aarohbits
Aug 09, 2021
Solved

Unable to restrict Microsoft 365 Groups In Teams

Hi All,

I have a client's requirement: I had to restrict M365 groups so that only selected users can create Teams.

  • I have created a security group called Office 365 Group Creators and I added my name to test it.

    I am also Global Admin for this tenant.

  • I ran the PowerShell as per Microsoft steps as follows:

    $GroupName = "<GroupName>"
    $AllowGroupCreation = $False

    Connect-AzureAD

    # Find the tenant's Group.Unified settings object; create it from the template if it does not exist yet
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
    if(!$settingsObjectID)
    {
        $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
        $settingsCopy = $template.CreateDirectorySetting()
        New-AzureADDirectorySetting -DirectorySetting $settingsCopy
        $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
    }

    # Disable group creation tenant-wide, then allow it for the named group only
    $settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
    $settingsCopy["EnableGroupCreation"] = $AllowGroupCreation

    if($GroupName)
    {
        $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).objectid
    }
    else {
        $settingsCopy["GroupCreationAllowedGroupId"] = $GroupName
    }
    Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

    # Show the resulting values
    (Get-AzureADDirectorySetting -Id $settingsObjectID).Values

  • But when I wait for 1 hour, I myself can't create new teams although I am in the Office 365 Group Creators security group, as follows:

  • Which step am I missing here? Please advise.

  • TonyRedmond jcgonzalezmartin ChristianBergstrom
  • aarohbits
    Aug 12, 2021

    Hi TonyRedmond, adam deltinger and jcgonzalezmartin

    TonyRedmond I did contact MS Support and the issue is resolved. Here is a summary of what happened:

    1. In the Microsoft call, they added a different user (Alex) to the group as a Member and as an Owner as well. They removed my account (Aroh) from RestrictM365Groups.

    2. After re-running the script

    $GroupName = "RestrictM365Groups"
    $AllowGroupCreation = $False
    
    Connect-AzureAD
    
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
    if(!$settingsObjectID)
    {
        $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
        $settingsCopy = $template.CreateDirectorySetting()
        New-AzureADDirectorySetting -DirectorySetting $settingsCopy
        $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
    }
    
    $settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
    $settingsCopy["EnableGroupCreation"] = $AllowGroupCreation
    
    if($GroupName)
    {
      $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).objectid
    }
    else {
        $settingsCopy["GroupCreationAllowedGroupId"] = $GroupName
    }
    Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy
    
    (Get-AzureADDirectorySetting -Id $settingsObjectID).Values
    
    
    $Values = Get-AzureADDirectorySetting | ?{$_.DisplayName -eq "Group.Unified"}
    $GroupId = $Values.Values |?{$_.Name -eq "GroupCreationAllowedGroupId" } | Select -ExpandProperty Value
    Write-Host ("The name of the group defined by policy to control group creation is {0} and its object identifier is {1}" -f (Get-AzureADGroup -ObjectId $GroupId).DisplayName, $GroupId)
    Get-AzureADGroupMember -ObjectId $GroupId

    and waiting a moment, the settings seemed to be working correctly.

    • The issue was that I was owner of the group but there was no member for the RestrictM365Groups security group.

    • After adding my name as both Owner and Member
    • I can create teams with my account

    • Other users cannot create Teams

    • The Microsoft 365 Groups setting in the Azure portal has to be turned off.

      Thanks a lot for helping and providing your help!
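
The state reported in the accepted answer above (the account was an owner of the security group but the group had no members) can be checked for directly instead of waiting on the policy. The following PowerShell is an added example, not part of the original thread or of Microsoft's script; the function name Test-GroupCreationPolicy, the object IDs and user@example.com are assumptions, and the exact-name -Filter lookup goes beyond the thread's -SearchString call, which can return more than one group.

```powershell
# Added example: checks the Group.Unified policy against the allowed group.
function Test-GroupCreationPolicy {
    param(
        [hashtable]$Settings,       # Group.Unified name/value pairs
        [object[]]$MatchingGroups,  # groups found for the display name
        [string[]]$MemberIds,       # object IDs of the group's members
        [string[]]$OwnerIds,        # object IDs of the group's owners
        [string]$UserId             # object ID of the user who should create Teams
    )
    $findings = @()
    if ($MatchingGroups.Count -ne 1) {
        # The policy stores a single object ID, so the name must be unambiguous.
        return "Group name resolves to $($MatchingGroups.Count) groups; expected exactly one."
    }
    $groupId = $MatchingGroups[0].ObjectId
    if ("$($Settings['EnableGroupCreation'])" -ne 'False') {
        $findings += 'EnableGroupCreation is not False, so creation is not restricted.'
    }
    if ("$($Settings['GroupCreationAllowedGroupId'])" -ne $groupId) {
        $findings += 'GroupCreationAllowedGroupId does not point at this group.'
    }
    if ($MemberIds -notcontains $UserId) {
        # The state found in this thread: listed as owner, missing from members.
        if ($OwnerIds -contains $UserId) { $findings += 'User is an owner but not a member.' }
        else { $findings += 'User is not a member.' }
    }
    if (-not $findings) { $findings += 'OK' }
    return $findings
}

# Live inputs (AzureADPreview module, after Connect-AzureAD); user@example.com is a placeholder:
#   $s = @{}; (Get-AzureADDirectorySetting | ? DisplayName -eq 'Group.Unified').Values |
#        % { $s[$_.Name] = $_.Value }
#   $g = @(Get-AzureADGroup -Filter "DisplayName eq 'RestrictM365Groups'")
#   $m = (Get-AzureADGroupMember -ObjectId $g[0].ObjectId -All $true).ObjectId
#   $o = (Get-AzureADGroupOwner  -ObjectId $g[0].ObjectId -All $true).ObjectId
#   $u = (Get-AzureADUser -ObjectId 'user@example.com').ObjectId

# Constructed sample (made-up IDs): owner set, member list empty.
$group = [pscustomobject]@{ ObjectId = '11111111-1111-1111-1111-111111111111' }
$user  = '22222222-2222-2222-2222-222222222222'
Test-GroupCreationPolicy -UserId $user -MatchingGroups @($group) -OwnerIds @($user) `
    -MemberIds @() -Settings @{ EnableGroupCreation = 'False'
                                GroupCreationAllowedGroupId = $group.ObjectId }
```

With live data, pass $s, $g, $m, $o and $u in place of the constructed values.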

18 Replies

  • What values are returned by:

    $Values = Get-AzureADDirectorySetting | ?{$_.DisplayName -eq "Group.Unified"}
    $GroupId = $Values.Values |?{$_.Name -eq "GroupCreationAllowedGroupId" } | Select -ExpandProperty Value
    Write-Host ("The name of the group defined by policy to control group creation is {0} and its object identifier is {1}" -f (Get-AzureADGroup -ObjectId $GroupId).DisplayName, $GroupId)
    Get-AzureADGroupMember -ObjectId $GroupId



    If you don't have a good group identifier in the policy settings, nothing will work...

    (from https://office365itpros.com/2021/08/09/updates-group-creation-settings-azure-ad-admin-center/)

    • aarohbits
      MCT

      Thanks adam deltinger and TonyRedmond

      • Just to be on the safe side, I created a new security group called RestrictM365Groups (no spaces in the name) and added only my name to this group.

      • TonyRedmond:

        I just checked: in the client's tenant, Security Groups is turned on but Microsoft 365 Groups is turned off in the Azure portal.

        Question: As I have disabled Microsoft 365 Groups for the entire organization, turning off Microsoft 365 Groups looks like a good option. Please advise if it's correct.

      • When I ran your script, it did display RestrictM365Groups.

      • Logged in and logged out multiple times. But I still can't create new teams after 40 mins.

        Any suggestions please.

      • Out of curiosity: Do you have Azure AD Premium licenses assigned to the users that belong to your security group?
