May 25 2017 09:44 AM
I was able to create a template and apply nearly all the settings but GroupCreationAllowedGroupId. I didn't have any issue with my test environment. In production, PowerShell throws no errors, but every time I run Get-AzureADDirectorySetting | ForEach Values, GroupCreationAllowedGroupId is blank. I verified the group to manage groups creation is in Azure AD. Below are the commands I have been using.
$group = Get-AzureADGroup | Where-Object {$_.DisplayName -eq "O365-GroupsAllowed"}
$settings = Get-AzureADDirectorySetting | where-object {$_.displayname -eq "Group.Unified"}
$settings["GroupCreationAllowedGroupId"] = $group.ObjectId
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings
Any ideas?
May 25 2017 11:23 AM
What kind of Group are you using? It cannot be an O365 Group. Other than that, without being able to see the full output, it's a guessing game. Maybe try configuring the setting via the MSOL cmdlets instead?
May 29 2017 08:32 PM - edited May 30 2017 06:11 AM
Solution: It could be the Get-AzureADGroup call. The | Where-object clause iterates through all returned group objects to find the group you’re looking for. By default, Get-AzureADGroup returns only the first 100 objects in a directory. So if the group you’re looking for isn’t there, the statement will not return a value for ObjectId.
To get all group objects, try using Get-AzureADGroup -All $True
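The lookup described in the answer above, as an added example that is not part of the thread: it pages through every group, refuses to write the setting when the group is missing or ambiguous, and reads the value back afterwards. It assumes an existing Connect-AzureAD session and reuses the group name from the question.

```powershell
# Added example, not code from the thread. Assumes Connect-AzureAD has already run
# and that the group name below (taken from the question) is the intended one.
$groupName = 'O365-GroupsAllowed'

# -All $true pages through the whole directory instead of stopping at the
# default first 100 groups. @() forces an array so .Count is always valid.
$group = @(Get-AzureADGroup -All $true | Where-Object { $_.DisplayName -eq $groupName })

# Stop here rather than silently writing an empty or ambiguous ObjectId.
if ($group.Count -ne 1) {
    throw "Expected exactly one group named '$groupName', found $($group.Count)."
}

$settings = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
if (-not $settings) {
    throw 'No Group.Unified directory setting exists in this tenant.'
}

$settings['GroupCreationAllowedGroupId'] = $group[0].ObjectId
Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings

# Read the setting back from the directory and compare it with what was intended.
$applied = (Get-AzureADDirectorySetting -Id $settings.Id).Values |
    Where-Object { $_.Name -eq 'GroupCreationAllowedGroupId' }
if ($applied.Value -ne $group[0].ObjectId) {
    throw "GroupCreationAllowedGroupId is '$($applied.Value)', expected '$($group[0].ObjectId)'."
}
"GroupCreationAllowedGroupId set to $($applied.Value)"
```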
Jun 05 2017 06:05 AM
@Drew Madelung I was able to set the GroupCreationAllowedGroupID but after 48 hours of waiting, the people in that group are still not able to create groups. All the other settings have been applied such as the data classifications, usage guidelines, and group creation(false). I verified the ObjectID in the template and in Azure matched up, that all looks good. I am not sure what is going on.
Jun 05 2017 06:12 PM
Found out after wasting a day or so that the Azure AD setting and the MSOL setting are not the same. You have to enable the MSOL setting in order for the Azure AD setting to take effect. If you have group creation turned off via MSOL (set-msolcompanysettings -UsersPermissionToCreateGroupsEnabled $false), the Azure AD settings and specifically the override group will not take effect. In this scenario global admins can create groups but no one else can.
Jun 06 2017 06:57 PM
Did you set any Group restriction settings directly in the Azure AD portal?