June 17, 2016 4 min to read

Disable Office 365 Group Creation in Azure AD

By default all users in Office 365 have the permission to create Office 365 Groups, quickly and easily through their outlook web access portal. This is because, Office 365 Groups are intended to be created and managed by both admins and end users, to inculcate better collaboration among the team members of a project or students and staffs. However in some organizations, they practice strong security policy, as a result they require Office 365 Group creation to be controlled only by specific users.

In our previous blog, we dealt with controlling Office365 Group creation permission using OwaMailboxPolicy, which disables creating Office 365 groups only from outlook web access portal. But there are other end points such as Planner, Power BI, etc. from which Office365 Groups are created. Hence, in this blog we share steps to disable Office 365 Group creation for all users completely and allow only for certain users using Azure AD cmdlets - New-MsolSettings, Set-MsolSettings as follows,

• Disable Office 365 Group creation for All Users and Enable only for a Specific Security Group
• Switch Permission to another Security Group
• Re-Enable Office365 Group creation for All Users

NOTE :

• ** Members of following Security Groups will not be affected by following PowerShell scripts, such as they will continue to have permission to create Office 365 Groups.
  • Company Administrator
  • User Account Administrator
  • Mailbox Administrator
  • Partner Tier1 Support
  • Partner Tier2 Support
  • Directory Writers

Prerequisites

Before starting the process, download and install Azure AD PowerShell module version - 1.1.117.0 from this link. Then execute the script in PowerShell (with Run as Administrator privilege) by connecting to MsolService as global admin.

Details to be collected prior to script execution

Following details need to be collected prior to executing the following scripts,

• Open PowerShell and connect to MsolService (Connect-MsolService) as global admin.
• First, get the directory setting - TemplateId associated with tenant, using cmdlet - Get-AllMsolSettings as,

TemplateId is the unique string ID of the directory setting template and its value should be used when updating setting.

• Get the ObjectId for Security Groups to be enabled with Office 365 Group creation using cmdlet - Get-MsolGroup.

PowerShell Script

Disable Office 365 Group creation for All Users and Enable only for a Specific Security Group

Following PowerShell script is used to disable Office365 Group creation for all users and enable only for a Specific Security Group. This script uses New-MsolSettings cmdlet to create a directory setting in Azure Active Directory to disable Office365 Group creation for all users by providing value for [“EnableGroupCreation”] as “false” and enable only for a specific security group (SecurityGroup1) by providing its object ID (d5c8f8cb-2995-41b7-af01-c3e71d2d4e14).

$Gpmodify = Get-MsolSettingTemplate -TemplateId 62375ab9-6b52-47ed-826b-58e47e0e304b
$Setobj = $Gpmodify.CreateSettingsObject()
$Setobj[“EnableGroupCreation”] = “false”
$Setobj[“GroupCreationAllowedGroupId”] = "d5c8f8cb-2995-41b7-af01-c3e71d2d4e14"
New-MsolSettings –SettingsObject $Setobj

Switch Permission to another Security Group

After enabling a security group with permission to create Office 365 Groups, if you need to switch the permission to another group, you can use the following PowerShell script. This script uses Set-MsolSettings cmdlet to update the existing directory setting in Azure Active Directory to switch permission to create Office 365 Groups to another security group (SecurityGroup2) by providing its object ID (38ee393c-5d1b-4c21-ad64-589384e496bf).

$OrginSetting = Get-MsolAllSettings
$Setobj = $OrginSetting.GetSettingsValue()
$Setobj[“GroupCreationAllowedGroupId”] = "38ee393c-5d1b-4c21-ad64-589384e496bf"
Set-MsolSettings -SettingId $OrginSetting.ObjectId -SettingsValue $Setobj 

You can confirm permission status for Office 365 Group creation using following PowerShell commands,

$UnifiedGp = Get-MsolAllSettings | where-object {$_.displayname -eq "Group.Unified"}
$UnifiedGp.values

The output of the above commands, as highlighted in the above screenshot confirms the current status, i.e. Office 365 Group creation is disabled for tenant, but only enabled for SecurityGroup2 (38ee393c-5d1b-4c21-ad64-589384e496bf).

Re-Enable Office365 Group creation for All Users

Finally, if you need to re-enable Office365 Group creation for all users, you can use the following PowerShell script. This script uses Set-MsolSettings cmdlet to update the existing directory setting in Azure Active Directory to re-enable Office365 Group creation for all users by providing value for [“EnableGroupCreation”] as “true”.

$OrginSetting = Get-MsolAllSettings
$Setobj = $OrginSetting.GetSettingsValue()
$Setobj[“EnableGroupCreation”] = “true”
Set-MsolSettings -SettingId $OrginSetting.ObjectId -SettingsValue $Setobj

NOTE If you enable a security group for Office 365 Group creation using Azure AD cmdlet, which was already disabled for Office 365 Group creation using cmdlet - Set-OwaMailboxPolicy, then the OwaMailboxPolicy takes precedence, as a result members of that security group will not be able to create Office 365 Groups from their outlook web access portal.