How to Disable Office 365 Group Creation using PowerShell?
Requirement: Disable Office 365 Group Creation using PowerShell.
How to Disable Group Creation in Office 365?
Office 365 group is a shared workspace that lets you choose a set of people you wish to collaborate with a collection of resources such as a shared Outlook inbox, shared calendar, SharePoint document library, Yammer Group, Planner, PowerBI, OneNote, etc. While many organizations are fine with end-users creating groups, and related artifacts, some may prefer to have administrators control the creation and management of groups as part of the governance policies.
By default, end-users can create Groups in Office 365 environment. The process is simple! Create a security group and pass the group name to PowerShell. Here is how we can disable 365 group creation:
Step 1: Install the Azure AD Preview PowerShell Module:
We need to have the latest AzureADPreview PowerShell module. You can get a list of all installed PowerShell modules by:
Get-module -ListAvailable
To install the Azure AD Preview PowerShell module, Open the Windows PowerShell console as Administrator and enter:
Install-Module AzureADPreview
Please note, If you have the AzureAD module installed, You must uninstall it first and then Install AzureADPreview Module.
Step 2: Create an Active Directory Security Group
We need this security group to restrict the Office 365 group creation to the members within the particular group.
- Login to Microsoft Admin Center at https://admin.microsoft.com
- Groups >> Add a Group >> Choose “Security” >> Provide a Name to your group, Say “Office 365 Group Creators”
- Add members to this security group who you want to be able to create groups in your Office 365 tenant.
Step 3: Disable Group Creation in Office 365 using PowerShell
Alright, Once we are ready with the above steps, We should run this PowerShell script to disable Office 365 group creation for all users, except the members of the security group. Set the $GroupName parameter to the group you created and run! You’ll be prompted to login – Log in as Global Administrator.
#Parameter for AD Security Group
$GroupName = "Office 365 Group Creators"
#Connect to Azure AD
Connect-AzureAD
#Get the ID of Allowed AD Group
$GroupID = (Get-AzureADGroup -SearchString $GroupName).ObjectId
#Get the Office 365 Group Creation Settings ID
$GroupCreationSettingsID = (Get-AzureADDirectorySetting | Where-object {$_.Displayname -Eq "Group.Unified"}).Id
#Create Group Creation Settings, If it doesn't exist
If(!$GroupCreationSettingsID)
{
#Create Settings from Template
$Template = Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
$DirectorySettings = $Template.CreateDirectorySetting()
New-AzureADDirectorySetting -DirectorySetting $DirectorySettings
$GroupCreationSettingsID = (Get-AzureADDirectorySetting | Where-object {$_.Displayname -Eq "Group.Unified"}).Id
}
#Apply Settings
$GroupCreationSettings = Get-AzureADDirectorySetting -Id $GroupCreationSettingsID
$GroupCreationSettings["EnableGroupCreation"] = "False"
$GroupCreationSettings["GroupCreationAllowedGroupId"] = $GroupID
#Commit Settings
Set-AzureADDirectorySetting -Id $GroupCreationSettingsID -DirectorySetting $GroupCreationSettings
#Verify Settings
(Get-AzureADDirectorySetting -Id $GroupCreationSettingsID).Values
This disables the default ability of everyone to create new Office 365 Groups. Please note, These steps will not prevent members of specific Admin roles from creating Office 365 Groups. Say, for instance: Global admins, Exchange Admin, SharePoint Admin, Teams Service Administrator, and User Management Administrator can create Office 365 groups irrespective of the above settings from the respective admin center and other places.
Verify Group Creation Settings Changes
These changes may take some time to reflect. You can verify the new settings from any application. Here, I’m going to use Microsoft Teams.
- Login to Microsoft Teams as an end-user not part of the AD group we’ve configured >> Click on the “Join or Create Team” link at the bottom.
- You’ll get only the “Join a Team” tile. Create team tile should be hidden. (However, You’ll be allowed to create a new Team from an existing Office 365 Group based on your access rights!)
Similarly, If you try to create a group through outlook, You’ll get “Sorry, the ability to create groups has been turned off by the person who manages your email”
How do I revert these changes?
Well, just change these two lines in the above script and run it once!
$GroupCreationSettings["EnableGroupCreation"] = "True"
$GroupCreationSettings["GroupCreationAllowedGroupId"] = ""
Microsoft documentation on disabling Office 365 group creation: https://docs.microsoft.com/en-us/microsoft-365/admin/create-groups/manage-creation-of-groups
Conclusion
In summary, disabling the ability to create Office 365 Groups can be a useful measure for organizations that need to maintain strict control over their collaboration and communication channels. By preventing the creation of new groups, IT teams can better manage the number of groups in the organization and ensure that they are being used effectively, and help to reduce clutter and improve security. However, it’s also important to consider the potential drawbacks, such as limiting collaboration and flexibility for employees. Ultimately, whether or not to disable group creation will depend on the specific needs and goals of the organization.
I can´t find in the official document or anywhere a way just to check the actual status.
The script only points to change the values and when you change it, you get the new status but if you want to know which group is assigned, how can you do that? And for my particular case, I want to execute this in a tenant with only Global Reader, just want to check the actual status becasue I won´t be able to change anything.
Great info! And presnted very well. Thank you.
Does this require an Azure AD P1 licenses?
No, Just works fine with any Microsoft 365 plan.
Great website…excellent design…very accessible content…thank You