LinkedIn Connector for Office 365 Uses Group to Control Users Allowed to Access Contacts

Connecting LinkedIn to Office 365 with Just a Bit of PowerShell

In October 2018, I wrote about the process of connecting Office 365 accounts to LinkedIn accounts so that Office 365 can fetch LinkedIn information about contacts and include it in Office 365 people cards. At that time, tenant administrators had to define a list of individual users allowed to use the LinkedIn connection in Azure Active Directory. This implementation worked, but it was clearly inefficient for larger organizations where thousands of people might want to use LinkedIn. Microsoft therefore announced on April 25 (MC178371) that access is granted to members of a specific group rather than individual users.

The change makes sense. It’s easier to update the membership of a security group than to input lists of individual users into the Azure portal, if only because you can update group membership with PowerShell.

New Security Group Required

The change means that you must create a new security group in Azure Active Directory. If preferred, you can use a distribution list or Office 365 group instead, but a security group is better because it doesn’t show up in the GAL. You can’t use a dynamic group.

Once the group is selected, you can add the users who have access to LinkedIn today (because they were assigned individual access) to the group by fetching the membership using an Azure app. The result is a set of GUIDs for the accounts (Figure 1).

Figure 1: A list of GUIDs for the accounts allowed to access LinkedIn

Updating Group Membership with PowerShell

Clicking the link to export the GUIDs to a CSV file creates a file called Users.CSV in the workstation’s Downloads folder. The file is supposed to contain the GUIDs but several attempts to create a populated file failed using Chrome, Edge (Chrome), and Internet Explorer. I eventually gave up and updated the membership of the security group using PowerShell.

# Retrieve the GUID for the group used to control LinkedIn access
Get-AzureADGroup -SearchString LinkedIn

ObjectId                             DisplayName          Description
--------                             -----------          -----------
86a8e632-5dd3-4fa9-a962-08d41e353a19 LinkedIn Connections People allowed to use the LinkedIn

# Update memberships with the GUIDs for the accounts to receive access
Add-AzureADGroupMember -ObjectId 86a8e632-5dd3-4fa9-a962-08d41e353a19 -RefObjectId d446f6d7-5728-44f8-9eac-71adb354fc89

After some quick cut and paste, all of the previous users who had access were added to the group. I verified the membership was correct with:

# Retrieve membership of the group used to control LinkedIn Access
Get-AzureADGroupMember -ObjectId 86a8e632-5dd3-4fa9-a962-08d41e353a19

ObjectId                             DisplayName    UserPrincipalName                    UserTyp
--------                             -----------    -----------------                    -------
eff4cd58-1bb8-4899-94de-795f656b4a18 Tony Redmond    Member
d36b323a-32c3-4ca5-a4a5-2f7b4fbef31c Kim Akers        Member
d446f6d7-5728-44f8-9eac-71adb354fc89 James Abrahams Member
cad05ccf-a359-4ac7-89e0-1e33bf37579e James Ryan       Member

Updating Azure with the Security Group

With a fully populated group, I went to the Azure Active Directory portal and updated the User settings to make sure that the correct group was selected (Figure 2).

Figure 2: Updating Azure Active Directory with the group to control LinkedIn connections

All we’ve done so far is replace the set of individual LinkedIn connection assignments with a security group whose membership controls who can access LinkedIn data from Office 365. It’s worth emphasizing that individual users must still approve their connection to LinkedIn before Office 365 can retrieve and display contact data.

Updating the Security Group to Add More People for LinkedIn Access

The important thing is that because access is now controlled by a security group, we can easily update the membership of that group to assign access to additional people. For instance, here’s how to assign access to every mailbox in a tenant.

# Add all mailboxes to the set of accounts allowed to access LinkedIn contacts
$Mbx = (Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | Select-Object UserPrincipalName, ExternalDirectoryObjectId)
ForEach ($M in $Mbx) {
  Add-AzureADGroupMember -ObjectId 86a8e632-5dd3-4fa9-a962-08d41e353a19 -RefObjectId $M.ExternalDirectoryObjectId
}

You’ll see errors if you try to add a member that already exists in the group. A check to see if a member already exists would solve the problem, but this code is just for illustrative purposes. Clearly, it’s possible to create all sorts of filters to control who gets access if you wish.
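The membership check mentioned above could look like the following. This is an added example, not code from the original article: it loads the current members once, adds only the mailboxes that are missing, and lists existing members that are not user mailboxes so that access to LinkedIn data can be reviewed. It assumes Azure AD and Exchange Online sessions are already connected; the $Apply variable is a hypothetical dry-run switch introduced for this example.

```powershell
# Added example: idempotent update of the group that controls LinkedIn access.
# Assumes Connect-AzureAD and an Exchange Online session are already in place.
$GroupId = '86a8e632-5dd3-4fa9-a962-08d41e353a19'  # group ObjectId shown earlier on this page
$Apply   = $false                                  # hypothetical switch: set to $true to make changes

# Current members, held in a case-insensitive set for fast lookups
$Current = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
Get-AzureADGroupMember -ObjectId $GroupId -All $true |
    ForEach-Object { [void]$Current.Add($_.ObjectId) }

# Accounts that should have access: every user mailbox, as in the article
$Desired = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
$Mbx = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Select-Object UserPrincipalName, ExternalDirectoryObjectId

ForEach ($M in $Mbx) {
    If ([string]::IsNullOrEmpty($M.ExternalDirectoryObjectId)) {
        Write-Warning "No Azure AD object for $($M.UserPrincipalName); skipped"
        Continue
    }
    [void]$Desired.Add($M.ExternalDirectoryObjectId)
    If ($Current.Contains($M.ExternalDirectoryObjectId)) { Continue }  # already a member, no error raised
    If ($Apply) {
        Try {
            Add-AzureADGroupMember -ObjectId $GroupId -RefObjectId $M.ExternalDirectoryObjectId -ErrorAction Stop
            Write-Output "Added $($M.UserPrincipalName)"
        } Catch {
            Write-Warning "Failed to add $($M.UserPrincipalName): $($_.Exception.Message)"
        }
    } Else {
        Write-Output "Would add $($M.UserPrincipalName)"
    }
}

# Existing members that are not user mailboxes: report for review, do not remove automatically
$Current | Where-Object { -not $Desired.Contains($_) } |
    ForEach-Object { Write-Output "Review existing member $_" }
```

Run it once with $Apply set to $false to see the planned additions and the members flagged for review before changing the group.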

For more information about the LinkedIn connection to Office 365, see Chapter 3 of the Office 365 for IT Pros eBook.
