Forum Discussion
aarohbits
Aug 09, 2021MCT
Unable to restrict Microsoft 365 Groups In Teams
Hi All,
I have a client’s requirement I had to restrict M365 groups and only selected users can create Teams.
- I have followed the Microsoft’s step to restrict via PowerShell Manage who can create Microsoft 365 Groups
$GroupName = "<GroupName>"
$AllowGroupCreation = $False
Connect-AzureAD
$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
if(!$settingsObjectID)
{
$template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
$settingsCopy = $template.CreateDirectorySetting()
New-AzureADDirectorySetting -DirectorySetting $settingsCopy
$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
}
$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
$settingsCopy["EnableGroupCreation"] = $AllowGroupCreation
if($GroupName)
{
$settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).objectid
}
else {
$settingsCopy["GroupCreationAllowedGroupId"] = $GroupName
}
Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy
(Get-AzureADDirectorySetting -Id $settingsObjectID).Values
- I have created a Security group called as Office 365 Group Creators and I added my name to test it.
I am also Global Admin for this tenant. - I ran the PowerShell as per Microsoft steps as follows:
- But when I wait for 1 hour, I myself cant create new teams although I am in Office 365 Group Creators security group as follows:
- Which step I am missing here? Please advise.
- TonyRedmond jcgonzalezmartin ChristianBergstrom
Hi TonyRedmond, adam deltinger and jcgonzalezmartin
TonyRedmond I did contact MS Support and issue is resolved. Here is summary what happened:
- In Microsoft call, they were added a different user (Alex) to the group as a Member and Owner as well as. Removed my account (Aroh) from the RestrictM365Groups
- After re-running the script
$GroupName = "RestrictM365Groups" $AllowGroupCreation = $False Connect-AzureAD $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id if(!$settingsObjectID) { $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"} $settingsCopy = $template.CreateDirectorySetting() New-AzureADDirectorySetting -DirectorySetting $settingsCopy $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id } $settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID $settingsCopy["EnableGroupCreation"] = $AllowGroupCreation if($GroupName) { $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).objectid } else { $settingsCopy["GroupCreationAllowedGroupId"] = $GroupName } Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy (Get-AzureADDirectorySetting -Id $settingsObjectID).Values $Values = Get-AzureADDirectorySetting | ?{$_.DisplayName -eq "Group.Unified"} $GroupId = $Values.Values |?{$_.Name -eq "GroupCreationAllowedGroupId" } | Select -ExpandProperty Value Write-Host ("The name of the group defined by policy to control group creation is {0} and its object identifier is {1}" -f (Get-AzureADGroup -ObjectId $GroupId).DisplayName, $GroupId) Get-AzureADGroupMember -ObjectId $GroupId
and waiting a moment, the settings seemed to be working correctly.- The issue was, that I was owner of the group but there was no member for the RestrictM365Groups security group.
- After adding my name in both in Owner and Member
- I can create teams with my account
- Other users cannot create Teams
The Microsoft 365 Groups settings at Azure portal has to be turned off.
- In Microsoft call, they were added a different user (Alex) to the group as a Member and Owner as well as. Removed my account (Aroh) from the RestrictM365Groups
18 Replies
What values are returned by:
$Values = Get-AzureADDirectorySetting | ?{$_.DisplayName -eq "Group.Unified"} $GroupId = $Values.Values |?{$_.Name -eq "GroupCreationAllowedGroupId" } | Select -ExpandProperty Value Write-Host ("The name of the group defined by policy to control group creation is {0} and its object identifier is {1}" -f (Get-AzureADGroup -ObjectId $GroupId).DisplayName, $GroupId) Get-AzureADGroupMember -ObjectId $GroupId
If you don't have a good group identifier in the policy settings, nothing will work...
(from https://office365itpros.com/2021/08/09/updates-group-creation-settings-azure-ad-admin-center/)Thanks adam deltinger and TonyRedmond
- Just to safe side, I created a new security groups called RestrictM365Groups (no spaces in the name)
and added only my name in this group. - TonyRedmond :
I just checked, in the client’s tenant, Security Groups is turned on but Microsoft 365 Groups is turned off at Azure Portal.
Question: As I have disabled Microsoft 365 Groups for entire organization, turning off Microsoft 365 Groups looks good option. Please advise if its correct. - When I ran your script, it did display the RestrictM365Groups
- Logged in and logged out multiple times. But I still can’t create new teams after 40 mins.
Any suggestions please.
- Out of curiosity: Do you have Azure AD Premium licenses assigned to the users that belong to your security group?
- Just to safe side, I created a new security groups called RestrictM365Groups (no spaces in the name)
- You are sure you added the group correctly at row 1?