38 C
Dubai
Monday, August 8, 2022
spot_img

Managing Office 365 Groups

Managing Office 365 Groups is a key factor in Office 365 Implementation. if you don’t manage your Office 365 Groups Properly. It goes really unmanageable in a governance point of view. As most of the below products allow group creation by default. So its wise to place a restriction in a top level and manage the members who can create teams for mid and large Organizations.

  • Outlook
  • SharePoint
  • Yammer
  • Microsoft Teams
  • Microsoft Stream
  • Planner
  • PowerBI
  • Roadmap

Once you map a group/group ID you can nest them or use Azure AD premium License to have dynamic membership for the security group to allow limited users to create teams for example.Yes you can configure naming policy and group expiration policies later.

Purpose : Disable Teams Creation by all users . Only member of this security group can create Teams

Lets see how create group creators.

azureadpreview.png
Install AzureADPreview

If you don’t install AzureADPreview you will get command not recognized. If you alreay have azureAD module. you need to uninstall and install the same.

Uninstall-Module AzureAD
Install-Module AzureADPreview
 
if you already installed it. running the script should initiate connect-azureAD

Office 365 Admin Center – Groups – Create a security Group

Office 365 - Groups Creator
SecurityGroup.png

Save below script as ps1 fill the group name in the first line, save and run it.

$GroupName = "Office 365 - Groups Creator"
 $AllowGroupCreation = "False"
 Connect-AzureAD
 $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
 if(!$settingsObjectID)
 {
       $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
     $settingsCopy = $template.CreateDirectorySetting()
     New-AzureADDirectorySetting -DirectorySetting $settingsCopy
     $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
 }
 $settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
 $settingsCopy["EnableGroupCreation"] = $AllowGroupCreation
 if($GroupName)
 {
     $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).objectid
 }
  else {
 $settingsCopy["GroupCreationAllowedGroupId"] = $GroupName
 }
 Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy
 (Get-AzureADDirectorySetting -Id $settingsObjectID).Values



You can see GroupCreationAllowedGroupID is mapped to the security group we created.


User is not a member of this Security Group


withRestricition.png

Users is a member of the security group to get a create team option.


withoutrestriction.png

Known Errors #1 –

</p>
<p>Get-AzureADDirectorySetting : A parameter cannot be found that matches parameter name 'Id'.<br />At C:\Scripts\teams.ps1:12 char:46<br />+ $settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID<br />+ ~~~<br />+ CategoryInfo : InvalidArgument: (:) [Get-AzureADDirectorySetting], ParameterBindingException<br />+ FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.Open.MSGraphBeta.PowerShell.GetDirectorySetting</p>
<p>Cannot index into a null array.<br />At C:\Scripts\teams.ps1:13 char:2<br />+ $settingsCopy["EnableGroupCreation"] = $AllowGroupCreation<br />+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />+ CategoryInfo : InvalidOperation: (:) [], RuntimeException<br />+ FullyQualifiedErrorId : NullArray</p>
<p>Cannot index into a null array.<br />At C:\Scripts\teams.ps1:16 char:6<br />+ $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup ...<br />+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />+ CategoryInfo : InvalidOperation: (:) [], RuntimeException<br />+ FullyQualifiedErrorId : NullArray</p>
<p>Set-AzureADDirectorySetting : Cannot bind argument to parameter 'DirectorySetting' because it is null.<br />At C:\Scripts\teams.ps1:21 char:70<br />+ ... irectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy<br />+ ~~~~~~~~~~~~~<br />+ CategoryInfo : InvalidData: (:) [Set-AzureADDirectorySetting], ParameterBindingValidationException<br />+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.Open.MSGraphBeta.PowerShell.Set<br />DirectorySetting</p>
<p>Get-AzureADDirectorySetting : A parameter cannot be found that matches parameter name 'Id'.<br />At C:\Scripts\teams.ps1:22 char:31<br />+ (Get-AzureADDirectorySetting -Id $settingsObjectID).Values<br />+ ~~~<br />+ CategoryInfo : InvalidArgument: (:) [Get-AzureADDirectorySetting], ParameterBindingException<br />+ FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.Open.MSGraphBeta.PowerShell.GetDirectorySetting</p>
<p>

Solution – 

Make sure AzureADPreview Module version is above 2.0.2.77

Reference –


https://docs.microsoft.com/en-us/office365/admin/create-groups/manage-creation-of-groups?view=o365-worldwide

Satheshwaran Manoharan
Satheshwaran Manoharanhttps://www.azure365pro.com
Specialized in Microsoft Azure - Office 365 / Microsoft Exchange; conducted numerous projects worldwide in designing, supporting, and implementing messaging and virtualization infrastructure for medium-sized and large enterprises. Further, I am a Cloud Architect and Technical Advisor for various start-ups.

Related Articles

2 COMMENTS

  1. I have applied this script. I am a member of the allowed group and when i go into teams i cannot create a team. The option is missing! Help.
    I changed the group name as outlined in your article. What has gone wrong or is it just a matter of propagation time?

LEAVE A REPLY

Please enter your comment!
Please enter your name here