
@plembo
Last active February 12, 2021 23:43
Has Microsoft 365 group creation been disabled

Is Microsoft 365 group creation disabled?

Stumbled on this in a corporate test environment when I tried to create a new Microsoft Team (an operation that requires rights to create new groups) and was only given the choice of adopting an existing group.

By default, Microsoft 365 expects that everyone can create groups on the tenant. Microsoft recommends that you not change that. Then they go ahead and tell you how to change it anyway.

"Manage who can create Microsoft 365 Groups." Microsoft Docs, https://docs.microsoft.com/en-us/microsoft-365/solutions/manage-creation-of-groups?view=o365-worldwide. Retrieved February 12, 2021.

Well, by now this little bit of dangerous knowledge has made its rounds, and perhaps that's why you wound up here.

So the question is, how do you tell if it's been done in your tenant?

Like most things in the world of Microsoft nowadays, the answer is: just run some PowerShell commands!

(requires installation of the AzureADPreview module)

First, log into the tenant's Azure AD:

PS C:\Users\Me> Connect-AzureAD
Account        Environment TenantId                             TenantDomain            AccountType
-------        ----------- --------                             ------------            -----------
me@example.com AzureCloud  4dfc8c83-e20c-4847-ba61-f4e274515e25 example.onmicrosoft.com User

Now get the AD settings by first retrieving the settings object:

PS C:\Users\Me> Get-AzureADDirectorySetting
Id                                   DisplayName            TemplateId                           Values
--                                   -----------            ----------                           ------
316ae495-07e6-45f5-b192-6c6436417d5c Group.Unified          e3f7eabe-4a59-4422-938f-74b251dd96a1 {class SettingValue...

Display the individual settings values:

PS C:\Users\Me> (Get-AzureADDirectorySetting -id 316ae495-07e6-45f5-b192-6c6436417d5c).Values

Name                          Value
----                          -----
EnableMIPLabels               false
CustomBlockedWordsList
EnableMSStandardBlockedWords  false
ClassificationDescriptions
DefaultClassification
PrefixSuffixNamingRequirement
AllowGuestsToBeGroupOwner     False
AllowGuestsToAccessGroups     True
GuestUsageGuidelinesUrl
GroupCreationAllowedGroupId   b0454bb1-cb3e-4152-a611-0b45096f540b
AllowToAddGuests              True
UsageGuidelinesUrl
ClassificationList
EnableGroupCreation           False

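"EnableGroupCreation" is the key setting here. It is set to False, which means group creation has been turned off for ordinary users. There's also a group uuid in "GroupCreationAllowedGroupId": members of that group are still allowed to create groups.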

Finally, retrieve the group name using the uuid shown in "GroupCreationAllowedGroupId":

PS C:\Users\Me> Get-AzureADGroup -ObjectId  b0454bb1-cb3e-4152-a611-0b45096f540b

ObjectId                             DisplayName           Description
--------                             -----------           -----------
b0454bb1-cb3e-4152-a611-0b45096f540b GroupMakersGroup

NOTE: Names and uuids changed to protect the not-so-innocent. Remember, uuidgen is your friend!
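
The three lookups above combined into one check, as an added example (not part of the original gist). The function name Get-GroupCreationStatus is made up for illustration; it assumes the AzureADPreview module is installed and Connect-AzureAD has already been run. It also covers a tenant where no "Group.Unified" settings object exists, in which case the defaults apply and everyone can create groups.

```powershell
# Added example: report whether Microsoft 365 group creation is restricted.
# Get-GroupCreationStatus is a hypothetical helper name, not a module cmdlet.
# Assumes AzureADPreview is installed and Connect-AzureAD has been run.
function Get-GroupCreationStatus {
    # Tenant-wide group settings live in the object named "Group.Unified".
    $setting = Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }

    if (-not $setting) {
        # No settings object: nobody has changed the tenant defaults.
        return [pscustomobject]@{
            SettingsObjectFound = $false
            EnableGroupCreation = 'True (default)'
            AllowedGroupId      = $null
            AllowedGroupName    = $null
        }
    }

    # Turn the Name/Value list into a hashtable for easy lookup.
    $values = @{}
    foreach ($v in $setting.Values) { $values[$v.Name] = $v.Value }

    # Resolve the allowed group's display name, if a group is configured.
    $groupId   = $values['GroupCreationAllowedGroupId']
    $groupName = $null
    if ($groupId) {
        try {
            $groupName = (Get-AzureADGroup -ObjectId $groupId -ErrorAction Stop).DisplayName
        } catch {
            # The referenced group may have been deleted since it was set.
            $groupName = '<group not found>'
        }
    }

    [pscustomobject]@{
        SettingsObjectFound = $true
        EnableGroupCreation = $values['EnableGroupCreation']
        AllowedGroupId      = $groupId
        AllowedGroupName    = $groupName
    }
}

Get-GroupCreationStatus | Format-List
```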
