Skip to main content
Version: Insiders

Control creation of Microsoft 365 Groups

In the default setup, all users possess the ability to create Microsoft 365 Groups. However, with the introduction of EasyLife 365 Collaboration, you have the option to restrict group creation for all users. By implementing this restriction, you ensure that Microsoft 365 Groups (and Teams) are exclusively generated through EasyLife 365.

caution

While we advise disabling group creation outside of EasyLife 365 Collaboration, it's not mandatory for EasyLife to operate. EasyLife includes a default policy for managing groups created outside of its scope.

Disabling Group Creation in the Entra ID Portal

To prevent the creation of Microsoft 365 Groups in the Entra ID Portal, follow these steps:

  • Access the Entra ID portal.
  • Navigate to Groups -> All Groups -> General.
  • Adjust Users can create Microsoft 365 groups in Azure portals, API, or PowerShell to No.
  • Save the changes by clicking Save.

Currently, there's no direct method to enable group creation for a specific subset of users in the Entra ID Portal. If you require such functionality, please consider using the PowerShell approach outlined below.

Disabling Group Creation via PowerShell

For detailed instructions, refer to the official documentation here.

To disable group creation for your tenant using PowerShell:

# Install the latest version of the AzureAD preview PowerShell module from the gallery
Install-module azureadpreview -AllowClobber -Force

# Specify the display name of the security group to exempt (if needed)
$groupException = "GroupCreationExceptions"

# Set to $false to disable group creation in your tenant; set to $true to enable group creation again.
$allowGroupCreation = $false

AzureADPreview\Connect-AzureAD

$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
if(!$settingsObjectID)
{
	$template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
    $settingsCopy = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $settingsCopy
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
}

$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
$settingsCopy["EnableGroupCreation"] = $allowGroupCreation

if (![String]::IsNullOrWhiteSpace($groupException)) {
   $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $groupException).objectid
}

Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

(Get-AzureADDirectorySetting -Id $settingsObjectID).Values