Dan Djurasovic Blog

Step-by-step instructions on how to disable creation of Office 365 Groups.

  • 01/12/2018
  • Dan Djurasovic
  • 3 Comments

Microsoft added the ability within Azure AD PowerShell to control who can create Office 365 Groups.

We are going to accomplish this with the following two steps:

  • Disable the default ability for everyone to create a new Office 365 Group
  • Create an Azure AD group containing the people who are allowed to create groups

We will need to uninstall the existing AzureAD or AzureADPreview module and install a new one using the following PowerShell commands:

Get-InstalledModule -Name "AzureAD*"
Uninstall-Module AzureAD
Uninstall-Module AzureADPreview
Install-Module AzureADPreview

Let's check which version we have now.

Get-Module -Name AzureADPreview -ListAvailable

Log in to https://portal.office.com/adminportal/ and create an Azure AD security group.
Only members of this group will be able to create Office 365 Groups.
Only one security group can be used to control who is able to create Office 365 Groups.

 

Run the following commands to connect to Azure

Import-Module AzureADPreview
Connect-AzureAD

Check whether an Azure AD directory setting already exists

(Get-AzureADDirectorySetting).Values

If there is none, execute the following commands to create new Azure AD Settings

$Template = Get-AzureADDirectorySettingTemplate | where {$_.DisplayName -eq 'Group.Unified'}
$Setting = $Template.CreateDirectorySetting()
New-AzureADDirectorySetting -DirectorySetting $Setting

Run the following command to see the default values of the Azure AD directory setting

(Get-AzureADDirectorySetting).Values

Note the default values of the following settings

GroupCreationAllowedGroupId = BLANK
EnableGroupCreation   = FALSE

 

 

Run the following commands to change EnableGroupCreation and GroupCreationAllowedGroupId.

$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting["EnableGroupCreation"] = $False
$Setting["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString "Office 365 Groups - Create").objectid
Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting

 

Check New Values of Azure AD Directory Setting

(Get-AzureADDirectorySetting).Values

 

Compare the ObjectId of the group you created at the beginning of the article with GroupCreationAllowedGroupId.

They must match.

Get-AzureADGroup -SearchString "Office 365 Groups - Create"
(Get-AzureADDirectorySetting).Values
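
The steps above can be combined into one repeatable function that also guards against an ambiguous group lookup and reads the setting back after writing it. This is an added example, not code from the original post; the function name Set-GroupCreationRestriction is hypothetical, and it assumes the AzureADPreview module is installed and Connect-AzureAD has already been run.

```powershell
# Added example (not the author's code). Assumes AzureADPreview is installed
# and Connect-AzureAD has already been run in this session.
function Set-GroupCreationRestriction {
    param(
        [Parameter(Mandatory)]
        [string]$AllowedGroupName  # display name of the allowed-creators group
    )

    # -SearchString is not an exact-name match and may return several groups,
    # which would make .ObjectId an array. Filter on the exact name instead
    # and require exactly one result.
    $escaped = $AllowedGroupName.Replace("'", "''")
    $groups  = @(Get-AzureADGroup -Filter "DisplayName eq '$escaped'")
    if ($groups.Count -ne 1) {
        throw "Expected exactly one group named '$AllowedGroupName', found $($groups.Count)."
    }
    if (-not $groups[0].SecurityEnabled) {
        throw "Group '$AllowedGroupName' is not a security group."
    }
    $groupId = $groups[0].ObjectId

    # Reuse the existing Group.Unified setting, or create it from the template.
    $setting = Get-AzureADDirectorySetting -All $true | Where-Object DisplayName -eq 'Group.Unified'
    if (-not $setting) {
        $template = Get-AzureADDirectorySettingTemplate | Where-Object DisplayName -eq 'Group.Unified'
        New-AzureADDirectorySetting -DirectorySetting $template.CreateDirectorySetting() | Out-Null
        $setting = Get-AzureADDirectorySetting -All $true | Where-Object DisplayName -eq 'Group.Unified'
    }

    $setting['EnableGroupCreation']         = $false
    $setting['GroupCreationAllowedGroupId'] = $groupId
    Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting

    # Read the setting back and confirm both values were stored as requested.
    $stored = Get-AzureADDirectorySetting -Id $setting.Id
    $ok = ("$($stored['GroupCreationAllowedGroupId'])" -eq $groupId) -and
          ("$($stored['EnableGroupCreation'])" -eq 'False')
    if (-not $ok) { throw 'Directory setting does not match the requested values.' }
    $stored.Values
}

# Group name taken from the article.
Set-GroupCreationRestriction -AllowedGroupName 'Office 365 Groups - Create'
```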

At this point, we have disabled creation of Office 365 Groups for all end users.

Let's log in with our user.

Note that the + sign is missing.

If he tries to create a group through the New command, he will get the following error message.

 

Now let's add our user to the group.

Now he can create Office 365 Groups.

 

And the + sign is back

 

How to revert to the original settings?

Microsoft's instructions for reverting to the original configuration are to run the following lines:

$SettingId = Get-AzureADDirectorySetting -All $True | where-object {$_.DisplayName -eq "Group.Unified"}
Remove-AzureADDirectorySetting -Id $SettingId.Id

I ran this on my tenant. I was able to delete the configuration, but all client settings were unchanged.

None of the users were able to create Office 365 Groups even though we deleted the whole configuration.
So I came up with the proper settings to revert to the original configuration.

Run the following PowerShell lines to revert the configuration for EnableGroupCreation and GroupCreationAllowedGroupId

$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting["EnableGroupCreation"] = $True
$Setting["GroupCreationAllowedGroupId"] = $null
Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting

Now you can use the original Microsoft commands to delete the configuration

$SettingId = Get-AzureADDirectorySetting -All $True | where-object {$_.DisplayName -eq "Group.Unified"}
Remove-AzureADDirectorySetting -Id $SettingId.Id

 

After running these commands, the whole configuration is reverted and all users can create Office 365 Groups as before.


About The Author

Dan is an Azure Technical Advisor with over a dozen years of IT experience, specializing in Microsoft Office 365, Exchange Server, Azure IaaS and Active Directory. Dan is currently employed with Employment and Social Development / Government of Canada.

3 Comments

  1. Djawad Souci
    30/10/2019 at 13:40 · Reply

    Hi, thank you for this very informative article.
    Can end-users still create Teams if we disable the “creation of O365 Groups” in Outlook?

    • Dan Djurasovic
      02/12/2019 at 03:11 · Reply

      No, they cannot. Teams need an Office 365 group.

  2. Jim
    15/10/2020 at 16:15 · Reply

    Thank you! I’ve been looking at the crap Microsoft calls “documentation”. Even though I’m trying to do something else, this article pointed me at exactly the right bit of info I needed to figure out the missing element for what I’m doing.

    Boo to Microsoft “documentation” that leaves huge holes…or is sometimes just flat out wrong — and yea to Dan for an article that has great info!
