read",
"Chat.ReadWrite",
"Directory.AccessAsUser.All",
"Directory.ReadWrite.All",
"Group.ReadWrite.All",
"IdentityProvider.ReadWrite.All",
"Mail.ReadWrite",
"Mail.Send",
"Place.Read.All",
"Policy.Read.All",
"Reports.Read.All",
"SecurityEvents.Read.All",
"ServiceHealth.Read.All",
"ServiceMessage.Read.All",
"ServiceMessageViewpoint.Write",
"Tasks.ReadWrite",
"Team.Create",
"TeamMember.ReadWrite.All",
"TeamsApp.ReadWrite.All",
"TeamsAppInstallation.ReadWriteForUser",
"TeamSettings.ReadWrite.All",
"TeamsTab.ReadWrite.All",
"TermStore.ReadWrite.All",
"User.Invite.All",
"User.ReadWrite.All",
"profile",
"openid",
"email",
"AllSites.FullControl",
"AppCatalog.ReadWrite.All",
"AuditLog.Read.All",
"ChannelMember.ReadWrite.All",
"ChannelMessage.Read.All",
"ChannelMessage.Send",
"ChannelSettings.ReadWrite.All",
"Chat.Read",
"Chat.ReadWrite",
"Directory.AccessAsUser.All",
"Directory.ReadWrite.All",
"Group.ReadWrite.All",
"IdentityProvider.ReadWrite.All",
"Mail.ReadWrite",
"Mail.Send",
"Place.Read.All",
"Policy.Read.All",
"Reports.Read.All",
"SecurityEvents.Read.All",
"ServiceHealth.Read.All",
"ServiceMessage.Read.All",
"ServiceMessageViewpoint.Write",
"Tasks.ReadWrite",
"Team.Create",
"TeamMember.ReadWrite.All",
"TeamsApp.ReadWrite.All",
"TeamsAppInstallation.ReadWriteForUser",
"TeamSettings.ReadWrite.All",
"TeamsTab.ReadWrite.All",
"TermStore.ReadWrite.All",
"User.Invite.All",
"User.ReadWrite.All",
"AllSites.FullControl",
"AppCatalog.ReadWrite.All",
"AuditLog.Read.All",
"ChannelMember.ReadWrite.All",
"ChannelMessage.Read.All",
"ChannelMessage.Send",
"ChannelSettings.ReadWrite.All",
"Chat.Read",
"Chat.ReadWrite",
"Directory.AccessAsUser.All",
"Directory.ReadWrite.All",
"Group.ReadWrite.All",
"IdentityProvider.ReadWrite.All",
"Mail.ReadWrite",
"Mail.Send",
"Place.Read.All",
"Policy.Read.All",
"Reports.Read.All",
"SecurityEvents.Read.All",
"ServiceHealth.Read.All",
"ServiceMessage.Read.All",
"ServiceMessageViewpoint.Write",
"Tasks.ReadWrite",
"Team.Create",
"TeamMember.ReadWrite.All",
"TeamsApp.ReadWrite.All",
"TeamsAppInstallation.ReadWriteForUser",
"TeamSettings.ReadWrite.All",
"TeamsTab.ReadWrite.All",
"TermStore.ReadWrite.All",
"User.Invite.All",
"User.ReadWrite.All"
]
}

Additional Info

No response

@alpozz alpozz added the bug label Aug 21, 2023
@milanholemans
Contributor

Thank you for logging this issue @alpozz. That doesn't really look right, we'll have a look at it.

@milanholemans
Contributor

milanholemans commented Aug 23, 2023

After doing some research, seems like this option is something different from what you try to achieve. The only description I can find for this property is "Group members are subscribed to receive group conversations." However, this is not for the thing you are trying to achieve. I don't really have a clue what it's used for, it sounds kind of similar (but it obviously isn't).

This option was introduced in #3080, @garrytrinder / @pnp/cli-for-microsoft-365-maintainers do you by any chance have any idea what this option is used for?

@alpozz if you want to enable "Send copies of team emails and events to team members' inboxes" for this group, we will have to introduce a new option for this command because this option is not exposed yet by the command.

@alpozz
Author

alpozz commented Aug 24, 2023

Thank you very much for working on this @milanholemans.

I'm mostly certain that the --subscribeNewGroupMembers option and the "Send copies of team emails and events to team members' inboxes" setting are related. PnP PowerShell's version of the cmdlet uses a similar option (-ResourceBehaviorOptions SubscribeNewGroupMembers, see https://pnp.github.io/powershell/cmdlets/New-PnPMicrosoft365Group.html) and this does indeed result in the enabling of "Send copies of team emails and events to team members' inboxes".

Also, I've been using the CLI cmdlet in my scripts for around a couple of years, and I was able to get the results that I expected. This change probably occurred sometime around May-June 2023. Groups I've created in May and early June were configured correctly, but groups created in early August appear not. I'm unfortunately not able to identify at which version it started occurring; but could it be the v6 upgrade? Because the v6 apparently changed one of the parameters to a flag (https://pnp.github.io/cli-microsoft365/v6-upgrade-guidance).

Finally, I also note the other issue which is "let people outside the organization email this team". It also used to be the case that this was enabled by default unless I used --allowMembersToPost. It now seems to default to disabled, and I'm not sure how I can enable it. But this may not be due to CLI, because PnP PowerShell's cmdlet also results in the same issue (i.e. the setting is disabled by default).

@milanholemans
Contributor

Thank you for the extra information @alpozz.
Can you confirm that this option still works in PnP.PowerShell? That would be odd, looking at our code history, I can't really see a point in time where this functionality would break. So my guess is that something changed with the Graph API that we use (which shouldn't happen).

Yesterday I played around a bit with this command. The API request looks correct to me. The only way for me to enable the "Send copies of team emails and events to team members' inboxes" option was by doing an additional request to set another property of the group that isn't exposed by our command yet.
I will try to find some more time this evening to look into it some more.

@milanholemans milanholemans self-assigned this Aug 24, 2023
@garrytrinder
Member

> This option was introduced in #3080, @garrytrinder / @pnp/cli-for-microsoft-365-maintainers do you by any chance have any idea what this option is used for?

Setting the different properties in the resourceBehaviorOptions when creating a Microsoft 365 group allows you to set different behaviours to the defaults that are set, for example, when you create a SharePoint site or Microsoft Team through the UI. The idea is that you can create the group with the desired behaviours and then Teamify the group.

Source: https://learn.microsoft.com/graph/group-set-options

As this affects both CLI and PnP PowerShell, it's likely that something has changed in the Graph, or it's not possible to use certain combinations of settings together.

It looks like new options have become available since we implemented #3080 so we should look to implement these options on the command.

@milanholemans
Contributor

> It looks like new options have become available since we implemented #3080 so we should look to implement these options on the command.

Yes was thinking exactly the same. A few options are looking quite useful. However, I don't really understand the difference between resourceBehaviorOptions/SubscribeNewGroupMembers and autoSubscribeNewMembers.
The last option enables the checkbox "Send copies of team emails and events to team members' inboxes", the former doesn't.
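
A post-provisioning check for the situation discussed above, as an added example that is not part of the thread or of CLI for Microsoft 365: the 201 response echoed the requested resourceBehaviorOptions value even though the effective setting stayed off, so the check reads the group's effective properties instead of trusting the echo. Assumptions: the option-to-property mapping is taken from the comments above, allowExternalSenders is assumed to be the Graph group property behind the external-email setting, the desired values are the reporter's expected results, the effective values are constructed, and the function names are hypothetical.

```javascript
// Added example; not code from CLI for Microsoft 365.
// Group properties that Graph returns only when named in $select.
const SELECT = ['autoSubscribeNewMembers', 'allowExternalSenders'];

// Assumption from the thread: this creation option is expected to surface
// as this effective property. Keys are lower-cased for matching.
const OPTION_TO_PROPERTY = { subscribenewgroupmembers: 'autoSubscribeNewMembers' };

function verificationUrl(groupId) {
  const id = encodeURIComponent(groupId);
  return `https://graph.microsoft.com/v1.0/groups/${id}?$select=${SELECT.join(',')}`;
}

// created: body of the 201 response; effective: body of GET verificationUrl();
// desired: the settings the operator expects the group to end up with.
function findDrift(created, effective, desired) {
  const findings = [];
  for (const [prop, want] of Object.entries(desired)) {
    if (!(prop in effective)) {
      findings.push({ prop, issue: 'not returned' });
    } else if (effective[prop] !== want) {
      findings.push({ prop, issue: 'mismatch', want, got: effective[prop] });
    }
  }
  // An option echoed back by the create call is not proof that it took effect.
  for (const option of created.resourceBehaviorOptions || []) {
    const prop = OPTION_TO_PROPERTY[option.toLowerCase()];
    if (prop && effective[prop] !== true) {
      findings.push({ prop, issue: 'echoed but not effective', option });
    }
  }
  return findings;
}

// Sample: id and option as in the issue's debug output; effective values are
// constructed to match the reported symptom; desired values are the reporter's.
const sampleCreated = {
  id: 'c5e37752-fbf6-4083-9599-940d94b160f9',
  resourceBehaviorOptions: ['subscribeNewGroupMembers']
};
const sampleEffective = { autoSubscribeNewMembers: false, allowExternalSenders: false };
const sampleDesired = { autoSubscribeNewMembers: true, allowExternalSenders: true };

function runSample() {
  return findDrift(sampleCreated, sampleEffective, sampleDesired);
}

console.log(verificationUrl(sampleCreated.id));
console.log(JSON.stringify(runSample(), null, 2));
```

Run against a real tenant, the `effective` object would be the JSON returned by a GET on the URL from `verificationUrl()`; a finding of `not returned` means the property was missing from that response.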

@alpozz
Author

alpozz commented Aug 24, 2023

> Thank you for the extra information @alpozz.
> Can you confirm that this option still works in PnP.PowerShell? That would be odd, looking at our code history, I can't really see a point in time where this functionality would break. So my guess is that something changed with the Graph API that we use (which shouldn't happen).

Yes, I can confirm that it works in PnP.PowerShell. I'd tested that before posting here. The code I ran there was this:
New-PnPMicrosoft365Group -DisplayName "Test-36" -Description "Test desc" -MailNickname "KM.Test-36" -IsPrivate -ResourceBehaviorOptions SubscribeNewGroupMembers

And the resulting group had the checkbox enabled:
image

@milanholemans
Contributor

All right found the culprit for this issue. Will provide a PR with the fix. Thank you for bringing this to the surface @alpozz!

> This change probably occurred sometime around May-June 2023. Groups I've created in May and early June were configured correctly, but groups created in early August appear not.

In that case, probably something changed on the API we use because I can't see any significant changes since this option was introduced.

milanholemans added a commit to milanholemans/cli-microsoft365 that referenced this issue Aug 27, 2023
milanholemans added a commit to milanholemans/cli-microsoft365 that referenced this issue Aug 31, 2023
@Jwaegebaert Jwaegebaert added this to the v7 milestone Sep 8, 2023
@Jwaegebaert
Contributor

Hey @alpozz, the fix has just been implemented in the latest beta release. If you want to test it out, you can install it using npm i -g @pnp/cli-microsoft365@next

@milanholemans
Contributor

Note that this is a new major release and o365group add is renamed to m365group add.
