Control Office365 Group creation permission using OwaMailboxPolicy


Momentum for the use of Office365 Groups is increasing, especially across large educational institutions. These institutions want to introduce better collaboration among students and staff. They are already using OneNote for Classroom, and they are slowly introducing Office365 Groups. Office365 Groups share a calendar, files and OneNote.

There is a particular scenario where the admins in these institutions want to control the usage of Office365 Groups, so that only certain members are entitled to create them. By default, all users have permission to create Office365 Groups. The admins also want to follow naming conventions for the groups, for example prepending the department name to the group name, such as Maths_Everyone, Maths_Grade7, etc.

The objectives of this blog are

Restricting the permission for creating Office365 Groups:

To do this we will use the PowerShell cmdlets related to OwaMailboxPolicy. The parameter “GroupCreationEnabled” holds the permission for creating Office365 Groups.

  1. Remove the default permission to create Office365 Groups from the default mailbox policy (OwaMailboxPolicy-Default)
  2. Create a new mailbox policy with “GroupCreationEnabled” set to True
  3. Assign this new mailbox policy to the members of the security group who are allowed to create Office365 Groups

Below is the PowerShell script to do this. Replace the new OWA mailbox policy name and the security group name in the script accordingly.

    # Run in an Exchange Online PowerShell session.
    $policyName = "OWAPolicyName"

    $securityGroupName = "securityGroupName"

    # Disable the permission of Office365 Group creation in the default policy
    Set-OwaMailboxPolicy -Identity "OwaMailboxPolicy-Default" -GroupCreationEnabled $false

    # Create a new policy with Office365 Group creation enabled
    New-OwaMailboxPolicy -Name $policyName

    Set-OwaMailboxPolicy -Identity $policyName -GroupCreationEnabled $true

    # Assign the new policy to each current member of the required security group
    Get-DistributionGroupMember -Identity $securityGroupName | Set-CASMailbox -OwaMailboxPolicy $policyName

Note: It can take up to 1 hour for the OwaMailboxPolicy settings to be reflected in the individual user settings.
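The assignment script above applies the policy to whoever is in the security group at the moment it runs; users added to or removed from the group afterwards keep whatever policy they already had. The following added example (not part of the original post) reports that drift. The function name `Get-GroupCreationDrift` and the sample addresses are assumptions made for illustration, and the sample objects are constructed so the comparison runs without a tenant connection.

```powershell
function Get-GroupCreationDrift {
    param(
        [Parameter(Mandatory)] [string] $PolicyName,
        [object[]] $GroupMembers = @(),   # Get-DistributionGroupMember output
        [object[]] $CasMailboxes = @()    # Get-CASMailbox output
    )
    # Index the entitled users by lower-cased primary SMTP address.
    $entitled = @{}
    foreach ($m in $GroupMembers) {
        $entitled["$($m.PrimarySmtpAddress)".ToLower()] = $true
    }
    foreach ($mbx in $CasMailboxes) {
        $addr      = "$($mbx.PrimarySmtpAddress)".ToLower()
        $hasPolicy = "$($mbx.OwaMailboxPolicy)" -eq $PolicyName
        if ($entitled.ContainsKey($addr) -and -not $hasPolicy) {
            # In the group but never assigned the policy: cannot create groups.
            [pscustomobject]@{ Mailbox = $addr; Issue = 'MemberWithoutPolicy' }
        }
        elseif ($hasPolicy -and -not $entitled.ContainsKey($addr)) {
            # Holds the policy without being in the group: can still create groups.
            [pscustomobject]@{ Mailbox = $addr; Issue = 'PolicyWithoutMembership' }
        }
    }
}

# Constructed sample data (hypothetical users) so the check runs offline.
$members = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'alice@contoso.example' }
    [pscustomobject]@{ PrimarySmtpAddress = 'bob@contoso.example' }
)
$cas = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'alice@contoso.example'; OwaMailboxPolicy = 'OWAPolicyName' }
    [pscustomobject]@{ PrimarySmtpAddress = 'bob@contoso.example';   OwaMailboxPolicy = 'OwaMailboxPolicy-Default' }
    [pscustomobject]@{ PrimarySmtpAddress = 'carol@contoso.example'; OwaMailboxPolicy = 'OWAPolicyName' }
    [pscustomobject]@{ PrimarySmtpAddress = 'dave@contoso.example';  OwaMailboxPolicy = 'OwaMailboxPolicy-Default' }
)

# Against a live tenant, replace the sample data with:
#   $members = Get-DistributionGroupMember -Identity $securityGroupName -ResultSize Unlimited
#   $cas     = Get-CASMailbox -ResultSize Unlimited

# Reports bob (member without the policy) and carol (policy without membership).
Get-GroupCreationDrift -PolicyName 'OWAPolicyName' -GroupMembers $members -CasMailboxes $cas
```

Re-running the assignment line from the script fixes the `MemberWithoutPolicy` rows; the `PolicyWithoutMembership` rows need `Set-CASMailbox -OwaMailboxPolicy "OwaMailboxPolicy-Default"` on each listed mailbox.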

Imposing a naming convention on new Office365 Groups at creation

The “Group Naming Policy” available for distribution groups can also be used for Office365 Groups. To do this:

  1. Go to the Exchange admin center from the Office365 admin portal
  2. Click “recipients” in the left-side panel and select “groups”
  3. Click “…” and select “Configure group naming policy”

The group naming policy has two parts:

  1. Prefix and Suffix
  2. Blocked words for the group name.

For the prefix and suffix we can use either generic text or an attribute value from the user who creates the group.