
    Self-service is for pumping gas or getting your own soft-serve ice cream at the ice cream shop… not for creating new Office 365 Groups.

    By default Outlook Groups can be created by anyone. If you have proper governance guidelines established users will be required to follow your process to request a new group instead of creating new groups at their pleasure.

    Community Charter Helps Guide Enterprise Social Users

    Governance planning for Enterprise Social Media is key to your success. Introducing a Community Charter is an excellent method to guide users through a validation process before they request a new Office 365 Group. For more information about creating a Community Charter to use for your governance planning click here to view Social Governance Tips.

    Once you have introduced the Community Charter and users are required to request creation of ALL new Office 365 Groups you need to limit the ability to create new Office 365 groups. Designate a group of people in your company who are responsible for the creation of new groups.  Then, follow the steps below to Lock-Down Self-Service for Creating New Office 365 Groups.

    The Office 365 Groups Lock-Down Process

    This article explains how to disable the ability for “everyone” to create groups in all Office 365 services that use groups. Just exactly what Office 365 services allow the use of groups?

    Office 365 services that use groups are:

    • Outlook
    • SharePoint
    • Yammer
    • Microsoft Teams: Both admins and users won't be able to create teams.
    • StaffHub: Both admins and managers won't be able to create teams.
    • Planner: Users won't be able to create a plan.
    • PowerBI

    You need to create a security group for designated people to create Office 365 Groups.

    You will use Windows PowerShell, which means typing commands at the C:\ prompt rather than clicking through the admin center.

    What you need to know before you begin:

    • The PowerShell commands change who can create Office 365 Groups. It WILL NOT affect the rest of your Office 365 environment.
    • Apply the steps in this article ONLY once in your company, for one security group. If you try to reapply them again for another security group, you will get this error:
      A conflicting object with one or more of the specified property values is present in the directory.
    • The steps in this article don't prevent members of the following roles from creating Office 365 Groups in the Office 365 admin center. They are, however, still restricted from creating Office 365 Groups from apps and from creating teams. Remember: teams are not created in the Office 365 admin center.
      • Office 365 Global admins
      • Mailbox Administrator
      • Partner Tier1 Support
      • Partner Tier2 Support
      • Directory Writers
    • These roles can create Office 365 Groups on behalf of restricted users: the admin creates the group and then assigns the user as an owner.
    • *Very Important* You should use a security group - see Step 1 below. This restricts who can create Office 365 groups. Don't try to use an Office 365 Group. Using an Office 365 Group, members won't be able to create a group from SharePoint because it checks for a security group.
    • Setting Set-MSOLCompanySettings -UsersPermissionToCreateGroupsEnabled $True only enables permissions for users to create Security groups, not Office 365 groups.
    • If the steps in this article have been applied and users can still create Office 365 Groups, check their OWA mailbox policy. It provides an additional control for blocking the creation of Office 365 groups from Outlook.

    Only 3 easy steps, so let’s get started…

    STEP 1: Create a Security Group for Users to Create Office 365 Groups

    Only one security group in your organization can be used to control who is able to create Office 365 Groups. For example, the group named Allow Group Creation is the designated security group, and the groups named Microsoft Planner Users and Exchange Online Users are members of that group.

    1. In the Office 365 admin center, create a group of type Security group. Write down the name of the group. You will need it in the next steps.
    2. Add people or other security groups who can create Office 365 Groups in your company.


    STEP 2: Run PowerShell Commands

    1. If you haven't already, open a Windows PowerShell window on your computer.
      • Normal Windows PowerShell window, or
      • Run as administrator
    2. Run the following commands. Press Enter after each command.
      Import-Module AzureADPreview
      Connect-AzureAD
      In the Sign in to your Account screen, enter your Office 365 admin account and password to connect you to your service, and click Sign in.
    3. Find the name of your security group from Step 1 by using the following syntax:
      Get-AzureADGroup -SearchString "<Name of your security group>"
      For example, I named my group AllowedtoCreateGroups. So I would run:
      Get-AzureADGroup -SearchString "AllowedtoCreateGroups"
      This will display the properties of my AllowedtoCreateGroups security group.

    [Screenshot: output of Get-AzureADGroup -SearchString "AllowedtoCreateGroups" showing the group's properties, including ObjectId]

    You can see that the ObjectID property value of my AllowedtoCreateGroups group is afc88... You don't need to write down the ObjectID of your security group, but you'll need to be able to recognize it in a later step.

    4. Run this command:
      $Template = Get-AzureADDirectorySettingTemplate | where {$_.DisplayName -eq 'Group.Unified'}
    5. Run this command:
      $Setting = $Template.CreateDirectorySetting()
    6. Run this command:
      New-AzureADDirectorySetting -DirectorySetting $Setting
      If you get an error like this, skip to step 7. The error message means you don't need to do step 6.

    [Screenshot: New-AzureADDirectorySetting error reporting that a conflicting object is already present in the directory]

      Otherwise, upon successful completion, the cmdlet returns the ID of the new settings object.
    7. Run this command:
      $Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
    8. Run this command:
      $Setting["EnableGroupCreation"] = $False
    9. Use this syntax:
      $Setting["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString "<Name of your security group>").objectid
      For example, I named my group AllowedtoCreateGroups, so I would run this command:
      $Setting["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString "AllowedtoCreateGroups").objectid
    10. Run this command:
      Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting
    11. To verify your security group CAN create groups, and everyone else in your organization can't, run this command:
      (Get-AzureADDirectorySetting).Values
      The result should look like this (but with the ID value for your security group - this is where you need to be able to recognize it).

    [Screenshot: (Get-AzureADDirectorySetting).Values output showing EnableGroupCreation = False and GroupCreationAllowedGroupId set to the security group's ObjectId]

    Only members of the AllowedtoCreateGroups security group (Afc88abb.....) can create groups. No one else can, as indicated by EnableGroupCreation = False.
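    The eleven commands above, collected into one script you can re-run safely. This is an added example, not code from the original article or from Microsoft: it assumes the AzureADPreview module is installed, that Connect-AzureAD has already been run as an Office 365 Global admin, and that $GroupName (a placeholder) holds the name of the security group from Step 1. It goes slightly beyond the steps by checking that the match is a real security group, by creating the Group.Unified settings object only when it is missing (the "conflicting object" case in step 6), and by reading the setting back from the directory before reporting success.

```powershell
# Added example, not from the original article: Step 2 as one idempotent script.
# Assumes AzureADPreview is installed and Connect-AzureAD has been run as a
# Global admin. $GroupName is a placeholder for the Step 1 security group.
$GroupName = "AllowedtoCreateGroups"

# 1. Resolve the group and insist on exactly one match that is a real security
#    group (SecurityEnabled, not MailEnabled). -SearchString is a prefix search,
#    so a similarly named group would also match without the DisplayName test,
#    and an Office 365 Group would silently fail the SharePoint check.
$candidates = @(Get-AzureADGroup -SearchString $GroupName |
    Where-Object { $_.DisplayName -eq $GroupName -and $_.SecurityEnabled -and -not $_.MailEnabled })
if ($candidates.Count -ne 1) {
    throw "Expected exactly one security group named '$GroupName', found $($candidates.Count)."
}
$groupId = $candidates[0].ObjectId

# 2. Fetch the Group.Unified settings object, creating it from the template only
#    if it does not exist yet (steps 4 to 6 of the article).
function Get-UnifiedGroupSetting {
    Get-AzureADDirectorySetting -All $true | Where-Object { $_.DisplayName -eq "Group.Unified" }
}
$setting = Get-UnifiedGroupSetting
if (-not $setting) {
    $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }
    New-AzureADDirectorySetting -DirectorySetting $template.CreateDirectorySetting() | Out-Null
    $setting = Get-UnifiedGroupSetting
}

# 3. Restrict creation to the designated group and write the setting back
#    (steps 8 to 10).
$setting["EnableGroupCreation"]         = $false
$setting["GroupCreationAllowedGroupId"] = $groupId
Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting

# 4. Read the setting back from the directory (step 11) and fail loudly if it
#    did not stick, instead of trusting the local $setting variable.
$applied = Get-AzureADDirectorySetting -Id $setting.Id
$values  = @{}
foreach ($v in $applied.Values) { $values[$v.Name] = [string]$v.Value }
if ($values["EnableGroupCreation"] -ne "False" -or $values["GroupCreationAllowedGroupId"] -ne $groupId) {
    throw "Group.Unified setting was not applied as expected:`n$($values | Out-String)"
}
"Office 365 Group creation is now limited to '$GroupName' ($groupId)."
```

    Because the script looks the settings object up before deciding whether to create it, running it twice (or against a tenant where someone already ran the manual steps) updates the existing object rather than producing the "conflicting object" error.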

    STEP 3: Verify That the PowerShell Script for Office 365 Groups Security Worked

    1. Sign in to Office 365 with a user account of someone who should NOT have the ability to create groups. That is, they are not a member of the security group you created.
    2. Choose the Planner tile.
    3. In Planner, choose New Plan to create a plan.
    4. You should get a message that you can't create a plan:

    [Screenshot: Planner message stating that the plan cannot be created]

    WAIT! It didn't work. What now?

    Verify your OWA mailbox policy and make sure they are not blocked.
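    When a test user can still create groups, the cause is usually one of three things: the tenant-wide Group.Unified setting, membership in the allowed security group through a nested group, or the Outlook-specific OWA mailbox policy. The script below reports all three for one user. It is an added example, not code from the original article; it assumes both Connect-AzureAD (AzureADPreview) and Connect-ExchangeOnline (ExchangeOnlineManagement module) have been run, that $UserPrincipalName is a placeholder for the user being checked, and that a user with no OWA mailbox policy assigned is not restricted by one. It does not account for the admin roles listed earlier, which can still create groups in the admin center.

```powershell
# Added example, not from the original article: explain for one user why they
# can or cannot create Office 365 Groups. Assumes Connect-AzureAD and
# Connect-ExchangeOnline have both been run. $UserPrincipalName is a placeholder.
$UserPrincipalName = "someone@contoso.example"

# Membership check that follows nested security groups, because
# Get-AzureADGroupMember returns direct members only and Step 1 explicitly
# allows other security groups as members of the designated group.
function Test-NestedGroupMember {
    param([string]$GroupObjectId, [string]$UserObjectId, [hashtable]$Visited = @{})
    if ($Visited.ContainsKey($GroupObjectId)) { return $false }   # guard against membership cycles
    $Visited[$GroupObjectId] = $true
    foreach ($m in Get-AzureADGroupMember -ObjectId $GroupObjectId -All $true) {
        if ($m.ObjectType -eq "User" -and $m.ObjectId -eq $UserObjectId) { return $true }
        if ($m.ObjectType -eq "Group" -and
            (Test-NestedGroupMember -GroupObjectId $m.ObjectId -UserObjectId $UserObjectId -Visited $Visited)) {
            return $true
        }
    }
    return $false
}

$user    = Get-AzureADUser -ObjectId $UserPrincipalName
$setting = Get-AzureADDirectorySetting -All $true | Where-Object { $_.DisplayName -eq "Group.Unified" }

# Tenant-wide switch: with no Group.Unified object at all, the default applies
# and everyone can create groups.
$values = @{}
if ($setting) { foreach ($v in $setting.Values) { $values[$v.Name] = [string]$v.Value } }
$everyoneAllowed = (-not $setting) -or ($values["EnableGroupCreation"] -ne "False")
$allowedGroupId  = $values["GroupCreationAllowedGroupId"]
$inAllowedGroup  = $false
if (-not $everyoneAllowed -and $allowedGroupId) {
    $inAllowedGroup = Test-NestedGroupMember -GroupObjectId $allowedGroupId -UserObjectId $user.ObjectId
}

# Outlook-specific control: the GroupCreationEnabled flag on the user's OWA
# mailbox policy. Assumption: no assigned policy means no Outlook restriction.
$policyName = (Get-CASMailbox -Identity $UserPrincipalName).OwaMailboxPolicy
$owaAllowed = $true
if ($policyName) { $owaAllowed = [bool](Get-OwaMailboxPolicy -Identity $policyName).GroupCreationEnabled }

[pscustomobject]@{
    User                    = $UserPrincipalName
    TenantAllowsEveryone    = $everyoneAllowed
    MemberOfAllowedGroup    = $inAllowedGroup
    OwaPolicy               = $policyName
    OwaGroupCreationEnabled = $owaAllowed
    CanCreateFromApps       = $everyoneAllowed -or $inAllowedGroup
    CanCreateFromOutlook    = ($everyoneAllowed -or $inAllowedGroup) -and $owaAllowed
}
```

    Read the output from the top down: TenantAllowsEveryone = True means Step 2 was never applied or was backed out; MemberOfAllowedGroup = True means the test account is in the designated group (possibly through a nested group) and is not a valid test user; and OwaGroupCreationEnabled only matters for creation from Outlook, which is why Planner and Outlook can behave differently for the same person.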

    Remove the restriction on who can create groups

    What's my back-out plan if I need to remove the limits set-up for who can create groups?

    Run this command:

    $SettingId = Get-AzureADDirectorySetting -All $True | Where-Object {$_.DisplayName -eq "Group.Unified"}
    Remove-AzureADDirectorySetting -Id $SettingId.Id


How well are your users adopting Office 365 Groups?  Too well?  Are they becoming a confusing mess?  Hopefully this article helped you find a way to stem the flood and clean up the ROT (groups that are Redundant, Outdated or Trivial) in your Groups!  Need help with the script?  Contact C5 Insight.