9 januari 2017

Disabling Office 365 Groups

It has been a while since I blogged about How to  disable Office 365 Groups for specific users. Disabling groups can be a valid option to keep a little more control over the creation process. While groups are a great way to share and collaborate there are scenario’s where you do not want users to create them yet.

Disable groups for specific users

In the post  How to  disable Office 365 Groups for specific users. The sample used to disable groups was the following:

New-OwaMailboxPolicy –Name "Group Creation"

Set-OwaMailboxPolicy –Identity "Group Creation" –GroupCreationEnabled $false

Set-CASMailbox –Identity -OWAMailboxPolicy "Group Creation"

While this sample still works it has some side effects. It only disables the group creation process in the UI. By disabling groups that way users can no longer create groups. Yet they still can create planner plans that result in groups.

New group creation policy

With the new group creation policies there you have some more control. Using a setting object you can still set who can create groups and who can't. You can set the GroupCreationAllowedGroupId to a Active Directory group of users who are allowed to create groups and setting the flag to false for everyone else. By disabling groups this way you also disable the creation of plans. This will result in a solution where you cannot 'trick' the system to create groups by creating a plan or team.

Group & Plan creation disabled

A sample to disable groups would be:

$template = Get-MsolAllSettingTemplate | where-object {$_.displayname -eq "Group.Unified"}
$setting = $template.CreateSettingsObject()
$setting["EnableGroupCreation"] = "false"
$setting["GroupCreationAllowedGroupId"] = "<object ID for your group>"
New-MsolSettings -SettingsObject $setting

When you disabled groups using this snippet you get a nice warning when creating a team or plan that it has been disabled

You can find more on Manage Office 365 Group Creation. Specifically Step 3: Configure your Office 365 Group settings in Azure AD PowerShell describes the options to disable groups the correct way.

