Disable Office 365 Groups Creation: Redux

Disable Office 365 Groups Creation: Redux

Rate this post

Update: I posted roll-back steps at the bottom of the article.

Several months ago, I wrote a blog on Disabling Office 365 Groups.  It seems as though we couldn’t leave well enough alone.  Such is a price of progress.

I got a new laptop a few weeks ago, and then found myself in the position of helping out a few colleagues this week.  One of the tasks for this particular customer was disabling Office 365 Groups.

No sweat. I’ve done this before. I even blogged about it.

I pulled up my blog page referencing the steps.

Pro tip: start a blog so you can have publicly searchable content that has all the steps you used to do  something. Also, it makes you seem smart.

At any rate, I start the process, and go to download the Azure Preview module like my post recommends, only to find that we’ve changed that part, too.  I’m now at the customer with a new laptop and I don’t have access to the tools to complete the job.  So, what do I do?

just fuggedaboutit

No, I blog about it.

Without further ado, here’s the cheat sheet for the new cmdlets, where to download the module, and how to be a rockstar in general.

  1. If you don’t have Windows 10, go to the PowerShellGallery and download PowerShellGet.
  2. Launch an elevated Windows PowerShell console.
  3. Get the Azure Active Directory V2 Preview module (details are available here about it, but guess what–there’s nothing to download there) by running this:
    Install-Module -Name AzureADPreview
  4. Then, replace the original *msolsetting* with *AzureADSetting* cmdlets (oh, and connect to MSOL, Azure, and Exchange Online PowerShell sessions to complete the tasks).

The following script will:

  • Connect to Microsoft Online Service
  • Connect to the Azure AD endpoint
  • Connect to Exchange Online
  • Specify Global Admins as the group that can create Unified Groups (Office 365 Groups)
  • Disable the Groups Creation in OWA
Import-Module MSOnline
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
Connect-AzureAD -Credential $UserCredential
Connect-MsolService -Credential $UserCredential
$GlobalAdmins = Get-MsolRole -RoleName "Company Administrator"
$GlobalAdminsObjectID = $GlobalAdmins.ObjectId.ToString()
$template = Get-AzureADDirectorySettingTemplate | where-object {$_.DisplayName -eq "Group.Unified"}
$setting = $template.CreateDirectorySetting()
$setting["EnableGroupCreation"] = "false"
$setting["GroupCreationAllowedGroupId"] = $GlobalAdminsObjectID
New-AzureADDirectorySetting -DirectorySetting $setting
Get-OwaMailboxPolicy | ? { $_.IsDefault -eq $true } | Set-OwaMailboxPolicy -GroupCreationEnabled $false

If you’ve already created a directory setting and you want to update it, you can use:

Get-AzureADDirectorySetting | Set-AzureADDirectorySetting -DirectorySetting $setting

To revert these changes and set your tenant back to default settings:

Import-Module MSOnline
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
Connect-AzureAD -Credential $UserCredential
Connect-MsolService -Credential $UserCredential
$template = Get-AzureADDirectorySettingTemplate | where-object {$_.DisplayName -eq "Group.Unified"}
$setting = $template.CreateDirectorySetting()
$setting["EnableGroupCreation"] = "true"
$setting["GroupCreationAllowedGroupId"] = $null
Get-AzureADDirectorySetting | Set-AzureADDirectorySetting -DirectorySetting $setting
Get-OwaMailboxPolicy | ? { $_.IsDefault -eq $true } | Set-OwaMailboxPolicy -GroupCreationEnabled $true

If you’ve already created a directory setting and you want to update it, you can use:

Get-AzureADDirectorySetting | Set-AzureADDirectorySetting -DirectorySetting $setting

Until it changes next time.

Reader Comments

    1. The easiest way is to go through and update the DirectorySetting template object to “EnableGroupCreation” to true. I’ve updated the blog post at the end to include the steps.

  1. The Microsoft Guide says you have to have Azure AD Premium Subscription for this task.

    Is this true for your variant? I can get Access to the AzureAd with Powersehell, no Problem.
    Will the Modification become active then?

    1. I was able to get it to work in a tenant with only Exchange Online P1 (which has Azure AD basic), but YMMV.

  2. I get this warning, “WARNING: The command completed successfully but no settings of ‘OwaMailboxPolicy-Default’ have been modified.”

    Not sure what to do.

  3. I can’t for the life of me get this working. I have a windows 10 1703 machine. I try to run install-module -Name AzureAdPreview and it says that the following commands are already available on this system and doesn’t install.

    So then I try to run your script and it fails on get-azureaddirectorysettingtemplate and the following commands. What am I doing wrong? How do I run this on Windows 10?

