Manage Office 365 Group Creation

Summary: How to manage who can create groups in Office 365.
Date: Around 2018
Refactor: 8 March 2025: Checked links and formatting.

I followed these steps to restrict users from creating Office 365 Groups:

Install Azure AD Preview

PS C:\Windows\system32> Get-InstalledModule
Version    Name                                Repository           Description
-------    ----                                ----------           -----------
1.1.183.8  MSOnline                            PSGallery            Microsoft Azure Active Directory Module for Wind...
 
PS C:\Windows\system32> install-module azureadpreview
Untrusted repository
You are installing the modules from an untrusted repository. If you trust this repository, change its
InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from
'PSGallery'?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): Y
 
PS C:\Windows\system32> Get-InstalledModule
Version    Name                                Repository           Description
-------    ----                                ----------           -----------
2.0.2.5    AzureADPreview                      PSGallery            Azure Active Directory V2 Preview Module. ...
1.1.183.8  MSOnline                            PSGallery            Microsoft Azure Active Directory Module for Wind...
 
PS C:\Windows\system32> import-module AzureADPreview

Connect To Office365 / Azure Tenant

Note that if you enabled the MFA requirement for admins, you need MFA to log on as an administrator:

PS C:\Windows\system32> connect-azuread
Account        Environment TenantId                             TenantDomain       AccountType
-------        ----------- --------                             ------------       -----------
sjoerd@getshifting.com AzureCloud  054d1a1f-e019-4fd7-8455-4fce0f07c7d5 getshifting.onmicrosoft.com User

Find Object ID of Active Directory Security Group

You don't really need the object ID, unless you want to check that the correct security group is enabled for Office 365 Group creation:

PS C:\Windows\system32> Get-AzureADGroup -SearchString "Office365_GroupManagement"
ObjectId                             DisplayName                  Description
--------                             -----------                  -----------
8e72b950-35c0-46eb-96cf-979d2ac84230 Office365_GroupManagement Manage Office365 Group Creation

Enable AD Security Group for Office 365 Group Creation

PS C:\Windows\system32> $Template = Get-AzureADDirectorySettingTemplate | where {$_.DisplayName -eq 'Group.Unified'}
PS C:\Windows\system32> $Setting = $Template.CreateDirectorySetting()
PS C:\Windows\system32> $Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
PS C:\Windows\system32> $Setting["EnableGroupCreation"] = $False
PS C:\Windows\system32> $Setting["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString "Office365_GroupManagement" ).objectid
PS C:\Windows\system32> Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting

Note that I skipped step 3 (New-AzureADDirectorySetting -DirectorySetting $Setting) as it was irrelevant for my environment.
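
The same change as a re-runnable function, added here as an example and not the author's own code. It covers the case where the tenant has no Group.Unified settings object yet (where the New-AzureADDirectorySetting step is needed) and refuses to continue unless exactly one security group matches the name. The function and parameter names are hypothetical, and it assumes AzureADPreview is imported and Connect-AzureAD has been run as above.

```powershell
# Added example (not the author's code). Assumes AzureADPreview is imported and
# Connect-AzureAD has been run. Function and parameter names are hypothetical.
function Set-GroupCreationRestriction {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$AllowedGroupName
    )

    # -SearchString can return more than one group; require exactly one
    # security-enabled group whose display name matches exactly.
    $group = @(Get-AzureADGroup -SearchString $AllowedGroupName |
        Where-Object { $_.DisplayName -eq $AllowedGroupName -and $_.SecurityEnabled })
    if ($group.Count -ne 1) {
        throw "Expected one security group named '$AllowedGroupName', found $($group.Count)."
    }

    # If the tenant has no Group.Unified settings object yet, create one from
    # the template (the New-AzureADDirectorySetting step), then re-read it.
    $current = Get-AzureADDirectorySetting | Where-Object DisplayName -EQ 'Group.Unified'
    if (-not $current) {
        $template = Get-AzureADDirectorySettingTemplate |
            Where-Object DisplayName -EQ 'Group.Unified'
        New-AzureADDirectorySetting -DirectorySetting $template.CreateDirectorySetting() | Out-Null
        $current = Get-AzureADDirectorySetting | Where-Object DisplayName -EQ 'Group.Unified'
    }

    $setting = Get-AzureADDirectorySetting -Id $current.Id
    $setting['EnableGroupCreation'] = $false
    $setting['GroupCreationAllowedGroupId'] = $group[0].ObjectId
    Set-AzureADDirectorySetting -Id $current.Id -DirectorySetting $setting

    # Read the values back from the tenant and fail loudly on a mismatch.
    $applied = @{}
    (Get-AzureADDirectorySetting -Id $current.Id).Values |
        ForEach-Object { $applied[$_.Name] = [string]$_.Value }
    if ($applied['EnableGroupCreation'] -ne 'False' -or
        $applied['GroupCreationAllowedGroupId'] -ne $group[0].ObjectId) {
        throw 'Group.Unified was written but does not contain the expected values.'
    }
    [pscustomobject]@{
        EnableGroupCreation         = $applied['EnableGroupCreation']
        GroupCreationAllowedGroupId = $applied['GroupCreationAllowedGroupId']
        AllowedGroup                = $group[0].DisplayName
    }
}

Set-GroupCreationRestriction -AllowedGroupName 'Office365_GroupManagement'
```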

Check the Setting

PS C:\Windows\system32> (Get-AzureADDirectorySetting).Values
Name                          Value
----                          -----
CustomBlockedWordsList
EnableMSStandardBlockedWords  false
ClassificationDescriptions
DefaultClassification
PrefixSuffixNamingRequirement
AllowGuestsToBeGroupOwner     false
AllowGuestsToAccessGroups     False
GuestUsageGuidelinesUrl
GroupCreationAllowedGroupId   8e72b950-35c0-46eb-96cf-979d2ac84230
AllowToAddGuests              True
UsageGuidelinesUrl
ClassificationList
EnableGroupCreation           False

These settings are the ones you need:

Useful Links