Microsoft has introduced a significant feature recently to block a user from deleting Planner tasks that they didn’t create. The admin can confidently create tasks without having the fear of being removed as this feature judiciously protects the accidental removal of the task.
- The blocked user will not be able to delete any Planner task that they didn’t create irrespective of the group / plan they belong to.
- In case the blocked user is a Global Admin, the admin themselves will not be able to delete the tasks that they didn’t create.
- The users who are not blocked are entitled to delete the tasks created by the blocked users.
Pre-requisites
- You must be a Global Admin to run the PowerShell command
- Download Planner Tenant Admin Powershell Commands
- Unblock your files
- Load the Planner Tenant Admin PowerShell module
Download Planner Tenant Admin Powershell Commands
Download the zip Planner Tenant Admin PowerShell File and Unzip it to a location that you can access from PowerShell.
Unblock script files
The files that have to be unblocked are
- plannertenantadmin.psm1
- microsoft.identitymodel.clients.activedirectory.dll
Please follow the below steps to unblock the files.
- Go to File Explorer and navigate to location where you unzipped the files.
- Right click on the above noted files, and click Properties.
- On the General tab, select Unblock.
How to load the Planner Tenant Admin PowerShell Module
- Start Windows PowerShell. In PowerShell, type the following command to enable running scripts downloaded from the internet for this session only. It may prompt you to confirm by typing “Y”.
Powershell
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process
- Enter the following command to execute the plannertenantadmin PowerShell script, this will import a module with all available cmdlets.
Powershell
Import-module "<location of the plannertenantadmin.psm1 file you unzipped>"
For example: If your file is stored in C:UsersjijiUser
Powershell
Import-module "C:UsersjijiUserplannertenantadmin.psm1”
How to Block the user from deleting task
Block Single User
- Use the Set-PlannerUserPolicy cmdlet to block the user from deleting Planner tasks that they didn’t create.
Powershell
Set-PlannerUserPolicy -UserAadIdOrPrincipalName -BlockDeleteTasksNotCreatedBySelf $true
For example:
Powershell
Set-PlannerUserPolicy -UserAadIdOrPrincipalName johannal@jiji.onmicrosoft.com -BlockDeleteTasksNotCreatedBySelf $true
- When you’re prompted to authenticate, sign in as the global admin, not the user you want to block.
User Experience
When the blocked user tries to delete the Planner task that is not created by them, the user gets a warning message – “Only members of the Microsoft 365 Group are allowed to delete tasks”.
Block Multiple Users
Using Set-PlannerUserPolicy cmdlet in an iterative manner, we can block a bunch of users from deleting Planner tasks that they didn’t create in a single shot as below. The list of users has to feed in through a CSV.
#Block-Users-from-Deleting-Task
function Set-Block-Users-from-Deleting-Task
{
param (
$ImportcsvFilePath
)
process
{
#Set-PlannerUserPolicy
Import-module ""
$AllUsers = Import-Csv -Path $ImportcsvFilePath
foreach($Users in $AllUsers)
{
Set-PlannerUserPolicy -UserAadIdOrPrincipalName $Users.UserPrincipalName -BlockDeleteTasksNotCreatedBySelf $true
}
}
}
Set-Block-Users-from-Deleting-Task -ImportcsvFilePath ""
Sample CSV file:
| UserPrincipalName |
|---|
| JoniS@jiji.onmicrosoft.com |
| AllanD@jiji.onmicrosoft.com |
| AlexW@jiji.onmicrosoft.com |
How to Get a user’s current policy
Single User
Check a user’s current policy with the Get-PlannerUserPolicy cmdlet.
Powershell
Get-PlannerUserPolicy -UserAadIdOrPrincipalName "<User's AAD ID or UPN>"
For example, the following cmdlet depicts the view of a user’s current policy
Powershell
Get-PlannerUserPolicy -UserAadIdOrPrincipalName jonis@jiji.onmicrosoft.com | fl
Result
@odata.context : https://tasks.office.com/taskApi/
tenantAdminSettings/$metadata#UserPolicy/$entity
id : jonis@jiji.onmicrosoft.com
blockDeleteTasksNotCreatedBySelf : False
Multiple Users
Check the current policy for a bunch of users using the Get-PlannerUserPolicy cmdlet in an iterative manner. The check is performed against all the licensed users of the domain.
#Install-Module MSOnline : Pre-requisite
function Get-Blocked-Users-from-Deleting-Task
{
param (
$ExportcsvFilePath
)
process
{
$UserPolicyDetails = @()
#ConnectMsolservice
Connect-MsolService
#GetMsolusers
$LicensedUsers = Get-MsolUser -All | Where-Object {$_.IsLicensed -eq $true } |select UserPrincipalName
foreach($LicUsers in $LicensedUsers)
{
$value = Get-PlannerUserPolicy -UserAadIdOrPrincipalName
$LicUsers.UserPrincipalName | select id,blockDeleteTasksNotCreatedBySelf
$UserDetails = "" | Select "UserName","IsblockDeleteTasksNotCreatedBySelf"
$UserDetails.UserName = $value.id
$UserDetails.IsblockDeleteTasksNotCreatedBySelf = $value.blockDeleteTasksNotCreatedBySelf
$UserPolicyDetails+= $UserDetails
}
$UserPolicyDetails
$UserPolicyDetails | Export-csv $ExportcsvFilePath -NoTypeInformation
}
}
Get-Blocked-Users-from-Deleting-Task -ExportcsvFilePath ""
The final output will be written to a CSV file with the list of all licensed users of the domain in the below format.
| UserName | IsblockDeleteTasksNotCreatedBySelf |
|---|---|
| JoniS@jiji.onmicrosoft.com | true |
| AllanD@jiji.onmicrosoft.com | true |
| DebraB@jiji.onmicrosoft.com | false |
| AlexW@jiji.onmicrosoft.com | true |
| LidiaH@jiji.onmicrosoft.com | false |
How to Unblock the user from deleting task
- Use the Set-PlannerUserPolicy cmdlet to unblock the user from deleting Planner tasks that they didn’t create.
Powershell
Set-PlannerUserPolicy -UserAadIdOrPrincipalName -BlockDeleteTasksNotCreatedBySelf $false
For example:
Powershell
Set-PlannerUserPolicy -UserAadIdOrPrincipalName johannal@jiji.onmicrosoft.com -BlockDeleteTasksNotCreatedBySelf $false
- When you’re prompted to authenticate, sign in as the global admin, not the user you want to unblock.
