Restricting Users from Creating Office 365 Groups

Microsoft is very permissive when it comes to creating Office 365 groups. The default is that everyone can create Office 365 groups. Users can create groups from several different applications, and each user can create up to 250 groups. With this kind of freedom, things can get out of control pretty quickly. Before you know it, your environment can have a plethora of Office 365 Groups that may not be useful or even used. Sometimes the old adage is true – just because they can, doesn’t always mean they should.

This is where restricting users from creating Office 365 groups comes in. You might decide that it would be better if not all your users had the ability to create Office 365 groups. Before you make this decision, there are a few things of which you need to be aware. The restriction will remove the ability to create groups in:

  • Outlook
  • SharePoint
  • Yammer
  • MS Teams (admins & users will not be able to create teams)
  • StaffHub (admins & users will not be able to create teams)
  • Planner (users will not be able to create a plan)
  • Power BI

Users with the restriction will still be able to create Team and Communication Sites; however, the Team Sites will not have an Office 365 group associated with them.

If after reviewing the consequences you decide this is the route you want to take, it is relatively simple to accomplish. Be aware that you need administrator rights and the ability to use PowerShell. Before I review the process, there is one more thing that is important to consider. If your users are restricted from creating Office 365 groups, I recommend creating a process by which users can request a new MS Team (which will create an Office 365 group, a SharePoint Team Site, a shared Mailbox and Calendar, and a OneNote Notebook). The process can be set up with the following apps:

  • Microsoft Forms – Create a form that users can complete with all the details of the MS Team they are requesting.
  • Microsoft Flow – Create a flow that triggers when the form is completed, sends responses to a SharePoint List and sends a notification to the appropriate person(s). An approval flow can also be created if necessary.
  • SharePoint List – Create a SharePoint List to store the responses from the request form.

Here’s how you do it.

Step 1:

Create/Select an Azure AD Security Group to be used as the group that will be granted permissions to create Office 365 groups. (Be sure that all owners of the group are also members of the group.)

Step 2: 

You must have PowerShellGet to install the AzureADPreview module. Learn more here – https://docs.microsoft.com/en-us/powershell/gallery/installing-psget.

Open Windows PowerShell as an administrator.

#Enter the name of the Security Group from Step 1 between the quotes
$SecurityGroup = ""

#Install AzureADPreview
Install-Module -Name AzureADPreview

#Connect to Azure Active Directory
Connect-AzureAD
#You will be prompted to enter your credentials – use admin credentials for the environment you will be working with

#Retrieve Security Group, check to see if more than one group is returned
Get-AzureADGroup -SearchString $SecurityGroup

#If more than one group is returned, run these commands
$Groups = Get-AzureADGroup -SearchString $SecurityGroup

#Get the ObjectId of the correct security group (replace 0 with the position of the correct group in $Groups)
$GroupId = $Groups[0].ObjectId

#If there is one group returned, run this command
$GroupId = (Get-AzureADGroup -SearchString $SecurityGroup).ObjectId

#Retrieve directory setting template for Group.Unified
$Template = Get-AzureADDirectorySettingTemplate | where {$_.DisplayName -eq "Group.Unified"}

#Create a new Directory Setting
$Setting = $Template.CreateDirectorySetting()
New-AzureADDirectorySetting -DirectorySetting $Setting #If you get an error after this command, just skip to the next command
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id

#Remove permissions to create O365 groups
$Setting["EnableGroupCreation"] = $False

#Allow Security Group to create O365 groups
$Setting["GroupCreationAllowedGroupId"] = $GroupId

#Add new settings to Directory Setting
Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting

#Check Settings, you should see "EnableGroupCreation" set to false, and "GroupCreationAllowedGroupId" set to the ObjectId of the Security Group
(Get-AzureADDirectorySetting).Values

#When you are finished, disconnect from AzureAD
Disconnect-AzureAD

Step 3:

Verify that it worked.

Sign in to Office 365 as someone who isn’t in the chosen Security Group.

Choose the Planner tile.

Choose “+New Plan”

You should get a message that you can’t create a plan.

If it didn’t work, you may need to change the settings in your OWA mailbox policy. See Step 4.

Step 4:

Change the settings of your OWA mailbox policy.

Open Windows PowerShell as an administrator.

#Connect to Exchange
$UserCredential = Get-Credential
#You will be prompted to enter your credentials – use admin credentials for the environment you will be working in

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking

#Retrieve a list of OwaMailbox Policies
Get-OwaMailboxPolicy

#Enter the name of the chosen policy between the quotes below
$OwaMailboxPolicy = ""

#Get detailed information for the chosen policy
Get-OwaMailboxPolicy -Identity $OwaMailboxPolicy | Format-List

#Look for the "GroupCreationEnabled" property. If it is set to true, you need to change it. Run this command.
Set-OwaMailboxPolicy -Identity $OwaMailboxPolicy -GroupCreationEnabled $false

#Check to make sure it worked.
Get-OwaMailboxPolicy -Identity $OwaMailboxPolicy | Format-List

Remove-PSSession $Session
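The checks from Steps 1 through 4 can be collected into one audit function; this is an added example, not part of the original post. The function name Test-GroupCreationRestriction and the sample IDs are hypothetical, and the sample objects are constructed so the block runs without a tenant connection.

```powershell
# Added example: evaluates the state that Steps 1-4 are meant to produce.
# Works on plain objects; the comments name the cmdlet that supplies each input.
function Test-GroupCreationRestriction {
    param(
        [object[]]$SettingValues,     # .Values of the Group.Unified directory setting
        [string]$ExpectedGroupId,     # ObjectId of the Security Group from Step 1
        [object[]]$Owners = @(),      # Get-AzureADGroupOwner  -ObjectId $GroupId -All $true
        [object[]]$Members = @(),     # Get-AzureADGroupMember -ObjectId $GroupId -All $true
        [object[]]$OwaPolicies = @()  # Get-OwaMailboxPolicy
    )
    $findings = @()
    $values = @{}
    foreach ($v in $SettingValues) { $values[$v.Name] = [string]$v.Value }
    if ($values['EnableGroupCreation'] -ne 'false') {
        $findings += 'EnableGroupCreation is not false: every user can still create groups'
    }
    $allowed = $values['GroupCreationAllowedGroupId']
    if ([string]::IsNullOrWhiteSpace($allowed)) {
        $findings += 'GroupCreationAllowedGroupId is empty: no Security Group is allowed to create groups'
    } elseif ($allowed -ne $ExpectedGroupId) {
        $findings += "GroupCreationAllowedGroupId is $allowed, expected $ExpectedGroupId"
    }
    # Step 1: every owner of the Security Group must also be a member
    $memberIds = @($Members | ForEach-Object { $_.ObjectId })
    foreach ($o in $Owners) {
        if ($memberIds -notcontains $o.ObjectId) {
            $findings += "Owner $($o.DisplayName) is not a member of the Security Group"
        }
    }
    # Step 4: no OWA mailbox policy should still allow group creation
    foreach ($p in $OwaPolicies) {
        if ($p.GroupCreationEnabled) {
            $findings += "OWA mailbox policy '$($p.Name)' has GroupCreationEnabled set to true"
        }
    }
    return ,$findings
}

# Constructed sample data (placeholder IDs, not from a real tenant)
$gid = '00000000-0000-0000-0000-000000000001'
$sample = @{
    SettingValues   = @(
        [pscustomobject]@{ Name = 'EnableGroupCreation'; Value = 'False' },
        [pscustomobject]@{ Name = 'GroupCreationAllowedGroupId'; Value = $gid })
    ExpectedGroupId = $gid
    Owners          = @([pscustomobject]@{ DisplayName = 'Owner A'; ObjectId = 'u-1' })
    Members         = @([pscustomobject]@{ DisplayName = 'Member B'; ObjectId = 'u-2' })
    OwaPolicies     = @([pscustomobject]@{ Name = 'OwaMailboxPolicy-Default'; GroupCreationEnabled = $true })
}
Test-GroupCreationRestriction @sample
```

With the sample data the function reports two findings: the owner who is not a member of the group, and the OWA mailbox policy that still allows group creation.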

 

It’s that simple! You have designated a select group of users who have the ability to create Office 365 groups, and everyone else is restricted from doing so. Make sure you create the process for users to request new MS Teams, and make the request form available for them in all the easy-to-find places.
