Restrict Group Creation in Office 365

Once Office 365 has been deployed to an organization, the most important thing is to manage it, and to configure it according to best practices. One of the most important of these is restricting group creation. Office 365 has many communication tools that allow users to create multiple Office 365 groups without the consent of an administrator.

Step: 1 Create Security Group

So how do we stop users from creating unnecessary groups? First we need to identify the users who will be given the right to create groups and separate them from the other users. Here, I have created a security group named 'allowcreategroup' in Office 365 and added the members to whom we would like to give permission to create Office 365 groups.

Step: 2 Install Azure Active Directory PowerShell

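The script that restricts group creation in Office 365 needs the Azure Active Directory PowerShell module, so we need to install it. To install Azure AD PowerShell, run the commands below in Windows PowerShell.

Get-InstalledModule -Name "AzureAD*"   # list any AzureAD modules that are already installed
Install-Module -Name AzureADPreview    # the *-AzureADDirectorySetting cmdlets used in Step 3 ship in this module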

At the message about an untrusted repository, type Y. It will take a minute or so for the new module to install.

Step: 3 Run PowerShell Commands

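Once the module is installed, note the object ID of the security group we created earlier. This is only for reference; by the end of this blog you will see why we are noting it. To get the object ID of the Azure AD group, use the cmdlet below.

Connect-AzureAD   # sign in first; the AzureAD cmdlets fail without a session
Get-AzureADGroup -SearchString "allowcreategroup"

Then run the script below to restrict group creation to the members of that group.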

$GroupName = "allowcreategroup"   # security group whose members are allowed to create groups
$AllowGroupCreation = "False"     # "False" = restrict group creation, "True" = remove the restriction

Connect-AzureAD

# Find the tenant's Group.Unified directory setting; create it from the template if it does not exist yet
$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
if(!$settingsObjectID)
{
    $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
    $settingsCopy = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $settingsCopy
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
}

# Turn off group creation for users in general
$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
$settingsCopy["EnableGroupCreation"] = $AllowGroupCreation

# Allow members of the security group to keep creating groups
if($GroupName)
{
    $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).objectid
}

# Write the setting back and display the resulting values
Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

(Get-AzureADDirectorySetting -Id $settingsObjectID).Values

Once the script has completed, its output shows the same object ID we noted earlier as the group that is allowed to create groups.
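One way to check the result of Step 3, as an added example that is not part of the original post: it confirms that EnableGroupCreation is False and that GroupCreationAllowedGroupId is the object ID of exactly one group with the expected name. The function name Test-GroupCreationRestriction and the sample GUIDs are assumptions made for illustration.

```powershell
# Added example, not from the original post. Test-GroupCreationRestriction and
# the sample GUIDs are hypothetical/constructed.
function Test-GroupCreationRestriction {
    param(
        # Name/Value pairs as printed by (Get-AzureADDirectorySetting -Id ...).Values
        [Parameter(Mandatory)] [object[]] $SettingValues,
        # Groups as returned by Get-AzureADGroup -SearchString ...
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $CandidateGroups,
        [Parameter(Mandatory)] [string] $GroupName
    )
    $map = @{}
    foreach ($v in $SettingValues) { $map[$v.Name] = "$($v.Value)" }
    $findings = @()

    if ($map['EnableGroupCreation'] -ne 'False') {
        $findings += 'EnableGroupCreation is not False: group creation is not restricted.'
    }
    # -SearchString can return several groups, so insist on one exact name match
    $exact = @($CandidateGroups | Where-Object { $_.DisplayName -eq $GroupName })
    $allowedId = $map['GroupCreationAllowedGroupId']
    if ($exact.Count -ne 1) {
        $findings += "Expected exactly one group named '$GroupName', found $($exact.Count)."
    }
    elseif (-not $allowedId) {
        $findings += 'GroupCreationAllowedGroupId is empty: the security group was not applied.'
    }
    elseif ($allowedId -ne $exact[0].ObjectId) {
        $findings += "GroupCreationAllowedGroupId '$allowedId' is not the object ID of '$GroupName'."
    }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample data: the search returned two groups, and the setting points at the wrong one
$sampleValues = @(
    [pscustomobject]@{ Name = 'EnableGroupCreation'; Value = 'False' }
    [pscustomobject]@{ Name = 'GroupCreationAllowedGroupId'; Value = '00000000-0000-0000-0000-000000000002' }
)
$sampleGroups = @(
    [pscustomobject]@{ DisplayName = 'allowcreategroup'; ObjectId = '00000000-0000-0000-0000-000000000001' }
    [pscustomobject]@{ DisplayName = 'allowcreategroup-test'; ObjectId = '00000000-0000-0000-0000-000000000002' }
)
Test-GroupCreationRestriction -SettingValues $sampleValues -CandidateGroups $sampleGroups -GroupName 'allowcreategroup'

# Against a live tenant (after Connect-AzureAD), pass instead:
#   -SettingValues   (Get-AzureADDirectorySetting -Id $settingsObjectID).Values
#   -CandidateGroups (Get-AzureADGroup -SearchString 'allowcreategroup')
```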

Hope this helps you manage Office 365 group creation.
