Restrict Group Creation in Office 365
Once Office 365 has been deployed to an organization, the most important task is to manage it, and to configure it according to best practices. One of the most important parts of that is restricting group creation. Office 365 includes many communication tools that let users create multiple Office 365 groups without the consent of the administrator.
Step: 1 Create Security Group
So how do we stop users from creating unnecessary groups? First we need to identify the users who will be given the right to create groups and separate them from everyone else. Here, I have created a security group named 'allowcreategroup' in Office 365 and added the members who should be allowed to create Office 365 groups.
Step: 2 Install Azure Active Directory PowerShell
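The script that restricts group creation in Office 365 needs the Azure Active Directory PowerShell module, so we have to install it first. To install Azure AD PowerShell, run the commands below in Windows PowerShell.

    Get-InstalledModule -Name "AzureAD*"    # list AzureAD modules that are already installed
    Install-Module AzureADPreview           # the directory-setting cmdlets used in Step 3 are in AzureADPreview
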
At the message about an untrusted repository, type Y. It will take a minute or so for the new module to install.
Step: 3 Run PowerShell Commands
Once the module is installed, note the Object ID of the security group we created earlier. For now we only need to note it down; the end of this post shows why. To get the Object ID of the Azure AD group, use the cmdlet below.

    Get-AzureADGroup -SearchString "allowcreategroup"

Next, run the script below to restrict group creation to that group.

    $GroupName = "allowcreategroup"   # security group whose members may create groups
    $AllowGroupCreation = "False"     # "False" = restrict group creation, "True" = remove the restriction

    Connect-AzureAD

    # Look up the tenant's Group.Unified directory setting
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
    if(!$settingsObjectID)
    {
        # No setting exists yet: create one from the Group.Unified template
        $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
        $settingsCopy = $template.CreateDirectorySetting()
        New-AzureADDirectorySetting -DirectorySetting $settingsCopy
        $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
    }

    $settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
    $settingsCopy["EnableGroupCreation"] = $AllowGroupCreation

    if($GroupName)
    {
        # Only members of this group keep the right to create groups
        $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).objectid
    }

    Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

    # Print the resulting values to confirm the change
    (Get-AzureADDirectorySetting -Id $settingsObjectID).Values

Once the script completes, its output shows the same Object ID that we noted earlier, now set as the group that is allowed to create groups.
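To re-check the result later, or to catch the case where searching for the group name returns more than one group, a read-only check can be run in the same session. This is an added example, not part of the original script; the function name Test-GroupCreationRestriction is hypothetical, and it assumes Connect-AzureAD has already been run with the AzureADPreview module loaded.

```powershell
# Added example (not from the original post). Read-only: changes nothing in the tenant.
function Test-GroupCreationRestriction {            # hypothetical helper name
    param([Parameter(Mandatory)][string]$GroupName)
    $findings = @()

    # -SearchString can return several groups and display names are not unique,
    # so require exactly one group whose display name matches exactly.
    $groups = @(Get-AzureADGroup -SearchString $GroupName |
        Where-Object { $_.DisplayName -eq $GroupName })
    if ($groups.Count -ne 1) {
        $findings += "Expected one group named '$GroupName', found $($groups.Count)."
    }

    $setting = Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq "Group.Unified" }
    if (-not $setting) {
        $findings += "No Group.Unified setting found, so the restriction has not been applied."
        return [pscustomobject]@{ Compliant = $false; Findings = $findings; Creators = @() }
    }

    $enabled   = $setting["EnableGroupCreation"]
    $allowedId = $setting["GroupCreationAllowedGroupId"]
    if ($enabled -ne "False") {
        $findings += "EnableGroupCreation is '$enabled', expected 'False'."
    }
    if ($groups.Count -eq 1 -and $allowedId -ne $groups[0].ObjectId) {
        $findings += "GroupCreationAllowedGroupId is '$allowedId', not the ObjectId of '$GroupName'."
    }

    # Members of the allowed group can still create Office 365 groups: review this list.
    $creators = @()
    if ($allowedId) {
        $creators = @(Get-AzureADGroupMember -ObjectId $allowedId -All $true |
            Select-Object DisplayName, UserPrincipalName, ObjectType)
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
        Creators  = $creators
    }
}

Test-GroupCreationRestriction -GroupName "allowcreategroup" | Format-List
```

An empty Findings list means the setting matches what the script was meant to apply; the Creators list is the set of accounts that can still create groups.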
Hope this will help you to manage Office 365 user group creation.
About Author
pdhewjau
Prashant is a Microsoft MVP for Office Servers and Services. He works as a Technical Lead at Thakral One and is a Microsoft Certified Trainer for Windows Server, Exchange Server and Office 365.