It is simple for users to create Office 365 Groups and you are not inundated with requests to create them on behalf of other people. However, depending on your business, you might want to control who has the ability to create groups.
This article, explains how to disable the ability to create groups in all Office 365 services that use groups, including:
- Outlook
- SharePoint
- Yammer
- Microsoft Teams
- Microsoft Stream
- StaffHub
- Planner
- PowerBI
- Roadmap
You can restrict Office 365 Group creation to the members of a particular security group. To configure this, you need to use Windows PowerShell.
The steps shown in this article won’t prevent members of certain roles from creating Groups. Office 365 Global admins can create Groups via any means, such as the Microsoft 365 admin center, Planner, Teams, Exchange, and SharePoint Online.
Other roles can create Groups via limited means, listed below:
- Exchange Administrator: Exchange Admin center, Azure AD
- Partner Tier 1 Support: Microsoft 365 Admin center, Exchange Admin center, Azure AD
- Partner Tier 2 Support: Microsoft 365 Admin center, Exchange Admin center, Azure AD
- Directory Writers: Azure AD
- SharePoint Administrator: SharePoint Admin center, Azure AD
- Teams Service Administrator: Teams Admin center, Azure AD
- User Management Administrator: Microsoft 365 Admin center, Yammer, Azure AD
If you are a member of one of these roles, you can create Office 365 Groups for restricted users, and then assign the user as the owner of the group. Users who have this role are able to create connected groups in Yammer, regardless of any PowerShell settings that might prevent creation.
Licensing requirements
To manage who creates Groups, the following people need Azure AD Premium licenses or Azure AD Basic EDU licenses assigned to them:
- The admin who configures these group creation settings.
- The members of the security group who are allowed to create groups.
People who are members of Office 365 groups and who don’t have the ability to create other groups don’t need Azure AD Premium or Azure AD Basic EDU licenses assigned to them.
Step 1: Create a security group for users who need to create Office 365 Groups
Important: make sure to use a security group to restrict who can create groups. If you try to use an Office 365 group, members won’t be able to create a group from SharePoint because it checks for a security group.
Only one security group in your organization can be used to control who is able to create Groups. But, you can nest other security groups as members of this group. For example, the group named Allow Group Creation is the designated security group, and the groups named Microsoft Planner Users and Exchange Online Users are members of that group.
Admins in the roles listed above do not need to be members of this group, as they retain their ability to create groups.
To create a security group, you will need to follow the below steps:
- In the admin center, go to > Groups
- Click on Add a Group.
- Choose Security as group type. Remember the name of the group! You’ll need it later.
- Finish setting up the security group, adding people or other security groups who you want to be able to create groups in your org.
Step 2: Run PowerShell commands
You must use the preview version of Azure Active Directory PowerShell for Graph (AzureAD) and the module name is Azure AD Preview.
To change the group-level guest access setting:
- If you haven’t installed any version of the Azure AD PowerShell module before, see Installing the Azure AD Module and follow the instructions to install the public preview release.
- If you have the 2.0 general availability version of the Azure AD PowerShell module (AzureAD) installed, you must uninstall it by running Uninstall-Module AzureAD in your PowerShell session, and then install the preview version by running Install-Module AzureADPreview.
- If you have already installed the preview version, run Install-Module AzureADPreview to make sure it’s the latest version of this module.
Replace <SecurityGroupName> with the name of the security group that you created.
For example:
$GroupName = "Group Creators"
Save the file as GroupCreators.ps1.
In the PowerShell window, navigate to the location where you saved the file (type “CD”).
Run the script by typing:
.\GroupCreators.ps1
And sign in with your administrator account when prompted.
The script can be located here.
If in the future you would like to change which security group is used, you can rerun the script with the name of the new security group.
If you would like to turn off the group creation restriction and again allow all users to create groups, set $GroupName to “” and $AllowGroupCreation to “True” and rerun the script.
For more information, visit: https://messageops.com/ or call 877-788-1617.
Related blog posts
Get our updates straight to your inbox!
Sign up for our email updates to make sure you don't miss any of our new content.