# Disable Office 365 Groups Creation: Redux

Update: I posted roll-back steps at the bottom of the article.

Several months ago, I wrote a blog post on Disabling Office 365 Groups. It seems as though we couldn’t leave well enough alone. Such is the price of progress.

I got a new laptop a few weeks ago, and then found myself in the position of helping out a few colleagues this week.  One of the tasks for this particular customer was disabling Office 365 Groups.

No sweat. I’ve done this before. I even blogged about it.

I pulled up my blog page referencing the steps.

Pro tip: start a blog so you can have publicly searchable content that has all the steps you used to do something. Also, it makes you seem smart.

At any rate, I started the process and went to download the Azure Preview module like my post recommends, only to find that we’ve changed that part, too. I’m now at the customer with a new laptop and I don’t have access to the tools to complete the job. So, what do I do?

Without further ado, here’s the cheat sheet for the new cmdlets, where to download the module, and how to be a rockstar in general.

1. If you don’t have Windows 10, go to the PowerShellGallery and download PowerShellGet.
2. Launch an elevated Windows PowerShell console.
3. Get the Azure Active Directory V2 Preview module (details are available here about it, but guess what: there’s nothing to download there) by running this:

   ```powershell
   Install-Module -Name AzureADPreview
   ```
4. Then, replace the original *msolsetting* with *AzureADSetting* cmdlets (oh, and connect to MSOL, Azure, and Exchange Online PowerShell sessions to complete the tasks).

The following script will:

• Connect to Microsoft Online Service
• Connect to the Azure AD endpoint
• Connect to Exchange Online
• Specify Global Admins as the group that can create Unified Groups (Office 365 Groups)
• Disable the Groups Creation in OWA

```powershell
Import-Module MSOnline
$UserCredential = Get-Credential

# Connect to Exchange Online
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

# Connect to Azure AD and the Microsoft Online Service
Connect-AzureAD -Credential $UserCredential
Connect-MsolService -Credential $UserCredential

# Use the Global Admins object ID as the only group allowed to create Office 365 Groups
$GlobalAdmins = Get-MsolRole -RoleName "Company Administrator"
$GlobalAdminsObjectID = $GlobalAdmins.ObjectId.ToString()

# Build a Group.Unified directory setting from its template and apply it
$template = Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
$setting = $template.CreateDirectorySetting()
$setting["EnableGroupCreation"] = "false"
$setting["GroupCreationAllowedGroupId"] = $GlobalAdminsObjectID
New-AzureADDirectorySetting -DirectorySetting $setting

# Disable group creation in the default OWA mailbox policy
Get-OwaMailboxPolicy | ? {$_.IsDefault -eq $true } | Set-OwaMailboxPolicy -GroupCreationEnabled $false
```

If you’ve already created a directory setting and you want to update it, you can use:

```powershell
Get-AzureADDirectorySetting | Set-AzureADDirectorySetting -DirectorySetting $setting
```

To revert these changes and set your tenant back to default settings:

```powershell
Import-Module MSOnline
$UserCredential = Get-Credential

# Connect to Exchange Online, Azure AD and the Microsoft Online Service
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
Connect-AzureAD -Credential $UserCredential
Connect-MsolService -Credential $UserCredential

# Re-enable group creation for everyone and clear the allowed group
$template = Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
$setting = $template.CreateDirectorySetting()
$setting["EnableGroupCreation"] = "true"
$setting["GroupCreationAllowedGroupId"] = $null
Get-AzureADDirectorySetting | Set-AzureADDirectorySetting -DirectorySetting $setting

# Re-enable group creation in the default OWA mailbox policy
Get-OwaMailboxPolicy | ? {$_.IsDefault -eq $true } | Set-OwaMailboxPolicy -GroupCreationEnabled $true
```
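
An added example, not part of the original post: one way to make the change idempotent, so the same call works whether or not a Group.Unified setting already exists, and to read the stored values back afterwards. The function name `Set-UnifiedGroupCreation` and its parameters are hypothetical; it assumes `Connect-AzureAD` has already been run and uses only the AzureADPreview directory-setting cmdlets shown above.

```powershell
# Added example: idempotent apply-and-verify for the Group.Unified directory setting.
# Assumes Connect-AzureAD has already been run in this session.
Import-Module AzureADPreview -ErrorAction Stop   # directory-setting cmdlets live in the Preview module

function Set-UnifiedGroupCreation {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][bool]$Enabled,
        [string]$AllowedGroupId = ''  # object ID of the single group still allowed to create groups
    )

    # Fail early with a clear message if the required cmdlets are not loaded
    if (-not (Get-Command Get-AzureADDirectorySettingTemplate -ErrorAction SilentlyContinue)) {
        throw 'Get-AzureADDirectorySettingTemplate not found: load AzureADPreview, not AzureAD.'
    }

    # Reuse the tenant's existing Group.Unified setting if there is one
    $existing = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
    if ($existing) {
        $setting = $existing
    } else {
        $template = Get-AzureADDirectorySettingTemplate |
            Where-Object { $_.DisplayName -eq 'Group.Unified' }
        $setting = $template.CreateDirectorySetting()
    }

    $setting['EnableGroupCreation'] = $Enabled.ToString().ToLower()   # "true" or "false"
    $setting['GroupCreationAllowedGroupId'] = $AllowedGroupId

    if ($existing) {
        # Update in place; New-AzureADDirectorySetting is only for the first creation
        Set-AzureADDirectorySetting -Id $existing.Id -DirectorySetting $setting
    } else {
        New-AzureADDirectorySetting -DirectorySetting $setting | Out-Null
    }

    # Read back what the tenant now holds so the change can be confirmed
    (Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }).Values |
        Where-Object { $_.Name -in 'EnableGroupCreation', 'GroupCreationAllowedGroupId' }
}

# Restrict creation to one group (constructed placeholder GUID):
# Set-UnifiedGroupCreation -Enabled $false -AllowedGroupId '00000000-0000-0000-0000-000000000000'
# Roll back to the defaults:
# Set-UnifiedGroupCreation -Enabled $true
```
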

If you’ve already created a directory setting and you want to update it, you can use:

```powershell
Get-AzureADDirectorySetting | Set-AzureADDirectorySetting -DirectorySetting $setting
```

Until it changes next time.

### Published by Aaron Guilmette

Helping companies conquer inferior technology since 1997. I spend my time developing and implementing technology solutions so people can spend less time with technology. Specialties: Active Directory and Exchange consulting and deployment, Virtualization, Disaster Recovery, Office 365, datacenter migration/consolidation, cheese.

## Reader Comments

1. Aaron Guilmette says:

The easiest way is to go through and update the DirectorySetting template object to “EnableGroupCreation” to true. I’ve updated the blog post at the end to include the steps.

1. Matthias says:

The Microsoft Guide says you have to have Azure AD Premium Subscription for this task. Is this true for your variant? I can get access to the AzureAd with PowerShell, no problem. Will the modification become active then?

1. Aaron Guilmette says:

I was able to get it to work in a tenant with only Exchange Online P1 (which has Azure AD basic), but YMMV.

2. Ron says:

I get this warning, “WARNING: The command completed successfully but no settings of ‘OwaMailboxPolicy-Default’ have been modified.” Not sure what to do.

1. Aaron Guilmette says:

It means that the setting was already in place (to disable group creation in OWA).

3. David B1 says:

I can’t for the life of me get this working. I have a windows 10 1703 machine. I try to run install-module -Name AzureAdPreview and it says that the following commands are already available on this system and doesn’t install. So then I try to run your script and it fails on get-azureaddirectorysettingtemplate and the following commands. What am I doing wrong? How do I run this on Windows 10?

```
PS C:\WINDOWS\system32> $template = Get-AzureADDirectorySettingTemplate | where-object {$_.DisplayName -eq "Group.Unified"}
Get-AzureADDirectorySettingTemplate : The term 'Get-AzureADDirectorySettingTemplate' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:13
+ $template = Get-AzureADDirectorySettingTemplate | where-object {$_.Di …
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (Get-AzureADDirectorySettingTemplate:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

PS C:\WINDOWS\system32> $setting = $template.CreateDirectorySetting()
You cannot call a method on a null-valued expression.
At line:1 char:1
+ $setting = $template.CreateDirectorySetting()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

PS C:\WINDOWS\system32> $setting["EnableGroupCreation"] = "false"
Cannot index into a null array.
At line:1 char:1
+ $setting["EnableGroupCreation"] = "false"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : NullArray

PS C:\WINDOWS\system32> $setting["GroupCreationAllowedGroupId"] = $GlobalAdminsObjectID
Cannot index into a null array.
At line:1 char:1
+ $setting["GroupCreationAllowedGroupId"] = $GlobalAdminsObjectID
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : NullArray

PS C:\WINDOWS\system32> New-AzureADDirectorySetting -DirectorySetting $setting
New-AzureADDirectorySetting : The term 'New-AzureADDirectorySetting' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ New-AzureADDirectorySetting -DirectorySetting $setting
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (New-AzureADDirectorySetting:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

PS C:\WINDOWS\system32> Get-OwaMailboxPolicy | ? {$_.IsDefault -eq $true } | Set-OwaMailboxPolicy -GroupCreationEnabled $false
```

1. David B1 says:

I was able to figure it out. I had to uninstall-azuread first.

1. Abraham Lincoln says:

For others who might have this problem, I thought I’d share how I resolved:

I got it working by following the instructions in the “For systems running PowerShell 3 or PowerShell 4, that have installed the PackageManagement MSI” section of this website: https://docs.microsoft.com/en-us/powershell/gallery/psget/get_psget_module

Here’s what I did:

• Save-Module PowerShellGet -Path C:\location

• Closed all PowerShell sessions

• Deleted the “PowerShellGet” and “PackageManagement” modules in ‘C:\Program Files (x86)\WindowsPowerShell\Modules’

• Copied the new folders from C:\location to ‘C:\Program Files (x86)\WindowsPowerShell\Modules’

4. David says:

If you disable the permissions to create these groups, will that render any existing groups unusable? Will they stop receiving email?

1. Aaron Guilmette says:

No. Existing groups will continue to work.

5. Thanks.
Questions: Is it possible to allow more than one group (“Global Admins” and custom O365 security group) to create O365 Groups?

1. Aaron Guilmette says:

Unfortunately, no. The object type is a System.Guid, so you can’t put more than one value there. I’d recommend creating a new group (like a mail-enabled security group) and including all of the people allowed in that group.

1. Aaron Guilmette says:

No, since Teams relies on the creation of a group for storage.

1. Chris says:

Hello,

Thanks for this blog, one thing, how to turn back and allow all users to create groups again ???

Thanks

1. Aaron Guilmette says:

You should be able to re-run the steps, replacing

$setting["EnableGroupCreation"] = "false" with $setting["EnableGroupCreation"] = "true"

And then

1. Aaron Guilmette says:

It’s actually a very similar set of steps. 🙂 I just went through this in a commercial tenant last week, so I can verify that it is still valid. You can use the New-AzureGroup cmdlet to create a new group instead of using the Get-MsolRole cmdlet to choose the Global Admins group. The net result is the same.

1. Mike Crowley says:

Patrick’s link doesn’t talk about setting the OWA policy. Is this still required?

1. Aaron Guilmette says:

I don’t know if it’s technically required if you disable the group creation, but I do it anyway so that users will get a dialog error if they try to. 🙂

2. Blake says:

Based on my testing today, the OWA policy does NOT have to be modified. After following the Microsoft article, I logged into OWA and clicked *New* group and I received the following message: “Sorry, the ability to create groups has been turned off by the person who manages your email.” When I say “clicked New” New was in green text next to “groups”. I only get “discover” when I right-click groups in OWA. I also followed the following guide previously FWIW: https://support.microsoft.com/en-us/help/2580991/how-to-prevent-users-from-creating-and-managing-distribution-groups-in

“GroupCreationEnabled” is still set to true.

6. Luca Fabbri says:

Hello.
I’m using AzureADPreview v2.0.0.44 and it doesn’t contain the CreateDirectorySetting"s"() but CreateDirectorySetting().
AzureADPreview module is used, so I suggest to add the “Import-Module AzureADPreview” cmdlet; otherwise the “AzureAD” module will be used and some cmdlets are not available.

Bye,
Luca

1. Aaron Guilmette says:

Yes, thank you. I corrected the script on the page.

7. turbomcp says:

Thanks
you really do seem smart with that blog:)
maybe you are?:)
