Controlling who can and can’t create Microsoft 365 groups can be a very powerful tool. In this post, I will detail step-by-step how to prevent users from creating Microsoft 365 groups unless they are members of a specific security group.
Prerequisites
- Microsoft Entra ID P1 or P2 is needed for the users who are allowed to create groups. (The old name was Azure Active Directory Premium P1 or P2)
- Microsoft Graph Beta Installed.
The Process
- Login to Microsoft Entra admin center
- Click on Groups > All Groups
- Click on New group
- Make sure the Group type is set to Security.
- Give your group a name. In my example, I will use the name Group Creators.
- Add anyone that you want to have the power to create Microsoft 365 Groups to the security group you just created.
- Open PowerShell ISE.
- Copy the script from Microsoft here.
- On line 6 enter the name of the security group you just created. In my case, that group is called Group Creators.
The beginning of the script should look something like this.
Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Beta.Groups
Connect-MgGraph -Scopes "Directory.ReadWrite.All", "Group.Read.All"
$GroupName = "Group Creators"
$AllowGroupCreation = "False"
$settingsObjectID = (Get-MgBetaDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
Code language: PowerShell (powershell)
The script will use Microsoft Graph to connect your Microsoft 365 tenant and turn off group creation and set it so that only members of the security group we created are allowed to make Microsoft 365 groups and it will output the Object Id of that group in the results.
If you want to read more about Microsoft Graph I wrote a post that goes into more detail on the setup of Microsoft Graph called Microsoft 365 Setup Microsoft Graph PowerShell SDK.
- Run the script.
You should get an output similar to the image below.
Let’s confirm it worked.
- Log in to OWA with an account that is not a member of Group Creators and click on Groups. You should no longer see the New group option.
- Log in to OWA with an account that is a member of Group Creators and click on Groups. You should see the New group option.
That’s all it takes to control who can and can’t create a Microsoft 365 Group in your Microsoft 365 tenant.
If you want to read more about restricting who can create Microsoft 365 Groups you can read the Microsoft Documentation about it here.