Control Office365 Group creation permission using OwaMailboxPolicy

The use of Office365 Groups is gaining momentum, especially across
large educational institutions. These institutions want to introduce
better collaboration among students and staff. They are already using
OneNote for Classroom, and they are slowly introducing Office365 Groups.
Office365 Groups share a calendar, files and OneNote.

There is a particular scenario where the admins in these institutions
want to control the usage of Office365 Groups, so that only certain
members are entitled to create them. By default, all users have
permission to create Office365 Groups. The admins also want to
follow naming conventions for the groups, for example prefixing the
department name to the group name, such as Maths_Everyone, Maths_Grade7 etc.

The objectives of this blog are:

  • Restrict the permission to create Office365 Groups to a set of users
    in a security group
  • Impose a naming convention for newly created Office365 Groups

Restricting the permission for creating Office365 Groups:

To do this we will use the PowerShell cmdlets related to
OwaMailboxPolicy. The parameter “GroupCreationEnabled” controls the
permission to create Office365 Groups.

  1. Remove the default permission to create Office365 Groups from
     the default mailbox policy (OwaMailboxPolicy-Default)
  2. Create a new mailbox policy with “GroupCreationEnabled” set to True
  3. Assign this new mailbox policy to the members of the security group
     who can create Office365 Groups

Below is the PowerShell script to do this. Replace the new OWA mailbox
policy name and the security group name in the script accordingly.

    $policyName = "OWAPolicyName"

    $securityGroupName = "securityGroupName"

    # Disable the permission of Office365 Group creation in the default policy
    Set-OwaMailboxPolicy -Identity "OwaMailboxPolicy-Default" -GroupCreationEnabled $false

    # Create a new policy with Office365 Group creation enabled
    New-OwaMailboxPolicy -Name $policyName

    Set-OwaMailboxPolicy -Identity $policyName -GroupCreationEnabled $true

    # Assign the new policy to each current member of the required security group
    Get-DistributionGroupMember -Identity $securityGroupName | Set-CASMailbox -OWAMailboxPolicy $policyName

Note: It will take up to 1 hour for the OwaMailboxPolicy settings to be
reflected in the individual user settings.
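
The last line of the script assigns the policy only to the mailboxes that are members of the security group when it runs, so later membership changes are not picked up. The following added example (not part of the original post) compares effective policy against group membership to report that drift; the function name `Get-GroupCreationDrift`, the finding labels and the `example.edu` sample objects are hypothetical and constructed for illustration.

```powershell
# Added example: all sample objects below are constructed, not real tenant data.
function Get-GroupCreationDrift {
    param(
        [object[]]$Policies,      # same shape as Get-OwaMailboxPolicy output
        [object[]]$CasMailboxes,  # same shape as Get-CASMailbox output
        [string[]]$AllowedUsers   # PrimarySmtpAddress of each security group member
    )
    # Map policy name -> whether it permits Office365 Group creation
    $canCreate = @{}
    foreach ($p in $Policies) { $canCreate["$($p.Name)"] = [bool]$p.GroupCreationEnabled }
    # A mailbox with no explicit policy falls back to the default policy
    $defaultName = ($Policies | Where-Object { $_.IsDefault } | Select-Object -First 1).Name
    $allowed = @($AllowedUsers | ForEach-Object { $_.ToLower() })

    foreach ($mbx in $CasMailboxes) {
        $user   = "$($mbx.PrimarySmtpAddress)".ToLower()
        $policy = "$($mbx.OwaMailboxPolicy)"
        if (-not $policy) { $policy = "$defaultName" }
        $enabled = [bool]$canCreate[$policy]   # unknown policy name counts as disabled
        $inGroup = $allowed -contains $user
        if ($enabled -and -not $inGroup)     { $finding = 'CanCreateButNotInGroup' }
        elseif ($inGroup -and -not $enabled) { $finding = 'InGroupButCannotCreate' }
        else { continue }                    # policy and membership agree
        [pscustomobject]@{ User = $user; Policy = $policy; Finding = $finding }
    }
}

# Constructed sample: teacher2 joined the group after the script ran,
# student1 was removed from the group but still carries the permissive policy.
$policies = @(
    [pscustomobject]@{ Name = 'OwaMailboxPolicy-Default'; GroupCreationEnabled = $false; IsDefault = $true }
    [pscustomobject]@{ Name = 'OWAPolicyName'; GroupCreationEnabled = $true; IsDefault = $false }
)
$cas = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'teacher1@example.edu'; OwaMailboxPolicy = 'OWAPolicyName' }
    [pscustomobject]@{ PrimarySmtpAddress = 'teacher2@example.edu'; OwaMailboxPolicy = $null }
    [pscustomobject]@{ PrimarySmtpAddress = 'student1@example.edu'; OwaMailboxPolicy = 'OWAPolicyName' }
    [pscustomobject]@{ PrimarySmtpAddress = 'student2@example.edu'; OwaMailboxPolicy = 'OwaMailboxPolicy-Default' }
)
$members = 'teacher1@example.edu', 'teacher2@example.edu'
Get-GroupCreationDrift -Policies $policies -CasMailboxes $cas -AllowedUsers $members | Format-Table

# Against a live Exchange Online session, feed the real cmdlet output instead:
# Get-GroupCreationDrift -Policies (Get-OwaMailboxPolicy) `
#     -CasMailboxes (Get-CASMailbox -ResultSize Unlimited) `
#     -AllowedUsers (Get-DistributionGroupMember -Identity $securityGroupName).PrimarySmtpAddress
```

Running the check on a schedule and re-applying `Set-CASMailbox` for the reported mailboxes keeps the permission aligned with the security group.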

Imposing a naming convention for new Office365 Groups at creation

The “Group Naming Policy” available for distribution groups can also be
used for Office365 Groups. To do this:

  1. Go to the Exchange admin center from the Office365 admin portal
  2. Click “recipients” in the left-side panel and select “groups”
  3. Click “…” and select “Configure group naming policy”

The group naming policy has two parts:

  1. Prefix and suffix
  2. Blocked words for the group name

For the prefix and suffix we can use either generic text or an attribute
value from the user who creates the group.
