Recently, I have been tasked with implementing DLP (Data Loss Prevention) policies at work. One optional precursor to DLP is setting sensitivity labels. While testing (i.e. publishing labels to a test group), you need a catch-all permission group so that if you inadvertently send an email to someone outside the test group, they can still read the document. If not, they will get this error:
My catch-all permission group is a dynamic group created in Azure AD based on the Microsoft 365 Business Premium service plan:
user.assignedPlans -any (assignedPlan.servicePlanId -eq "41781fb2-bc02-4b7c-bd55-b576c07bb09d" -and assignedPlan.capabilityStatus -eq "Enabled")
Any new employee will automatically be put here so I don’t have to manually manage the group. Cool Beans! However, when you create a group, an annoying welcome email is sent to every member of the group. The last thing I want is a barrage of phone calls/emails enquiring about the group. You can’t disable it in the UI. Fortunately, the solution is a simple PowerShell script, with one nuance….
$UserCredential = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://blahblah.outlook.com/Powershell-LiveId -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking
Set-UnifiedGroup -Identity "GroupName" -UnifiedGroupWelcomeMessageEnabled:$false
Before running the last line, create the dynamic group first and configure the rule to include only you. You will get an error that the group doesn’t exist if you don’t create the group first. But creating it with the full rule would send the email to everyone; hence, you add only yourself first. Then you can run the last line above and go back and edit the dynamic group rule to include the service plan.
And if you need the correct ConnectionUri, just run the below and grab everything before the “?”
Connect-IPPSSession -Credential $UserCredential
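The create-narrow, disable, then widen sequence described above, as an added example that is not part of the original post. It connects with Connect-ExchangeOnline and Microsoft Graph PowerShell rather than the Basic-authentication New-PSSession shown above (Exchange Online has since retired Basic authentication), and it refuses to widen the rule unless the welcome message is confirmed off. The pilot UPN, the pilot rule and the variable names are assumptions made for illustration.

```powershell
# Added example, not the post's own script.
# Assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed.
$GroupName = 'GroupName'            # placeholder, as in the post
$PilotUpn  = 'admin@example.com'    # constructed value: your own account
$PilotRule = 'user.userPrincipalName -eq "{0}"' -f $PilotUpn
$FinalRule = 'user.assignedPlans -any (assignedPlan.servicePlanId -eq ' +
             '"41781fb2-bc02-4b7c-bd55-b576c07bb09d" -and ' +
             'assignedPlan.capabilityStatus -eq "Enabled")'

Connect-MgGraph -Scopes 'Group.ReadWrite.All'
Connect-ExchangeOnline

# 1. Create the dynamic Microsoft 365 group with a rule that matches only you,
#    so the welcome email can reach nobody else.
$group = New-MgGroup -DisplayName $GroupName -MailNickname $GroupName `
    -MailEnabled -SecurityEnabled:$false `
    -GroupTypes 'Unified', 'DynamicMembership' `
    -MembershipRule $PilotRule -MembershipRuleProcessingState 'On'

# 2. Wait until Exchange Online can see the group; Set-UnifiedGroup fails
#    with "group doesn't exist" before that point.
$deadline = (Get-Date).AddMinutes(15)
while (-not (Get-UnifiedGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    if ((Get-Date) -gt $deadline) { throw "Group '$GroupName' not visible in Exchange Online." }
    Start-Sleep -Seconds 30
}

# 3. Turn the welcome message off and verify it before touching the rule.
Set-UnifiedGroup -Identity $GroupName -UnifiedGroupWelcomeMessageEnabled:$false
if ((Get-UnifiedGroup -Identity $GroupName).WelcomeMessageEnabled) {
    throw "Welcome message is still enabled on '$GroupName'; rule left unchanged."
}

# 4. Only now widen the membership rule to the service plan.
Update-MgGroup -GroupId $group.Id -MembershipRule $FinalRule
```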