Dec 01

Step By Steps instruction how to disable creation of Office 365 Groups.

Microsoft added the ability within Azure AD PowerShell to control who can create Office 365 Groups.

We are going to accomplish this with the following two steps:

  • Disable the default ability for everyone to create a new Office 365 Group
  • Create Azure AD group with a list of people who are allowed to create groups

We will need to uninstall existing AzureAD or AzureADPreview module and install a new one using the following Powershell commands

Get-InstalledModule -Name "AzureAD*"
Uninstall-Module AzureAD
Uninstall-Module AzureADPreview
Install-Module AzureADPreview

Let check version what we have now.

Get-Module -Name AzureADPreview

Login to https://portal.office.com/adminportal/ and create an Azure Security AD group.
Only members of this group ill are able to create Office 365 Groups.
Only one security group can be used to control who is able to create Office 365 Groups.

 

Run the following commands to connect to Azure

Import-Module AzureADPreview
Connect-AzureAD

Check if there is existing Azure AD Directory Setting

(Get-AzureADDirectorySetting).Values

If there is none, execute the following commands to create new Azure AD Settings

$Template = Get-AzureADDirectorySettingTemplate | where {$_.DisplayName -eq 'Group.Unified'}
$Setting = $Template.CreateDirectorySetting()
New-AzureADDirectorySetting -DirectorySetting $Setting

Run the following command to see what default values are for Azure AD Directory Setting

 (Get-AzureADDirectorySetting).Values

Note default settings for the following commands

GroupCreationAllowedGroupId = BLANK
EnableGroupCreation   = FALSE

 

 

Run the following commands to change EnableGroupCreation and GroupCreationAllowedGroupId.

$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting["EnableGroupCreation"] = $False
$Setting["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString "Office 365 Groups - Create").objectid
Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting

 

Check New Values of Azure AD Directory Setting

(Get-AzureADDirectorySetting).Values

 

Compare ObjectID with GroupCreationAllowedGroupId you created at the beginning of the article.

They must match

Get-AzureADGroup -SearchString "Office 365 Groups - Create" (Get-AzureADDirectorySetting).Values

At this moment, we disabled creation of Office 365 for all end users.

Let login with our user.

Note that  + sign is missing

If he tries to create a group through New Command, he will get the following error message.

 

Let now add out user to Group

Now he can create Ofice 365 Groups

 

And the + sign is back

 

How to revert setting of the original setting?

Microsoft instructions to revert to the original configuration it to run the following line

$SettingId = Get-AzureADDirectorySetting -All $True | where-object {$_.DisplayName -eq "Group.Unified"}
Remove-AzureADDirectorySetting -Id $SettingId.Id

I run this on my tenant. I was able to delete configuration but all client settings were unchanged.

None of the users were able to create Office 365 event if we deleted the whole configuration.
So I came with a proper setting to revert to the original configuration

Run the following PowerShell  lines to revert configuration for EnableGroupCreation  and GroupCreationAllowedGroupId

$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting[""] = $True
$Setting["GroupCreationAllowedGroupId"] = $null
Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting

Now you can use original Microsoft command to delete configuration

$SettingId = Get-AzureADDirectorySetting -All $True | where-object {$_.DisplayName -eq “Group.Unified”} Remove-AzureADDirectorySetting -Id $SettingId.Id

 

After running this command all configuration is reverted and all users can create Office 365 groups as was before.

About The Author

Dan is an Azure Technical Advisor, with over a dozen years of IT experience, specializing in Microsoft Office 365, Exchange Server Azure IaaS and Active Directory.

4 Comments

  1. Djawad Souci
    30/10/2019 at 13:40 · Reply

    Hi, thank you for this very informative article.
    Can end-users still create Teams, if we disable the “creation of O365 Groups” in Outlook ?

  2. Jim
    15/10/2020 at 16:15 · Reply

    Thank you! I’ve been looking at the crap Microsoft calls “documentation”. Even though I’m trying to do something else, this article pointed me at exactly the right bit of info I needed to figure out the missing element for what I’m doing.

    Boo to Microsoft “documentation” that leaves huge holes…or is sometimes just flat out wrong — and yea to Dan for an article that has great info!

  3. NHKL
    11/07/2021 at 03:08 · Reply

    Thank you. I’m trying to do this but my GroupCreationAllowedGroupId value still blank. Can you help me ?

Leave a reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.