Dan Djurasovic Blog
  • SSH
  • Linux
Dec 01

Step-by-step instructions on how to disable creation of Office 365 Groups.

  • 01/12/2018
  • Dan Djurasovic
  • 4 Comments

Microsoft added the ability within Azure AD PowerShell to control who can create Office 365 Groups.

We are going to accomplish this with the following two steps:

  • Disable the default ability for everyone to create a new Office 365 Group
  • Create Azure AD group with a list of people who are allowed to create groups

We will need to uninstall any existing AzureAD or AzureADPreview module and install a new one using the following PowerShell commands:

Get-InstalledModule -Name "AzureAD*"
Uninstall-Module AzureAD
Uninstall-Module AzureADPreview
Install-Module AzureADPreview

Let's check which version we have now.

Get-Module -Name AzureADPreview -ListAvailable

Log in to https://portal.office.com/adminportal/ and create an Azure AD security group.
Only members of this group will be able to create Office 365 Groups.
Only one security group can be used to control who is able to create Office 365 Groups.

 

Run the following commands to connect to Azure

Import-Module AzureADPreview
Connect-AzureAD

Check whether there is an existing Azure AD directory setting

(Get-AzureADDirectorySetting).Values

If there is none, execute the following commands to create new Azure AD Settings

$Template = Get-AzureADDirectorySettingTemplate | where {$_.DisplayName -eq 'Group.Unified'}
$Setting = $Template.CreateDirectorySetting()
New-AzureADDirectorySetting -DirectorySetting $Setting

Run the following command to see the default values of the Azure AD directory setting

(Get-AzureADDirectorySetting).Values

Note the default values of the following settings

GroupCreationAllowedGroupId = BLANK
EnableGroupCreation   = FALSE

 

 

Run the following commands to change EnableGroupCreation and GroupCreationAllowedGroupId.

$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting["EnableGroupCreation"] = $False
$Setting["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString "Office 365 Groups - Create").objectid
Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting

 

Check New Values of Azure AD Directory Setting

(Get-AzureADDirectorySetting).Values

 

Compare the ObjectID of the group you created at the beginning of the article with GroupCreationAllowedGroupId.

They must match.

Get-AzureADGroup -SearchString "Office 365 Groups - Create"
(Get-AzureADDirectorySetting).Values
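The steps above combined into one script that can be re-run safely, as an added example that is not part of the original post. It assumes Connect-AzureAD has already been run, and it refuses to continue unless exactly one group carries the exact name, because a search that matches no group yields no ObjectId to assign and a search that matches several is ambiguous.

```powershell
# Added example, not from the original post. Assumes the AzureADPreview module
# is imported and Connect-AzureAD has already been run in this session.
$GroupName = "Office 365 Groups - Create"   # group name used in the article

# -SearchString is a search, not an exact match: keep only exact name hits
# and stop unless exactly one group qualifies.
$Allowed = @(Get-AzureADGroup -SearchString $GroupName |
    Where-Object { $_.DisplayName -eq $GroupName })
if ($Allowed.Count -ne 1) {
    throw "Expected exactly one group named '$GroupName', found $($Allowed.Count)."
}

# Reuse the Group.Unified setting if it exists, otherwise create it from the template.
$Setting = Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq "Group.Unified" }
if (-not $Setting) {
    $Template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq "Group.Unified" }
    New-AzureADDirectorySetting -DirectorySetting $Template.CreateDirectorySetting() | Out-Null
    $Setting = Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq "Group.Unified" }
}

# Apply the restriction: nobody creates groups except members of the allowed group.
$Setting["EnableGroupCreation"] = $False
$Setting["GroupCreationAllowedGroupId"] = $Allowed[0].ObjectId
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting

# Read the stored values back from the tenant and compare them with what was intended.
$Values  = (Get-AzureADDirectorySetting -Id $Setting.Id).Values
$Enabled = ($Values | Where-Object { $_.Name -eq "EnableGroupCreation" }).Value
$GroupId = ($Values | Where-Object { $_.Name -eq "GroupCreationAllowedGroupId" }).Value
if ("$Enabled" -ne "False" -or $GroupId -ne $Allowed[0].ObjectId) {
    throw "Verification failed: EnableGroupCreation=$Enabled GroupCreationAllowedGroupId=$GroupId"
}
Write-Output "Group creation restricted to '$GroupName' ($GroupId)"
```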

At this point, we have disabled creation of Office 365 Groups for all end users.

Let's log in with our user.

Note that the + sign is missing.

If he tries to create a group through New Command, he will get the following error message.

 

Let's now add our user to the group.

Now he can create Office 365 Groups.

 

And the + sign is back

 

How to revert to the original settings?

Microsoft's instructions for reverting to the original configuration are to run the following lines:

$SettingId = Get-AzureADDirectorySetting -All $True | where-object {$_.DisplayName -eq "Group.Unified"}
Remove-AzureADDirectorySetting -Id $SettingId.Id

I ran this on my tenant. I was able to delete the configuration, but all client settings were unchanged.

None of the users were able to create Office 365 Groups even though we deleted the whole configuration.
So I came up with a proper way to revert to the original configuration.

Run the following PowerShell lines to revert the configuration for EnableGroupCreation and GroupCreationAllowedGroupId

$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting["EnableGroupCreation"] = $True
$Setting["GroupCreationAllowedGroupId"] = $null
Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting

Now you can use the original Microsoft commands to delete the configuration

$SettingId = Get-AzureADDirectorySetting -All $True | where-object {$_.DisplayName -eq "Group.Unified"}
Remove-AzureADDirectorySetting -Id $SettingId.Id

 

After running these commands, all configuration is reverted and all users can create Office 365 Groups as before.


About The Author

Dan is an Azure Technical Advisor, with over a dozen years of IT experience, specializing in Microsoft Office 365, Exchange Server, Azure IaaS and Active Directory.

4 Comments

  1. Djawad Souci
    30/10/2019 at 13:40 · Reply

    Hi, thank you for this very informative article.
    Can end-users still create Teams, if we disable the “creation of O365 Groups” in Outlook ?

    • Dan Djurasovic
      02/12/2019 at 03:11 · Reply

      No, they cannot. Teams need an Office 365 group.

  2. Jim
    15/10/2020 at 16:15 · Reply

    Thank you! I’ve been looking at the crap Microsoft calls “documentation”. Even though I’m trying to do something else, this article pointed me at exactly the right bit of info I needed to figure out the missing element for what I’m doing.

    Boo to Microsoft “documentation” that leaves huge holes…or is sometimes just flat out wrong — and yea to Dan for an article that has great info!

  3. NHKL
    11/07/2021 at 03:08 · Reply

    Thank you. I’m trying to do this but my GroupCreationAllowedGroupId value still blank. Can you help me ?
