Disable Private Chat in Microsoft Teams for Students

UPDATE 03/19/20: Microsoft has recently released a fantastic doc that walks through this very same process but doing so much more efficiently. I highly recommend you take a look at that resource before continuing.

Microsoft Teams is a powerful collaboration tool with usefulness that spans across segments like enterprise, SMB, and education. However in education we have a bit more specific use cases and restrictions since we are dealing with a younger user base.

One of the top requests I get is “Nick how do I disable private chat for my students only?”. We are trusting the adults in our school districts to know what’s acceptable and what’s not but our student base we may want to gradually allow them the ability to use private chat as district IT and legal feels more comfortable. So how do we do it?

In the past the Microsoft Teams “admin settings” used to live under the old Services & add-ins blade within the Office 365 admin center. In there it had a very nice feature in which you could select anybody assigned a “student license” and disable specific features in Teams for only that user base which is awesome! But this no longer works.

In our new Teams admin center we have a ton of new controls at our fingertips including Messaging Policies, which we are going to use, but this sadly does not have an easy way to deploy to only Student based licenses. In this post we will talk about how to achieve disabling private chat for students only based on their license sku via PowerShell! So let’s begin.

Architecture overview of Demo

This demo tenant has roughly 50 users in it with 18 of them being “Students”. I have only four license types in my tenant so you will need to know how to get your exact sku name which we will touch on. These are cloud only users but the process should be the same. My students in this tenant are already properly licensed with Microsoft 365 A5 for Students.

Need to understand how to manage licensing in M365? Check this out.

I’ve already installed the required PowerShell modules and will not be covering that here. If you need to install these modules I have provided links below that can walk you through the process for each one.

Creating the messaging policy

Before we begin I wanted to share a recommendation from Microsoft. It is typically recommended to disable features in the global policy that is automatically applied to every new users provisioned making the global policy the “most restrictive”. This ensures that any new user is covered out of the gate with said restrictions. You would then create a new policy that allows features, such as private chat, that you would then apply to the appropriate user base such as staff/faculty.

The above is the reverse of what is demoed below and is entirely up to you as the admin.

Now we could create our messaging policy via PowerShell as well but it’s nice and easy in the Admin Center so we will do it there, then use PowerShell to deploy it! So we are going to head to https://admin.teams.microsoft.com and use either a Teams Service Admin or Global Admin to login.

  1. Click on to view all org messaging policies currently in your environment.
  2. By default you should see, typically, three pre-built policies that we are going to ignore for now
    1. Global (Org-wide default)
    2. EduFaculty
    3. EduStudent
  3. Click on the + Add button to create a new policy
  4. Name the policy, provide a description if you would like, then begin disabling features you wish to not have enabled for Students. Remember we are making this policy specific to Students
  5. Below you can see the features I’ve turned on and turned off for my new student policy from PowerShell (easier to see it all in one screen shot) labeled: EDU No Private Chat

Now that we’ve created our new messaging policy, we can see it listed among the defaults in our tenant:

From here we could assign the policy to users manually (and one by one) if we wanted to. This is great for testing our new policy, so let’s do that via the Teams Admin Center to make sure we see the results from the student perspective that we are looking for; no more private chat.

Testing our new messaging policy with manual assignment

While still in the Messaging policies pane we can quickly add individuals to our newly created policy!

WARNING: Following the next few steps will be making a production change and is recommended you be doing this to a test user or in your own test environment. You are doing this at your own risk!
  1. Select the new policy by clicking the “check mark” on the far left side of the policy item
  2. Click on “Manage users” in the top action bar just above the list of policies
  3. In the manage users slide out search for a test user that you will add this policy to. I’ve selected my test user of Brock Guess and clicked “Apply” near the bottom of the slide out
  4. Once you clicked apply and the slide out disappears you will see a success banner along the top of the admin portal

Now that the policy has been applied to our test user we can login as that user and see the navigation bar in Teams is missing “Chat” compared to a different user that is still allowed to use private chat:

No private chat allowed
Teams private chat off

Private chat allowed
Teams private chat on

Assigning the messaging policy to multiple students at once

So by now we have created our new messaging policy that disables private chat (among other stuff in my demo), assigned it directly to a test user, logged in as that test user and confirmed that private chat is off; so now how do we do this to all students and how do we quickly identify them?

There are several options of doing this. However at the time of publishing I’m only going to cover the one I believe to be the most popular and useful. Others might be added later.

Option 1: Assign messaging policy based on users with a student license (my personal favorite)

As mentioned before in the past this was easily done via the old services & add-ins settings pane which had a lovely drop down, now we need to do this via PowerShell. So let’s get started!

Getting Sku Names

Before we can pull in all the users are assigned to our student license, we need to know what our student license is called in our Office 365 tenant. Keep in mind what you will see in my screen shots may not look the same for you based on what you purchased and your licensing levels but the process should still be the same.

