Note: The steps will disable the ability to create Office 365 groups in all Microsoft 365 services that use groups, including:
Outlook
SharePoint
Yammer
Microsoft Teams
Microsoft Stream
Planner
PowerBI
Project for the web
Note: These steps will not prevent members of certain Administrator roles from creating Groups.
Azure AD P1 License is required
STEP 1 — CREATE SECURITY GROUP FOR USERS WHO CAN CREATE OFFICE 365 GROUP
Note: it is important that you use a Security Group and not Office 365 Group
In the admin center, go to the Groups > Groups page.
Click on Add a Group.
Choose Security as the group type. (Remember the name of the group. I will use “AllowedToCreateOffice365Group” in my example.
Finish setting up the security group, adding people or other security groups who you want to be able to create groups in your tenant
STEP 2: RUN POWERSHELL COMMANDS
Open PowerShell and run as Administrator (I prefer the PowerShell ISE) In case the script pane not showing, Click “View” on the menu bar and check “show script pane”
# Install the Azure AD Module (make sure you have the latest version)
Install-Module AzureADPreview
Note: You can run Uninstall-Module AzureADPreview to uninstall 2.0 general availability version of the Azure AD PowerShell module (AzureAD) installed, then run Install-Module AzureADPreview
Run the PowerShell below, you can run it in two ways, save the PowerShell to a file e.g AllowedToCreateOffice365Group.ps1 and run it from the path like C:\Users\UserAccount\Desktop\AllowedToCreateOffice365Group.ps1 or copy and past the PowerShell into the script pane and make the necessary modification.
$GroupName = "<SecurityGroupName>"
$AllowGroupCreation = "False"Connect-AzureAD$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
if(!$settingsObjectID)
{
$template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
$settingsCopy = $template.CreateDirectorySetting()
New-AzureADDirectorySetting -DirectorySetting $settingsCopy
$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
}$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
$settingsCopy["EnableGroupCreation"] = $AllowGroupCreationif($GroupName)
{
$settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -Filter "DisplayName eq '$GroupName'").objectId
}
else {
$settingsCopy["GroupCreationAllowedGroupId"] = $GroupName
}
Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy(Get-AzureADDirectorySetting -Id $settingsObjectID).Values
Modifications
You will need to modify the $GroupName of the script to your Office 365 security group name.
Once you run the script, it will request for Admin logon then you see output like below
Licensing requirements
To manage who creates Groups, Admin who configures these group creation settings and members of the security group who are allowed to create groups need Azure AD Premium licenses or Azure AD Basic EDU licenses assigned
The recent update as announced Here, Microsoft has shipped Azure Active Directory Premium P1 with Microsoft 365 Business Premium, other SKUs might need to purchase standalone Active Directory Premium P1, Active Directory Premium P2 or Enterprise Mobility + Security.
After running the PowerShell cmdlet, we have below
Any user that is not a member of the Security group will not be able to create Microsoft teams group or Office 365 group, which gives the Admin control over Office 365 group creation on the tenant.
If in the future you want to change which security group is used, you can rerun the script with the name of the new security group and if you decided to change you mind the following day to allow everyone to start creating groups, modify the cmdlet as below and run it again
$GroupName = “”
$AllowGroupCreation = “True”
When you run the will have below result
Comments
0 comments
Article is closed for comments.