Microsoft added the ability within Azure AD PowerShell to control who can create Office 365 Groups.
We are going to accomplish this with the following two steps:
- Disable the default ability for everyone to create a new Office 365 Group
- Create Azure AD group with a list of people who are allowed to create groups
We will need to uninstall existing AzureAD or AzureADPreview module and install a new one using the following Powershell commands
Get-InstalledModule -Name "AzureAD*" Uninstall-Module AzureAD Uninstall-Module AzureADPreview Install-Module AzureADPreview
Let check version what we have now.
Get-Module -Name AzureADPreview
Login to https://portal.office.com/adminportal/ and create an Azure Security AD group.
Only members of this group ill are able to create Office 365 Groups.
Only one security group can be used to control who is able to create Office 365 Groups.
Run the following commands to connect to Azure
Import-Module AzureADPreview
Connect-AzureAD
Check if there is existing Azure AD Directory Setting
(Get-AzureADDirectorySetting).Values
If there is none, execute the following commands to create new Azure AD Settings
$Template = Get-AzureADDirectorySettingTemplate | where {$_.DisplayName -eq 'Group.Unified'}
$Setting = $Template.CreateDirectorySetting()
New-AzureADDirectorySetting -DirectorySetting $Setting
Run the following command to see what default values are for Azure AD Directory Setting
(Get-AzureADDirectorySetting).Values
Note default settings for the following commands
GroupCreationAllowedGroupId = BLANK EnableGroupCreation = FALSE
Run the following commands to change EnableGroupCreation and GroupCreationAllowedGroupId.
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id $Setting["EnableGroupCreation"] = $False $Setting["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString "Office 365 Groups - Create").objectid Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting
Check New Values of Azure AD Directory Setting
(Get-AzureADDirectorySetting).Values
Compare ObjectID with GroupCreationAllowedGroupId you created at the beginning of the article.
They must match
Get-AzureADGroup -SearchString "Office 365 Groups - Create" (Get-AzureADDirectorySetting).Values
At this moment, we disabled creation of Office 365 for all end users.
Let login with our user.
Note that + sign is missing
If he tries to create a group through New Command, he will get the following error message.
Let now add out user to Group
Now he can create Ofice 365 Groups
And the + sign is back
How to revert setting of the original setting?
Microsoft instructions to revert to the original configuration it to run the following line
$SettingId = Get-AzureADDirectorySetting -All $True | where-object {$_.DisplayName -eq "Group.Unified"}
Remove-AzureADDirectorySetting -Id $SettingId.Id
I run this on my tenant. I was able to delete configuration but all client settings were unchanged.
None of the users were able to create Office 365 event if we deleted the whole configuration.
So I came with a proper setting to revert to the original configuration
Run the following PowerShell lines to revert configuration for EnableGroupCreation and GroupCreationAllowedGroupId
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id $Setting[""] = $True $Setting["GroupCreationAllowedGroupId"] = $null Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting
Now you can use original Microsoft command to delete configuration
$SettingId = Get-AzureADDirectorySetting -All $True | where-object {$_.DisplayName -eq “Group.Unified”} Remove-AzureADDirectorySetting -Id $SettingId.Id
After running this command all configuration is reverted and all users can create Office 365 groups as was before.
Hi, thank you for this very informative article.
Can end-users still create Teams, if we disable the “creation of O365 Groups” in Outlook ?
No, then can not. Teams need Office 365 group.
Thank you! I’ve been looking at the crap Microsoft calls “documentation”. Even though I’m trying to do something else, this article pointed me at exactly the right bit of info I needed to figure out the missing element for what I’m doing.
Boo to Microsoft “documentation” that leaves huge holes…or is sometimes just flat out wrong — and yea to Dan for an article that has great info!