By default, all users in Office 365 have permission to create Office
365 Groups quickly and easily through the Outlook Web Access portal.
This is because Office 365 Groups are intended to be created and
managed by both admins and end users, to foster better collaboration
among the team members of a project, or among students and staff.
However, organizations with a strong security policy may require
Office 365 Group creation to be restricted to specific users.
In our previous blog, we dealt with controlling Office 365 Group
creation permission using OwaMailboxPolicy, which disables creating
Office 365 Groups only from the Outlook Web Access portal. But there
are other endpoints, such as Planner, Power BI, etc., from which
Office 365 Groups can be created.
Hence, in this blog we share the steps to disable Office 365 Group
creation completely for all users and allow it only for certain users,
using the Azure AD cmdlets New-MsolSettings and Set-MsolSettings, as
follows:
- Disable Office 365 Group creation for All Users and Enable only for
a Specific Security Group
- Switch Permission to another Security Group
- Re-Enable Office365 Group creation for All Users
NOTE:
Members of the following security groups are not affected by the
PowerShell scripts below; they will continue to have permission to
create Office 365 Groups:
- Company Administrator
- User Account Administrator
- Mailbox Administrator
- Partner Tier1 Support
- Partner Tier2 Support
- Directory Writers

Prerequisites
Before starting the process, download and install Azure AD PowerShell
module version 1.1.117.0 from this link.
Then execute the scripts in PowerShell (with Run as Administrator
privilege) after connecting to MsolService as global admin.

Details to be collected prior to script execution
The following details need to be collected before executing the
scripts below:
- Open PowerShell and connect to MsolService (Connect-MsolService) as
global admin.
- First, get the TemplateId of the directory setting associated with
the tenant, using the cmdlet Get-MsolAllSettings:

    Get-MsolAllSettings | select TemplateId | fl

TemplateId is the unique string ID of the directory setting template,
and its value should be used when updating the setting.
- Get the ObjectId of the security group to be enabled for Office
365 Group creation, using the cmdlet Get-MsolGroup.

PowerShell Script

Disable Office 365 Group creation for All Users and Enable only for a
Specific Security Group
The following PowerShell script disables Office 365 Group creation
for all users and enables it only for a specific security group. The
script uses the New-MsolSettings cmdlet to create a directory setting
in Azure Active Directory that disables Office 365 Group creation for
all users by setting ["EnableGroupCreation"] to "false", and enables it
only for a specific security group (SecurityGroup1) by providing its
object ID (d5c8f8cb-2995-41b7-af01-c3e71d2d4e14).

    # Build a new settings object from the directory setting template
    $Gpmodify = Get-MsolSettingTemplate -TemplateId 62375ab9-6b52-47ed-826b-58e47e0e304b
    $Setobj = $Gpmodify.CreateSettingsObject()
    # Disable group creation tenant-wide, then allow it for one security group
    $Setobj["EnableGroupCreation"] = "false"
    $Setobj["GroupCreationAllowedGroupId"] = "d5c8f8cb-2995-41b7-af01-c3e71d2d4e14"
    # Create the directory setting in Azure Active Directory
    New-MsolSettings -SettingsObject $Setobj

Switch Permission to another Security Group
After enabling a security group with permission to create Office 365
Groups, if you need to switch the permission to another group, you can
use the following PowerShell script. The script uses the
Set-MsolSettings cmdlet to update the existing directory setting in
Azure Active Directory, switching permission to create Office 365
Groups to another security group (SecurityGroup2) by providing its
object ID (38ee393c-5d1b-4c21-ad64-589384e496bf).

    # Select the Group.Unified setting; Get-MsolAllSettings can return other settings too
    $OrginSetting = Get-MsolAllSettings | Where-Object { $_.DisplayName -eq "Group.Unified" }
    $Setobj = $OrginSetting.GetSettingsValue()
    # Point the allowed-group value at the new security group
    $Setobj["GroupCreationAllowedGroupId"] = "38ee393c-5d1b-4c21-ad64-589384e496bf"
    Set-MsolSettings -SettingId $OrginSetting.ObjectId -SettingsValue $Setobj

You can confirm the permission status for Office 365 Group creation
using the following PowerShell commands:

    $UnifiedGp = Get-MsolAllSettings | Where-Object { $_.DisplayName -eq "Group.Unified" }
    $UnifiedGp.Values

The output of the above commands, as highlighted in the above
screenshot, confirms the current status, i.e. Office 365 Group creation
is disabled for the tenant and enabled only for SecurityGroup2
(38ee393c-5d1b-4c21-ad64-589384e496bf).

Re-Enable Office365 Group creation for All Users
Finally, if you need to re-enable Office 365 Group creation for all
users, you can use the following PowerShell script. The script uses
the Set-MsolSettings cmdlet to update the existing directory setting in
Azure Active Directory, re-enabling Office 365 Group creation for all
users by setting ["EnableGroupCreation"] to "true".

    # Select the Group.Unified setting; Get-MsolAllSettings can return other settings too
    $OrginSetting = Get-MsolAllSettings | Where-Object { $_.DisplayName -eq "Group.Unified" }
    $Setobj = $OrginSetting.GetSettingsValue()
    # Allow every user to create Office 365 Groups again
    $Setobj["EnableGroupCreation"] = "true"
    Set-MsolSettings -SettingId $OrginSetting.ObjectId -SettingsValue $Setobj

NOTE
If you use the Azure AD cmdlets to enable Office 365 Group creation
for a security group whose members were already blocked from creating
Office 365 Groups with the Set-OwaMailboxPolicy cmdlet, the
OwaMailboxPolicy takes precedence. As a result, members of that
security group will not be able to create Office 365 Groups from the
Outlook Web Access portal.
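
The three scripts above assume you know whether the Group.Unified setting already exists (New-MsolSettings for the first run, Set-MsolSettings afterwards). The following is an added example, not part of the original post, that wraps the same cmdlets into one create-or-update function, checks the target group first and reads the setting back. Set-GroupCreationRestriction is a hypothetical helper name; the code assumes an active Connect-MsolService session, the module version named under Prerequisites, and that the settings object can be read with the same indexer the scripts above use to write it.

```powershell
# Added example (not from the original post). Set-GroupCreationRestriction is a
# hypothetical helper; it only calls cmdlets already used on this page.
function Set-GroupCreationRestriction {
    param(
        [Parameter(Mandatory)] [guid] $TemplateId,      # collected with Get-MsolAllSettings
        [Parameter(Mandatory)] [guid] $AllowedGroupId   # ObjectId collected with Get-MsolGroup
    )

    # Refuse to point the setting at a missing group or a non-security group.
    $group = Get-MsolGroup -ObjectId $AllowedGroupId -ErrorAction Stop
    if (-not $group) { throw "No group found with ObjectId $AllowedGroupId." }
    if ($group.GroupType -ne 'Security') {
        throw "Group '$($group.DisplayName)' has type $($group.GroupType); expected Security."
    }

    # Reuse the existing Group.Unified setting if present, otherwise start from the template.
    $existing = Get-MsolAllSettings | Where-Object { $_.DisplayName -eq 'Group.Unified' }
    if ($existing) {
        $values = $existing.GetSettingsValue()
    } else {
        $values = (Get-MsolSettingTemplate -TemplateId $TemplateId).CreateSettingsObject()
    }
    $values['EnableGroupCreation'] = 'false'
    $values['GroupCreationAllowedGroupId'] = $AllowedGroupId.ToString()

    if ($existing) {
        Set-MsolSettings -SettingId $existing.ObjectId -SettingsValue $values
    } else {
        New-MsolSettings -SettingsObject $values
    }

    # Read the setting back and fail loudly if the tenant does not show the requested values.
    # Assumption: the settings value object supports reads through the same indexer.
    $applied = (Get-MsolAllSettings |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }).GetSettingsValue()
    if ($applied['EnableGroupCreation'] -ne 'false' -or
        $applied['GroupCreationAllowedGroupId'] -ne $AllowedGroupId.ToString()) {
        throw 'Group.Unified setting does not match the requested values.'
    }
    $applied
}

# Usage with the IDs shown in the scripts above:
# Set-GroupCreationRestriction -TemplateId 62375ab9-6b52-47ed-826b-58e47e0e304b `
#     -AllowedGroupId d5c8f8cb-2995-41b7-af01-c3e71d2d4e14
```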








