Restricting users from creating new O365 groups

By default, anyone in your tenant can create their own O365 groups. This can happen when a user creates a new Team in Microsoft Teams, a plan in Planner, and several other apps that use O365 groups at the core. In this recipe, we'll use PowerShell to restrict users from self-provisioning their own O365 groups (whether intentionally or incidentally when creating other resources).

Getting ready

You'll need to be able to create security groups (not just O365 groups) and have the latest version of the AzureADPreview module for PowerShell installed. This can be installed by running SharePoint Online Management Shell as administrator and entering the following command:

Install-Module AzureADPreview

There's currently no way to do this without PowerShell.

How to do it…

1. Go to the Microsoft 365 Admin Center at http://admin.microsoft.com.
2. Select Groups > Groups.
3. Select Add a group.
4. Choose Security and Next:
   

   Figure 2.27 – Security groupt type selected

5. Name and describe the group (we're using O365 Group Creators as our example). Click Next:
   

   Figure 2.28 – Group name and description fields when creating a new group

6. Click Create group to confirm details and create the group. Close the panel.
7. Copy the following script from here (if you're reading the e-book) or from https://docs.microsoft.com/en-us/microsoft-365/admin/create-groups/manage-creation-of-groups:

   $GroupName = "<SecurityGroupName>"
   $AllowGroupCreation = "False"
   Connect-AzureAD
   $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
   if(!$settingsObjectID)
   {
   	  $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
       $settingsCopy = $template.CreateDirectorySetting()
       New-AzureADDirectorySetting -DirectorySetting $settingsCopy
       $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
   }
   $settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
   $settingsCopy["EnableGroupCreation"] = $AllowGroupCreation
   if($GroupName)
   {
   	$settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).objectid
   }
    else {
   $settingsCopy["GroupCreationAllowedGroupId"] = $GroupName
   }
   Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy
   (Get-AzureADDirectorySetting -Id $settingsObjectID).Values

8. Paste the script into Notepad (or similar text editor). Change <SecurityGroupName> in line 1 to the name of your security group. In our example, line 1 would resemble the following:

   $GroupName = "O365 Group Creators"

9. Open SharePoint Online Management Shell (as administrator).
10. Copy the text from your open Notepad application and paste into PowerShell. Hit Enter:
    

    Figure 2.29 – PowerShell screen with pasted script adjusted with our "allowed" group name

11. A sign-in dialog will appear, requesting your administrator credentials to complete the change:
    

    Figure 2.30 – Sign-in dialog presented as part of executing the PowerShell script

12. The script will take a moment to complete, and when finished will show the following:

Figure 2.31 – Confirmation message in PowerShell

How it works…

You have just executed a PowerShell script that will restrict creation of additional O365 groups to members of a specific security group. Don't forget to add members to the new security group once it's created.

Once the script has run, users who are not global admins or members of a qualifying group or role will be unable to create new groups immediately. They can still create new plans and channels associated with existing groups, but will see a message letting them know they cannot create new groups when the opportunity would have traditionally been available:

Figure 2.32 – Message that appears to Planner users when group creation is disabled for them

Another example would be a user without permission trying to create a new team in Teams. They can click Join or create a team as usual, but the option to create a new group/team will not exist:

Figure 2.33 – Teams screen that appears for users who cannot create new teams (therefore, groups)

A final example would be a user creating a new SharePoint team site. They can still create team sites in SharePoint using the new or classic team template, where the classic team site template wouldn't create an associated group anyway. The only change would be the new team site template not being able to create an associated O365 group as would otherwise be normal. If they create the site first and later try to connect it to a new group separately, they will receive the following notice:

Figure 2.34 – Message that appears when users in SharePoint attempt to associate a site with a new group

Tip

Consider utilizing a training course (digital or in person) for users to "earn" the ability to create O365 groups (by getting added to your new security group) after taking the time to understand the implications and best practices.

See also

• Find more information and depth on this process at https://docs.microsoft.com/en-us/microsoft-365/admin/create-groups/manage-creation-of-groups.
• Gregory Zelfond has written an excellent blog post encouraging extra consideration of the landscape of modern collaboration before disabling group creation: https://sharepointmaven.com/why-you-should-never-disable-team-site-creation-in-office-365/