SOLVED

Having Issue Setting GroupCreationAllowedGroupId


I was able to create a template and apply nearly all the settings but GroupCreationAllowedGroupId. I didn't have any issue with my test environment. In production, PowerShell throws no errors, but every time I run Get-AzureADDirectorySetting | ForEach Values, GroupCreationAllowedGroupId is blank. I verified the group to manage groups creation is in Azure AD. Below are the commands I have been using.

$group = Get-AzureADGroup | Where-Object {$_.DisplayName -eq "O365-GroupsAllowed"}
$settings = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq "Group.Unified"}
$settings["GroupCreationAllowedGroupId"] = $group.ObjectId
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

Any ideas?

6 Replies

What kind of group are you using? It cannot be an O365 Group. Other than that, without being able to see the full output, it's a guessing game. Maybe try configuring the setting via the MSOL cmdlets instead?

It is a security group.

best response
Solution

It could be the Get-AzureADGroup call. The | Where-Object clause iterates through all returned group objects to find the group you're looking for. By default, Get-AzureADGroup returns only the first 100 objects in a directory. So if the group you're looking for isn't there, the statement will not return a value for ObjectId.

To get all group objects, try using Get-AzureADGroup -All $True

@Drew Madelung I was able to set the GroupCreationAllowedGroupId, but after 48 hours of waiting, the people in that group are still not able to create groups. All the other settings have been applied, such as the data classifications, usage guidelines, and group creation (false). I verified that the ObjectId in the template and in Azure matched up; that all looks good. I am not sure what is going on.

Found out after wasting a day or so that the Azure AD setting and the MSOL setting are not the same. You have to enable the MSOL setting in order for the Azure AD setting to take effect. If you have group creation turned off via MSOL (Set-MsolCompanySettings -UsersPermissionToCreateGroupsEnabled $false), the Azure AD settings, and specifically the override group, will not take effect. In this scenario global admins can create groups but no one else can.
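The two fixes from the replies above (paging through all groups, and checking the MSOL company switch), combined with a read-back check so a blank GroupCreationAllowedGroupId fails loudly instead of silently. This is an added example, not code posted by anyone in the thread; it assumes Connect-AzureAD and Connect-MsolService have already been run and that the Group.Unified setting object already exists.

```powershell
# Added example, not from the original thread.
# Assumes an authenticated AzureAD (preview) and MSOnline session.
$groupName = 'O365-GroupsAllowed'   # group name taken from the question

# -All $true pages through every group; without it only the first 100 are returned,
# so the Where-Object filter can come back empty with no error.
$group = @(Get-AzureADGroup -All $true | Where-Object { $_.DisplayName -eq $groupName })
if ($group.Count -ne 1) {
    throw "Expected exactly one group named '$groupName', found $($group.Count)."
}

$settings = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
if (-not $settings) {
    throw 'No Group.Unified directory setting found; create it from the template first.'
}

# Assigning $null here is accepted without error, which is why the check above matters.
$settings['GroupCreationAllowedGroupId'] = $group[0].ObjectId
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

# Read the value back from the directory rather than trusting the local object.
$applied = (Get-AzureADDirectorySetting -Id $settings.Id)['GroupCreationAllowedGroupId']
if ($applied -ne $group[0].ObjectId) {
    throw "GroupCreationAllowedGroupId is '$applied', expected '$($group[0].ObjectId)'."
}

# Per the reply above: if group creation is disabled at the MSOL company level,
# the Azure AD override group does not take effect.
$company = Get-MsolCompanyInformation
if (-not $company.UsersPermissionToCreateGroupsEnabled) {
    Write-Warning 'MSOL UsersPermissionToCreateGroupsEnabled is False; the override group will not take effect.'
}
```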

Did you set any Group restriction settings directly in the Azure AD portal?