  1. Open up a PowerShell window as an admin and connect to both MSOL and Skype for Business Online. How to do this was mentioned earlier in the Architecture Overview section
  2. Once connected to both MSOL and Skype for Business Online modules run: Get-MsolAccountSku to see a list of all licenses in your tenant which should look similar to mine shown below:
  3. As you can see by the screen shot I have four license types but the only one I truly care about right now is M365EDU082011:M365EDU_A5_STUDENT which is my student Microsoft 365 A5 licenses. You can also see that I have 18 of those licenses assigned which makes sense as I have 18 students in my tenant.

Great so now I have the name of the sku I need to use to find my student user base since all my students should be licensed with that sku. To be sure I can run a quick PowerShell command to pump out a list of the users that have that license. I’m going to do so and have it display directly in the PowerShell window since I only have 18 users but you may want to dump it to a CSV in your production environment.

  1. In that same PowerShell window run: get-msoluser -all | where-object {($_.licenses).AccountSkuId -match "M365EDU_A5_STUDENT"}
  2. Once that runs you should see a list similar to this:

Notice that I have ‘-all’ listed in the command just after ‘get-msoluser’ though do not use it in my screen shots; this is because my student count is 18 however your’s may be much more. Get-MSOLUser has a default limit of 500 so the all flag allows us to get all accounts. Everything in my student license export looks good so I now know I can pick on just my students by their license and use that to assign our newly created messaging policy!

Assigning the messaging policy to only students based on their license

We are going to combine our PowerShell command from above that we used to see all users with the license of M65EDU_A5_STUDENT with the Cs-TeamsMessagingPolicy command to then apply it to those users.

To do this we are going to use a variable to house the users we pull in and then pipe those users into the Cs-Teams command. Below is what the overall command looks like:
$members=get-msoluser -all | where-object {($_.licenses).AccountSkuId -match "M365EDU_A5_STUDENT"}

Let’s break down that command real quick:
– $members is the variable that will house the users we are pulling in
Get-MSOLUser is a standard command when working with users in Azure AD / Office 365
– We are then looking for user objects that have an AccountSkuID match of “M365EDU_A5_STUDENT”

Once it runs we could then simply type $members and press enter to see the full list (again you should pipe yours to a CSV for review in production). Below you will see both the initial command run along with me reviewing the members in the variable:

Before we change the messaging policy let’s see what a student is currently assigned so that when we continue with our change we have something to compare. In the Teams Admin Center go to Users in the left hand navigation pane.

Find a sample student to look, in my case I’m looking at my student Al Fredrickson:

We can see that Al has 9 global policies assigned and 0 per-user policies assigned. This means he is only assigned to global default policies which we can verify by hovering over the policies assigned text.

We are now ready to move forward and set his, and all other students, to our new no chat policy.

We can also verify what messaging policy is applied to a student by running the following: Get-CsOnlineUser -Identity userUPN | ft DisplayName, TeamsMessagingPolicy

We can see my sample student Al has nothing listed for Messaging Policy because he is assigned the Global Default:

WARNING: This next command will make large scale changes to your students / users in your environment. Be sure to have tested prior to continuing and run at your own risk. 

Quick tip: when making large scale changes via PowerShell it may be wise to break this up into batches. We don’t cover how to do that in this post but definitely something to consider.

When you are ready to change the messaging policy assignment to all your students use the same PowerShell admin window from before run this command: foreach($member in $members) {Grant-CsTeamsMessagingPolicy -PolicyName "EDU No Private Chat" -Identity $member.UserPrincipalName}

Let’s break down that command real quick:
– we are running a foreach and creating a temporary variable of $member that will be used to go user by user from our list of $members
– we are then adding the policy (granting) of “EDU No Private Chat” that we created earlier to each member using their UserPrincipalName from our $members list

Validate the policy has been applied

In PowerShell using a sample student:

Teams Admin Center users pane:

We can get a full list of all users assigned to our new policy by running the following: get-csonlineuser -filter {TeamsMessagingPolicy -eq 'EDU No Private Chat'} | ft DisplayName, TeamsMessagingPolicy

For your production environment you may want to pipe this out to a CSV.

Note that only 18 users show up in my list which equals my student license count, so things are looking great!

Note: Messaging Policy changes can take up 24 hours to complete. Users may still have access to features until the change is complete.

Now logging in as Al we can see his private chat functions have disappeared as desired:

Option 2: Using a CSV

Don’t want to use the licensing based method outlined above? No worries. Check out this sample script directly from Microsoft to achieve the same thing using a CSV file that you would need to generate with your student UPNs.

New user provisioning

Now that you have taken care of all current students what about when you on board new students? Put simply you will need to add a new step in your provisioning process to assign this new policy to new student accounts when they are being created.

You can use this command as part of your provisioning process to assign this new policy: Grant-CsTeamsMessagingPolicy -PolicyName "<<PolicyName for a policy created with Chat Off>>" -Identity userUPN

Congrats you are done!

Yay! You have successfully assigned your new messaging policy to all students based on their student license in Microsoft 365. Remember this process can be used for faculty as well should you wish to make mass changes to their capabilities as well.

Now remember since you have turned off private chat, students will only be able to communicate via the Teams/Channels they are a part of. If someone tries to private chat with them they will receive an error that states they cannot do so. I highly recommend you take advantage of governance features before disabling private chat all together.

Additional resources