Restrict Office 365 (Unified) Group Creation or Allow Only Certain Users to Set Up Unified Groups

Restricting Office 365 Groups creation to specific users

By default, everyone has permission to set up Unified Groups in Office 365. Some organizations may therefore need to restrict group creation rights, or to allow only people at a certain level to set up Groups.

In this post, I will demonstrate how we can restrict or un-restrict Groups creation in Office 365.

Requirement: In this post, we will be using the Microsoft AzureADPreview PowerShell module. Make sure you have installed it before following the steps.

If you have not yet installed AzureADPreview, please check my post below for the instructions.

How to Install and Connect to AzureADpreview Module for PowerShell

If you are reading this post, then I am sure you are already the organization administrator.

Expected Impact: 

This will disable the ability to create groups in all Office 365 services that use groups:
  • Outlook
  • SharePoint
  • Yammer
  • Microsoft Teams: Both admins and users won't be able to create teams.
  • StaffHub: Both admins and managers won't be able to create teams.
  • Planner: Users won't be able to create a plan.
Note: users who are part of the allowed group will not be impacted.

So let's begin, 

Create a Security Group:

Create a Security Group to which we will add the users who are allowed to set up Groups in Office 365. Creating a security group is pretty straightforward: log in to the O365 Admin portal, click on Group, and create a new group.

In the window that opens, select Security Group as the Type. Give the group a name, for example "AllowGroupCreation".

Click Add to create a Group.

Next, connect to the AzureADPreview PowerShell module and run the command below to get the Security Group information.
Get-AzureADGroup -SearchString "AllowGroupC"

Next, we need to get the Azure AD directory setting templates. Run the command below.
$Templates = Get-AzureADDirectorySettingTemplate

We need to select the "Group.Unified" template. Run the command below to pick it.
$GroupTemplate = $Templates | where {$_.DisplayName -eq 'Group.Unified'}

To review the attributes in the Template run the below CMD.

We need to set the following attributes to restrict the Group Creation.

Let's create a new directory setting from the template. Run the command below.

$Setting = $GroupTemplate.CreateDirectorySetting()

If you recall $Setting, you can see the current settings on the template.

Let's now change the required attributes.

Set the "GroupCreationAllowedGroupId" with the Restricted Group ID.
$GroupID=(Get-AzureADGroup -SearchString "AllowGroupC").objectID

Set the "EnableGroupCreation" to $false


Next, we need to create a new directory setting from $Setting. Run the command below to create the new Azure AD directory setting.

New-AzureADDirectorySetting -DirectorySetting $Setting

We have now created the new directory setting with the restricted values applied, so users should be restricted and unable to create Groups.

If the Azure AD directory setting for "Group.Unified" is already set up in your environment, you will get an error saying the object already exists. In that case, use the "Set-AzureADDirectorySetting" cmdlet to apply the new settings we created above.

$SettingId = Get-AzureADDirectorySetting -All $True | Where-Object {$_.DisplayName -eq "Group.Unified"}
# $SettingId holds the whole setting object, so pass its Id property to -Id
Set-AzureADDirectorySetting -Id $SettingId.Id -DirectorySetting $Setting
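
The steps above combined into one script, as an added example that is not part of the original post. It assumes the AzureADPreview module is loaded, Connect-AzureAD has already been run, and the security group is named "AllowGroupCreation" as in this post; when a "Group.Unified" setting already exists it edits that object rather than a fresh copy of the template, so values already configured on it are kept.

```powershell
# Added example: assumes AzureADPreview is loaded and Connect-AzureAD has been run.
$GroupName = 'AllowGroupCreation'   # security group name used in this post

# -SearchString is a prefix match, so insist on exactly one group with the exact name.
$Group = @(Get-AzureADGroup -SearchString $GroupName |
    Where-Object { $_.DisplayName -eq $GroupName })
if ($Group.Count -ne 1) {
    throw "Expected exactly one group named '$GroupName', found $($Group.Count)."
}

# Reuse the tenant's existing Group.Unified setting if there is one, so values
# already configured on it are not replaced by the template defaults.
$Existing = Get-AzureADDirectorySetting -All $true |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }
if ($Existing) {
    $Setting = $Existing
} else {
    $Template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
    $Setting = $Template.CreateDirectorySetting()
}

# The two attributes this post changes.
$Setting['EnableGroupCreation']         = $false
$Setting['GroupCreationAllowedGroupId'] = $Group[0].ObjectId

if ($Existing) {
    Set-AzureADDirectorySetting -Id $Existing.Id -DirectorySetting $Setting
} else {
    New-AzureADDirectorySetting -DirectorySetting $Setting | Out-Null
}

# Read the setting back from the directory and show what was actually stored.
$Applied = Get-AzureADDirectorySetting -All $true |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }
$Applied.Values |
    Where-Object { $_.Name -in 'EnableGroupCreation', 'GroupCreationAllowedGroupId' } |
    Format-Table Name, Value
```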

Test the Restriction:

Now, if you try to create a new plan, you will see an error message.

In the same way, the option to add a new group will disappear.

Add the user to the AllowGroupCreation Security Group.

Once we have added the user to the Security Group, we can see that the option to set up the Security Group is showing again.

In the same way, if we try to set up a plan now, it shows us the plan creation wizard.

Remove Restriction (Restore Default Settings)

To remove the restriction completely, run the commands below.

$SettingId = Get-AzureADDirectorySetting -All $True | Where-Object {$_.DisplayName -eq "Group.Unified"}
Remove-AzureADDirectorySetting -Id $SettingId.Id

This completes my post, where we learned how to restrict or un-restrict (restore default settings) Office 365 Group creation (Unified Groups). We also reviewed the default template and how to modify its attributes.