    PS C:\WINDOWS\system32> $template = Get-AzureADDirectorySettingTemplate | where-object {$_.DisplayName -eq “Group.Unified”}
    Get-AzureADDirectorySettingTemplate : The term ‘Get-AzureADDirectorySettingTemplate’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and
    try again.
    At line:1 char:13
    + $template = Get-AzureADDirectorySettingTemplate | where-object {$_.Di …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (Get-AzureADDirectorySettingTemplate:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    PS C:\WINDOWS\system32> $setting = $template.CreateDirectorySetting()
    You cannot call a method on a null-valued expression.
    At line:1 char:1
    + $setting = $template.CreateDirectorySetting()
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

    PS C:\WINDOWS\system32> $setting[“EnableGroupCreation”] = “false”
    Cannot index into a null array.
    At line:1 char:1
    + $setting[“EnableGroupCreation”] = “false”
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : NullArray

    PS C:\WINDOWS\system32> $setting[“GroupCreationAllowedGroupId”] = $GlobalAdminsObjectID
    Cannot index into a null array.
    At line:1 char:1
    + $setting[“GroupCreationAllowedGroupId”] = $GlobalAdminsObjectID
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : NullArray

    PS C:\WINDOWS\system32> New-AzureADDirectorySetting -DirectorySetting $setting
    New-AzureADDirectorySetting : The term ‘New-AzureADDirectorySetting’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:1 char:1
    + New-AzureADDirectorySetting -DirectorySetting $setting
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (New-AzureADDirectorySetting:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    PS C:\WINDOWS\system32> Get-OwaMailboxPolicy | ? { $_.IsDefault -eq $true } | Set-OwaMailboxPolicy -GroupCreationEnabled $false

      1. For others who might have this problem, I thought I’d share how I resolved:

        I got it working by following the instructions in the “For systems running PowerShell 3 or PowerShell 4, that have installed the PackageManagement MSI” section of this website: https://docs.microsoft.com/en-us/powershell/gallery/psget/get_psget_module

        Here’s what I did:

        • Remove-Module -Name AzureAD

        • Save-Module PowerShellGet -Path C:\location

        • Closed all PowerShell sessions

        • Deleted the “PowerShellGet” and “PackageManagement” modules in ‘C:\Program Files (x86)\WindowsPowerShell\Modules’

        • Copied the new folders from C:\location to ‘C:\Program Files (x86)\WindowsPowerShell\Modules’

        Now I can run Get-AzureADDirectorySettingTemplate

  4. If you disable the permissions to create these groups, will that render any existing groups unusable? Will they stop receiving email?

    1. Unfortunately, no. The object type is a System.Guid, so you can’t put more than one value there. I’d recommend creating a new group (like a mail-enabled security group) and including all of the people allowed in that group.

      1. Hello,

        Thanks for this blog, one thing, how to turn back and allow all users to create groups again ???

        Thanks

        1. You should be able to re-run the steps, replacing

          $setting[“EnableGroupCreation”] = “false”
          with
          $setting[“EnableGroupCreation”] = “true”

          And then

          Get-AzureADDirectorySetting | Set-AzureADDirectorySetting -DirectorySetting $setting

          instead of New-AzureADDirectorySetting (because you’ve already set it)

    1. It’s actually a very similar set of steps. 🙂 I just went through this in a commercial tenant last week, so I can verify that it is still valid. You can use the New-AzureGroup cmdlet to create a new group instead of using the Get-MsolRole cmdlet to choose the Global Admins group. The net result is the same.

        1. I don’t know if it’s technically required if you disable the group creation, but I do it anyway so that users will get a dialog error if they try to. 🙂

        2. Based on my testing today, the OWA policy does NOT have to be modified. After following the Microsoft article, I logged into OWA and clicked *New* group and I received the following message: “Sorry, the ability to create groups has been turned off by the person who manages your email.” When I say “clicked New” New was in green text next to “groups”. I only get “discover” when I right-click groups in OWA. I also followed the following guide previously FWIW: https://support.microsoft.com/en-us/help/2580991/how-to-prevent-users-from-creating-and-managing-distribution-groups-in

          “GroupCreationEnabled” is still set to true.

  5. Hello.
    Thank you for your helpful post.
    I’m using AzureADPreview v2.0.0.44 and it doesn’t containt the CreateDirectorySetting”s”() but CreateDirectorySetting().
    AzureADPreview module is used, so I suggest to add the “Import-Module AzureADPreview” cmdlet; otherwise the “AzureAD” module will be used and some cmdlets are not available.

    Bye,
    Luca

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.