Restrict Office 365 group creation – the “hidden” feature

As Office 365 groups are used more and more in various Office 365 tenants, many administrators complain about the lack of a granular restriction setting. The problem is that you can only allow or disable the creation of Office 365 groups for all users of your tenant at once. From an administrative point of view, a more fine-grained setting would be nice to have: at the moment Microsoft is pushing groups, but if you as an admin can’t control who is able to create groups and which groups get created, this is nothing but a nightmare.

Additionally, if a user creates an O365 group with the e-mail address sales@company.com and you later have to create an AD security group with the e-mail address sales@company.com, this leads to a synchronization error in Azure AD Connect saying that an object with the e-mail address sales@company.com already exists. You as an admin would then go to your AD and search for that object, resulting in nerve-stretching minutes, because you can’t find it – of course not – because it only exists within your O365 tenant.

So in order to restrict which users are allowed to create groups, the following PowerShell cmdlets will help you achieve this goal.

First of all, you have to install the Azure AD PowerShell V1.1.130.0 public preview from here in order to have the right commands available.

Then connect to your O365 tenant and to your Exchange Online environment in your PowerShell session and execute the following lines:

# show the current tenant-wide settings, including the group creation flag
Get-MsolCompanyInformation
# keep tenant-wide group creation enabled; the per-group restriction below narrows it down
Set-MsolCompanySettings -UsersPermissionToCreateGroupsEnabled $True

Then you have to create a normal security group (in your AD or cloud-only) and add the users who should be able to create O365 groups as members. In my case this group is called “O365_Group_Creation”. After that, execute the following commands in your PS session:

# the security group whose members may create O365 groups
$grp = Get-MsolGroup -SearchString "O365_Group_Creation"
# the tenant's Group.Unified settings object (setting names and values are strings)
$setting = Get-MsolAllSettings | Where-Object { $_.DisplayName -eq "Group.Unified" }
$settingId = $setting.ObjectId
$value = $setting.GetSettingsValue()
# only members of $grp may create groups; everyone else is blocked
$value["GroupCreationAllowedGroupId"] = $grp.ObjectId
$value["EnableGroupCreation"] = $false
Set-MsolSettings -SettingId $settingId -SettingsValue $value

After you have executed the commands successfully, I would advise testing the creation of O365 groups with a user who is a member of that security group (which should work) and with a user who is not a member of that group (which should fail).
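To check the result without creating test groups, the following added script (not part of the original post) reads the Group.Unified settings back and tells you, for a given user, whether the restriction applies. It assumes the same Azure AD preview module with an existing Connect-MsolService session; the UPNs at the bottom are placeholders.

```powershell
# Added verification script (not from the original post). Assumes the MSOL preview
# module from this post and an already connected Connect-MsolService session.
function Get-O365GroupCreationPolicy {
    $setting = Get-MsolAllSettings | Where-Object { $_.DisplayName -eq "Group.Unified" }
    if (-not $setting) {
        # No Group.Unified object yet: the tenant still uses the default (everyone may create groups)
        return [pscustomobject]@{ Restricted = $false; AllowedGroupId = $null; AllowedGroupName = $null }
    }
    $value = $setting.GetSettingsValue()
    $allowedId = $value["GroupCreationAllowedGroupId"]
    $allowedName = $null
    if ($allowedId) {
        $allowedName = (Get-MsolGroup -ObjectId $allowedId -ErrorAction SilentlyContinue).DisplayName
    }
    [pscustomobject]@{
        # the setting is stored as text, so compare as a (case-insensitive) string
        Restricted       = ([string]$value["EnableGroupCreation"] -eq "false")
        AllowedGroupId   = $allowedId
        AllowedGroupName = $allowedName
    }
}

function Test-O365GroupCreationAllowed {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $policy = Get-O365GroupCreationPolicy
    if (-not $policy.Restricted)     { return $true }   # unrestricted: anyone may create groups
    if (-not $policy.AllowedGroupId) { return $false }  # restricted with no allowed group: nobody may
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    # only direct members count; nested groups are not evaluated by this setting
    $members = Get-MsolGroupMember -GroupObjectId $policy.AllowedGroupId -All
    return [bool]($members | Where-Object { $_.ObjectId -eq $user.ObjectId })
}

# Example run with placeholder UPNs
Get-O365GroupCreationPolicy
"alice@company.com", "bob@company.com" | ForEach-Object {
    [pscustomobject]@{ User = $_; CanCreateGroups = (Test-O365GroupCreationAllowed -UserPrincipalName $_) }
}
```

Note that users holding admin roles such as Global Administrator can still create groups regardless of this setting, so test with ordinary user accounts.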