Introduction
Nearly every time Microsoft introduces a solution in Office 365, one of the first things IT people look for is how to turn it off. The same thing occurred when Office 365 Groups were released to the world. Office 365 Groups are unusual in this situation because they are not really a single technology but more of a solution wrapping multiple technologies within Office 365. There are a lot of other posts out there about what actually makes up Office 365 Groups and I plan to write a much longer one, but here are the basics of what is currently wrapped up:
- Email & Calendar
- Security & Membership
- Files & OneNote
- Planner
- PowerBI
- and more!
One key thing to understand looking at this list is that you have multiple technologies such as Azure AD, Exchange, and SharePoint. When you have multiple technologies, centralized management becomes a harder challenge. As Microsoft continues to innovate they will continue to do so using the Minimum Viable Product (MVP) method. This means that we are getting solutions that are not fully developed, and one of the areas most commonly lacking is IT management. New solutions are people first and personally I like this approach.
What occurred with Office 365 Groups was that until very recently the only way to control Group creation was through Outlook Mailbox Policies via Exchange. This meant that if you created a group via Planner (which requires Groups) or PowerBI, it would not follow the policy and the user could still create Groups. This is because the creation does not occur through an Exchange application, so the OwaMailboxPolicy process doesn’t work anymore.
Managing Group Creation via Azure AD
With the GA of Planner, Microsoft added the ability within Azure AD PowerShell to control who can create Office 365 Groups. This process is no longer dependent on Exchange, so it applies throughout Office 365. If an OWA policy exists and the Azure AD (AAD) policy is enabled, the OWA policy will be ignored.
You can now do 2 things:
- Disable the default ability of everyone to create a new Office 365 Group
- Point to an AAD group (Office 365 Group or Distribution Group) that contains a list of people who are allowed to create groups
  - This group cannot have a group in it; it must contain individual users
  - Users with higher tenant roles already have access (company admin, mailbox admin, etc…)
Prerequisites:
NOTE: Version 1.1.143.0 of the Azure AD PowerShell module includes many changes to renew the existing MSOL PowerShell cmdlets. Over time the existing MSOL cmdlets will be replaced. The new module is called “AzureAD.” So where, for example, an existing cmdlet was named “New-MSOLUser”, which adds a new user to the directory, the new cmdlet’s name is “New-AzureADUser.”
My scripts below are using Version 1.1.143.0. Azure AD PowerShell Module Version Release History
Steps to disable ALL Group creation
1 – Connect to Azure AD via PowerShell
Connect-MsolService
2 – Review if you have any MsolSettings currently configured in your tenant
Get-MsolAllSettings | ForEach Values
3a – If you have settings returned it will look like this (properties subject to change over time)
Run this command to set EnableGroupCreation to false and remove any groups entered in GroupCreationAllowedGroupId
# Locate the existing Group.Unified settings object and load its values
$settings = Get-MsolAllSettings | Where-Object {$_.DisplayName -eq "Group.Unified"}
$singlesettings = Get-MsolSettings -SettingId $settings.ObjectId
$value = $singlesettings.GetSettingsValue()
# Turn off creation for everyone and clear any allowed group
$value["EnableGroupCreation"] = "false"
$value["GroupCreationAllowedGroupId"] = ""
Set-MsolSettings -SettingId $settings.ObjectId -SettingsValue $value
3b – If you have NO settings returned it will look like this, and a new template will need to be created
Run this command to create the new template with EnableGroupCreation set to false
# Build a new settings object from the Group.Unified template
$template = Get-MsolAllSettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
$setting = $template.CreateSettingsObject()
$setting["EnableGroupCreation"] = "false"
New-MsolSettings -SettingsObject $setting
4 – Review your updated settings; now Group creation is disabled for all users
Get-MsolAllSettings | ForEach Values
Steps to disable Group creation except for only authorized users
1 – Connect to Azure AD via PowerShell
Connect-MsolService
2 – Review if you have any MsolSettings currently configured in your tenant
Get-MsolAllSettings | ForEach Values
3a – If you have settings returned it will look like this (properties subject to change over time)
Run this command to update the settings with EnableGroupCreation set to false and pass the group for authorized users who will be able to create groups.
- Replace “ENTER GROUP DISPLAY NAME HERE” with the display name of your group to get the ObjectId of the group.
# Look up the group whose members will keep the right to create groups
$group = Get-MsolGroup -All | Where-Object {$_.DisplayName -eq "ENTER GROUP DISPLAY NAME HERE"}
# Locate the existing Group.Unified settings object and load its values
$settings = Get-MsolAllSettings | Where-Object {$_.DisplayName -eq "Group.Unified"}
$singlesettings = Get-MsolSettings -SettingId $settings.ObjectId
$value = $singlesettings.GetSettingsValue()
$value["EnableGroupCreation"] = "false"
$value["GroupCreationAllowedGroupId"] = $group.ObjectId
Set-MsolSettings -SettingId $settings.ObjectId -SettingsValue $value
Here is a visual example of what we are trying to get via the Azure AD portal.
3b – If you have NO settings returned it will look like this, and a new template will need to be created
Run this command to create the new template with EnableGroupCreation set to false and pass the group for authorized users who will be able to create groups.
- Replace “ENTER GROUP DISPLAY NAME HERE” with the display name of your group to get the ObjectId of the group.
# Look up the group whose members will keep the right to create groups
$group = Get-MsolGroup -All | Where-Object {$_.DisplayName -eq "ENTER GROUP DISPLAY NAME HERE"}
# Build a new settings object from the Group.Unified template
$template = Get-MsolAllSettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
$setting = $template.CreateSettingsObject()
$setting["EnableGroupCreation"] = "false"
$setting["GroupCreationAllowedGroupId"] = $group.ObjectId
New-MsolSettings -SettingsObject $setting
4 – Review your updated settings; now Group creation is disabled for all users EXCEPT the ones in the declared group
Get-MsolAllSettings | ForEach Values
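Both procedures above can be folded into one function that picks the 3a or 3b path on its own. This is an added example, not one of the original post's scripts: the function name Set-GroupCreationPolicy is hypothetical, and it adds two checks the steps above do not perform, namely that the display name matches exactly one group and that the group holds only individual users.

```powershell
# Added example: uses the preview MSOL settings cmdlets shown in this post.
# Set-GroupCreationPolicy is a hypothetical name, not part of any module.
function Set-GroupCreationPolicy {
    param([string]$AllowedGroupDisplayName)   # omit to block creation for everyone

    $allowedId = ""
    if ($AllowedGroupDisplayName) {
        # Display names are not unique; insist on exactly one match.
        $group = @(Get-MsolGroup -All | Where-Object { $_.DisplayName -eq $AllowedGroupDisplayName })
        if ($group.Count -ne 1) {
            throw "Expected exactly 1 group named '$AllowedGroupDisplayName', found $($group.Count)."
        }
        # The allowed group must contain individual users only, no nested groups.
        $nonUsers = @(Get-MsolGroupMember -GroupObjectId $group[0].ObjectId -All |
            Where-Object { $_.GroupMemberType -ne "User" })
        if ($nonUsers.Count -gt 0) {
            throw "Non-user members found: $($nonUsers.DisplayName -join ', ')"
        }
        $allowedId = $group[0].ObjectId
    }

    $existing = Get-MsolAllSettings | Where-Object { $_.DisplayName -eq "Group.Unified" }
    if ($existing) {
        # Step 3a: update the existing settings object.
        $value = (Get-MsolSettings -SettingId $existing.ObjectId).GetSettingsValue()
        $value["EnableGroupCreation"] = "false"
        $value["GroupCreationAllowedGroupId"] = $allowedId
        Set-MsolSettings -SettingId $existing.ObjectId -SettingsValue $value
    } else {
        # Step 3b: create a settings object from the Group.Unified template.
        $template = Get-MsolAllSettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }
        $setting = $template.CreateSettingsObject()
        $setting["EnableGroupCreation"] = "false"
        if ($allowedId) { $setting["GroupCreationAllowedGroupId"] = $allowedId }
        New-MsolSettings -SettingsObject $setting
    }

    # Step 4: read the values back so the change is confirmed, not assumed.
    Get-MsolAllSettings | ForEach-Object Values
}

Connect-MsolService
Set-GroupCreationPolicy -AllowedGroupDisplayName "ENTER GROUP DISPLAY NAME HERE"
```

Calling the function without -AllowedGroupDisplayName gives the "disable ALL Group creation" result from the first procedure.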
Aftermath
Once configured users will see errors like this when trying to create an Office 365 Group
Via Outlook UI:
Via Planner UI:
All of these Office 365 Group scripts can be found on Github. Large thanks to Tony Redmond, Santhosh Balakrishnan, and Juan Carlos Martin for providing multiple scripts.
Please feel free to contribute!
Paul
September 13, 2016
I’ve been driving myself nuts trying to solve the error below while trying these. I have 1.1.143.0 AzureADPreview installed. Any tips?
Get-MsolAllSettings : The term ‘Get-MsolAllSettings’ is not recognized as the name of a cmdlet, function, script file,
or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and
try again.
At line:1 char:1
+ Get-MsolAllSettings
+ ~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-MsolAllSettings:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Paul
September 14, 2016
I was able to resolve my issues by uninstalling the Azure AD preview and installing the AdministrationConfig-V1.1.130.0-Preview.msi from this link, and the command was there.
http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=59185
Drew Madelung
September 14, 2016
Thanks for the good info Paul!
Daniel Westerdale
February 1, 2017
I had the same issue and went for version 1.1.130 by looking at the documentation. Has Get-MSolAllsettings() been added to any new versions of the module? The other thing I wondered was what would happen if somebody accidentally deleted the admin group assigned in the PS script.
Drew Madelung
February 1, 2017
Get-MSolAllSettings is being replaced in the V2 module with the *-AzureADDirectorySetting cmdlets. I have not tested what would happen if the admin group is deleted. I’ll be tossing that on my test list!
Keivn
February 28, 2017
I am not even sure the command is now in version 1.1.130. The link above states it is, but when you go to the download page, that states that it’s been removed.
On installing, the command is not there.
Moving to the new preview version, it’s not there either.
Drew Madelung
February 28, 2017
If you are referring to the Azure AD PowerShell V2 Preview, the cmdlets listed in this post have been replaced. Here is a newer post with the cmdlets you can use with V2 Preview: http://drewmadelung.com/managing-office-365-group-using-azure-ad-powershell-v2/
Mithun Kanji
November 28, 2016
Hi Drew.
Thanks for the detailed command. Just one question, since I am trying this out at the moment: how do I get the converse configured? Basically, I want to disable Office365 group creation only for a group of users.
Thanks again
Mithun
Drew Madelung
January 15, 2017
Currently you can not disable for a set of users and only enable for a set of users.
Jorge
February 26, 2017
Please help! I’m very new to Azure and PowerShell 🙁
What would the code to disable Group creation except for only authorized users look like using the new AzureAD cmdlets?
Drew Madelung
February 26, 2017
I am actually writing up a new post for V2 PowerShell that will be up soon. The only way is with the preview of V2 at this point.
Drew Madelung
February 27, 2017
Here is the new post for Azure AD V2: http://drewmadelung.com/managing-office-365-group-using-azure-ad-powershell-v2/
Scott
April 18, 2017
I know I have the latest versions, but after connecting to azuread none of the commands work.
I ran Install-Module -Name AzureADPreview -Force and it downloaded and installed ok, but none of the commands work and they come back with ” ” is not recognized as the name of a cmdlet.
—
PS C:\Windows\system32> Get-AzureADDirectorySetting
Get-AzureADDirectorySetting : The term ‘Get-AzureADDirectorySetting’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and
try again.
At line:1 char:1
+ Get-AzureADDirectorySetting
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-AzureADDirectorySetting:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
PS C:\Windows\system32> Get-MsolAllSettings
Get-MsolAllSettings : The term ‘Get-MsolAllSettings’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ Get-MsolAllSettings
+ ~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-MsolAllSettings:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
PS C:\Windows\system32> Get-MsolAllSettingTemplate
Get-MsolAllSettingTemplate : The term ‘Get-MsolAllSettingTemplate’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
At line:1 char:1
+ Get-MsolAllSettingTemplate
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-MsolAllSettingTemplate:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
PS C:\Windows\system32>
PS C:\Windows\system32> Get-AzureADDirectorySetting | ForEach Values
Get-AzureADDirectorySetting : The term ‘Get-AzureADDirectorySetting’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and
try again.
At line:1 char:1
+ Get-AzureADDirectorySetting | ForEach Values
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-AzureADDirectorySetting:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Drew Madelung
April 23, 2017
Ensure you run Connect-AzureAD to connect to your tenant and then run the commands. You can also run a Get-Module command once connected to view what version you have.
Scott
April 25, 2017
Trust me I double checked that basic stuff several times. But after I am connected I try to run Get-AzureADDirectorySettingTemplate and I get cmdlet is not recognized error. I ran Connect-AzureAD and logged in and I also ran Connect-MsolService. I’m on the latest powershell version too.
Thanks for your reply!
Drew Madelung
April 27, 2017
When you run a Get-Module after connecting to AzureAD what version are you seeing?
Bart Vermeersch
April 28, 2017
Same issue, I have 2.0.0.109, no Get-AzureADDirectorySetting available.
Ali
October 13, 2017
Install PackageManagement PowerShell Modules Preview from:
https://www.microsoft.com/en-us/download/details.aspx?id=51451&751be11f-ede8-5a0c-058c-2ee190a24fa6=True
Then run Install-Module -Name AzureADPreview
you should be able to connect by then
Abraham Lincoln
January 11, 2018
I had similar issues. Here’s what I did to resolve:
• Ran this command:
Save-Module PowerShellGet -Path C:\location
• Closed all Powershell sessions
• Deleted the “PowerShellGet” and “PackageManagement” modules in ‘C:\Program Files (x86)\WindowsPowerShell\Modules’
• Copied the new folders from C:\location to ‘C:\Program Files (x86)\WindowsPowerShell\Modules’
Now I can run Get-AzureADDirectorySettingTemplate
Also, in previous troubleshooting I removed AzureAD — not sure if that contributed to the solution:
• Remove-Module -Name AzureAD
Whatismyip
August 9, 2018
Thanks for the documents. In our Organisation, we need to deny create “teams” for all users and allow one group. We have posted a ticket on Microsoft and they refer this article to follow and we can now control the users to create new “teams”.