Control Microsoft 365 Group Creation


Controlling who can and can’t create Microsoft 365 groups can be a very powerful tool. In this post, I will detail step-by-step how to prevent users from creating Microsoft 365 groups unless they are members of a specific security group.

Prerequisites

  • Microsoft Entra ID P1 or P2 is needed for the users who are allowed to create groups (formerly Azure Active Directory Premium P1 or P2).
  • The Microsoft Graph Beta PowerShell module must be installed.

The Process

  • Log in to the Microsoft Entra admin center.
  • Click on Groups > All Groups
  • Click on New group
  • Make sure the Group type is set to Security.
  • Give your group a name. In my example, I will use the name Group Creators.
  • Add anyone that you want to have the power to create Microsoft 365 Groups to the security group you just created.
  • Open PowerShell ISE.
  • Copy the script from Microsoft here.
  • On line 6 enter the name of the security group you just created. In my case, that group is called Group Creators.

The beginning of the script should look something like this.

Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Beta.Groups

Connect-MgGraph -Scopes "Directory.ReadWrite.All", "Group.Read.All"

$GroupName = "Group Creators"
$AllowGroupCreation = "False"

$settingsObjectID = (Get-MgBetaDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id

The script uses Microsoft Graph to connect to your Microsoft 365 tenant and turn off group creation, then sets it so that only members of the security group we created are allowed to make Microsoft 365 groups. It outputs the Object Id of that group in the results.

If you want to read more about Microsoft Graph I wrote a post that goes into more detail on the setup of Microsoft Graph called Microsoft 365 Setup Microsoft Graph PowerShell SDK.

  • Run the script.

You should get an output similar to the image below.

Output from the script

Let’s confirm it worked.

  • Log in to OWA with an account that is not a member of Group Creators and click on Groups. You should no longer see the New group option.
OWA for a user that is not a member of Group Creators
  • Log in to OWA with an account that is a member of Group Creators and click on Groups. You should see the New group option.
OWA for a user that is a member of Group Creators
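
Besides the OWA check, you can read the Group.Unified setting back and confirm it points at the right security group. The following is an added example, not part of the Microsoft script or the original post: Test-GroupCreationPolicy is a hypothetical helper name, the sample object and its GUID are constructed placeholders, and the read-only scopes in the commented live-tenant lines are assumed to be sufficient for reading.

```powershell
# Added example: audit the Group.Unified directory setting that the script modifies.
# Test-GroupCreationPolicy is a hypothetical helper; it only inspects the object passed in.
function Test-GroupCreationPolicy {
    param(
        [Parameter(Mandatory)] $Setting,                 # object from Get-MgBetaDirectorySetting
        [Parameter(Mandatory)] [string] $ExpectedGroupId # Object Id of the creators group
    )
    # Flatten the Name/Value pairs of the setting into a hashtable for lookup
    $values = @{}
    foreach ($v in $Setting.Values) { $values[$v.Name] = [string]$v.Value }

    $findings = @()
    # String comparison is case-insensitive, so 'False' and 'false' both pass
    if ($values['EnableGroupCreation'] -ne 'false') {
        $findings += 'EnableGroupCreation is not false: group creation is not restricted.'
    }
    $allowed = $values['GroupCreationAllowedGroupId']
    if ([string]::IsNullOrWhiteSpace($allowed)) {
        $findings += 'GroupCreationAllowedGroupId is empty: no security group is delegated.'
    } elseif ($allowed -ne $ExpectedGroupId) {
        $findings += "GroupCreationAllowedGroupId is $allowed, expected $ExpectedGroupId."
    }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample shaped like the Group.Unified setting (the GUID is a placeholder)
$sample = [pscustomobject]@{
    DisplayName = 'Group.Unified'
    Values      = @(
        [pscustomobject]@{ Name = 'EnableGroupCreation';         Value = 'False' }
        [pscustomobject]@{ Name = 'GroupCreationAllowedGroupId'; Value = '00000000-0000-0000-0000-000000000001' }
    )
}
Test-GroupCreationPolicy -Setting $sample -ExpectedGroupId '00000000-0000-0000-0000-000000000001'

# Against a live tenant (assumption: read-only scopes are enough for this check):
# Connect-MgGraph -Scopes 'Directory.Read.All', 'Group.Read.All'
# $live  = Get-MgBetaDirectorySetting | Where-Object DisplayName -EQ 'Group.Unified'
# $group = Get-MgBetaGroup -Filter "displayName eq 'Group Creators'"
# Test-GroupCreationPolicy -Setting $live -ExpectedGroupId $group.Id
```

Because membership of the security group is what grants the right to create groups, review that membership whenever you run this check.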

That’s all it takes to control who can and can’t create a Microsoft 365 Group in your Microsoft 365 tenant.

If you want to read more about restricting who can create Microsoft 365 Groups you can read the Microsoft Documentation about it here.
