How to stop users creating new Office 365 Groups using an AAD policy

MVP

https://thoughtsofanidlemind.com/2016/06/07/controlling-the-creation-of-office-365-groups-using-an-a...

 

The steps necessary to create and enable an Azure Active Directory policy (directory setting) to limit creation of new Office 365 Groups to a set of users defined in a nominated group. All good clean honest fun.

10 Replies
I am particularly interested in Azure Information Protection for Office 365 - https://t.co/Z7uYNFu9Jv

You might like the write-up I did on Azure Information Protection at https://www.itunity.com/article/azure-information-protection-3492. I think this product will be very popular with enterprise Office 365 tenants, especially as IRM and rights management in general is so much easier to implement inside Office 365 than it is on-premises.

Great blog, it was very helpful to configure this new feature.

I was able to create a group and update the settings template.

Now the dedicated group members can create a "Planner", which created a unified Group ...

 

But group members are unable to create Groups from OWA or Outlook even if I set the OwaMailboxPolicy GroupCreationEnabled to True.

Strange, I've opened a Support Request from MS Premier, will let you know why :)

/Christophe

You need to keep the OWA mailbox policy in place until Microsoft has fully deployed the feature to all parts of Office 365. There are many ways to create a group:

 

1. Office 365 Admin Center

2. Exchange Admin Center

3. PowerShell

4. Outlook 2016

5. OWA

6. Outlook Groups app

7. Power BI

8. Dynamics CRM Online

9. Microsoft Planner

 

All of these have to be updated to understand and obey the new policy...

Thank you for your quick answer.

Yes, this feature is in "Rolling out". Reading the FastTrack portal, I thought it was already available for my tenant and from the OWA/Outlook rich client.

 

Let's wait for the launch phase then ...

 

 

Hello,

 

From Microsoft Support Premier, there is no roadmap for AAD Policy to manage every way to create a group.

OWA Policy remains the answer for O365 groups creation privilege in Exchange Online.

AAD Policy handles the O365 group creation privilege from Planner.

 

It's easier to manage a group membership than a dedicated OwaMailboxPolicy :\

 

/Christophe

My understanding was that a single policy was being introduced that would control creation across all workloads. It obviously doesn't make much sense to keep two policies in place, unless it's just for a short period to allow Outlook and OWA to adjust their permission checks. Outlook is particularly slow in this kind of thing. The C2R version can be changed quickly but the MSI version cannot. In any case, I have reached out to the engineering group to determine what the situation really is.

Admin users do not have to be part of this AllowGroupCreation group. But in my tenant the admins are the only ones that have the right to create groups. So... the best scenario here is to create the group as described in the post, without any users?

Remember that the AAD policy still doesn't cover all workloads. Remember too that the evolution of policy-driven management might take different courses over time. For these reasons, although tenant administrators can run New-UnifiedGroup and use other tools to create groups today without being explicitly listed, I think it's better to be precise and list those who should be able to create groups in the "permitted group".
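
The thread describes two control points existing side by side: the AAD directory setting and the OWA mailbox policy. The following is an added example, not part of any post above, that reports where group creation is still open when both are in play. The function name, the sample policy names and the placeholder group ID are constructed for illustration; the live-data comment assumes the AzureADPreview module and an Exchange Online PowerShell session.

```powershell
# Added example, not from the thread. Pure function: runs offline on the
# constructed sample below; feed it live data as shown in the last comment.
function Get-GroupCreationExposure {
    param(
        [bool]$EnableGroupCreation,    # Group.Unified value "EnableGroupCreation"
        [string]$AllowedGroupId,       # Group.Unified value "GroupCreationAllowedGroupId"
        [object[]]$OwaPolicies         # objects exposing Name and GroupCreationEnabled
    )
    $findings = @()
    if ($EnableGroupCreation) {
        $findings += 'AAD: EnableGroupCreation is True; the directory setting restricts nobody.'
    }
    elseif ([string]::IsNullOrWhiteSpace($AllowedGroupId)) {
        $findings += 'AAD: creation is disabled but no permitted group is named.'
    }
    foreach ($policy in $OwaPolicies) {
        if ($policy.GroupCreationEnabled) {
            # Per the thread, OWA/Outlook still consult this policy, not the AAD setting.
            $findings += "OWA: policy '$($policy.Name)' still allows group creation."
        }
    }
    return $findings
}

# Constructed sample: AAD setting locked down, one OWA policy left open.
$sampleOwa = @(
    [pscustomobject]@{ Name = 'OwaMailboxPolicy-Default'; GroupCreationEnabled = $true }
    [pscustomobject]@{ Name = 'NoGroupCreation';          GroupCreationEnabled = $false }
)
Get-GroupCreationExposure -EnableGroupCreation $false `
    -AllowedGroupId '00000000-0000-0000-0000-000000000000' -OwaPolicies $sampleOwa

# Live input (assumption: AzureADPreview module and an Exchange Online session):
#   $s   = Get-AzureADDirectorySetting | Where-Object DisplayName -eq 'Group.Unified'
#   $owa = Get-OwaMailboxPolicy | Select-Object Name, GroupCreationEnabled
#   Get-GroupCreationExposure ([bool]::Parse($s['EnableGroupCreation'])) `
#       $s['GroupCreationAllowedGroupId'] $owa
```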