Unable to restrict Microsoft 365 Groups In Teams
- Aug 12, 2021
Hi TonyRedmond, adam deltinger and jcgonzalezmartin
TonyRedmond I did contact MS Support and the issue is resolved. Here is a summary of what happened:
- In the Microsoft call, they added a different user (Alex) to the group as both a Member and an Owner, and removed my account (Aroh) from the RestrictM365Groups
- After re-running the script

```powershell
$GroupName = "RestrictM365Groups"
$AllowGroupCreation = $False

Connect-AzureAD

# Find the Group.Unified directory setting; create it from the template if it does not exist yet.
$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
if(!$settingsObjectID)
{
    $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
    $settingsCopy = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $settingsCopy
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
}

# Disable group creation for everyone except members of the named group.
$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
$settingsCopy["EnableGroupCreation"] = $AllowGroupCreation
if($GroupName)
{
    $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).objectid
}
else
{
    $settingsCopy["GroupCreationAllowedGroupId"] = $GroupName
}
Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

# Show the resulting values.
(Get-AzureADDirectorySetting -Id $settingsObjectID).Values

# Report which group the policy points at and list its members.
$Values = Get-AzureADDirectorySetting | ?{$_.DisplayName -eq "Group.Unified"}
$GroupId = $Values.Values |?{$_.Name -eq "GroupCreationAllowedGroupId" } | Select -ExpandProperty Value
Write-Host ("The name of the group defined by policy to control group creation is {0} and its object identifier is {1}" -f (Get-AzureADGroup -ObjectId $GroupId).DisplayName, $GroupId)
Get-AzureADGroupMember -ObjectId $GroupId
```

and waiting a moment, the settings seemed to be working correctly.
- The issue was that I was an owner of the group but there was no member in the RestrictM365Groups security group.
- After adding my name as both Owner and Member
- I can create teams with my account
- Other users cannot create Teams
The Microsoft 365 Groups setting in the Azure portal has to be turned off.
Thanks a lot for helping and providing your help!
Adam
adam deltinger jcgonzalezmartin and TonyRedmond
- I waited for 1 day.
- I noticed that Microsoft 365 Groups toggled automatically to turned off.
- I turned it on and ran the script again.
- RestrictM365Groups security group has only my account and no one else.
- Waited for 40 mins.
- Using Teams App, I can create new teams
- And other users cannot create new Teams.
- Yipee!!
- TonyRedmond
We have to turn on both Security Groups and Microsoft 365 Groups? Is that right?
- Aug 12, 2021
Classic
- TonyRedmond, Aug 12, 2021, MVP
This makes sense. It's a common mistake inside Microsoft 365 to assume that just because you own a group, you have the rights enjoyed by the membership of the group (access to a Planner plan is another example). When you think about it, a clear demarcation exists between group ownership and membership for a good reason (owners take care of management, members do what they need to do with resources they can access through their membership). Apps like Teams read the Azure AD policy and find that group creation control is enabled and a group id exists. The app reads the membership list and applies the block.
Maybe the Office 365 for IT Pros eBook would help you navigate some of the challenges of tenant management. It's available at https://o365itpros.gumroad.com/l/O365IT (gratuitous ad)
- Aug 12, 2021
The joys of Groups Memberships that are even difficult to remember for Microsoft itself
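The owner-versus-member check TonyRedmond describes can be modelled offline to audit a tenant's allowed group. This is an added example, not code from any post in the thread: the function name `Test-GroupCreationAccess`, the `contoso.example` accounts and the all-zero group id are assumptions, and it covers only the membership check described above.

```powershell
# Added example; function name and sample accounts are hypothetical/constructed.
function Test-GroupCreationAccess {
    param(
        [hashtable]$Policy,          # Group.Unified values, as strings
        [string[]]$Members = @(),    # UPNs of the allowed group's members
        [string[]]$Owners  = @(),    # UPNs of the allowed group's owners
        [string[]]$Users             # accounts to evaluate
    )
    # EnableGroupCreation = "False" means creation is limited to the allowed group.
    $restricted = "$($Policy['EnableGroupCreation'])" -eq 'False'
    $hasGroup   = [bool]$Policy['GroupCreationAllowedGroupId']
    foreach ($u in $Users) {
        $isMember = $Members -contains $u
        $isOwner  = $Owners  -contains $u
        [pscustomobject]@{
            User      = $u
            IsOwner   = $isOwner
            IsMember  = $isMember
            # Only membership counts; ownership is never consulted.
            CanCreate = (-not $restricted) -or ($hasGroup -and $isMember)
            Finding   = if ($restricted -and $isOwner -and -not $isMember) {
                            'Owner without membership: blocked by policy'
                        } else { '' }
        }
    }
}

# Constructed policy values matching the script's result (group id is a placeholder).
$policy = @{ EnableGroupCreation = 'False'
             GroupCreationAllowedGroupId = '00000000-0000-0000-0000-000000000000' }
$users  = 'aroh@contoso.example', 'user1@contoso.example'

# Before the fix: Aroh owns RestrictM365Groups but the group has no members.
Test-GroupCreationAccess -Policy $policy -Owners 'aroh@contoso.example' -Users $users |
    Format-Table -AutoSize
# After the fix: Aroh is both owner and member.
Test-GroupCreationAccess -Policy $policy -Owners 'aroh@contoso.example' `
    -Members 'aroh@contoso.example' -Users $users | Format-Table -AutoSize

# Live data: take the policy values from Get-AzureADDirectorySetting as in the thread's
# script, and the lists from Get-AzureADGroupMember / Get-AzureADGroupOwner -ObjectId $GroupId.
```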
- TonyRedmond, Aug 11, 2021, MVP
aarohbits Given that you appear to be following the guidelines in https://docs.microsoft.com/en-us/microsoft-365/solutions/manage-creation-of-groups?view=o365-worldwide, why don't you log a call with Microsoft support and have them look at your tenant? No one here (except you) can sign into your tenant to check the settings, but Microsoft support can... and an extra set of eyes is often useful when looking for something small that's getting in the way.
- aarohbits, Aug 11, 2021, MCT
adam deltinger
You are correct. After around 1 hour, I found that normal users, who are not in the RestrictM365Groups security group, can create teams.
It looks like the Groups settings are not impacting this setting.
Looks like I am back to square one.
Any advice, experts?
- Aug 11, 2021
I don’t think these 2 settings are relevant for this matter.