Aug 08 2021 11:41 PM
Hi All,
I have a client's requirement: I had to restrict M365 groups so that only selected users can create Teams.
# Name of the security group whose members may create Microsoft 365 groups
$GroupName = "<GroupName>"
$AllowGroupCreation = $False
Connect-AzureAD
# Find the tenant's Group.Unified directory setting; create it from the template if it is absent
$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
if(!$settingsObjectID)
{
    $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
    $settingsCopy = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $settingsCopy
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
}
# Turn off group creation for everyone, then allow only the members of $GroupName
$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
$settingsCopy["EnableGroupCreation"] = $AllowGroupCreation
if($GroupName)
{
    $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).objectid
}
else {
    $settingsCopy["GroupCreationAllowedGroupId"] = $GroupName
}
Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy
# Show the values that were written
(Get-AzureADDirectorySetting -Id $settingsObjectID).Values
Aug 08 2021 11:49 PM
Aug 09 2021 01:35 AM - edited Aug 09 2021 01:36 AM
What values are returned by:
$Values = Get-AzureADDirectorySetting | ?{$_.DisplayName -eq "Group.Unified"}
$GroupId = $Values.Values |?{$_.Name -eq "GroupCreationAllowedGroupId" } | Select -ExpandProperty Value
Write-Host ("The name of the group defined by policy to control group creation is {0} and its object identifier is {1}" -f (Get-AzureADGroup -ObjectId $GroupId).DisplayName, $GroupId)
Get-AzureADGroupMember -ObjectId $GroupId
If you don't have a good group identifier in the policy settings, nothing will work...
(from https://office365itpros.com/2021/08/09/updates-group-creation-settings-azure-ad-admin-center/)
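An added example, not part of any post in this thread: one way to check for the "good group identifier" mentioned above. The function name Test-GroupCreationPolicy, the sample objects and the placeholder GUIDs are constructed for illustration; it assumes Get-AzureADGroup -SearchString can return more than one group when several display names start with the same text, in which case .ObjectId is an array rather than a single identifier.

```powershell
# Added example. Validates the Group.Unified values written by the script in this thread.
function Test-GroupCreationPolicy {
    param(
        [hashtable]$Settings,       # Name -> Value pairs from the Group.Unified setting
        [object[]]$MatchedGroups    # What Get-AzureADGroup -SearchString <name> returned
    )
    $problems = @()
    # Compare as text so that both $False and the string 'false' are accepted.
    if ("$($Settings['EnableGroupCreation'])" -ne 'False') {
        $problems += 'EnableGroupCreation is not False: every user can still create groups.'
    }
    $allowedId = "$($Settings['GroupCreationAllowedGroupId'])"
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($allowedId, [ref]$parsed)) {
        $problems += "GroupCreationAllowedGroupId '$allowedId' is not a single GUID."
    }
    # An ambiguous or empty name lookup is the usual reason for a bad identifier.
    if ($MatchedGroups.Count -ne 1) {
        $problems += "Name lookup returned $($MatchedGroups.Count) groups; expected exactly 1."
    }
    elseif ($MatchedGroups[0].ObjectId -ne $allowedId) {
        $problems += 'The policy points at a different group than the name lookup.'
    }
    return ,$problems
}

# Constructed sample data: placeholder GUIDs, not real object identifiers.
$idA = '00000000-0000-0000-0000-000000000001'
$idB = '00000000-0000-0000-0000-000000000002'
$groupA = [pscustomobject]@{ DisplayName = 'RestrictM365Groups';      ObjectId = $idA }
$groupB = [pscustomobject]@{ DisplayName = 'RestrictM365Groups-Test'; ObjectId = $idB }

# Case 1: one matching group, and the policy stores its identifier.
$good = Test-GroupCreationPolicy -MatchedGroups @($groupA) `
    -Settings @{ EnableGroupCreation = 'False'; GroupCreationAllowedGroupId = $idA }
# Case 2: two groups share the name prefix, and the stored identifier is empty.
$bad = Test-GroupCreationPolicy -MatchedGroups @($groupA, $groupB) `
    -Settings @{ EnableGroupCreation = 'False'; GroupCreationAllowedGroupId = '' }

"Case 1 problems: $($good.Count)"
$bad | ForEach-Object { "Case 2 problem: $_" }

# Live use after Connect-AzureAD, with the cmdlets already shown in this thread:
#   $s = @{}
#   (Get-AzureADDirectorySetting | ?{$_.DisplayName -eq "Group.Unified"}).Values | %{ $s[$_.Name] = $_.Value }
#   Test-GroupCreationPolicy -Settings $s -MatchedGroups @(Get-AzureADGroup -SearchString "RestrictM365Groups")
```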
Aug 09 2021 02:23 AM
Thanks @adam deltinger and @Tony Redmond
Any suggestions please.
Aug 09 2021 02:43 AM
Aug 09 2021 03:05 AM
Thanks for your reply @Juan Carlos González Martín
Aug 09 2021 03:23 AM
Aug 09 2021 05:32 AM
Thanks a million @Tony Redmond , I guess I have to turn on Microsoft 365 Groups and it should resolve the problem ...
Aug 09 2021 06:50 AM
@Juan Carlos González Martín @adam deltinger @Tony Redmond
Any suggestions please?
Aug 09 2021 07:04 AM
Aug 09 2021 07:07 AM
Aug 10 2021 10:29 PM
@adam deltinger @Juan Carlos González Martín and @Tony Redmond
Aug 11 2021 12:12 AM
Aug 11 2021 01:26 AM
@adam deltinger
You are correct.
After around 1 hour, I found that normal users, who are not in the RestrictM365Groups security group, can create teams.
Looks like the Groups settings is not impacting this setting.
Looks like I am back to square one.
Any advice, experts?
Aug 11 2021 02:18 AM
@Aroh Shukla Given that you appear to be following the guidelines in https://docs.microsoft.com/en-us/microsoft-365/solutions/manage-creation-of-groups?view=o365-worldwi... why don't you log a call with Microsoft support and have them look at your tenant? No one here (except you) can sign into your tenant to check the settings, but Microsoft support can... and an extra set of eyes is often useful when looking for something small that's getting in the way.
Aug 12 2021 03:55 AM
Solution
Hi @Tony Redmond, @adam deltinger and @Juan Carlos González Martín
@Tony Redmond I did contact MS Support and the issue is resolved. Here is a summary of what happened:
$GroupName = "RestrictM365Groups"
$AllowGroupCreation = $False
Connect-AzureAD
$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
if(!$settingsObjectID)
{
    $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
    $settingsCopy = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $settingsCopy
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
}
$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
$settingsCopy["EnableGroupCreation"] = $AllowGroupCreation
if($GroupName)
{
    $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).objectid
}
else {
    $settingsCopy["GroupCreationAllowedGroupId"] = $GroupName
}
Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy
(Get-AzureADDirectorySetting -Id $settingsObjectID).Values
$Values = Get-AzureADDirectorySetting | ?{$_.DisplayName -eq "Group.Unified"}
$GroupId = $Values.Values |?{$_.Name -eq "GroupCreationAllowedGroupId" } | Select -ExpandProperty Value
Write-Host ("The name of the group defined by policy to control group creation is {0} and its object identifier is {1}" -f (Get-AzureADGroup -ObjectId $GroupId).DisplayName, $GroupId)
Get-AzureADGroupMember -ObjectId $GroupId
and waiting a moment, the settings seemed to be working correctly.
The Microsoft 365 Groups settings at the Azure portal have to be turned off.
Thanks a lot for helping and providing your help!
Aug 12 2021 04:30 AM
Aug 12 2021 05:23 AM