Restrict Group Creation in Office 365
Once office 365 has been deployed to organization, the most important thing is to manage it. Not only to manage it, but also configure it with best practices. and one of the most important part in office 365 is to restrict group creation in office 365. There are a lot of communication tool in office 365 which allows users to create a multiple office 365 groups without the consent of Administrator.
Step: 1 Create Security Group
So how do we control users from creating unnecessary groups. Before that we need to make user to whom we will be providing rights to create groups and segregate them from other users. Over here, I have created a security group name ‘allowcreategroup’ in office 365 and added the member to whom we would like to give permission to create office 365 groups.
Step: 2 Install Azure Active Directory PowerShell
As we need the Azure active directory PowerShell to run script to restrict group creation in office 365, we need to install one. To install Azure AD PowerShell, we need to run below script on Windows PowerShell.
Get-InstalledModule -Name "AzureAD*"
At the message about an untrusted repository, type Y. It will take a minute or so for the new module to install.
Step:3 Run PowerShell Commands
Once the module is installed, we need to mark the Security Group Object ID, which we created earlier, this is just to mark. In the end of this blog you will know why we are marking this. To get the object id of azure group, use below cmdlet.
Get-AzureADGroup -SearchString "allowcreategroup"
$GroupName = "allowcreategroup" #name of group for whom we allow to create group.
$AllowGroupCreation = "False" # ‘false’= restrict creation group , ‘true’= disable restrict group
Connect-AzureAD
$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
if(!$settingsObjectID)
{
$template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
$settingsCopy = $template.CreateDirectorySetting()
New-AzureADDirectorySetting -DirectorySetting $settingsCopy
$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
}
$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
$settingsCopy["EnableGroupCreation"] = $AllowGroupCreation
if($GroupName)
{
$settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).objectid
}
Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy
(Get-AzureADDirectorySetting -Id $settingsObjectID).Values
Once the script is completed, you will get same object id which we have marked earlier to allow to create group.
Hope this will help you to manage office 365 user group creation.
Understanding Exchange Role Based Access Control (RBAC)
[Step by Step] Installing and configuring Active Directory Rights Management Service 2016
[Fix] Windows 7 Black Screens for Some AMD/ATI GPUs
About Author
pdhewjau
Prashant is a Principal Cybersecurity Specialist at Thakral One Nepal. His prior position as a Modern Work Security Specialist at Microsoft saw him providing invaluable guidance to major clients in Bangladesh, Brunei, Cambodia, and Myanmar, assisting them with their foundational security needs. Awarded the esteemed Microsoft Most Valuable Professional (MVP) accolade in 2017, Prashant is recognized globally among Microsoft peers. Since 2010, he has imparted his expertise as a Microsoft Certified Trainer (MCT), conducting specialized training across Nepal.