How to Control the Creation of Microsoft 365 Groups (and Teams) in a Tenant

Azure AD – then Microsoft 365 – And Maybe OWA

My recent note about the changes Microsoft made to the Azure AD admin center to control the creation of groups created some additional questions about the overall governance of group creation, specifically for Microsoft 365 Groups. It’s a topic that Microsoft has been accused of over-complicating in the past, but it seems reasonably straightforward now.

The Central Role of Azure AD

Azure AD exerts governance over Microsoft 365 Groups at tenant level. This is easy to understand because Microsoft 365 Groups are a form of Azure AD groups. Every Microsoft 365 group is an Azure AD group, and the group membership and ownership are in Azure AD. Because Microsoft 365 Groups are mail-enabled objects, Exchange Online stores some additional properties for the groups (like proxy addresses, membership counts, and SharePoint Online URLs). However, Azure AD is the directory of record and manages the foundational elements of a group.

In late 2019, Microsoft introduced a dual write mechanism to ensure that any changes made by clients to a Microsoft 365 group must update both the Exchange Online Directory and Azure AD to succeed. This change avoids the synchronization glitches which sometimes interfered with object consistency across the two directories.

Configuring Azure AD for Group Creation

Because Azure AD “owns” groups at the tenant level, it follows that the Azure AD control for group creation (Figure 1) must be switched on before anyone can create Microsoft 365 Groups through any app or administrative interface.

Figure 1: Turning on Groups in the Azure AD admin center

The Azure AD control lets users create Microsoft 365 Groups using the Azure portal, API, or PowerShell. By API, it means the Microsoft Graph Groups API, which is how the Microsoft 365 admin center, Teams admin center, and new Exchange admin center create groups. It also covers creation in group-enabled apps like Teams, Planner, and Outlook. PowerShell covers creation using cmdlets like New-UnifiedGroup and New-Team.

Controlling Group Creation by Apps

The next level down is to control group creation by apps. Microsoft 365 uses an Azure AD directory setting policy for this purpose. If the policy doesn’t exist, apps allow anyone to create new Microsoft 365 Groups. If the policy exists, apps use the defined policy settings.

Be aware that using the Azure AD policy to control group creation is an Azure AD premium feature. Administrators and the accounts who are members of the group used to control group creation need an Azure AD Premium P1 license (included in several Microsoft 365 plans and the Enterprise Mobility and Security suite). In the education sector, Azure AD Basic EDU licenses are sufficient. It’s also important to realize that members of the nominated group receive the right to create new groups. It’s not enough to be the owner of the group: if you want to be able to create new groups, you’ve got to be a member.

As discussed in the previous article, some of the settings in the Azure AD policy are accessible through the Azure AD admin center. The settings controlling group creation are not, so PowerShell is needed. The necessary cmdlets are in the Azure AD Preview module. A bunch of PowerShell examples are available to help people understand how to update the settings for group creation, most of which seem to be based on Microsoft’s version. I have my own version of a script to update the group control settings (downloadable from GitHub), which is parameter driven and has more error checking and validation. You won’t run the script very often, but it’s nice to have a version that does things like report back on what it’s done.

The PowerShell commands used to configure group control are simple and relatively straightforward. The basic approach is:

  • Use the Get-AzureADDirectorySetting cmdlet to check whether the tenant has customized the Azure AD policy for groups. If not, create a new policy using the New-AzureADDirectorySetting cmdlet.
  • Fetch the existing settings using the Get-AzureADDirectorySetting cmdlet and update the two settings in the policy used to control group creation.
    • EnableGroupCreation is $True if anyone can create new Microsoft 365 Groups or $False if creation is restricted.
    • GroupCreationAllowedGroupId contains the Azure AD object identifier (GUID) for a group (security group or Microsoft 365) holding the set of users allowed to create new Microsoft 365 Groups. If EnableGroupCreation is $False and this property is not set, then no one except administrators can create new Microsoft 365 Groups.
  • Update the Azure AD policy for Groups using the Set-AzureADDirectorySetting cmdlet.

Example commands to enable group creation control are shown below. The variables used to hold the group object identifier and the True/False setting for EnableGroupCreation are set beforehand.

# Find the identifier of the Group.Unified directory setting (the Azure AD policy for Microsoft 365 Groups)
$PolicySettingsId = (Get-AzureADDirectorySetting | ? {$_.DisplayName -eq "Group.Unified"}).Id
If (!$PolicySettingsId) { # No policy settings found for the tenant, so create one from the template and extract the identifier
  $PolicyTemplate = Get-AzureADDirectorySettingTemplate | ? {$_.DisplayName -eq "Group.Unified"}
  $PolicySettings = $PolicyTemplate.CreateDirectorySetting()
  New-AzureADDirectorySetting -DirectorySetting $PolicySettings
  $PolicySettingsId = (Get-AzureADDirectorySetting | ? {$_.DisplayName -eq "Group.Unified"}).Id
} # End If

# Fetch the current settings, update the two creation controls, and write the policy back
$PolicySettings = Get-AzureADDirectorySetting -Id $PolicySettingsId
$PolicySettings["EnableGroupCreation"] = $OnOffSwitch            # $True = anyone can create groups, $False = restricted
$PolicySettings["GroupCreationAllowedGroupId"] = $GroupId        # GUID of the group whose members may create groups
Set-AzureADDirectorySetting -Id $PolicySettingsId -DirectorySetting $PolicySettings

Once you’ve updated the Azure AD policy for Groups, it takes a little while for apps (like Teams and Planner) which support the policy to pick up the new settings. It’s worth mentioning that apps which don’t include code to check the Azure AD policy won’t respect the settings.
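Because the policy grants the right to members of the nominated group rather than its owners, it is worth reading the settings back and listing who actually holds the right. The following audit script is an added example, not code from the article or from the author’s GitHub script; it assumes the AzureADPreview module is loaded and Connect-AzureAD has already been run.

```powershell
# Added example: report the effective Group.Unified creation settings and who can create groups.
# Assumes an existing Connect-AzureAD session (AzureADPreview module).
$Setting = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq "Group.Unified"}
If (!$Setting) {
    Write-Host "No Group.Unified policy exists: apps allow any user to create Microsoft 365 Groups."
    Return
}

# Setting values are stored as strings, so convert the on/off switch explicitly
$EnableGroupCreation = [System.Convert]::ToBoolean($Setting["EnableGroupCreation"])
$AllowedGroupId = $Setting["GroupCreationAllowedGroupId"]

If ($EnableGroupCreation) {
    Write-Host "EnableGroupCreation is True: all users can create Microsoft 365 Groups in policy-aware apps."
}
ElseIf ([string]::IsNullOrEmpty($AllowedGroupId)) {
    Write-Host "EnableGroupCreation is False and no group is nominated: only administrators can create groups."
}
Else {
    # Resolve the GUID; a stale or mistyped identifier silently locks everyone out
    Try {
        $Group = Get-AzureADGroup -ObjectId $AllowedGroupId -ErrorAction Stop
    }
    Catch {
        Write-Warning "GroupCreationAllowedGroupId $AllowedGroupId does not resolve to an Azure AD group."
        Return
    }
    Write-Host ("Group creation is restricted to members of '{0}' ({1}):" -f $Group.DisplayName, $AllowedGroupId)
    $Members = Get-AzureADGroupMember -ObjectId $AllowedGroupId -All $true
    $Members | Select-Object DisplayName, UserPrincipalName, ObjectType | Format-Table -AutoSize

    # Owners who are not also members do not receive the right; flag them so nobody is surprised
    $Owners = Get-AzureADGroupOwner -ObjectId $AllowedGroupId -All $true
    $OwnersNotMembers = $Owners | Where-Object { $_.ObjectId -notin $Members.ObjectId }
    If ($OwnersNotMembers) {
        Write-Warning ("Owners of '{0}' who are not members (and so cannot create groups): {1}" -f `
            $Group.DisplayName, ($OwnersNotMembers.DisplayName -join ", "))
    }
}
```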

OWA Mailbox Policy

When Microsoft launched Office 365 Groups (now Microsoft 365 Groups) in November 2014, OWA was the initial client. At the time, it made sense to have a setting in the OWA mailbox policy to control who could create new groups. Today, the separate OWA setting is an anachronism that should be replaced by the Azure AD policy.

In any case, the GroupCreationEnabled setting controls whether Outlook users can create new Microsoft 365 groups. Anyone assigned an OWA mailbox policy with GroupCreationEnabled set to True can go ahead – that is, if they’re also allowed to do so by the Azure AD policy.

To help understand the situation in a tenant, this code reports the set of OWA mailbox policies which allow group creation, and the set of mailboxes assigned those policies:

# Find the OWA mailbox policies which permit group creation
[array]$OWAPolicies = Get-OWAMailboxPolicy | ? {$_.GroupCreationEnabled -eq $True} | Select -ExpandProperty Identity
Write-Host ""
Write-Host "OWA Mailbox policies allowing group creation:"
Write-Host ""
$OWAPolicies

# Find the mailboxes assigned one of those policies (ResultSize Unlimited avoids the default cap of 1000 results)
[array]$Mailboxes = Get-CasMailbox -ResultSize Unlimited | ? {$_.OWAMailboxPolicy -in $OWAPolicies } | Select DisplayName, OWAMailboxPolicy
Write-Host ""
Write-Host "The OWA Mailbox policy assigned to these mailboxes allows them to create Microsoft 365 Groups:"
Write-Host ""
$Mailboxes | Format-Table -AutoSize

Changing the assigned OWA mailbox policy for an account can take several hours to take effect. You’ll know when the change is effective when OWA no longer offers the option to create a new group.

Managing Group Creation

Managing the creation of Microsoft 365 Groups isn’t difficult. Make sure that Azure AD allows their creation and then decide if everyone or a restricted set can create new groups. Adjust the OWA mailbox policy as required. The need for Azure AD Premium P1 licenses to use the Azure AD policy for groups to control creation is a barrier for some, but probably not in the large enterprise deployments which benefit most from the capability. And if you’re feeling brave, you can create your own approval workflow using Power Apps to allow users to request a new group/team (here’s a useful article to start with).

Learn more about how Office 365 really works on an ongoing basis by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep subscribers informed about what’s important across the Office 365 ecosystem.
