Manage Office 365 Group Creation

This article describes how Office 365 admins can control their users' ability to create Office 365 Groups in their environment. This can be useful if you want to allow it only for people in your organization who use Office 365 services that might need the ability to create Office 365 Groups, such as Dynamics CRM, Power BI, SharePoint, Outlook, Planner, Teams, and REST API.

Why is it important to control Office 365 Group creation?

All Office 365 users can create Office 365 Groups by default. Several Office 365 services require the ability to create Office 365 Groups for specific functions, such as creating a plan in Microsoft Planner. An admin might want tighter control of Office 365 Group creation and prefer that not everyone can create them - that only users of Office 365 services that require Office 365 Groups creation are allowed to create them.

For example, all Office 365 Business users have access to Microsoft Planner, and an Office 365 Group is created automatically when a plan is created in Microsoft Planner. If you have not removed their licenses, users not intended to use Microsoft Planner can inadvertently create a large number of Office 365 Groups in Azure Active Directory (the cloud-based user authentication service used to manage Office 365 users) as they experiment with Microsoft Planner. It is easy to see how an admin might want to have tighter control of this, especially if your tenant has many users.

By default, Office 365 users can create up to 250 Office 365 Groups each. Office 365 admins have no limit on the number of Office 365 Groups that they can create. The default maximum number of Office 365 Groups that an Office 365 organization can have is currently 500,000, but can be increased by request. For more information on Office 365 Groups limits, see Office 365 Groups - Admin help.

Note: While you can control which users can create Office 365 Groups, this does not impact the ability of all licensed users to participate in group activities, such as creating tasks in Planner or responding to conversations in Outlook.

What do I need to do?

Since all users in your Office 365 tenant are able to create Office 365 Groups by default, an admin can restrict Office 365 Group creation to a specific group of users by doing the following:

Step 1: Create a security group of users that need to be able to create Office 365 Groups

  How to do it: Multiple ways (Office 365 Admin Center, Azure Active Directory, Active Directory)

Step 2: Check your Company-level configuration settings

  • Verify that the company-wide control for users to create groups is enabled.

  How to do it: Check this using Azure AD PowerShell

Step 3: Configure your Office 365 Group settings

  • Block all users in the tenant from creating Office 365 Groups

  • Allow the security group the ability to create Office 365 Groups

  How to do it: Configure using Azure AD PowerShell

Step 4: Verify that it works

  How to do it: Test with user accounts

Important: As noted previously, the ability to create Office 365 Groups is required to use various other Office 365 services, not just Microsoft Planner. It is important to communicate with admins for other Office 365 services when planning to control Office 365 Group creation in your tenant.

Requirements for running Azure AD PowerShell

You will need the Windows Azure Active Directory Module for Windows PowerShell to check your company-wide settings in Step 2 and to configure your Office 365 Group settings in Azure AD in Step 3. To install it, you need the following:

Step 1: Create a security group for users who need to create Office 365 Groups

The first thing you need to do is to set up a security group in Office 365 to which you can add all of your users that you want to be able to create Office 365 Groups.

There are multiple ways to create a security group in Office 365. For example:

You can set up your security group directly through the Azure AD Admin console in the Office 365 Admin Center.

  1. In the Office 365 Admin Center, in the Dashboard, select Admin, and then select Azure AD.

  2. In the Microsoft Azure Admin Center, select Active Directory.

  3. In the Active Directory page, select the name of the Office 365 tenant to which you want to add a group.

  4. In the Active Directory tenant page, select Groups.

  5. In the Groups page, select Add Group.

  6. On the Add Group page:

    • In the Name box, type a friendly name for your group (for example, AllowedToCreateGroups).

    • In the Group Type drop-down, select Security.

    • In the Description box, type a short description of the group's purpose.

    When finished, select the checkmark.

    Adding a group in the Azure AD admin console
  7. In the Groups page, select the group you just created.

    Edit your Group in the Azure AD Admin Console
  8. In the properties page for your new group, select Add Members.

  9. In the Add Members page, click on the members you want to add to the group. When finished, click the checkmark.

  10. In the properties page for your new group, when your users have been successfully added, you will see a confirmation on the bottom of the page.

  11. Click Properties.

  12. On the Properties page for the group, note the Object ID. You will need the Object ID for the group later when you use Azure AD PowerShell to allow the group permissions to create Office 365 Groups.

    ObjectId of the new Group

    Note: For more information, see this Support blog post.

Global admins and User Management admins are automatically allowed to create Office 365 Groups. Disabling Group creation globally for your tenant does not affect them, and they do not need to be added to this group.

Additionally, the following built-in roles in Azure Active Directory are also automatically allowed to create Office 365 Groups:

  • Mailbox Administrator

  • Partner Tier1 Support

  • Partner Tier2 Support

  • Directory Writers

The Azure Active Directory cmdlet to allow Office 365 Group creation can only point to a single security group. However, you are allowed to have nested groups within this group. For example, you can create an “Allow Group Creation” security group, and in it have other security groups that contain your users (for example, “Microsoft Planner Users”, “Exchange Online Users”, etc.). All of the users in these nested security groups will be allowed to create Office 365 Groups if the “Allow Group Creation” group is the one specified when you configure your Office 365 Groups settings later in this article.
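Because nesting widens the set of people who can create groups, it is worth listing who actually inherits the right. The following is an added example, not part of the original article or Microsoft's code: the function name and output shape are hypothetical, and it assumes the Get-MsolGroupMember cmdlet from the same module, whose member objects expose GroupMemberType, ObjectId and EmailAddress.

```powershell
# Added example (hypothetical helper): expand the allowed security group,
# including nested groups, into the users who can create Office 365 Groups.
function Get-EffectiveGroupCreators {
    param(
        [Parameter(Mandatory = $true)][guid] $GroupObjectId,
        # Internal: groups already expanded, so circular nesting cannot loop forever.
        [System.Collections.Generic.HashSet[guid]] $Visited
    )

    if ($null -eq $Visited) {
        $Visited = New-Object 'System.Collections.Generic.HashSet[guid]'
    }
    # HashSet.Add returns $false when the group was already expanded.
    if (-not $Visited.Add($GroupObjectId)) { return }

    foreach ($member in Get-MsolGroupMember -GroupObjectId $GroupObjectId -All) {
        if ($member.GroupMemberType -eq 'Group') {
            # Nested security group: its members inherit the permission too.
            Get-EffectiveGroupCreators -GroupObjectId $member.ObjectId -Visited $Visited
        }
        elseif ($member.GroupMemberType -eq 'User') {
            [pscustomobject]@{
                User     = $member.EmailAddress
                ObjectId = $member.ObjectId
                ViaGroup = $GroupObjectId   # the group that directly contains the user
            }
        }
    }
}

# Usage, after Connect-MsolService, with the example Object ID from this article.
# A user reachable through several nested groups is reported once per path,
# so de-duplicate on ObjectId for a head count:
#   Get-EffectiveGroupCreators -GroupObjectId 7e5ba3a7-efae-4002-9b39-5af47205bc83 |
#       Sort-Object ObjectId -Unique
```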

Step 2: Check your Company-level configuration settings

Now that you have set up your security group, you need to check your company-wide configuration settings through the Get-MsolCompanyInfo Windows PowerShell cmdlet. This cmdlet will display your current company-wide configuration settings that affect all users. You specifically need to verify that the UsersPermissionToCreateGroupsEnabled parameter is set to True. This parameter controls whether your Office 365 users will be able to create groups, including Office 365 Groups. It must be enabled in order for you to configure your Office 365 Group settings in Step 3.

To check your Company-level configuration settings
  1. You will first need to connect to your Office 365 service. In the Windows Azure Active Directory Module for Windows PowerShell, type and enter the following:

    Connect-MsolService

    In the Sign in to your Account screen, enter your credentials to connect you to your service, and click Sign in.

    Office 365 credentials

    You will be returned to a prompt in the Windows Azure Active Directory Module.

  2. You will need to display your company-wide configuration settings. To do this, type and enter:

    Get-MsolCompanyInfo

    This will display a listing of the current configuration settings that apply to all users in your company.

    Company-wide configuration settings
  3. In the data that displays, look for the value for the UsersPermissionToCreateGroupsEnabled setting and verify that it is set to True.

    UsersPermissionToCreateGroupsEnabled setting

If the UsersPermissionToCreateGroupsEnabled parameter is set to False, no users in your Office 365 tenant will be able to create groups, including Office 365 Groups. This parameter can be changed through the Set-MsolCompanySettings cmdlet.

Important: Before attempting to change the value of the UsersPermissionToCreateGroupsEnabled parameter, check with any other Office 365 admins to see if there are any reasons to not change this back to the default value (True).

To change the UsersPermissionToCreateGroupsEnabled setting value
  1. You will first need to use the Set-MsolCompanySettings cmdlet to change the UsersPermissionToCreateGroupsEnabled parameter to True. In the Windows Azure Active Directory Module for Windows PowerShell, type and enter the following:

    Set-MsolCompanySettings -UsersPermissionToCreateGroupsEnabled $True
    Change the value to True

    You will be returned to a prompt in the Windows Azure Active Directory Module.

  2. After changing the setting, you then need to run the Get-MsolCompanyInfo cmdlet to verify that the value has changed to True.

    Get-MsolCompanyInfo

    After running the cmdlet, check the displayed information to verify that the UsersPermissionToCreateGroupsEnabled setting value has changed to True.

Step 3: Configure your Office 365 Group settings in Azure AD PowerShell

After verifying that the company-wide setting to create Groups is enabled, you can now run the Windows PowerShell cmdlets needed to control Office 365 Group creation for your Office 365 users.

Note: The company-wide settings you enabled in Step 2 are required in order to configure your Office 365 Group settings in this step. If your company-wide group settings to enable group creation are not enabled (set to True), configuring your Office 365 Group settings in this step will have no effect.

  • See creating a new Group settings object, if this is the first time you are configuring your Group settings and need to make changes to the default settings.

  • See editing an existing Group settings object if you need to make changes to Group settings that had previously been configured.

If this is the first time you are configuring your Group settings, you need to create a Group settings object that will contain your configuration settings you want to set. You can create the Group settings object by creating a copy from the Groups settings template. After creating the settings object, you configure the setting values you want to change, and then save the new settings object to apply your settings. The following procedure walks you through the required steps:

  1. You will first need to connect to your Office 365 service. In the Windows Azure Active Directory Module for Windows PowerShell, type and enter the following:

    Connect-MsolService

    In the Sign in to your Account screen, enter your credentials to connect you to your service, and click Sign in.

    Office 365 credentials

    You will be returned to a prompt in the Windows Azure Active Directory Module.

  2. You will need to find the Object ID for the security group you created earlier to which you will allow Office 365 Group creation. If you do not have it, you can find it by running the following cmdlet in the Windows Azure Active Directory Module. Type and enter:

    Get-MsolGroup -SearchString "<Group Name>"

    For example, if the name of the security group you created is AllowedtoCreateGroups, you would type and enter:

    Get-MsolGroup -SearchString "AllowedtoCreateGroups"

    This will display the properties of the security group with the display name of AllowedtoCreateGroups, which include the Object ID, type, and description.

    Group information through Azure AD PowerShell

    For example, in the graphic above, you are now able to determine that the Object ID for the AllowedtoCreateGroups group is 7e5ba3a7-efae-4002-9b39-5af47205bc83.

  3. After connecting to your Office 365 service, you need to select the Group settings template from which you will pull your settings, which are all set to their default values. The Group settings template has a Display Name of Group.Unified. You can select the template by typing and entering the following:

    $template = Get-MsolAllSettingTemplate | where-object {$_.displayname -eq "Group.Unified"}

    You will be returned to a prompt in the Windows Azure Active Directory Module.

  4. After selecting the Group settings template, you need to pull the settings and apply them to a new settings object. Type and enter:

    $setting = $template.CreateSettingsObject()

    You will be returned to a prompt in the Windows Azure Active Directory Module.

  5. After creating the new Group settings object, you can view the default settings by typing and entering the following:

    $setting.Values
    Group settings default values

    The default Group settings values will display. The settings we are going to change are:

    • GroupCreationAllowedGroupId (default value: No value)

    • EnableGroupCreation (default value: True)

  6. Let's first disable Group creation for your Office 365 users. To do this, type and enter:

    $setting["EnableGroupCreation"] = "false"

    You will be returned to a prompt in the Windows Azure Active Directory Module.

    Important: As noted previously, this setting will affect all of your Office 365 users in the tenant. Make sure to communicate with your other Office 365 administrators during your planning.

  7. You already have the Object ID for the security group, so you can now use it to specify the security group to allow its members the ability to create groups. To do this, type and enter:

    $setting["GroupCreationAllowedGroupId"] = "<object ID for your group>"

    For example, if we use the Object ID of the AllowedtoCreateGroups group we found in the example in step 2, we would enter:

    $setting["GroupCreationAllowedGroupId"] = "7e5ba3a7-efae-4002-9b39-5af47205bc83"

    You will be returned to a prompt in the Windows Azure Active Directory Module.

  8. After configuring your settings, you can apply the settings by typing and entering the following:

    New-MsolSettings -SettingsObject $setting

    After entering the cmdlet, information will display about the settings object you just created. If you need to make changes to the Group settings later, you can reference it by the ObjectId.

    New Group Settings object
  9. You can verify your new settings by typing and entering $setting.Values.

    View your Group settings

If successfully applied, the only Office 365 users in your tenant (other than the previously mentioned exempt roles) that will be able to create Office 365 Groups will be the ones added to the security group you allowed Group creation permissions to in Step 7.

If you had previously created a Group settings object, and need to change the value for a setting (for example, specify a different group), you can use the following procedure.

  1. You will first need to connect to your Office 365 service. In the Windows Azure Active Directory Module for Windows PowerShell, type and enter the following:

    Connect-MsolService

    In the Sign in to your Account screen, enter your credentials to connect you to your service, and click Sign in.

    Office 365 credentials

    You will be returned to a prompt in the Windows Azure Active Directory Module.

  2. After connecting to your Office 365 service, you first need to reference the Group settings object that contains the configuration settings. To do this, you will need the ObjectId for it. If you don't know the ObjectId, you can search for it by typing and entering the following cmdlet:

    Get-MsolAllSettings

    This will display the current Group settings object, including its ObjectId.

    Find Group Settings object
  3. After finding the ObjectID for the Groups Settings object, you can use it to select the Group settings object that contains your settings. Type and enter the following cmdlet:

    $setting=Get-MsolSettings -SettingId <ObjectId>

    For example, using the ObjectId in the graphic above:

    $setting=Get-MsolSettings -SettingId a032f8a5-301d-4605-a0ad-6b9080df1055

    You will be returned to a prompt in the Windows Azure Active Directory Module.

  4. After selecting the Group settings object, you should check the current configuration values by typing and entering the following:

    $setting.values
    View your Group settings

    This will display the setting values for the Group settings object and will return you to a prompt in the Windows Azure Active Directory Module. Note in the example above that EnableGroupCreation is set to "False" and that GroupCreationAllowedGroupId currently specifies a group.

  5. After verifying the current values in the Group Settings object, you can make changes to the current values by typing and entering the following:

    $value=$setting.GetSettingsValue()

    You will be returned to a prompt in the Windows Azure Active Directory Module.

  6. Now you can make specific changes to the Group setting values. As an example, you can use the following cmdlet if you want to point to a different group to allow Group creation:

    $value["GroupCreationAllowedGroupId"] = "<object ID for the new group>"

    For example, let's change from the AllowedtoCreateGroups group we previously set, to a different group we had created with an ObjectId of 3054dce3-37e6-437a-a817-2363272cac1c:

    $value["GroupCreationAllowedGroupId"] = "3054dce3-37e6-437a-a817-2363272cac1c"

    After configuring your settings, you will be returned to a prompt in the Windows Azure Active Directory Module.

  7. After configuring your new settings, you can apply the settings directly to the Group settings object by typing and entering the following:

    Set-MsolSettings -SettingId <ObjectId of the settings object> -SettingsValue $value

    For example, using the ObjectID of the Group settings object we are editing:

    Set-MsolSettings -SettingId a032f8a5-301d-4605-a0ad-6b9080df1055 -SettingsValue $value

    You will be returned to a prompt in the Windows Azure Active Directory Module.

  8. You can verify that your Group settings have been updated by running $setting.Values and verifying the values.

    Group settings object with changed value

    Notice that the GroupCreationAllowedGroupId setting has changed to your new group.
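The two procedures above (creating a new Group settings object and editing an existing one), combined into one function as an added example; it is not code from the original article or from Microsoft. The function name, its parameters and the exact-match check on the group name are assumptions of this example; every cmdlet it calls is one used in the steps above.

```powershell
# Added example (hypothetical helper). Run Connect-MsolService first.
function Set-GroupCreationAllowList {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string] $AllowedGroupName,
        # ObjectId of an existing Group settings object (from Get-MsolAllSettings).
        # Omit it the first time, when no settings object exists yet.
        [string] $SettingId
    )

    # Step 2 precondition: without the company-wide switch, Step 3 has no effect.
    $company = Get-MsolCompanyInfo
    if (-not $company.UsersPermissionToCreateGroupsEnabled) {
        throw "UsersPermissionToCreateGroupsEnabled is False; review the company-level setting first."
    }

    # -SearchString can return several groups whose names start with the same
    # text. Require exactly one security group with the exact display name so
    # the permission is never granted to a similarly named group.
    $candidates = @(Get-MsolGroup -SearchString $AllowedGroupName |
        Where-Object { $_.DisplayName -eq $AllowedGroupName -and $_.GroupType -eq 'Security' })
    if ($candidates.Count -ne 1) {
        throw "Expected exactly one security group named '$AllowedGroupName', found $($candidates.Count)."
    }
    $groupId = $candidates[0].ObjectId.ToString()

    if ($SettingId) {
        # Edit path: change the values of the existing settings object.
        $setting = Get-MsolSettings -SettingId $SettingId
        $value = $setting.GetSettingsValue()
        $value["EnableGroupCreation"] = "false"
        $value["GroupCreationAllowedGroupId"] = $groupId
        if ($PSCmdlet.ShouldProcess($SettingId, "Restrict group creation to $groupId")) {
            Set-MsolSettings -SettingId $SettingId -SettingsValue $value
        }
    }
    else {
        # First-time path: copy the Group.Unified template, then save it.
        $template = Get-MsolAllSettingTemplate |
            Where-Object { $_.DisplayName -eq "Group.Unified" }
        $setting = $template.CreateSettingsObject()
        $setting["EnableGroupCreation"] = "false"
        $setting["GroupCreationAllowedGroupId"] = $groupId
        if ($PSCmdlet.ShouldProcess("Group.Unified", "Create settings allowing only $groupId")) {
            New-MsolSettings -SettingsObject $setting
        }
    }
}

# Dry run first, then apply:
#   Set-GroupCreationAllowList -AllowedGroupName "AllowedtoCreateGroups" -WhatIf
#   Set-GroupCreationAllowList -AllowedGroupName "AllowedtoCreateGroups"
```

Both paths set EnableGroupCreation and GroupCreationAllowedGroupId together, so the tenant is never left with creation blocked for everyone and no allowed group.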

Step 4: Verify that it works

After applying your settings, you can verify that they were applied to the Group settings object by running $setting.Values in the Azure Active Directory Module, as mentioned earlier. There are additional ways to verify that it worked.

You can verify the current status of your group settings through the Microsoft Graph Explorer. It gives you a different view of the same data that $setting.Values displays in the Azure Active Directory Module. You can use the API functionality to obtain data about fixed entities in your tenant from services such as Azure Active Directory.

  1. Go to the Microsoft Graph Explorer page (https://graph.microsoft.io/en-us/) and select Try the API.

  2. On the next page, select Sign in and log in with your Office 365 tenant credentials.

  3. In the Version drop-down menu, select beta.

  4. In the box to the left of beta, replace the URL with https://graph.microsoft.com/beta/settings and press Enter.

  5. You will see a listing of your current Group settings for your tenant:

    Office Graph view of Group Settings

The true test for success is to verify that it all works for your users. Log into Office 365 with a user account that you know is not allowed to create Office 365 Groups (not a member of the security group you specified earlier), and then try to use an Office 365 service that requires Office 365 Group creation. For example, you can try to create a plan in Microsoft Planner. The user should not be allowed to create a plan and will see the following message:

Cannot Create Groups in Microsoft Planner

Users who are not allowed to create Office 365 Groups will see a similar message when they try to create Office 365 Groups throughout their Office 365 tenant, not only in Microsoft Planner.

Conversely, you also need to verify that the users in your security group are able to create Office 365 Groups, since the above only verifies half of what you are trying to do. Log in with a user account that is allowed to create Office 365 Groups (a member of the security group you specified earlier), and try to do something that requires the ability to create an Office 365 Group, such as creating a plan in Microsoft Planner. You should be able to accomplish your task; in this example, the user should be able to successfully create the plan in Microsoft Planner without seeing the error message.

Note: Make sure that you are not testing with an account that is always allowed to create Office 365 Groups, such as a Global Admin account.

See Also

Getting started with Office 365 PowerShell

Configuring settings for Office 365 Groups in Azure AD

Blog Post: Azure Active Directory cmdlets for configuring group settings

Blog Post: Microsoft Planner - a few simple support questions

Blog Post: Microsoft Planner: Another look as MsolSettings – and a couple more answers

Azure Active Directory Cmdlets - MSDN
