Forum Discussion
aarohbits
Aug 09, 2021MCT
Unable to restrict Microsoft 365 Groups In Teams
 Hi All,     I have a client’s requirement I had to restrict M365 groups and only selected users can create Teams.      I have followed the Microsoft’s step to restrict via PowerShell Manage who can c...
- Aug 12, 2021Hi TonyRedmond, adam deltinger and jcgonzalezmartin TonyRedmond I did contact MS Support and issue is resolved. Here is summary what happened: - In Microsoft call, they were added a different user (Alex) to the group as a Member and Owner as well as. Removed my account (Aroh)  from the RestrictM365Groups
- After re-running the script
 $GroupName = "RestrictM365Groups" $AllowGroupCreation = $False Connect-AzureAD $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id if(!$settingsObjectID) { $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"} $settingsCopy = $template.CreateDirectorySetting() New-AzureADDirectorySetting -DirectorySetting $settingsCopy $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id } $settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID $settingsCopy["EnableGroupCreation"] = $AllowGroupCreation if($GroupName) { $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).objectid } else { $settingsCopy["GroupCreationAllowedGroupId"] = $GroupName } Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy (Get-AzureADDirectorySetting -Id $settingsObjectID).Values $Values = Get-AzureADDirectorySetting | ?{$_.DisplayName -eq "Group.Unified"} $GroupId = $Values.Values |?{$_.Name -eq "GroupCreationAllowedGroupId" } | Select -ExpandProperty Value Write-Host ("The name of the group defined by policy to control group creation is {0} and its object identifier is {1}" -f (Get-AzureADGroup -ObjectId $GroupId).DisplayName, $GroupId) Get-AzureADGroupMember -ObjectId $GroupId
 and waiting a moment, the settings seemed to be working correctly.- The issue was, that I was owner of the group but there was no member for the RestrictM365Groups security group. 
- After adding my name in both in Owner and Member  
- I can create teams with my account
-  Other users cannot create Teams
- The Microsoft 365 Groups settings at Azure portal has to be turned off. 
 Thanks a lot for helping and providing your help!
 
- In Microsoft call, they were added a different user (Alex) to the group as a Member and Owner as well as. Removed my account (Aroh)  from the RestrictM365Groups
TonyRedmond
Aug 09, 2021MVP
What values are returned by:
$Values = Get-AzureADDirectorySetting | ?{$_.DisplayName -eq "Group.Unified"}
$GroupId = $Values.Values |?{$_.Name -eq "GroupCreationAllowedGroupId" } | Select -ExpandProperty Value
Write-Host ("The name of the group defined by policy to control group creation is {0} and its object identifier is {1}" -f (Get-AzureADGroup -ObjectId $GroupId).DisplayName, $GroupId)
Get-AzureADGroupMember -ObjectId $GroupId
If you don't have a good group identifier in the policy settings, nothing will work...
(from https://office365itpros.com/2021/08/09/updates-group-creation-settings-azure-ad-admin-center/)
- aarohbitsAug 09, 2021MCTThanks adam deltinger and TonyRedmond - Just to safe side, I created a new security groups called  RestrictM365Groups (no spaces in the name)
 and added only my name in this group.
- TonyRedmond :
 I just checked, in the client’s tenant, Security Groups is turned on but Microsoft 365 Groups is turned off at Azure Portal.
 Question: As I have disabled Microsoft 365 Groups for entire organization, turning off Microsoft 365 Groups looks good option. Please advise if its correct.
- When I ran your script, it did display the RestrictM365Groups
- Logged in and logged out multiple times. But I still can’t create new teams after 40 mins.  
 Any suggestions please.
 - Aug 09, 2021Out of curiosity: Do you have Azure AD Premium licenses assigned to the users that belong to your security group?- aarohbitsAug 09, 2021MCTThanks for your reply jcgonzalezmartin -  Does M365 Group Restriction require AAD P1 license?  I guess, its only for Naming, Blocked and Group Expiration, isn't it? TonyRedmond ..could you please advice on that? 
- But my account does has AAD P1 license. 
 
 
-  Does M365 Group Restriction require AAD P1 license?  I guess, its only for Naming, Blocked and Group Expiration, isn't it? TonyRedmond ..could you please advice on that? 
 
 
- Just to safe side, I created a new security groups called  RestrictM365Groups (no spaces in the name)