SOLVED

Unable to restrict Microsoft 365 Groups In Teams

Iron Contributor

Hi All,

 

I have a client requirement to restrict M365 Groups so that only selected users can create Teams.


$GroupName = "<GroupName>"          # security group whose members may create groups
$AllowGroupCreation = $False        # block creation for everyone else

Connect-AzureAD

# Find the existing Group.Unified directory setting, or create it from the template
$settingsObjectID = (Get-AzureADDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id
if(!$settingsObjectID)
{
    $template = Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
    $settingsCopy = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $settingsCopy
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id
}

$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
$settingsCopy["EnableGroupCreation"] = $AllowGroupCreation

# Point the policy at the allowed group (or clear it when no group name is given)
if($GroupName)
{
    $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).ObjectId
}
else
{
    $settingsCopy["GroupCreationAllowedGroupId"] = $GroupName
}
Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

# Show the resulting policy values
(Get-AzureADDirectorySetting -Id $settingsObjectID).Values

  • I have created a security group called Office 365 Group Creators and added my name to test it.

    I am also Global Admin for this tenant.

  • I ran the PowerShell as per the Microsoft steps.

  • But after waiting for 1 hour, I myself can't create new teams, although I am in the Office 365 Group Creators security group.

  • Which step am I missing here? Please advise.

  • @Tony Redmond @Juan Carlos González Martín @ChristianBergstrom
18 Replies
Are you sure you added the group correctly at row 1?

What values are returned by:

$Values = Get-AzureADDirectorySetting | ?{$_.DisplayName -eq "Group.Unified"}
$GroupId = $Values.Values |?{$_.Name -eq "GroupCreationAllowedGroupId" } | Select -ExpandProperty Value
Write-Host ("The name of the group defined by policy to control group creation is {0} and its object identifier is {1}" -f (Get-AzureADGroup -ObjectId $GroupId).DisplayName, $GroupId)
Get-AzureADGroupMember -ObjectId $GroupId



If you don't have a good group identifier in the policy settings, nothing will work...

(from https://office365itpros.com/2021/08/09/updates-group-creation-settings-azure-ad-admin-center/)

Thanks @adam deltinger and @Tony Redmond

  • Just to be on the safe side, I created a new security group called RestrictM365Groups (no spaces in the name) and added only my name to this group.

  • @Tony Redmond :

    I just checked: in the client's tenant, Security Groups is turned on but Microsoft 365 Groups is turned off at the Azure Portal.

    Question: As I have disabled Microsoft 365 Groups for the entire organization, turning off Microsoft 365 Groups looks like a good option. Please advise if this is correct.

  • When I ran your script, it did display the RestrictM365Groups group.

  • Logged in and logged out multiple times, but I still can't create new teams after 40 mins.

    Any suggestions please.

Out of curiosity: Do you have Azure AD Premium licenses assigned to the users that belong to your security group?

Thanks for your reply @Juan Carlos González Martín

  • Does M365 Group restriction require an AAD P1 license? I guess it's only for Naming, Blocked and Group Expiration, isn't it? @Tony Redmond, could you please advise on that?

  • But my account does have an AAD P1 license.
Group creation control requires Azure AD Premium P1, but as this requirement is not enforced, I don't think it is the problem. It's more likely the disablement of Microsoft 365 Groups for the tenant.

Thanks a million @Tony Redmond, I guess I have to turn on Microsoft 365 Groups and it should resolve the problem ...

@Juan Carlos González Martín @adam deltinger @Tony Redmond

  • Testing it but I can't create Teams. Steps I followed:

    1) M365 Groups is enabled at the M365 Admin Center.

  • At the Azure Portal, Microsoft 365 Groups is also turned on.

  • PowerShell has been executed with my account, which has an AAD P1 license.

  • Still, with my account, which is in the RestrictedM365Group security group, I can't create a Team.

Any suggestions please?

Can you create a team using the Microsoft 365 admin center?

Or a new group by running the New-UnifiedGroup cmdlet?
I wonder if this is caused by a propagation delay. But if I recall correctly it goes pretty quick. Have you logged out and logged back in to Teams? Can you create a Planner plan from Planner directly, etc.?

Adam

@adam deltinger @Juan Carlos González Martín and @Tony Redmond 

  • I waited for 1 day.

  • I noticed that Microsoft 365 Groups had automatically toggled to turned off.
    :facepalm:

  • I turned it on and ran the script again.

  • The RestrictM365Groups security group has only my account and no one else.

  • Waited for 40 mins.

  • Using the Teams app, I can create new teams.
    :hearteyes:

  • And other users cannot create new Teams.
    :stareyes:

  • Yipee!! :happyface:

  • @Tony Redmond

    Do we have to turn on both Security Groups and Microsoft 365 Groups? Is that it?

I don’t think these 2 settings are relevant for this matter.

@adam deltinger 

You are correct.

After around 1 hour, I found that normal users, who are not in the RestrictM365Groups security group, can create teams.

It looks like the Groups settings are not impacting this setting.

Looks like I am back to square one.
Any advice, experts?

 

@Aroh Shukla Given that you appear to be following the guidelines in https://docs.microsoft.com/en-us/microsoft-365/solutions/manage-creation-of-groups?view=o365-worldwi... why don't you log a call with Microsoft support and have them look at your tenant? No one here (except you) can sign into your tenant to check the settings, but Microsoft support can... and an extra set of eyes is often useful when looking for something small that's getting in the way.

best response confirmed by Aroh Shukla (Iron Contributor)
Solution

Hi @Tony Redmond, @adam deltinger and @Juan Carlos González Martín

@Tony Redmond I did contact MS Support and the issue is resolved. Here is a summary of what happened:

 

  1. On the Microsoft call, they added a different user (Alex) to the group as both a Member and an Owner, and removed my account (Aroh) from RestrictM365Groups.

  2. After re-running the script

$GroupName = "RestrictM365Groups"   # security group whose members may create groups
$AllowGroupCreation = $False        # block creation for everyone else

Connect-AzureAD

# Find the existing Group.Unified directory setting, or create it from the template
$settingsObjectID = (Get-AzureADDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id
if(!$settingsObjectID)
{
    $template = Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
    $settingsCopy = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $settingsCopy
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id
}

$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
$settingsCopy["EnableGroupCreation"] = $AllowGroupCreation

# Point the policy at the allowed group (or clear it when no group name is given)
if($GroupName)
{
    $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).ObjectId
}
else
{
    $settingsCopy["GroupCreationAllowedGroupId"] = $GroupName
}
Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

# Show the resulting policy values
(Get-AzureADDirectorySetting -Id $settingsObjectID).Values

# Verify which group the policy points at and who its members are
$Values = Get-AzureADDirectorySetting | ?{$_.DisplayName -eq "Group.Unified"}
$GroupId = $Values.Values |?{$_.Name -eq "GroupCreationAllowedGroupId" } | Select -ExpandProperty Value
Write-Host ("The name of the group defined by policy to control group creation is {0} and its object identifier is {1}" -f (Get-AzureADGroup -ObjectId $GroupId).DisplayName, $GroupId)
Get-AzureADGroupMember -ObjectId $GroupId

and waiting a moment, the settings seemed to be working correctly.

 

  • The issue was that I was an owner of the group, but the RestrictM365Groups security group had no members.

  • After adding my name as both Owner and Member, I can create teams with my account.

  • Other users cannot create Teams.

  • The Microsoft 365 Groups setting at the Azure portal has to be turned off.

    Thanks a lot for helping and providing your help!
The joys of Groups Memberships that are even difficult to remember for Microsoft itself
This makes sense. It's a common mistake inside Microsoft 365 to assume that just because you own a group, you have the rights enjoyed by the membership of the group (access to a Planner plan is another example). When you think about it, a clear demarcation exists between group ownership and membership for a good reason (owners take care of management, members do what they need to do with resources they can access through their membership). Apps like Teams read the Azure AD policy and find that group creation control is enabled and a group id exists. The app reads the membership list and applies the block.

Maybe the Office 365 for IT Pros eBook would help you navigate some of the challenges of tenant management. It's available at https://o365itpros.gumroad.com/l/O365IT (gratuitous ad)
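As an added example (not code from this thread, from Microsoft's documentation, or from the eBook), here is a PowerShell check for the failure mode described above: it reads the Group.Unified policy, resolves the allowed group by object id rather than by -SearchString, and flags owners who are not members. It assumes the AzureAD module and an existing Connect-AzureAD session.

```powershell
# Added example (not from the thread or Microsoft's docs). Assumes the AzureAD
# module is loaded and Connect-AzureAD has already been run as an admin.
function Test-GroupCreationPolicy {
    $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
    if (-not $setting) {
        Write-Warning "No Group.Unified setting exists: group creation is unrestricted."
        return $false
    }

    # Setting values are stored as strings, so compare as strings.
    $enable  = ($setting.Values | Where-Object { $_.Name -eq "EnableGroupCreation" }).Value
    $groupId = ($setting.Values | Where-Object { $_.Name -eq "GroupCreationAllowedGroupId" }).Value
    Write-Host ("EnableGroupCreation = {0}; GroupCreationAllowedGroupId = '{1}'" -f $enable, $groupId)

    if ($enable -eq "True") {
        Write-Warning "EnableGroupCreation is True: every user can still create groups."
        return $false
    }
    if ([string]::IsNullOrWhiteSpace($groupId)) {
        Write-Warning "No allowed group is set: only admins can create groups."
        return $false
    }

    # Resolve by ObjectId; -SearchString is a prefix match and can return several groups.
    $group = Get-AzureADGroup -ObjectId $groupId -ErrorAction SilentlyContinue
    if (-not $group) {
        Write-Warning "Allowed group $groupId does not exist (deleted, or the wrong id was stored)."
        return $false
    }

    $members = @(Get-AzureADGroupMember -ObjectId $groupId -All $true)
    $owners  = @(Get-AzureADGroupOwner  -ObjectId $groupId -All $true)
    Write-Host ("Allowed group '{0}': {1} member(s), {2} owner(s)" -f $group.DisplayName, $members.Count, $owners.Count)

    # The gotcha from this thread: Teams checks membership, not ownership.
    foreach ($o in $owners) {
        if ($o.ObjectId -notin $members.ObjectId) {
            Write-Warning ("{0} is an owner but not a member and will not be allowed to create groups." -f $o.DisplayName)
        }
    }
    if ($members.Count -eq 0) {
        Write-Warning "The allowed group has no members: nobody can create groups."
        return $false
    }
    return $true
}

Test-GroupCreationPolicy
```

Run it after the script above and again after the propagation wait; a return value of $false with a warning points at the exact setting or membership problem to fix.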