--- Sjoerd Hooft's InFormation Technology ---

WIKI Disclaimer: As with most other things on the Internet, the content on this wiki is not supported. It was contributed by me and is published “as is”. It has worked for me, and might work for you.
Also note that any views or statements expressed anywhere on this site are strictly mine and not the opinions or views of my employer.



Manage Office 365 Group Creation

This page is just my documentation of this Microsoft article.

I followed these steps to restrict users from creating Office 365 Groups:

Install Azure AD Preview

PS C:\Windows\system32> Get-InstalledModule
Version    Name                                Repository           Description
-------    ----                                ----------           -----------
1.1.183.8  MSOnline                            PSGallery            Microsoft Azure Active Directory Module for Wind...
 
PS C:\Windows\system32> install-module azureadpreview
Untrusted repository
You are installing the modules from an untrusted repository. If you trust this repository, change its
InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from
'PSGallery'?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): Y
 
PS C:\Windows\system32> Get-InstalledModule
Version    Name                                Repository           Description
-------    ----                                ----------           -----------
2.0.2.5    AzureADPreview                      PSGallery            Azure Active Directory V2 Preview Module. ...
1.1.183.8  MSOnline                            PSGallery            Microsoft Azure Active Directory Module for Wind...
 
PS C:\Windows\system32> import-module AzureADPreview

Connect To Office365 / Azure Tenant

Note that if you enabled the MFA requirement for admins you need MFA to log on as an administrator:

PS C:\Windows\system32> connect-azuread
Account        Environment TenantId                             TenantDomain       AccountType
-------        ----------- --------                             ------------       -----------
sjoerd@getshifting.com AzureCloud  054d1a1f-e019-4fd7-8455-4fce0f07c7d5 getshifting.onmicrosoft.com User

Find Object ID of Active Directory Security Group

You don't really need the object ID, unless you want to check that the correct security group is enabled for Office 365 Group creation:

PS C:\Windows\system32> Get-AzureADGroup -SearchString "Office365_GroupManagement"
ObjectId                             DisplayName                  Description
--------                             -----------                  -----------
8e72b950-35c0-46eb-96cf-979d2ac84230 Office365_GroupManagement Manage Office365 Group Creation

Enable AD Security Group for Office 365 Group Creation

PS C:\Windows\system32> $Template = Get-AzureADDirectorySettingTemplate | where {$_.DisplayName -eq 'Group.Unified'}
PS C:\Windows\system32> $Setting = $Template.CreateDirectorySetting()
PS C:\Windows\system32> $Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
PS C:\Windows\system32> $Setting["EnableGroupCreation"] = $False
PS C:\Windows\system32> $Setting["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString "Office365_GroupManagement" ).objectid
PS C:\Windows\system32> Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting

Note that I skipped step 3, New-AzureADDirectorySetting -DirectorySetting $Setting, as it was irrelevant for my environment.

Check the Setting

PS C:\Windows\system32> (Get-AzureADDirectorySetting).Values
Name                          Value
----                          -----
CustomBlockedWordsList
EnableMSStandardBlockedWords  false
ClassificationDescriptions
DefaultClassification
PrefixSuffixNamingRequirement
AllowGuestsToBeGroupOwner     false
AllowGuestsToAccessGroups     False
GuestUsageGuidelinesUrl
GroupCreationAllowedGroupId   8e72b950-35c0-46eb-96cf-979d2ac84230
AllowToAddGuests              True
UsageGuidelinesUrl
ClassificationList
EnableGroupCreation           False

These settings are the ones you need:

  • GroupCreationAllowedGroupId 8e72b950-35c0-46eb-96cf-979d2ac84230
    • This is the object ID of the AD Security Group that is enabled for Office 365 Group Management
  • EnableGroupCreation False
    • This setting prevents other users from creating Office 365 Groups.
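
The steps above as one re-runnable script. This is an added example, not part of the original page or the Microsoft article. It assumes AzureADPreview is imported and Connect-AzureAD has been run. It goes beyond the page by creating the Group.Unified settings object when none exists (the skipped step 3), refusing to continue unless exactly one security group matches the name, and reading the values back afterwards.

```powershell
# Added example: restrict Office 365 Group creation to one security group.
# Assumes: Import-Module AzureADPreview and Connect-AzureAD were already run.
$GroupName = 'Office365_GroupManagement'   # group name used on this page

# Exact-match filter. -SearchString is not an exact match and can return
# several groups, or none, which would leave the allowed-group ID wrong or empty.
$group = @(Get-AzureADGroup -Filter "DisplayName eq '$GroupName'")
if ($group.Count -ne 1) {
    throw "Expected exactly one group named '$GroupName', found $($group.Count)."
}
if (-not $group[0].SecurityEnabled) {
    throw "'$GroupName' is not a security group."
}

# Reuse the tenant's Group.Unified settings object, or create it from the
# template (the New-AzureADDirectorySetting step) when none exists yet.
$setting = Get-AzureADDirectorySetting | Where-Object DisplayName -EQ 'Group.Unified'
if (-not $setting) {
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object DisplayName -EQ 'Group.Unified'
    New-AzureADDirectorySetting -DirectorySetting $template.CreateDirectorySetting() |
        Out-Null
    $setting = Get-AzureADDirectorySetting | Where-Object DisplayName -EQ 'Group.Unified'
}

# Same two values the page sets, written to the existing settings object.
$setting['EnableGroupCreation'] = $false
$setting['GroupCreationAllowedGroupId'] = $group[0].ObjectId
Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting

# Read the values back and fail loudly if they were not applied.
$applied = (Get-AzureADDirectorySetting -Id $setting.Id).Values
$enabled = ($applied | Where-Object Name -EQ 'EnableGroupCreation').Value
$allowed = ($applied | Where-Object Name -EQ 'GroupCreationAllowedGroupId').Value
if ($enabled -ne 'False' -or $allowed -ne $group[0].ObjectId) {
    throw "Not applied: EnableGroupCreation=$enabled, GroupCreationAllowedGroupId=$allowed"
}
$applied | Where-Object Name -In 'EnableGroupCreation', 'GroupCreationAllowedGroupId'
```
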
office365groupcreation.txt · Last modified: 2021/09/24 00:25 (external edit)