When running School Data Sync (SDS), you have the option when creating your Managed data with Microsoft 365 configuration to create and manage Organization (School) Administrative Units (AUs) and Security Groups (SGs).
As the year progresses, SDS keeps the memberships updated: enrollment changes in the Student Information System (SIS) are sent to SDS, which adds or removes memberships accordingly.
When you're getting ready for the next academic session or school year, one step in prepping your environment is to remove any users who transferred to another school or graduated. Run the cleanup only after your connected data source's sync end date is reached.
Grant permissions
Permissions for Administrative Units
Permission type | Least privileged permissions | Higher privileged permissions
---|---|---
Delegated (work or school account) | User.Read.All, AdministrativeUnit.ReadWrite.All | Not supported
Delegated (personal Microsoft account) | Not supported | Not supported
Application | User.Read.All, AdministrativeUnit.ReadWrite.All | Not available
Permissions for Security Groups
Permission type | Least privileged permissions | Higher privileged permissions
---|---|---
Delegated (work or school account) | GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All | Not supported
Delegated (personal Microsoft account) | Not supported | Not supported
Application | GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All | Not available
Prep to run cleanup scripts
First confirm the proper PowerShell module for Microsoft Graph is installed. Instructions can be found here: PowerShell For SDS.
Download one or more scripts and save them in your local c:\temp directory.
Open PowerShell.
Run the following command to set the directory location:
set-location c:\temp
Run the following command to connect to your tenant and grant permissions:
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All","User.Read.All","Group.ReadWrite.All"
The command prompts you to navigate to a webpage for authentication.
Select the Next button or Sign in to proceed. It asks you for permissions and consent on behalf of your organization for connecting to Microsoft Graph PowerShell.
Enable the checkbox 'Consent on behalf of your organization' and select the Accept button.
After successful verification, the PowerShell terminal displays 'Welcome to Microsoft Graph!'
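Before running either cleanup script, a pre-flight check and an export of the current membership give you an audit trail for a destructive change. The following is an added example, not part of the SDS documentation or its scripts; it assumes the Microsoft.Graph PowerShell module is installed and Connect-MgGraph has already succeeded, and the school name 'Contoso High School' is a placeholder.

```powershell
# Added example (not the SDS scripts): verify the session holds the least-privileged
# scopes listed in the Administrative Units table, then snapshot one school AU's
# membership to CSV so the result of RemoveSchoolAU_Membership.ps1 can be reviewed.

function Test-SdsCleanupScopes {
    param([string[]]$Required = @('User.Read.All', 'AdministrativeUnit.ReadWrite.All'))
    $ctx = Get-MgContext
    if (-not $ctx) { throw 'Not connected. Run Connect-MgGraph first.' }
    $missing = $Required | Where-Object { $_ -notin $ctx.Scopes }
    if ($missing) { throw "Session is missing scopes: $($missing -join ', ')" }
    # Anything beyond the least-privileged set is worth a second look before a bulk removal.
    $extra = $ctx.Scopes | Where-Object { $_ -notin $Required }
    if ($extra) { Write-Warning "Session also holds: $($extra -join ', ')" }
}

function Export-SchoolAUMembership {
    param(
        [Parameter(Mandatory)][string]$AUDisplayName,   # placeholder school name supplied by caller
        [string]$OutFile = "c:\temp\AU_members_$(Get-Date -Format yyyyMMdd).csv"
    )
    # Escape single quotes so the display name cannot break out of the OData filter.
    $safeName = $AUDisplayName.Replace("'", "''")
    $au = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq '$safeName'"
    if (-not $au) { throw "No administrative unit named '$AUDisplayName'." }
    if (@($au).Count -gt 1) { throw "More than one AU named '$AUDisplayName'; refine the name." }
    $members = Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All
    $rows = foreach ($m in $members) {
        [pscustomobject]@{
            AU       = $au.DisplayName
            MemberId = $m.Id
            UserName = $m.AdditionalProperties['userPrincipalName']
            Type     = $m.AdditionalProperties['@odata.type']
        }
    }
    $rows | Export-Csv -Path $OutFile -NoTypeInformation
    Write-Host "Exported $(@($rows).Count) members of '$($au.DisplayName)' to $OutFile"
    return $rows
}

Test-SdsCleanupScopes
$snapshot = Export-SchoolAUMembership -AUDisplayName 'Contoso High School'
# Run .\RemoveSchoolAU_Membership.ps1 next, then re-export and compare against $snapshot.
```

For security groups, the same pattern applies with Get-MgGroup and Get-MgGroupMember and the scopes from the Security Groups table.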
Run the Remove-SchoolAU_Membership Script
Type into PowerShell: .\RemoveSchoolAU_Membership.ps1
Hit enter and address any prompts that appear.
Run the Remove-SchoolSG_Membership Script
Note
Only run this script if the Security Group configuration option is set to Organizations or Organizations + Role Groups.
Type into PowerShell: .\RemoveSchoolSG_Membership.ps1
Hit enter and address any prompts that appear.