Disable Office 365 Groups Creation

Update: There are new cmdlets available for this task.  This blog is for historical reference only.  A new, updated process is available here (https://blogs.technet.microsoft.com/undocumentedfeatures/2017/04/29/disable-office-365-groups-creation-redux/).

Office 365 Groups are a (somewhat) new feature that act both like a distribution list and a public folder or shared mailbox.  When it comes to team notification and collaboration, the problem with a Public Folder is that ... well, it's a public folder. We've honestly been trying to get rid of them since about 4 minutes after we introduced them.  I remember seeing an internal memo that said, "yay! we migrated off the last public folder!"  The problem with a shared mailbox (much like a public folder) is that in order to be aware of new content, you have to remember to go there.

The problem with a distribution list is that if you get added after the most important message of the year was sent, you'll never know you missed the most important message of the year.  More than likely, you'll still have that guy who does a Reply-All to a distribution list, so won't be totally screwed.

However, some organizations may make the decision that they're not ready for wide-spread consumption of groups (maybe they don't understand how to administer them, haven't devised a governance plan, or just aren't really sure what the best method to drive their usage is).  For that, we can go ahead and disable them.  There are several features that use groups (Exchange Online, PowerBI, Teams, and the new Planner), so you'll want to disable them across the board.

You'll need two things:

Let's say you don't want to fully disable the groups, but want to block end-users from creating them through OWA and want to leave the power of Office 365 Groups up to Global Admins to figure out.

** Update **

I'm going to break out the script lines, since these are new cmdlets and a new way of administering some of the settings.

If you haven't already downloaded the Preview version of the Azure AD module, please follow the above link to get it.  The Get-MsolAllSettingTemplate cmdlet is only available in that module.  Then, connect to Office 365.  You can do so using the following:

 Import-Module MSOnline
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
-Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
Connect-MsolService -Credential $UserCredential

"Office 365 Groups" are a new type of object, and the configuration parameters for it are viewed in the Get-MsolAllSettingTemplate cmdlet:

o365-groups1

Digging further into the cmdlet for the Group.Unified object, you can see some more details:

o365-groups2

The parameters that we need to modify are called "EnableGroupsCreation" and "GroupCreationAllowedGroupId." Unfortunately, it's about as clear as mud as to what we need to do here--especially since there's no "Set-MsolAllSettingTemplate" or anything of that nature.

Digging yet deeper, we can see that there are some method and properties vailable if we pull the setting into a variable, the most interesting being "CreateSettingsObject" and "Values."

o365-groups3

On a whim, I decided to see what else I could see in Values:

o365-groups4

Values contains the parameters that we're going to set and type of data they will contain.  GroupCreationAllowedGroupId is a System.Guid, and then EnableGroupCreation is a Boolean (true/false).

We want to define the group that will be allowed to create Office 365 groups (I'm going to choose Global Administrators).  We actually need the ObjectID (remember, the type was "System.Guid") of the Global Admins role to complete this task:

 $GlobalAdmins = Get-MsolRole -RoleName "Company Administrator"
$GlobalAdminsObjectID = $GlobalAdmins.ObjectId.ToString()

So, to set those parameters (EnableGroupsCreation and GroupCreationAllowedGroupId), we need to create a new settings variable, and then add the values that we want to set to the variable.

o365-groups5

From there, we'll be able to apply those new settings to the tenant with the New-MsolSettings cmdlet.

o365-groups6

The last setting we'll need to modify is the OWA Mailbox policy.

o365-groups7

Putting it all together:

 Import-Module MSOnline
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
-Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
Connect-MsolService -Credential $UserCredential
$GlobalAdmins = Get-MsolRole -RoleName "Company Administrator"
$GlobalAdminsObjectID = $GlobalAdmins.ObjectId.ToString()
$template = Get-MsolAllSettingTemplate | where-object {$_.DisplayName -eq "Group.Unified"}
$setting = $template.CreateSettingsObject()
$setting["EnableGroupCreation"] = "false"
$setting["GroupCreationAllowedGroupId"] = $GlobalAdminsObjectID
New-MsolSettings -SettingsObject $setting
Get-OwaMailboxPolicy | ? { $_.IsDefault -eq $true } | Set-OwaMailboxPolicy -GroupCreationEnabled $false

If you'd like to have a group of users (such as global admins) have access to be able to create Office 365 groups in OWA, you can simply create a new OWA Mailbox Policy with -GroupCreationEnabled set to $true and assign that policy to group creators.

Additionally, here's a little bit of updated info on the support site:

https://support.office.com/en-us/article/Control-who-can-create-Office-365-Groups-4c46c8cb-17d0-44b5-9776-005fced8e618?ui=en-US\&rs=en-US\&ad=US

https://robsgroupsblog.com/blog/configuring-settings-for-office-365-groups-in-azure-ad