Disable Office 365 Groups Creation


Office 365 Groups are a (somewhat) new feature that acts both like a distribution list and a public folder. The underlying technology is a SharePoint site mailbox. The problem with a Public Folder is that … well, it’s a public folder. The problem with a distribution list is that if you get added after the most important message of the year was sent, you’ll never know you missed the most important message of the year.

However, some organizations may decide that they’re not ready for widespread consumption of groups (maybe they don’t understand how to administer them, haven’t devised a governance plan, or just aren’t really sure what the best method to drive their usage is). For that, we can go ahead and disable them. There are several features that use groups (Exchange Online, PowerBI, and the new Planner), so you’ll want to disable them across the board.

You’ll need two things:

  1. A connection to Office 365 PowerShell
  2. The Preview version of the Azure AD Module

Let’s say you don’t want to fully disable the groups, but want to block end-users from creating them through OWA and want to leave the power of Office 365 Groups up to Global Admins to figure out.

** Update **

I’m going to break out the script lines, since these are new cmdlets and a new way of administering some of the settings.

If you haven’t already downloaded the Preview version of the Azure AD module, please follow the above link to get it.  The Get-MsolAllSettingTemplate cmdlet is only available in that module.  Then, connect to Office 365.  You can do so using the following:

Import-Module MSOnline
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
-Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
Connect-MsolService -Credential $UserCredential

“Office 365 Groups” are a new type of object, and the configuration parameters for it are viewed with the Get-MsolAllSettingTemplate cmdlet:

[Screenshot: o365-groups1]

Digging further into the cmdlet for the Group.Unified object, you can see some more details:

[Screenshot: o365-groups2]

The parameters that we need to modify are called “EnableGroupCreation” and “GroupCreationAllowedGroupId.” Unfortunately, it’s about as clear as mud as to what we need to do here–especially since there’s no “Set-MsolAllSettingTemplate” or anything of that nature.

Digging yet deeper, we can see that there are some methods and properties available if we pull the setting into a variable, the most interesting being “CreateSettingsObject” and “Values.”

[Screenshot: o365-groups3]

On a whim, I decided to see what else I could see in Values:

[Screenshot: o365-groups4]

Values contains the parameters that we’re going to set and the type of data they will contain. GroupCreationAllowedGroupId is a System.Guid, and EnableGroupCreation is a Boolean (true/false).

We want to define the group that will be allowed to create Office 365 groups (I’m going to choose Global Administrators).  We actually need the ObjectID (remember, the type was “System.Guid”) of the Global Admins role to complete this task:

$GlobalAdmins = Get-MsolRole -RoleName "Company Administrator"
$GlobalAdminsObjectID = $GlobalAdmins.ObjectId.ToString()

So, to set those parameters (EnableGroupCreation and GroupCreationAllowedGroupId), we need to create a new settings variable, and then add the values that we want to set to the variable.

[Screenshot: o365-groups5]

From there, we’ll be able to apply those new settings to the tenant with the New-MsolSettings cmdlet.

[Screenshot: o365-groups6]

The last setting we’ll need to modify is the OWA Mailbox policy.

[Screenshot: o365-groups7]

Putting it all together:

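# Load the (preview) MSOnline module and collect admin credentials
Import-Module MSOnline
$UserCredential = Get-Credential
# Open a remote session to Exchange Online (needed for the OWA mailbox policy change)
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
-Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
# Connect to Azure AD
Connect-MsolService -Credential $UserCredential
# ObjectId of the Global Admins role ("Company Administrator"), as a string
$GlobalAdmins = Get-MsolRole -RoleName "Company Administrator"
$GlobalAdminsObjectID = $GlobalAdmins.ObjectId.ToString()
# Build a settings object from the Group.Unified template
$template = Get-MsolAllSettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
$setting = $template.CreateSettingsObject()
# Turn off general group creation and name Global Admins as the allowed creators
$setting["EnableGroupCreation"] = "false"
$setting["GroupCreationAllowedGroupId"] = $GlobalAdminsObjectID
# Apply the settings to the tenant
New-MsolSettings -SettingsObject $setting
# Disable group creation in the default OWA mailbox policy
Get-OwaMailboxPolicy | ? { $_.IsDefault -eq $true } | Set-OwaMailboxPolicy -GroupCreationEnabled $false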
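
A read-back check for the two controls the script sets, as an added example that is not part of the original post. It assumes the MSOnline (preview) and Exchange Online sessions from the script above are still open, and that Get-MsolAllSettings and the GetSettingsValue() method are available in the same preview module; the function and variable names are illustrative. It also reports OWA mailbox policies other than the default one, which the last line of the script does not change.

```powershell
# Added example (not from the original post); needs the MSOnline and Exchange
# Online sessions opened by the script above.
function Get-GroupCreationReport {
    # Assumption: Get-MsolAllSettings and GetSettingsValue() ship in the same
    # preview MSOnline module that provides Get-MsolAllSettingTemplate.
    $expectedId = (Get-MsolRole -RoleName "Company Administrator").ObjectId.ToString()
    $applied = Get-MsolAllSettings | Where-Object { $_.DisplayName -eq "Group.Unified" }

    $directory = $null   # stays $null if no Group.Unified settings object was created
    if ($applied) {
        $values = $applied.GetSettingsValue()
        $allowedId = [string]$values["GroupCreationAllowedGroupId"]
        $directory = New-Object PSObject -Property @{
            EnableGroupCreation         = [string]$values["EnableGroupCreation"]
            GroupCreationAllowedGroupId = $allowedId
            AllowedIdIsGlobalAdmins     = ($allowedId -eq $expectedId)
        }
    }

    # The script above only changes the policy where IsDefault is $true, so
    # collect every OWA mailbox policy that still allows group creation.
    $policies  = @(Get-OwaMailboxPolicy | Select-Object Name, IsDefault, GroupCreationEnabled)
    $openNames = @($policies | Where-Object { $_.GroupCreationEnabled } | ForEach-Object { $_.Name })

    # Mailboxes assigned to one of those policies can still create groups in OWA.
    $exposed = @()
    if ($openNames.Count -gt 0) {
        $exposed = @(Get-CASMailbox -ResultSize Unlimited |
            Where-Object { $openNames -contains [string]$_.OwaMailboxPolicy } |
            Select-Object Name, PrimarySmtpAddress, OwaMailboxPolicy)
    }

    New-Object PSObject -Property @{
        DirectorySetting = $directory
        OwaPolicies      = $policies
        ExposedMailboxes = $exposed
    }
}

$report = Get-GroupCreationReport
$report.DirectorySetting | Format-List
$report.OwaPolicies | Format-Table -AutoSize
"{0} mailbox(es) on an OWA policy that still allows group creation" -f $report.ExposedMailboxes.Count
```

An empty DirectorySetting means no Group.Unified settings object exists in the tenant; any row in OwaPolicies with GroupCreationEnabled set to True is a policy the default-only change did not cover.
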
Comments (11)

  1. John says:

    Frankly, NO THANKS!

    When you post something like this you need to make sure that you include everything everyone needs to actually use the script! After you download the latest Azure AD PowerShell module, you have to load the module. For this module it’s “Import-Module MSOnline” which the download page (your link above) does NOT identify. Then you have to invoke the connection with a Connect-MsolService (also not included in the Azure AD Powershell page, but can be found all over the place as to actually how to use it.)

    The next thing anyone would do is to walk through the script one line at a time, and of course “Get-MsolAllSettingTemplate” isn’t part of that Module. That’s where I stopped with this out of sheer frustration. What MODULE is this part of? What OTHER Modules will we have to load to run this?

    Part II

    Groups themselves. The default behavior is that ANYONE can create a group named ANYTHING! Of course there is a “blocked words” feature in the Group Naming Policy that you can configure, but you have to think of the names yourself rather than a “check here for removal of common offensive language”

    That means that anyone by default can create a Public group called “TheCEOisa@#$#@$Idiot@companyname.com”

    This is one of the most poorly executed conceptions of a feature I’ve seen by Microsoft in a long, long time.

    Fix It!

    1. I appreciate your feedback, John. Under prerequisites, I said you need “a connection to Office 365 PowerShell” and the “Preview version of the Azure AD Module” (for which I provided a link). If you have the preview version of the module installed, the Get-MsolAllSettingTemplate is part of that module. Then, per the prerequisites, you can connect to Office 365 via the link I provided (to Connect to Office 365 PowerShell). If you run any of the MSOL commands, you will be prompted to run Connect-MsolService. You’ll need to have a connection to the Exchange Online PowerShell endpoint to complete the Set-OwaMailboxPolicy. I didn’t necessarily see a need in reiterating the same content over, but I’m happy to provide that as well and will update the steps accordingly.

      1. MG says:

        You’ve ignored his “Part II” comments, which I would like to reiterate. If it’s bad in a corporate environment, think how much worse it is in a school.

        You just can’t allow students to create stuff like this, by default, with no easy option to turn it off. Expecting people to find blog posts like this, and type in runes to fix things, is not reasonable.

        I have started this tedious and complicated process and the first thing is:

        Import-Module : Could not load file or assembly ‘file:///C:\Windows\system32\WindowsPowerShell\v1.0\Modules\msonline\Microsoft.Online.Administration.
        Automation.PSModule.dll’ or one of its dependencies. This assembly is built by a runtime newer than the currently loaded runtime and cannot be loaded

        So it looks like I’ll first be forced to upgrade .net. Hope that doesn’t impact on anything else …

        “But the plans were on display…”
        “On display? I eventually had to go down to the cellar to find them.”
        “That’s the display department.”
        “With a flashlight.”
        “Ah, well, the lights had probably gone.”
        “So had the stairs.”
        “But look, you found the notice, didn’t you?”
        “Yes,” said Arthur, “yes I did. It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard.’”

        ― Douglas Adams, The Hitchhiker’s Guide to the Galaxy

        1. MG / John,

          Please forgive me as I was wrapped up in updating the blog post with more detailed information and totally forgot to circle back around. As a former corporate IT administrator and executive at a managed service practice, I certainly understand your concerns and pain points, and I’m sorry that you’re in this predicament. The best advice I can give you is to voice your concerns over at the Office 365 UserVoice forum (https://office365.uservoice.com/), and, if you are a Premier customer, share your feedback with your account team. If you have further concerns, I’d be happy to work with you offline to try to resolve them. You can contact me at aaron dot guilmette at microsoft dot com.

          1. MG says:

            Thank you for your response Aaron.

            For anyone else tripping over this page, I got this working but it was actually the Windows Management Framework 3.0 I had to install, having been through a .net Framework which may or may not have been necessary after all.

            Also, while I acknowledge that you did say “The Preview version of the Azure AD PowerShell module”, I initially installed the GA version on the basis that the GA release notes post-date your blog post, and have an apparently later version number (1.1.160.0 vs 1.1.130.0). So I thought it had gone GA since the blog post. However that GA version doesn’t contain the necessary Get-MsolAllSettingTemplate cmdlet so I had to uninstall it, then install the preview version as you said.

            At which point your script seemed to work. Haven’t tested yet to make sure it really has the required effect …

            Thanks again for at least posting this info, and responding to our feedback.

          2. You’re welcome. This entire area is sticky for those of us in services to navigate–you’re not the first customers I’ve heard this feedback from.

            The version numbers don’t seem to be helpful in this instance; I don’t know if there’s another way to identify different code branches (preview vs GA).

  2. Hikmer says:

    The focus of this article is about Office 365 Groups, while I understand the frustration of setting up Azure AD Powershell (it should be far easier) I want to thank the blog author for doing this. The problem I am encountering is that there is no easy way to test this out unless people use it…then it is somewhat too late. So I am left to only imagine how these products work unless I commit to turning them on in some fashion. My question, the folks that can create groups…must they be a member of these groups? Or can they create them and walk away?

    1. I would recommend provisioning a “trial” tenant–it’s free (at least for 30 days), so you can see the features and experiment with them. The way the script is constructed, it should only allow people who are members of the Global Admins group to configure Office 365 groups in most services. You would need to configure an additional OWA Mailbox policy that had -GroupCreationEnabled $true and assign it to a user who is a member of global admins to provision groups in OWA.

  3. Jammy says:

    Aaron, BIG THANKS for your undocumented features, especially this useful article.
    I’m following your steps and it works perfectly.
    But the only question is can we restore to default setting?

    1. Yes–you can put it back to default.

      I believe this will do it (but haven’t tested):

      Import-Module MSOnline
      $UserCredential = Get-Credential
      $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
      -Credential $UserCredential -Authentication Basic -AllowRedirection
      Import-PSSession $Session
      Connect-MsolService -Credential $UserCredential
      $GlobalAdmins = Get-MsolRole -RoleName "Company Administrator"
      $GlobalAdminsObjectID = $GlobalAdmins.ObjectId.ToString()
      $template = Get-MsolAllSettingTemplate | where-object {$_.DisplayName -eq "Group.Unified"}
      $setting = $template.CreateSettingsObject()
      $setting["EnableGroupCreation"] = "true"
      $setting["GroupCreationAllowedGroupId"] = $null
      New-MsolSettings -SettingsObject $setting
      Get-OwaMailboxPolicy | ? { $_.IsDefault -eq $true } | Set-OwaMailboxPolicy -GroupCreationEnabled $true