Manage Office 365 Group Creation
Summary: How to manage who can create groups in Office 365.
Date: Around 2018
Refactor: 8 March 2025: Checked links and formatting.
I followed these steps to restrict users from creating Office 365 Groups:
Install Azure AD Preview
    PS C:\Windows\system32> Get-InstalledModule

    Version    Name            Repository  Description
    -------    ----            ----------  -----------
    1.1.183.8  MSOnline        PSGallery   Microsoft Azure Active Directory Module for Wind...

    PS C:\Windows\system32> install-module azureadpreview

    Untrusted repository
    You are installing the modules from an untrusted repository. If you trust this repository, change its
    InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from
    'PSGallery'?
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): Y

    PS C:\Windows\system32> Get-InstalledModule

    Version    Name            Repository  Description
    -------    ----            ----------  -----------
    2.0.2.5    AzureADPreview  PSGallery   Azure Active Directory V2 Preview Module. ...
    1.1.183.8  MSOnline        PSGallery   Microsoft Azure Active Directory Module for Wind...

    PS C:\Windows\system32> import-module AzureADPreview
Connect To Office365 / Azure Tenant
Note that if you enabled the MFA requirement for admins, you need MFA to log on as an administrator:

    PS C:\Windows\system32> connect-azuread

    Account                 Environment  TenantId                              TenantDomain                 AccountType
    -------                 -----------  --------                              ------------                 -----------
    sjoerd@getshifting.com  AzureCloud   054d1a1f-e019-4fd7-8455-4fce0f07c7d5  getshifting.onmicrosoft.com  User
Find Object ID of Active Directory Security Group
You don't strictly need the object ID, unless you want to check that the correct security group is enabled for Office 365 Group creation:
    PS C:\Windows\system32> Get-AzureADGroup -SearchString "Office365_GroupManagement"

    ObjectId                              DisplayName                Description
    --------                              -----------                -----------
    8e72b950-35c0-46eb-96cf-979d2ac84230  Office365_GroupManagement  Manage Office365 Group Creation
Enable AD Security Group for Office 365 Group Creation
    PS C:\Windows\system32> $Template = Get-AzureADDirectorySettingTemplate | where {$_.DisplayName -eq 'Group.Unified'}
    PS C:\Windows\system32> $Setting = $Template.CreateDirectorySetting()
    PS C:\Windows\system32> $Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
    PS C:\Windows\system32> $Setting["EnableGroupCreation"] = $False
    PS C:\Windows\system32> $Setting["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString "Office365_GroupManagement" ).objectid
    PS C:\Windows\system32> Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting
Note that I skipped step 3, New-AzureADDirectorySetting -DirectorySetting $Setting, as it was irrelevant for my environment.
Check the Setting
    PS C:\Windows\system32> (Get-AzureADDirectorySetting).Values

    Name                           Value
    ----                           -----
    CustomBlockedWordsList
    EnableMSStandardBlockedWords   false
    ClassificationDescriptions
    DefaultClassification
    PrefixSuffixNamingRequirement
    AllowGuestsToBeGroupOwner      false
    AllowGuestsToAccessGroups      False
    GuestUsageGuidelinesUrl
    GroupCreationAllowedGroupId    8e72b950-35c0-46eb-96cf-979d2ac84230
    AllowToAddGuests               True
    UsageGuidelinesUrl
    ClassificationList
    EnableGroupCreation            False
These settings are the ones you need:
- GroupCreationAllowedGroupId 8e72b950-35c0-46eb-96cf-979d2ac84230
  - This is the object ID of the AD Security Group that is enabled for Office 365 Group Management
- EnableGroupCreation False
  - This setting prevents the creation of Office365 groups by other users.
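
An added example, not part of the original page: an idempotent version of the steps above that also covers the New-AzureADDirectorySetting case (no Group.Unified settings object in the tenant yet), reads the result back and lists who can still create groups. It assumes the AzureADPreview module is imported and Connect-AzureAD has been run; the variable names are illustrative.

```powershell
# Added example: assumes AzureADPreview is imported and Connect-AzureAD has been run.
$GroupName = 'Office365_GroupManagement'   # security group name used on this page

# -SearchString is not an exact match and can return several groups, so
# require exactly one group whose DisplayName matches in full.
$Group = @(Get-AzureADGroup -SearchString $GroupName |
    Where-Object DisplayName -eq $GroupName)
if ($Group.Count -ne 1) {
    throw "Expected exactly one group named '$GroupName', found $($Group.Count)."
}
$GroupId = $Group[0].ObjectId

# Reuse the tenant's Group.Unified settings object when it exists; otherwise
# build one from the template (the New-AzureADDirectorySetting case).
$Existing = Get-AzureADDirectorySetting | Where-Object DisplayName -eq 'Group.Unified'
if ($Existing) {
    $Setting = $Existing
} else {
    $Template = Get-AzureADDirectorySettingTemplate |
        Where-Object DisplayName -eq 'Group.Unified'
    $Setting = $Template.CreateDirectorySetting()
}

$Setting['EnableGroupCreation'] = $false
$Setting['GroupCreationAllowedGroupId'] = $GroupId

if ($Existing) {
    Set-AzureADDirectorySetting -Id $Existing.Id -DirectorySetting $Setting
} else {
    New-AzureADDirectorySetting -DirectorySetting $Setting | Out-Null
}

# Read the setting back and fail loudly if the tenant does not hold the
# restricted values (setting values are returned as strings).
$Applied = Get-AzureADDirectorySetting | Where-Object DisplayName -eq 'Group.Unified'
if ($Applied['EnableGroupCreation'] -ne 'False' -or
    $Applied['GroupCreationAllowedGroupId'] -ne $GroupId) {
    throw 'Group.Unified does not restrict group creation to the expected group.'
}

# Members listed here keep the right to create Office 365 Groups; review the list regularly.
Get-AzureADGroupMember -ObjectId $GroupId -All $true |
    Select-Object DisplayName, UserPrincipalName, ObjectType
```

Microsoft has since deprecated the AzureAD and AzureADPreview modules in favour of Microsoft Graph PowerShell, so this matches the tooling of the page's era.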
Useful Links