Prevent Users from Creating O365 Groups

Office 365 Groups are a powerful collaboration tool within Office 365, and by default every user in the tenant can create one. Several objects are created along with the group, including a shared inbox, a group calendar, and a SharePoint site. This, together with the fact that groups can contain guests external to your organization, may raise concerns about how groups will be governed and how data ends up being shared. Some organizations therefore prefer to restrict who can create Office 365 Groups.

I have seen similar posts that indicate you can just set the GroupCreationEnabled flag to $False in the Outlook Web App mailbox policy. While this works to some extent, it is only part of the picture. You have to remember that Office 365 Groups are used by several O365 services: SharePoint, Planner, and Teams, to name a few. The method above only disables group creation through Exchange Online (Outlook and Outlook on the web); users can still create groups from the other workloads. To cover the rest of the tenant, we need to use PowerShell to configure the restriction at the Azure AD directory level, which every workload honors.

We will need to create a security group to contain the users that we want to allow to create Office 365 Groups. Only one group can be named in the setting, so put everyone who needs the permission directly in this group. Remember that if you are running a hybrid environment you will want to create and manage this group from on-premises AD and allow it to synchronize to O365 before continuing. Once the security group has been created, we can continue with limiting group creation permissions.

Make a remote PowerShell connection to the tenant with the Azure AD module (Connect-AzureAD) to perform the rest of the configuration. The directory-setting cmdlets used below have historically shipped in the AzureADPreview module, so install that if Get-AzureADDirectorySettingTemplate is not found.

The exception has to be applied with a GUID, so let's get the ObjectId of the group we created for the exception:
[PS] C:\> $GA = (Get-AzureADGroup -SearchString "AllowGroup").ObjectId
Note that -SearchString matches on a prefix, so make sure the command returns exactly one group before continuing. Next, we need to fetch the Group.Unified directory setting template, which defines the settings we can configure:
[PS] C:\> $NewSetting = Get-AzureADDirectorySettingTemplate | where-object {$_.DisplayName -eq "Group.Unified"}
Now, we need to create a settings object from the template and apply the desired values to it:
[PS] C:\> $Policy = $NewSetting.CreateDirectorySetting()
[PS] C:\> $Policy["EnableGroupCreation"] = $False
[PS] C:\> $Policy["GroupCreationAllowedGroupId"] = $GA
Finally, we need to create the actual directory setting using our desired policy settings:
[PS] C:\> New-AzureADDirectorySetting -DirectorySetting $Policy
A tenant can hold only one Group.Unified setting. If this command fails because one already exists, update it with Set-AzureADDirectorySetting instead of creating a new one.
We should verify that our new settings are in place. Let's look at the values of the directory setting:
[PS] C:\> (Get-AzureADDirectorySetting | where-object {$_.DisplayName -eq "Group.Unified"}).Values

The output lists each setting name with its value. Verify that 'EnableGroupCreation' is False and 'GroupCreationAllowedGroupId' is the ObjectId of your security group.
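The whole procedure as one idempotent script is shown below. This is an added example written for this page, not the post's own script or one from Microsoft; it assumes the AzureAD (or AzureADPreview) module is installed, that you are already connected with Connect-AzureAD, and that the security group is named "AllowGroup" (change $groupName to match yours). Unlike the step-by-step commands above, it handles the case where a Group.Unified setting already exists and fails loudly if the group lookup is ambiguous.

```powershell
# Added example (not the original post's script).
# Assumes: AzureAD/AzureADPreview module loaded and Connect-AzureAD already run.
$groupName = "AllowGroup"   # assumption: name of the security group created earlier

# Exact-match lookup; -SearchString would do a prefix match and could return several groups.
$allowGroup = @(Get-AzureADGroup -Filter "DisplayName eq '$groupName'")
if ($allowGroup.Count -ne 1) {
    throw "Expected exactly one group named '$groupName', found $($allowGroup.Count)."
}
$allowGroupId = $allowGroup[0].ObjectId

# Only one Group.Unified setting may exist per tenant, so update it if it is already there.
$setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
if ($null -eq $setting) {
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq "Group.Unified" }
    $setting = $template.CreateDirectorySetting()
    $setting["EnableGroupCreation"] = "False"
    $setting["GroupCreationAllowedGroupId"] = $allowGroupId
    New-AzureADDirectorySetting -DirectorySetting $setting | Out-Null
} else {
    $setting["EnableGroupCreation"] = "False"
    $setting["GroupCreationAllowedGroupId"] = $allowGroupId
    Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
}

# Read the setting back and check both values rather than trusting the write.
$current = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
$values = @{}
foreach ($v in $current.Values) { $values[$v.Name] = $v.Value }

if ($values["EnableGroupCreation"] -ne "False") {
    throw "EnableGroupCreation is '$($values["EnableGroupCreation"])', expected False."
}
if ($values["GroupCreationAllowedGroupId"] -ne $allowGroupId) {
    throw "GroupCreationAllowedGroupId does not match $allowGroupId."
}
Write-Host "Group creation restricted to members of '$groupName' ($allowGroupId)."

# To undo: Remove-AzureADDirectorySetting -Id $current.Id
# (or set EnableGroupCreation back to "True" with Set-AzureADDirectorySetting).
```

The values come back from the directory as strings, which is why the comparisons above are against "False" rather than the boolean $False; the assignment accepts either form.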

We can also test by logging in to an account that should not be able to create groups and attempting to create a new O365 Group. Through Outlook, the user should receive an error message saying they are not allowed to create the group (the original screenshot is not reproduced here).
Users should receive this or a similar message from anywhere within the tenant when they try to create an Office 365 Group, whether from Outlook, SharePoint, Planner, or Teams. Keep in mind that the setting restricts end users only: accounts holding administrative roles such as Global Administrator can still create groups regardless of it.

I put this script, along with a simple script to undo these changes, on GitHub. In case you prefer to download scripts that way, they are available here.