If you have an Office 365 subscription in your organization, you probably know by now that your users can create what is called an Office 365 Group. Don’t get me wrong, it’s an awesome feature with so many possibilities, BUT you need to manage it correctly. Even in a business with fewer than 50 employees, it can quickly become a mess if not managed.
Why? First, the feature is activated by default meaning that any user can create an Office 365 Group which in turn creates a security group in your AzureAD, a distribution list in your Exchange, a site collection in SharePoint, a plan in Planner and a few other things.
The second point is that management tools associated with O365 Groups are almost non-existent besides PowerShell, which is not an optimal tool for an SMB where there might not be an IT guy. This may seem like only a minor annoyance, but if you have 50 users who decide to create an O365 Group from the SharePoint Home, Microsoft Teams, Outlook or even Yammer, as a test or even for a real use, it doesn’t take very long before you have several site collections that are duplicated, unmanaged or unused in your tenant.
So why am I doing a blog post about this? Number 1, if you want to allow the Office 365 Group creation capability but only for a limited group of users, Microsoft offers you a super handy guide, but it doesn’t work because it’s not up to date. Number 2, to remind you that SharePoint and Office 365 are a thing, a very important thing!
How do you manage that pesky Office 365 Group creation?
Note: If you want to completely disable the Office 365 groups in your tenant you can do it from here: https://portal.office.com/adminportal/home#/Settings/ServicesAndAddIns but you will miss out on a very powerful feature of O365.
The official Microsoft guide to do it is available here: https://goo.gl/V0Kx9N. The main problem is that the correct version of one of the requirements is not available anymore.
UPDATE as of 2017/04/11: The Microsoft guide has been updated to reflect the changes to the PowerShell modules.
The note mentions that you need the 1.1.130.0 Preview version, but the link points to the 1.1.166.0 GA version. A normal human being would say it’s not a problem since surely the 1.1.166.0 version is a later version than 1.1.130.0 and thus contains everything from the previous one. NO, that’s not how it works! I won’t do it, but if you want to go into details about that, read https://goo.gl/TRljUj.
Now what is the solution:
- Install the listed prerequisites (use the 1.1.166.0 version for the second one).
- Also, install the Azure Active Directory V2 PowerShell module (https://goo.gl/my1zQg) using the PowerShell command: Install-Module -Name AzureADPreview
- Proceed with the steps 1 and 2 of the Microsoft guide.
- At step 3, things get a bit different as the PowerShell commands changed in V2 of the PowerShell module. To create a new Group settings object, use the following commands:

```powershell
Connect-AzureAD
# Look up the security group and note its ObjectId for the setting below
Get-AzureADGroup -SearchString "NAME_OF_YOUR_SECURITY_GROUP"
# Build a new settings object from the Group.Unified template
$template = Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
$setting = $template.CreateDirectorySetting()
# Turn off group creation for everyone except members of the security group
$setting["EnableGroupCreation"] = "false"
$setting["GroupCreationAllowedGroupId"] = "ID_OF_YOUR_SECURITY_GROUP"
New-AzureADDirectorySetting -DirectorySetting $setting
```

If you want to edit a Group settings object instead of creating a new one, the easiest way I found is to use the following script:

```powershell
Connect-AzureAD
# List the existing settings objects to find the Id to remove
Get-AzureADDirectorySetting
Remove-AzureADDirectorySetting -Id "ID_OF_YOUR_AZUREAD_SETTING"
```

After this you can simply recreate the AzureADDirectorySetting using the previous procedure. I used this approach because the $setting.GetSettingsValue() method from the Microsoft procedure doesn’t seem to exist anymore in the AzureADPreview module and I haven’t found a replacement.
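
The create and remove-then-recreate steps above combined into one script, as an added example that is not from the original post or from Microsoft's guide. The group name is a placeholder, and two things here are additions to the procedure: the existing setting is matched by its template ID, and its current values are copied into the new object before it is removed so the other options are not reset to the template defaults.

```powershell
# Added example: restrict Office 365 Group creation to one security group.
# Requires the AzureADPreview module. $GroupName is a placeholder.
$GroupName = "NAME_OF_YOUR_SECURITY_GROUP"

Connect-AzureAD | Out-Null

# -SearchString can return more than one group, so insist on exactly one
# exact-name match before its ObjectId goes into a tenant-wide setting.
$group = @(Get-AzureADGroup -SearchString $GroupName |
    Where-Object { $_.DisplayName -eq $GroupName })
if ($group.Count -ne 1) {
    throw "Expected exactly one group named '$GroupName', found $($group.Count)."
}

$template = Get-AzureADDirectorySettingTemplate |
    Where-Object { $_.DisplayName -eq "Group.Unified" }
$setting = $template.CreateDirectorySetting()

# If a settings object built from this template already exists, carry its
# values over, then remove it (the remove-and-recreate approach from the post).
$existing = Get-AzureADDirectorySetting |
    Where-Object { $_.TemplateId -eq $template.Id }
if ($existing) {
    foreach ($value in $existing.Values) {
        $setting[$value.Name] = $value.Value
    }
    Remove-AzureADDirectorySetting -Id $existing.Id
}

# Only members of the chosen security group may create groups.
$setting["EnableGroupCreation"] = "false"
$setting["GroupCreationAllowedGroupId"] = $group[0].ObjectId
New-AzureADDirectorySetting -DirectorySetting $setting | Out-Null

# Read the setting back and show the two values that control group creation.
(Get-AzureADDirectorySetting |
    Where-Object { $_.TemplateId -eq $template.Id }).Values |
    Where-Object { $_.Name -in "EnableGroupCreation", "GroupCreationAllowedGroupId" }
```

Between the remove and the create calls the tenant briefly has no Group.Unified setting, so run this outside working hours if that window matters to you.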
You can now test that only the Admin Office 365 Group can create groups, either by using Graph or by trying to create one with a non-admin account.
More to come on the governance part in my next post!