Adding Order to the Chaos of Groups

Office 365 Groups are the new hotness in Office 365. I like to think of them as a mail-enabled security group on steroids. They combine the functionality of:

  1. a distribution group/shared mailbox
  2. a SharePoint document library
  3. a shared OneNote notebook
  4. a team in Microsoft Teams
  5. a Planner plan

Things start to fall apart a bit when you get to Planner, however, because Planner uses a one-to-one relationship: every plan you create creates a new Office 365 Group. There is also some massive confusion around Teams, because the terms Teams and Groups are often used interchangeably (creating a team creates a group behind it). The biggest mistake Microsoft made, I believe, is leaving group creation open to everyone by default. What you end up with in the back end is a huge mess of weirdly named groups and directories. If you try to publish these externally you have to do some administration on them first, which can also get messy. The other thing you end up with is abandoned groups, SharePoint libraries and files, and an abandoned group still holds its documents and its sharing settings with nobody responsible for them. If you aren't keeping track, you are setting yourself up to clean up a big mess later on. The most surprising effect of Office 365 Groups, and the one that caught me off guard the most, is the social aspect: the jilted person who asks "why didn't I get included in that group?"

All this to say that Microsoft heard the demands and responded by adding an Office 365 Group creation policy in Azure Active Directory. If you follow the Office 365 roadmap, you'll find the announcement under the released section.

Configuring this policy is strictly a PowerShell job, so I've included the cmdlets (corrected; the ones I followed on the Office 365 page were incorrect).

The first thing you need to do is install the newest version of the Azure Active Directory V2 PowerShell module (AzureADPreview, since the directory-setting cmdlets used below ship in the preview module), then get ready to PowerShell. One caveat before you start: passing a stored credential as below only works for an account without MFA; for an MFA-protected admin account run Connect-AzureAD without -Credential and sign in interactively, and don't keep a plaintext password anywhere on disk.

#Install the AzureADPreview module if it is not already present (it is imported automatically on first use)
Install-Module -Name AzureADPreview

#Get credentials; O365pass.txt holds the password saved earlier with ConvertFrom-SecureString,
#so it is DPAPI-protected and only readable by the same user on the same machine
$username = ""   #fill in the admin UPN
$encrypted = Get-Content c:\ps\O365pass.txt | ConvertTo-SecureString
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $encrypted

#Connect to MSOL Service (not needed for the AzureAD cmdlets below; only if you also run Msol* cmdlets)
Connect-MsolService -Credential $credential

#Connect to Azure AD (this is the session the directory-setting cmdlets use)
Connect-AzureAD -Credential $credential

#Settings to configure the group creation policy
#Note: -SearchString is a prefix match, so the group name must not be a prefix of any other group's name
$settingsObjectID = (Get-AzureADDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id
$TempSettings = Get-AzureADDirectorySetting -Id $settingsObjectID
$securityGroupID = (Get-AzureADGroup -SearchString "Office365AddGroupsAllow").ObjectId
$TempSettings["GroupCreationAllowedGroupId"] = $securityGroupID
$TempSettings["EnableGroupCreation"] = "False"   #setting values are strings, so "False" rather than $false
Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $TempSettings
(Get-AzureADDirectorySetting -Id $settingsObjectID).Values

The last line prints the policy's name/value pairs. EnableGroupCreation should now read False and GroupCreationAllowedGroupId should be the object ID of your security group; if the first lookup returned nothing, your tenant has never had a Group.Unified settings object and you need to create one from the template before the Set will work.

Now when your users try to create groups, whether from Outlook, Planner, SharePoint or Teams (a new team creates a group, so it is blocked too), they are stopped with a message that they don't have permission to create a group. Keep in mind that members of some admin roles, global administrators among them, are exempt from this policy and can still create groups.

Once you add your authorized users/managers/admins to the security group (directly, since only one group can be named and nested group membership isn't honoured), have them log out and log back in and they will once again be able to add Office 365 Groups.
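Here is a more defensive version of the procedure above, added as an example and not the script from the original post. It assumes AzureADPreview is installed, that you have already run Connect-AzureAD, and that the security group is called Office365AddGroupsAllow (a placeholder; use your own name). It creates the Group.Unified settings object from the template when the tenant has none yet, resolves the allowed group by exact name so a prefix match can't silently pick the wrong group, and reads the policy back after writing it so a failed Set isn't mistaken for success.

```powershell
# Added example, not the original post's script.
# Assumes: AzureADPreview installed, Connect-AzureAD already run.
# Placeholder group name; change it to your own security group.
$AllowedGroupName = "Office365AddGroupsAllow"

# 1. Get the Group.Unified settings object, creating it from the template if
#    this tenant has never had one (Get-AzureADDirectorySetting returns nothing
#    in that case and a bare .Id lookup would be $null).
$setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
if (-not $setting) {
    $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }
    $setting  = New-AzureADDirectorySetting -DirectorySetting $template.CreateDirectorySetting()
}

# 2. Resolve the allowed group by exact display name. -SearchString is a prefix
#    match, so filter the results and stop if the name is missing or ambiguous;
#    otherwise .ObjectId would be $null or an array and the policy would be wrong.
$candidates = @(Get-AzureADGroup -SearchString $AllowedGroupName |
    Where-Object { $_.DisplayName -eq $AllowedGroupName })
if ($candidates.Count -ne 1) {
    throw "Expected exactly one group named '$AllowedGroupName', found $($candidates.Count)."
}
$allowedGroup = $candidates[0]
if (-not $allowedGroup.SecurityEnabled) {
    throw "'$AllowedGroupName' must be a security-enabled group."
}

# 3. Turn off self-service creation and delegate it to the group.
#    Setting values are strings, so write "False" rather than $false.
$setting["EnableGroupCreation"]         = "False"
$setting["GroupCreationAllowedGroupId"] = $allowedGroup.ObjectId
Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting

# 4. Read the policy back and compare against what we intended to write.
$applied = Get-AzureADDirectorySetting -Id $setting.Id
$enable  = ($applied.Values | Where-Object { $_.Name -eq "EnableGroupCreation" }).Value
$groupId = ($applied.Values | Where-Object { $_.Name -eq "GroupCreationAllowedGroupId" }).Value
if ($enable -ne "False" -or $groupId -ne $allowedGroup.ObjectId) {
    throw "Policy did not apply: EnableGroupCreation=$enable GroupCreationAllowedGroupId=$groupId"
}
"Group creation restricted to members of '$AllowedGroupName' ($($allowedGroup.ObjectId))."
```

Because the script is idempotent you can re-run it after every membership or naming change, and the final read-back is what you want to capture in a change record rather than the Set call itself.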

This feature is not as clean and simple as I think it should be, but I am sure it will be over time…for now I hope this helps you.
