How To: Limit Office 365 Group Creation with PowerShell

Sean Wallbridge
August 8, 2018

In our webinar, Drive Adoption of Office 365 Groups and SharePoint Sites, we were asked how to limit creation of new SharePoint Sites. Our answer: Start by limiting who can create groups.

For the bigger reference, use this Microsoft article.

However, here’s my personal Coles Notes I keep so I can get right down to it (replace items in green with your appropriate values).

Note: “Allow Creation of Office 365 Groups” is the name of a Security Group created already in Office 365 that contains the names of users that we wish to be able to create Office 365 groups.

 

install-module azureadpreview

import-module azureadpreview

connect-azuread

Get-AzureADGroup -SearchString "Allow Creation of Office 365 Groups"

$Template = Get-AzureADDirectorySettingTemplate | where {$_.DisplayName -eq 'Group.Unified'}

$Setting = $Template.CreateDirectorySetting()

New-AzureADDirectorySetting -DirectorySetting $Setting 

#****the above should return an ID****

$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id

$Setting["EnableGroupCreation"] = $False

$Setting["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString "Allow Creation of Office 365 Groups").objectid

Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting

(Get-AzureADDirectorySetting).Values

This is the desired result:

 

3 thoughts on “How To: Limit Office 365 Group Creation with PowerShell”

  • Hi,
    Thanks for the reply to my question, much appreciated 🙂
    I heard that switching off the access for users to create groups will break the creation of Planner as that needs a group to work. Is that correct as we are adopting planner as a replacement for Trello?
    Cheers, Ellya

    • Sean Wallbridge says:

      Hey Ellya,

      That’s a good point and while I haven’t tried it (and I’m on vacation so not near a PC), I suspect that would be absolutely correct by design. If you create a Plan that is attempting to create a new group, you’d need permissions to do it. While that would create a bottleneck obviously, I personally defer to the preference of Governance over this new ‘free lovin’ style Microsoft is trying. And I LOVE Trello but also see the value in wanting to use Planner as a replacement (we’ve been exploring it ourselves and are waiting on some key functionality).

      One thought/suggestion as it is our typical approach for clients to the “I need a new SharePoint Site” request is…

      1. Put a form in front of this process (perhaps use Microsoft Forms) that asks “Why” they need the site (or in your case, the Plan). Questions might include Who is it for? What need does it address? Who needs to approve it?
      2. Do whatever workflow you need to have it be approved/validated updating the requester along the way (in Flow)
      3. If it is approved, CREATE the group for the person, along with the Plan and send them a link to the finished result

      The benefit of the above is some governance/control, some awareness of new objects/systems being added to your environment (avoiding potential sprawl) and folks taking a moment to ask “do I really need this plan? Is there one out there that already exists?”, etc.

      Hope that helps.
      Sean

Leave a Reply

Your email address will not be published. Required fields are marked *