Forum Discussion
Massimo Prota
Nov 23, 2017 | Copper Contributor
PowerShell doesn't follow configured policies for Groups creation
We have the requirement to restrict creation of Office 365 Groups to only a number of people, and we have implemented what is described in this article to achieve that:
Manage who can create Office 365...
- Nov 23, 2017
The policy applies to "client" endpoints, PowerShell is not such. You can however create/assign a custom role to any users you want to be able to create Groups via PowerShell. For example, the "Mail Recipients" role already has the New-UnifiedGroup cmdlet.
Massimo Prota
Nov 24, 2017 | Copper Contributor
Thanks for your answer. Unfortunately this still won't let us achieve our requirement to control it by applying it to a security group.
Add-AzureADDirectoryRoleMember : Error occurred while executing AddDirectoryRoleMember Code: Request_BadRequest Message: Role membership changes can only contain objects of the following types: 'ServicePrincipal,User'.
So we'll have to create an Application (service principal) and delegate the operations to it, or assign the permissions per-user.
VasilMichev
Nov 24, 2017 | MVP
Those are the Exchange roles, not the Azure AD ones. You will find them under O365 Admin portal -> Exchange -> Permissions.
- Massimo Prota | Nov 24, 2017 | Copper Contributor
Thanks, that seems to do the trick.
For the record, it seems that:
- the following permissions are needed to allow group creation:
  - Mail Recipients
  - Mail Recipients Creation
- even with this, it isn't possible to assign them to a security group, only to specific users
Do you know if this last one is maybe just a limitation in the UI? And what are the cmdlets to perform this operation via PowerShell? (if you know)
- VasilMichev | Nov 24, 2017 | MVP
You can assign groups, but they need to be mail-enabled security groups.
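The delegation described in this thread (the two Exchange roles, granted to a mail-enabled security group rather than to individual users) as an added PowerShell example; it is not code from the thread or from the linked article, and assumes an already connected Exchange Online PowerShell session plus the placeholder names contoso.com, GroupCreators and alice@contoso.com:

```powershell
# Added example, not from the thread. Assumes Connect-ExchangeOnline has run.
# Domain, group and user names below are placeholders.
$memberGroup = 'GroupCreators'               # mail-enabled security group (placeholder)
$roleGroup   = 'Office 365 Group Creators'   # custom Exchange role group (placeholder)

# 0. Confirm which Exchange roles actually carry New-UnifiedGroup before delegating.
Get-ManagementRole -Cmdlet New-UnifiedGroup | Select-Object Name

# 1. A plain security group cannot be a role-group member; it must be mail-enabled.
if (-not (Get-DistributionGroup -Identity $memberGroup -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $memberGroup -Type Security `
        -PrimarySmtpAddress "$memberGroup@contoso.com"
}

# 2. Create a role group holding only the two roles identified in the thread,
#    with the mail-enabled security group as its member (least privilege:
#    no broader admin role is granted just to allow group creation).
if (-not (Get-RoleGroup -Identity $roleGroup -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $roleGroup `
        -Roles 'Mail Recipients', 'Mail Recipients Creation' `
        -Members $memberGroup `
        -Description 'Delegates Office 365 Group creation via PowerShell'
}

# 3. Verify the assignments the role group carries ...
Get-ManagementRoleAssignment -RoleAssignee $roleGroup |
    Select-Object Role, RoleAssigneeType, RoleAssigneeName

# ... and that a given member inherits the creation role through the group,
# which is the check to repeat after membership changes.
Get-ManagementRoleAssignment -Role 'Mail Recipients Creation' -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -eq 'alice@contoso.com' } |
    Select-Object Role, RoleAssigneeName, EffectiveUserName
```

Membership of the mail-enabled security group is now the single control point for who can run New-UnifiedGroup, so auditing that group's membership covers the PowerShell path the Azure AD group-creation policy does not.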