Manage who can create Office 365 Groups

Contributors: Diane Faigel
Last updated 6 November, 2017

Because it's so easy for users to create Office 365 Groups, you aren't inundated with requests to create them on behalf of other people. Depending on your business, however, you might want to control who has the ability to create groups.

This article explains how to disable the ability to create groups in all Office 365 services that use groups:

  • Outlook

  • SharePoint

  • Yammer

  • Microsoft Teams: Both admins and users won't be able to create teams.

  • StaffHub: Both admins and managers won't be able to create teams.

  • Planner: Users won't be able to create a plan.

The best way to do this is to create a security group, and then only the people in that security group will be able to create Office 365 Groups and teams in these apps. This article walks you through these steps.

To control who creates Office 365 Groups, you use Windows PowerShell, which is a lot like typing commands at the C:\ prompt in the old DOS environment. If you've never used PowerShell, this task is a great introduction to using it. We walk you through what you need to do, step-by-step.

What you need to know before you begin

  • The PowerShell commands in this article only change who can create Office 365 Groups. They won't affect the rest of your Office 365 environment.

  • You apply the steps in this article only once in your organization, for one security group. If you try to apply them again for another security group, you'll get an error that looks like this:

    A conflicting object with one or more of the specified property values is present in the directory.

  • The steps in this article don't prevent members of the following roles from creating Office 365 Groups in the Office 365 admin center. However, they do prevent those members from creating Office 365 Groups from the apps and from creating teams (because you can't create teams in the Office 365 admin center).

    • Office 365 Global admins

    • Mailbox Administrator

    • Partner Tier1 Support

    • Partner Tier2 Support

    • Directory Writers

    If you're a member of one of these roles, you can create Office 365 Groups for restricted users, and then assign the user as the owner of the group.

  • It's important that you use a security group - as described in Step 1 of this article - to restrict who can create Office 365 groups. Don't try to use an Office 365 Group for this. If you try to use an Office 365 Group, members won't be able to create a group from SharePoint because it checks for a security group.

  • Setting Set-MSOLCompanySettings -UsersPermissionToCreateGroupsEnabled $True only enables permissions for users to create Security groups, not Office 365 groups. For more information about this cmdlet, see Set-Msolcompanysettings.

  • Let's say you do the steps in this article and give some people the ability to create Office 365 Groups. But for some reason they still can't create an Office 365 group using Outlook. Check that they aren't being blocked through their OWA mailbox policy. It provides additional controls to block the creation of Office 365 groups using Outlook.

Install the preview version of the Azure Active Directory Module for Windows PowerShell

IMPORTANT: The procedures in this article require the PREVIEW version of the Azure Active Directory Module for Windows PowerShell, specifically, the AzureADPreview module, version 2.0.0.137 or later.

As a best practice, we recommend always staying current: uninstall the old AzureADPreview version and get the latest one before you run PowerShell commands.

  1. Open Windows PowerShell as an administrator:

    1. In your search bar, type Windows PowerShell.

    2. Right-click on Windows PowerShell and select Run as Administrator.

      Open PowerShell as "Run as administrator."

    The Windows PowerShell window will pop open. The prompt C:\Windows\system32 means you opened it as an administrator.

    What PowerShell looks like when you first open it.

  2. To uninstall a previous version of AzureADPreview, run this command:

    Uninstall-Module AzureADPreview
  3. To install the latest version of AzureADPreview, run this command:

    Install-Module AzureADPreview

    At the message about an untrusted repository, type Y. It will take a minute or so for the new module to install.

Step 1: Create a security group for users who need to create Office 365 Groups

Only one security group in your organization can be used to control who is able to create Office 365 Groups. But, you can nest other security groups as members of this group. For example, the group named Allow Group Creation is the designated security group, and the groups named Microsoft Planner Users and Exchange Online Users are members of that group.

  1. In the Office 365 admin center, create a group of type Security group. Remember the name of the group! You'll need it later.

    Create a security group in the admin center.

  2. Add the people or other security groups that you want to be able to create Office 365 Groups in your org.

For detailed instructions, see Create, edit, or delete a security group in the Office 365 admin center.

Step 2: Run PowerShell commands

The most common mistakes are not having the preview module and typos. Instead of typing each command, copy and paste the commands and examples in this article. You can use the left and right arrow keys to move around in a command before you run it, and the up and down arrow keys to scroll back through previous commands. If you make a mistake, you'll get a bunch of red text saying there was an error. Just try typing the command again. If you get stuck, call us!

These steps were last tested and verified on 6 November, 2017.

  1. If you haven't already, open a Windows PowerShell window on your computer (it doesn't matter if it's a normal Windows PowerShell window, or one you opened by selecting Run as administrator).

  2. Run the following commands. Press Enter after each command.

    Import-Module AzureADPreview
    Connect-AzureAD

    In the Sign in to your Account screen that opens, enter your Office 365 admin account and password to connect you to your service, and click Sign in.

    Enter your Office 365 credentials
  3. Find the name of your security group from Step 1 by using the following syntax:

    Get-AzureADGroup -SearchString "<Name of your security group>"

    For example, I named my group AllowedtoCreateGroups. So I would run:

    Get-AzureADGroup -SearchString "AllowedtoCreateGroups"

    This will display the properties of my AllowedtoCreateGroups security group.

    Group information through Azure AD PowerShell

    You can see that the ObjectID property value of my AllowedtoCreateGroups group is afc88... You don't need to write down the ObjectID of your security group, but you'll need to be able to recognize it in a later step.

  4. Run this command:

    $Template = Get-AzureADDirectorySettingTemplate | where {$_.DisplayName -eq 'Group.Unified'}
  5. Run this command:

    $Setting = $Template.CreateDirectorySetting()
  6. Run this command:

    New-AzureADDirectorySetting -DirectorySetting $Setting

    If you get an error message, skip to step 7. The error message means you don't need to do step 6.

    Otherwise, upon successful completion, the cmdlet returns the ID of the new settings object.

  7. Run this command:

    $Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
  8. Run this command:

    $Setting["EnableGroupCreation"] = $False
  9. Use this syntax:

    $Setting["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString "<Name of your security group>").objectid

    For example, I named my group AllowedtoCreateGroups, so I would run this command:

    $Setting["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString "AllowedtoCreateGroups").objectid
  10. Run this command:

    Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting
  11. To verify your security group CAN create groups, and everyone else in your organization can't, run this command:

    (Get-AzureADDirectorySetting).Values

    The result should look like this (but with the ID value for your security group - this is where you need to be able to recognize it):

    This is what your settings will look like when you're done.

    Only members of the AllowedtoCreateGroups security group (Afc88abb.....) can create groups. No one else can, as indicated by EnableGroupCreation = False.
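
The following script is an added example, not part of the original article: it runs steps 3 through 11 in one pass, resolves the security group by exact name, and reuses an existing Group.Unified settings object instead of hitting the step 6 error. It assumes AzureADPreview is installed and Connect-AzureAD has already been run; the group name is the article's example value.

```powershell
# Added example, not from the original article. Assumes AzureADPreview is
# installed and Connect-AzureAD has already been run in this session.
$GroupName = 'AllowedtoCreateGroups'   # the article's example name; use your own

# Exact-name lookup. -SearchString is a search, not an exact match, so it can
# return several groups, and the setting needs exactly one ObjectId.
$Filter = "DisplayName eq '{0}'" -f $GroupName.Replace("'", "''")
$Group  = @(Get-AzureADGroup -Filter $Filter)
if ($Group.Count -ne 1) {
    throw "Expected one group named '$GroupName', found $($Group.Count)."
}
# The article requires a security group, not an Office 365 Group.
if (-not $Group[0].SecurityEnabled) {
    throw "'$GroupName' is not security-enabled; use the security group from Step 1."
}

# Steps 4-7: reuse the Group.Unified settings object if it already exists,
# otherwise create it from the template and read it back.
$Setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
if (-not $Setting) {
    $Template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
    New-AzureADDirectorySetting -DirectorySetting ($Template.CreateDirectorySetting()) | Out-Null
    $Setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
}

# Steps 8-10: restrict creation to the one security group.
$Setting['EnableGroupCreation'] = $False
$Setting['GroupCreationAllowedGroupId'] = $Group[0].ObjectId
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting

# Step 11: read the stored values back and stop if they did not take effect.
$Values = (Get-AzureADDirectorySetting -Id $Setting.Id).Values
$Check = @{}
foreach ($V in $Values) { $Check[$V.Name] = [string]$V.Value }
if ($Check['EnableGroupCreation'] -ne 'False' -or
    $Check['GroupCreationAllowedGroupId'] -ne $Group[0].ObjectId) {
    throw 'Group.Unified setting was not applied as expected.'
}
$Values | Where-Object { $_.Name -like '*GroupCreation*' } | Format-Table Name, Value
```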

Step 3: Verify that it works

  1. Sign in to Office 365 with a user account of someone who should NOT have the ability to create groups. That is, they are not a member of the security group you created.

  2. Choose the Planner tile.

  3. In Planner, choose New Plan to create a plan.

    In Planner, choose New plan.

  4. You should get a message that you can't create a plan:

    Message that you can't create a plan.

What should I do if it doesn't work?

Check that they aren't being blocked through their OWA mailbox policy.

If this doesn't fix the problem, call us for help.

Remove the restriction on who can create groups

Let's say after a while you want to remove the limit you put on who can create groups. Run this command:

$SettingId = Get-AzureADDirectorySetting -All $True | Where-Object {$_.DisplayName -eq "Group.Unified"}
Remove-AzureADDirectorySetting -Id $SettingId.Id

More information on managing groups

All Office 365 users can create Office 365 Groups by default:

  • Users can create up to 250 Office 365 Groups each.

  • Office 365 admins have no limit on the number of Office 365 Groups that they can create.

  • The default maximum number of Office 365 Groups that an Office 365 organization can have is currently 500,000, but can be increased by request. For more information on Office 365 Groups limits, see Office 365 Groups - Admin help.

Several Office 365 services require the ability to create Office 365 Groups for specific functions. For example, a group is created automatically when a plan is created using Microsoft Planner. This means users can inadvertently create a lot of groups as they experiment with creating plans.

You might want tighter control of Office 365 Group creation and prefer that not everyone can create them - that only users of Office 365 services that require Office 365 Groups creation are allowed to create them.

Note: While you have the ability to control which users can create Office 365 Groups, it does not impact the ability of all licensed users to participate in group activities, such as creating tasks in Planner or responding to conversations in Outlook.

If you had previously created a Group settings object, and need to change the value for a setting (for example, specify a different group), you can use the following procedure.

  1. Open a Windows PowerShell window on your computer and run the following command:

    Import-Module AzureADPreview
    Connect-AzureAD

    In the Sign in to your Account screen that opens, enter your credentials to connect you to your service, and click Sign in.

    Enter your Office 365 credentials
  2. After connecting to your Office 365 service, you first need to reference the Group settings object that contains the configuration settings. To do this, you will need the ObjectId for it. If you don't know the ObjectId, you can search for it by typing and entering the following cmdlet:

    Get-AzureADDirectorySetting

    This will display the current Group settings object, including its ObjectId.

    Example of values that might appear Find Group Settings object
  3. After finding the ObjectID for the Groups Settings object, you can use it to select the Group settings object that contains your settings. Type and enter the following cmdlet:

    $setting=Get-AzureADDirectorySetting -Id <ObjectId>

    For example, using the ObjectId in the graphic above

    $setting=Get-AzureADDirectorySetting -id d634c419-bde2-4ebb-880e-a1dc4a1904cb

    You will be returned to a prompt in the Windows Azure Active Directory Module.

  4. After selecting the Group settings object, you should check the current configuration values by typing and entering the following:

    $setting.values
    Screenshot of list of the current configuration values

    This will display the setting values for the Group settings object and will return you to a prompt in the Windows Azure Active Directory Module. In the example above GroupCreationAllowedGroupId indicates that members of the security group 1f8f32... can create groups. And because EnableGroupCreation = "False" no one else in the company can create groups.

  5. Now you can make specific changes to the Group setting values. As an example, you can use the following cmdlet if you want to point to a different group to allow Group creation:

    $setting["GroupCreationAllowedGroupId"] = "<object ID for the new group>"

    For example, let's change from the AllowedtoCreateGroups group we previously set, to a different group we had created with an ObjectId of 3054dce3-37e6-437a-a817-2363272cac1c:

    $setting["GroupCreationAllowedGroupId"] = "3054dce3-37e6-437a-a817-2363272cac1c"

    After configuring your settings, you will be returned to a prompt in the Windows Azure Active Directory Module.

  6. After configuring your new settings, you can apply the settings directly to the Group settings object by typing and entering the following:

    Set-AzureADDirectorySetting -Id <ObjectId of the Group settings object> -DirectorySetting $Setting

    For example, using the ObjectID of the Group settings object we are editing:

    Set-AzureADDirectorySetting -Id d634c419-bde2-4ebb-880e-a1dc4a1904cb -DirectorySetting $Setting

    You will be returned to a prompt in the Windows Azure Active Directory Module.

  7. You can verify that your Group settings have been updated by running $setting.values again and verifying the values.

    Group settings object with changed value

    Notice that the GroupCreationAllowedGroupId setting has changed to your new group.
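
Because the designated security group can contain nested security groups, the settings values alone don't show which users can actually create groups. The following audit script is an added example, not part of the original article: it reads the Group.Unified settings object, checks that GroupCreationAllowedGroupId still resolves to a security group, and lists the users reached through nesting. It assumes an existing Connect-AzureAD session, and Get-NestedUserMember is a hypothetical helper name.

```powershell
# Added example, not from the original article. Assumes AzureADPreview is loaded
# and Connect-AzureAD has been run. Get-NestedUserMember is a hypothetical helper.
function Get-NestedUserMember {
    param([string]$GroupId, $Seen)
    if (-not $Seen.Add($GroupId)) { return }   # already visited: stops circular nesting
    foreach ($Member in Get-AzureADGroupMember -ObjectId $GroupId -All $true) {
        if ($Member.ObjectType -eq 'Group') {
            Get-NestedUserMember -GroupId $Member.ObjectId -Seen $Seen
        } elseif ($Member.ObjectType -eq 'User') {
            $Member
        }
    }
}

$Setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
if (-not $Setting) { throw 'No Group.Unified settings object found; default group creation rules apply.' }

# Values come back as Name/Value pairs; cast to string before comparing.
$Enabled   = [string]($Setting.Values | Where-Object { $_.Name -eq 'EnableGroupCreation' }).Value
$AllowedId = [string]($Setting.Values | Where-Object { $_.Name -eq 'GroupCreationAllowedGroupId' }).Value

if ($Enabled -ne 'False') {
    Write-Warning "EnableGroupCreation is '$Enabled': creation is not limited to one group."
}
if (-not $AllowedId) { throw 'GroupCreationAllowedGroupId is empty.' }

# A stale ID (for example, a deleted group) fails here instead of passing silently.
try {
    $Allowed = Get-AzureADGroup -ObjectId $AllowedId
} catch {
    throw "GroupCreationAllowedGroupId '$AllowedId' does not resolve to a group: $($_.Exception.Message)"
}
if (-not $Allowed.SecurityEnabled) {
    Write-Warning "'$($Allowed.DisplayName)' is not a security group."
}

# Walk the nesting and list each user once.
$Seen = New-Object 'System.Collections.Generic.HashSet[string]'
Get-NestedUserMember -GroupId $Allowed.ObjectId -Seen $Seen |
    Sort-Object ObjectId -Unique |
    Select-Object DisplayName, UserPrincipalName, ObjectId
```

The list does not include members of the admin roles named earlier in this article, who can still create Office 365 Groups in the Office 365 admin center.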
