How to Control the Creation of Microsoft 365 Groups (and Teams) in a Tenant

Entra ID – then Microsoft 365 – And Maybe OWA

My recent note about the changes Microsoft made to the Azure AD admin center to control the creation of groups prompted some additional questions about the overall governance of group creation, specifically for Microsoft 365 Groups. It’s a topic that Microsoft has been accused of over-complicating in the past, but it seems reasonably straightforward now.

The Central Role of Entra ID

Entra ID exerts governance over Microsoft 365 Groups at tenant level. This is easy to understand because Microsoft 365 Groups are a form of Entra ID groups. Every Microsoft 365 group is an Entra ID group, and the group membership and ownership are in Entra ID. Because Microsoft 365 Groups are mail-enabled objects, Exchange Online stores some additional properties for the groups (like proxy addresses, membership counts, and SharePoint Online URLs). However, Entra ID is the directory of record and manages the foundational elements of a group.

In late 2019, Microsoft introduced a dual write mechanism to ensure that any changes made by clients to a Microsoft 365 group must update both the Exchange Online Directory and Entra ID to succeed. This change avoids the synchronization glitches which sometimes interfered with object consistency across the two directories.

Configuring Entra ID to Control Group Creation

Because Entra ID “owns” groups at the tenant level, it follows that the Entra ID control for group creation (Figure 1) must be switched on before anyone can create Microsoft 365 Groups through any app or administrative interface.

Figure 1: Turning on Groups in the Entra admin center

The Entra ID control lets users create Microsoft 365 Groups using the Azure portal, API, or PowerShell. By API, it means the Microsoft Graph Groups API, which is how the Microsoft 365 admin center, Teams admin center, and new Exchange admin center create groups. It also covers creation in group-enabled apps like Teams, Planner, and Outlook. PowerShell covers creation using cmdlets like New-UnifiedGroup and New-Team.

Controlling Group Creation by Apps

The next level down is to control group creation by apps. Microsoft 365 uses an Entra ID directory setting object for this purpose. If the policy doesn’t exist, apps allow anyone to create new Microsoft 365 Groups. If the policy exists, apps use the defined policy settings.

Be aware that using the Entra ID policy to control group creation is an Entra premium feature. Administrators and the accounts who are members of the group used to control group creation need an Entra P1 license (included in several Microsoft 365 plans and the Enterprise Mobility and Security suite). In the education sector, Entra ID Basic EDU licenses are sufficient. It’s also important to realize that members of the nominated group receive the right to create new groups. It’s not enough to be the owner of the group: if you want to be able to create new groups, you’ve got to be a member.

As discussed in the previous article, some of the settings in the Entra ID groups policy are accessible through the Entra admin center. The settings controlling group creation are not, so PowerShell is needed. The necessary cmdlets are in the Microsoft Graph PowerShell SDK. A bunch of PowerShell examples are available to help people understand how to update the settings for group creation, most of which seem to be based on Microsoft’s version. I have my own version of a script to update the group control settings (downloadable from GitHub), which is parameter driven and has more error checking and validation. You won’t run the script very often, but it’s nice to have a version that does things like report back on what it’s done.

The PowerShell commands used to configure group control are straightforward. The basic approach is:

  • Find the identifier for the group whose members are allowed to create new groups.
  • Use the Get-MgGroupSetting cmdlet to check if a tenant version of the policy is available. If not, create a new policy using the New-MgGroupSetting cmdlet.
  • Fetch the existing settings using the Get-MgGroupSetting cmdlet and update the two settings in the policy used to control group creation.
    • EnableGroupCreation is $True if anyone can create new Microsoft 365 Groups or $False if creation is restricted.
    • GroupCreationAllowedGroupId contains the Entra ID object identifier (GUID) for a group (security group or Microsoft 365) holding the set of users allowed to create new Microsoft 365 Groups. If this property is not set, then no one except administrators can create new Microsoft 365 Groups.
  • Update the Entra ID policy for Groups using the Update-MgGroupSetting cmdlet.

Example commands to enable group creation control are shown below.

# Connect with the permissions needed to read groups and update directory settings
Connect-MgGraph -Scopes "Group.Read.All", "Directory.ReadWrite.All"
# Find the group whose members are allowed to create new Microsoft 365 Groups
$GroupId = (Get-MgGroup -Filter "displayName eq 'GroupCreationControl'").Id
If (!($GroupId)) { Throw "Group 'GroupCreationControl' not found; create it before running these commands" }
# Check if the tenant already has a Group.Unified policy; if not, create one from the template
$TenantSettings = Get-MgGroupSetting | Where-Object {$_.DisplayName -eq "Group.Unified"}
If (!($TenantSettings)) {
  $PolicyId = (Get-MgGroupSettingTemplateGroupSettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}).Id
  New-MgGroupSetting -TemplateId $PolicyId
  $TenantSettings = Get-MgGroupSetting | Where-Object {$_.DisplayName -eq "Group.Unified"}
}
# Restrict creation and nominate the group whose members may create new groups
$Values = $TenantSettings.Values
($Values | Where-Object Name -eq 'EnableGroupCreation').Value = "false"
($Values | Where-Object Name -eq 'GroupCreationAllowedGroupId').Value = $GroupId
Update-MgGroupSetting -GroupSettingId $TenantSettings.Id -Values $Values

Once you’ve updated the Entra ID policy for Groups, it takes a little while for apps (like Teams and Planner) which support the policy to pick up the new settings. It’s worth mentioning that apps which don’t include code to check the Entra ID policy won’t respect the settings.
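Because the policy values are plain strings and membership (not ownership) of the nominated group is what matters, it’s worth checking what a tenant actually ends up with after a change. As an added example (not code from the original article), this script reports the effective state of the Group.Unified policy and, when creation is restricted, resolves GroupCreationAllowedGroupId to its group and lists the direct members. It assumes the Microsoft Graph PowerShell SDK; the scope names are the ones needed to read directory settings and group membership.

```powershell
# Added example, not from the original article. Reports the effective Microsoft 365 Groups
# creation policy in Entra ID and, when creation is restricted, lists who is allowed to create
# groups. Assumes the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes "Directory.Read.All", "GroupMember.Read.All"

$TenantSettings = Get-MgGroupSetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
If (!($TenantSettings)) {
    Write-Host "No Group.Unified policy exists: apps allow anyone to create Microsoft 365 Groups"
    Return
}

# Values are stored as strings ("true"/"false" and a GUID), so compare them as strings
$EnableGroupCreation = ($TenantSettings.Values | Where-Object Name -eq 'EnableGroupCreation').Value
$AllowedGroupId      = ($TenantSettings.Values | Where-Object Name -eq 'GroupCreationAllowedGroupId').Value

If ($EnableGroupCreation -eq "true") {
    Write-Host "EnableGroupCreation is true: anyone can create Microsoft 365 Groups"
    Return
}
If ([string]::IsNullOrWhiteSpace($AllowedGroupId)) {
    Write-Host "Creation is restricted and no allowed group is set: only administrators can create groups"
    Return
}

# Resolve the GUID to a group. Membership, not ownership, grants the right to create groups,
# so list the members rather than the owners.
$AllowedGroup = Get-MgGroup -GroupId $AllowedGroupId -ErrorAction SilentlyContinue
If (!($AllowedGroup)) {
    Write-Host ("GroupCreationAllowedGroupId {0} does not resolve to a group; fix the policy" -f $AllowedGroupId)
    Return
}
Write-Host ("Creation is restricted to members of '{0}' ({1})" -f $AllowedGroup.DisplayName, $AllowedGroupId)
[array]$Members = Get-MgGroupMember -GroupId $AllowedGroupId -All
$Members | ForEach-Object {
    # Get-MgGroupMember returns directory objects; the user properties are in AdditionalProperties
    [PSCustomObject]@{
        DisplayName       = $_.AdditionalProperties['displayName']
        UserPrincipalName = $_.AdditionalProperties['userPrincipalName']
    }
} | Format-Table -AutoSize
```

The script only lists direct members of the nominated group. If the group is nested or dynamic, review its membership separately before relying on the report, and remember that a GUID in the policy pointing at a deleted group silently leaves creation restricted to administrators.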

OWA Mailbox Policy

When Microsoft launched Office 365 Groups (now Microsoft 365 Groups) in November 2014, OWA was the initial client. At the time, it made sense to have a setting in the OWA mailbox policy to control who could create new groups. Today, the separate OWA setting is an anachronism that should be replaced by the Entra ID Groups policy.

In any case, the GroupCreationEnabled setting controls whether Outlook users can create new Microsoft 365 groups. Anyone assigned an OWA mailbox policy with GroupCreationEnabled set to True can go ahead – that is, if they’re also allowed to do so by the Entra ID policy.

To help understand the situation in a tenant, this code reports the set of OWA mailbox policies which allow group creation, and the set of mailboxes assigned those policies:

# Assumes an existing Exchange Online session (Connect-ExchangeOnline)
[array]$OWAPolicies = Get-OwaMailboxPolicy | Where-Object {$_.GroupCreationEnabled -eq $True} | Select-Object -ExpandProperty Identity
Write-Host ""
Write-Host "OWA Mailbox policies allowing group creation:"
Write-Host ""
$OWAPolicies
# -ResultSize Unlimited is needed because Get-CasMailbox returns only the first 1,000 mailboxes by default
[array]$Mailboxes = Get-CasMailbox -ResultSize Unlimited | Where-Object {$_.OWAMailboxPolicy -in $OWAPolicies } | Select-Object DisplayName, OWAMailboxPolicy
Write-Host ""
Write-Host "The OWA Mailbox policy assigned to these mailboxes allows them to create Microsoft 365 Groups:"
$Mailboxes

Changing the assigned OWA mailbox policy for an account can take several hours to take effect. You’ll know when the change is effective when OWA no longer offers the option to create a new group.
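If the decision is to let the Entra ID Groups policy be the single control, the OWA setting should be switched off everywhere. As an added example (not the article’s own code), this script turns off GroupCreationEnabled on every OWA mailbox policy that still allows it, reporting how many mailboxes each policy covers before the change. It assumes the Exchange Online Management module, that the script is saved as a .ps1 file so the WhatIf switch works, and it compares the mailbox’s OWAMailboxPolicy value with the policy identity in the same way as the reporting code above.

```powershell
# Added example, not from the original article. Disables group creation in every OWA mailbox
# policy that still allows it so that the Entra ID Groups policy becomes the single control.
# Assumes the Exchange Online Management module; save as a .ps1 and run with -WhatIf first.
Param (
    [switch]$WhatIf
)
Connect-ExchangeOnline -ShowBanner:$false

# Policies that currently let OWA users create Microsoft 365 Groups
[array]$OpenPolicies = Get-OwaMailboxPolicy | Where-Object { $_.GroupCreationEnabled -eq $True }
If ($OpenPolicies.Count -eq 0) {
    Write-Host "No OWA mailbox policy allows group creation; nothing to change"
    Return
}

# Fetch the policy assignment for every mailbox once (the default result size is 1,000, so ask for all)
[array]$CasMailboxes = Get-CasMailbox -ResultSize Unlimited | Select-Object DisplayName, OWAMailboxPolicy

ForEach ($Policy in $OpenPolicies) {
    # Record how many mailboxes the change affects before making it
    [array]$Affected = $CasMailboxes | Where-Object { "$($_.OWAMailboxPolicy)" -eq "$($Policy.Identity)" }
    Write-Host ("Policy {0}: GroupCreationEnabled is True; assigned to {1} mailboxes" -f $Policy.Identity, $Affected.Count)
    # -WhatIf:$WhatIf makes this a dry run when the script is invoked with -WhatIf
    Set-OwaMailboxPolicy -Identity $Policy.Identity -GroupCreationEnabled $False -WhatIf:$WhatIf
}

# Verify that no policy remains open. OWA itself can take several hours to reflect the change.
If (!$WhatIf) {
    [array]$StillOpen = Get-OwaMailboxPolicy | Where-Object { $_.GroupCreationEnabled -eq $True }
    Write-Host ("OWA mailbox policies still allowing group creation: {0}" -f $StillOpen.Count)
}
Disconnect-ExchangeOnline -Confirm:$false
```

Run it once with -WhatIf to see the affected policies and mailbox counts, then again without the switch to apply the change. The verification at the end confirms the policy objects; the OWA client behaviour itself catches up later, as noted above.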

Managing Group Creation

Managing the creation of Microsoft 365 Groups isn’t difficult. Make sure that Entra ID allows their creation and then decide if everyone or a restricted set can create new groups. Adjust the OWA mailbox policy as required. The need for Entra P1 licenses to use the Entra ID policy for groups to control creation is a barrier for some, but probably not in the large enterprise deployments which benefit most from the capability. And if you’re feeling brave, you can create your own approval workflow using Power Apps to allow users to request a new group/team (here’s a useful article to start with).


Learn more about how Office 365 really works on an ongoing basis by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep subscribers informed about what’s important across the Office 365 ecosystem.
