Office 365 Groups is a collaboration service that allows groups or teams in your organization to create documents, work on project plans, send emails and schedule appointments all in one place.
The process to create an Office 365 Group is straightforward and very user-friendly and does not require involvement from IT. Some organizations may want to have a governance plan in place first and may want to restrict which users can create groups in Office 365. Below are the steps you can take to disable the creation of Office 365 Groups in your tenant.
Install the Azure AD PowerShell Module and the Online Services Sign-In Assistant.
Download and install the Preview version of the Azure AD PowerShell module.
Download Azure AD PowerShell module
You will not be able to run the Get-MsolAllSettings cmdlet if this is not installed. The Get-MsolAllSettings cmdlet will only work with the preview version and not the GA version. This is a little confusing since the GA version is higher than the preview one.
Download and install the Online Services Sign-In Assistant.
Download Microsoft Online Services Sign-In Assistant
Connect to the Office 365 service and sign in to your account.
Connect-MsolService
Check the company level setting for creating Groups in your Office 365 tenant.
Get-MsolCompanyInformation
Verify that the UsersPermissionToCreateGroupsEnabled setting is set to True.
Create a Security Group in Azure AD called “AllowedtoCreateGroups” and find the Object ID of this group.
Get-MsolGroup -SearchString "AllowedtoCreateGroups"
We can now use the ObjectID to restrict Office 365 Group Creation to this group.
Select the Office 365 Group settings template by running the following cmdlet.
$Setting = Get-MsolAllSettings | Where-Object { $_.DisplayName -eq "Group.Unified" }
$SettingId = $Setting.ObjectId
$Value = $Setting.GetSettingsValue()
Disable Group creation and restrict creation to only the group we created earlier.
$Value["GroupCreationAllowedGroupId"] = "d79b3d44-969b-429d-b5bd-3fa89e7ab7fd"
$Value["EnableGroupCreation"] = "false"
Set-MsolSettings -SettingId $SettingId -SettingsValue $Value
Verify the new settings of the template.
Get-MsolAllSettings
$setting=Get-MsolSettings -SettingId 1185dbae-cc14-4d61-9ab5-59ae7f6cca6b
$setting.values
Test this with a user who is not a member of the ‘AllowedtoCreateGroups’ security group.
You should receive the following message.
If the above steps do not work, try the following steps instead.
Get the Group Name
$GroupName = "AllowedtoCreateO365Groups"
$AllowGroupCreation = "False"
Run the following script to restrict the creation of Groups.
# Sign in to Azure AD
Connect-AzureAD
# Look up the tenant's existing Group.Unified settings object, if there is one
$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
if(!$settingsObjectID)
{
    # No settings object yet: create one from the Group.Unified template
    $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
    $settingsCopy = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $settingsCopy
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
}
# Load the current values and turn off group creation for everyone
$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
$settingsCopy["EnableGroupCreation"] = $AllowGroupCreation
if($GroupName)
{
    # Exempt the members of the named security group from the restriction
    $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).objectid
}
# Write the values back and print them to confirm the change
Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy
(Get-AzureADDirectorySetting -Id $settingsObjectID).Values
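The verification steps above only print the setting values. The following added example (not part of the original post) classifies those values so that a misapplied restriction, such as group creation disabled with no allowed group recorded, is obvious. The function name Test-GroupCreationPolicy, its state labels and the sample input are assumptions constructed here; the GUID is the one used earlier on this page.

```powershell
# Added example: classify the Name/Value pairs of the Group.Unified setting.
function Test-GroupCreationPolicy {              # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Values,   # objects exposing .Name and .Value
        [guid] $ExpectedGroupId                      # optional: ObjectId you meant to allow
    )
    $map = @{}                                   # hashtable keys are case-insensitive
    foreach ($v in $Values) { $map[$v.Name] = [string]$v.Value }

    # Values are stored as strings ("false"/"False"); an absent or unparsable
    # value is treated as "creation enabled" so it is reported, not hidden.
    $enabled = $true
    if (-not [bool]::TryParse($map['EnableGroupCreation'], [ref]$enabled)) { $enabled = $true }

    $groupId = $map['GroupCreationAllowedGroupId']
    $parsed  = [guid]::Empty
    if ($enabled) {
        $state = 'Unrestricted'        # every user can create groups
    } elseif ([string]::IsNullOrWhiteSpace($groupId)) {
        $state = 'NoAllowedGroup'      # creation is off and no group is exempted
    } elseif (-not [guid]::TryParse($groupId, [ref]$parsed)) {
        $state = 'InvalidGroupId'      # stored value is not a single GUID
    } elseif ($PSBoundParameters.ContainsKey('ExpectedGroupId') -and $parsed -ne $ExpectedGroupId) {
        $state = 'UnexpectedGroup'     # restricted, but to a different group than intended
    } else {
        $state = 'Restricted'
    }
    [pscustomobject]@{ State = $state; EnableGroupCreation = $enabled; AllowedGroupId = $groupId }
}

# Constructed sample input, shaped like the Name/Value pairs the scripts above print.
$restricted = @(
    [pscustomobject]@{ Name = 'EnableGroupCreation';         Value = 'false' }
    [pscustomobject]@{ Name = 'GroupCreationAllowedGroupId'; Value = 'd79b3d44-969b-429d-b5bd-3fa89e7ab7fd' }
)
$noGroup = @(
    [pscustomobject]@{ Name = 'EnableGroupCreation';         Value = 'False' }
    [pscustomobject]@{ Name = 'GroupCreationAllowedGroupId'; Value = '' }
)
Test-GroupCreationPolicy -Values $restricted -ExpectedGroupId 'd79b3d44-969b-429d-b5bd-3fa89e7ab7fd'
Test-GroupCreationPolicy -Values $noGroup
```

Against a live tenant, pass (Get-AzureADDirectorySetting -Id $settingsObjectID).Values as -Values. Because Get-AzureADGroup -SearchString can return no group or more than one, any State other than Restricted is worth investigating before relying on the restriction.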