Groups are a collaboration feature of Office 365 that allow teams to work together using a shared mailbox, calendar, SharePoint file repository, and OneNote notebook. Office 365 Groups are also a membership service for other applications such as Planner, Teams, and StaffHub. Groups should not be confused with security groups (which control access/permissions to resources) or distribution groups (which are used to distribute email to multiple recipients, although Groups can also do this).

Groups are enabled by default for Office 365 tenants, and Group creation is also enabled for any user in the organization. This allows users to create a Group for their team to collaborate, or create a team in Teams, or start using Planner, without any interaction from the IT department. It’s the type of freedom that many modern workplaces thrive on.

However there are also environments where complete openness and free reign on Groups usage is a problem. Shortly after Groups first appeared in Office 365, a systems engineer at a large university commented to me that their students starting creating hundreds of Groups with no real purpose. Some of the Groups were named specifically to make a joke or insult another person, knowing that the Group would appear in the Outlook address book and be visible to everyone.

There is also the abandoned plan from Microsoft to implement automatic Group creation in Office 365 based on manager/reports relationships in Active Directory. This has subsequently been cancelled, but brought to light the desire of many customers to be able to control how Groups are utilized in their organization.

With those issues in mind, there are two configurations to look at:

  • The settings that control Group creation by users.
  • The setting that controls automatic Group creation based on manager/reports relationships.

Note: at Ignite 2017 Microsoft announced that most of these Groups controls, including the Groups creation permissions, require Azure AD Premium P1 (or higher) licenses to use.

Managing Office 365 Groups Settings

In the past the Groups controls have been applied using OWA mailbox policies to allow or disallow the creation of Groups. This approach was fine when Groups were primarily created and used via Outlook. But Groups is a feature that spans many Office 365 services (e.g. as mentioned earlier, Teams and Planner use Groups). So the OWA mailbox policy approach was only effective in preventing creation of Groups via Outlook, and would not prevent Groups from being created via other workloads (e.g. when a new Planner plan is created).

Eventually a tenant-wide control was added, and could be managed using PowerShell. However, this required a specific preview build of the MS Online PowerShell module (also known as Azure Active Directory Module V1). Getting the right build installed just to perform one configuration task was a bit frustrating, but fortunately only necessary as a one-time change (unless you wanted to modify the config again later on).

Fortunately, the controls are now coming to the Azure Active Directory Module V2, which I’ll just refer to here as the AzureAD module. As I’m writing this the necessary cmdlets are available in the AzureADPreview module, which can happily coexist with the AzureAD on the same computer if necessary. You can check the PowerShell Gallery page for the AzureAD module to find out if the cmdlets used in the demos below (Get-AzureADDirectorySetting, Get-AzureADDirectorySettingTemplate, etc) are included yet. If not, use the AzureADPreview module.

To get started, install the AzureAD or AzureADPreview module on your management workstation.

PS C:\> Install-Module AzureAD

Next, use connect to Azure AD for your tenant, and then run Get-AzureADDirectorySetting to check for existing settings.

PS C:\> Connect-AzureAD

PS C:\> Get-AzureADDirectorySetting

Note, if you have both PowerShell modules installed and want to explicitly use the AzureADPreview module, run the following command to connect.

PS C:\> AzureADPreview\Connect-AzureAD

If you see no output from Get-AzureADDirectorySetting then there are no settings currently in place. However, if you see an entry that uses the TemplateId of 62375ab9-6b52-47ed-826b-58e47e0e304b with a DisplayName of Group.Unified, then you have an existing Groups settings configuration in place.

PS C:\> Get-AzureADDirectorySetting

Id                                   DisplayName   TemplateId                           Values
--                                   -----------   ----------                           ------
d9ac5e4f-f76e-4b0d-838e-d40aa97741fd Group.Unified 62375ab9-6b52-47ed-826b-58e47e0e304b {class SettingValue {...

To view the settings, run Get-AzureADDirectorySetting for the Id of your settings object, which in my example is d9ac5e4f-f76e-4b0d-838e-d40aa97741fd.

PS C:\> (Get-AzureADDirectorySetting -id d9ac5e4f-f76e-4b0d-838e-d40aa97741fd).Values

Name                          Value
----                          -----
ClassificationDescriptions
DefaultClassification
PrefixSuffixNamingRequirement
AllowGuestsToBeGroupOwner     False
AllowGuestsToAccessGroups     True
GuestUsageGuidelinesUrl
GroupCreationAllowedGroupId   489c22bb-beba-4915-80b0-85c85f4c64e8
AllowToAddGuests              True
UsageGuidelinesUrl
ClassificationList
EnableGroupCreation           False

In the example above, Group creation is disabled except for members of the Group with Id 489c22bb-beba-4915-80b0-85c85f4c64e8, which is a group named Groups Admins in my tenant.

PS C:\> Get-AzureADGroup -ObjectId 489c22bb-beba-4915-80b0-85c85f4c64e8

ObjectId                             DisplayName   Description
--------                             -----------   -----------
489c22bb-beba-4915-80b0-85c85f4c64e8 Groups Admins

From here there’s a few different ways to go, depending on the outcome that you want to achieve. For this article I’ll demonstrate:

  • How to update an existing Groups settings configuration
  • How to remove an existing Groups settings configuration
  • How to configure Groups settings if no settings are already in place

How to Update an Existing Groups Settings Configuration

In the example shown above there is already a Groups settings configuration in place. For this demonstration I’ll modify the configuration so that Groups creation is available for all users, instead of being restricted to the members of one security group. The steps are:

  1. Retrieve the existing directory settings into an object
  2. Update the properties of the object
  3. Set the directory settings with the new object properties
PS C:\> $GroupsConfig = Get-AzureADDirectorySetting -Id d9ac5e4f-f76e-4b0d-838e-d40aa97741fd

PS C:\> $GroupsConfig["GroupCreationAllowedGroupId"] = $null

PS C:\> $GroupsConfig["EnableGroupCreation"] = $true

PS C:\> Set-AzureADDirectorySetting -Id d9ac5e4f-f76e-4b0d-838e-d40aa97741fd -DirectorySetting $GroupsConfig

PS C:\> (Get-AzureADDirectorySetting -id d9ac5e4f-f76e-4b0d-838e-d40aa97741fd).Values

Name                          Value
----                          -----
ClassificationDescriptions
DefaultClassification
PrefixSuffixNamingRequirement
AllowGuestsToBeGroupOwner     False
AllowGuestsToAccessGroups     True
GuestUsageGuidelinesUrl
GroupCreationAllowedGroupId
AllowToAddGuests              True
UsageGuidelinesUrl
ClassificationList
EnableGroupCreation           True

Remove an Existing Groups Settings Configuration

If you’d prefer to just remove the settings entirely and let Office 365 apply the default Groups settings to your tenant, then you can do that by running the following command.

PS C:\> Remove-AzureADDirectorySetting -Id d9ac5e4f-f76e-4b0d-838e-d40aa97741fd

Configure Groups Settings for Office 365

If you have no Groups settings configuration already in place, you can create a new one with the controls that you want for your organization. The controls that are available include:

  • EnableGroupCreation – this can be configured to True or False, and controls whether users who do not have admin rights can create Groups.
  • GroupCreationAllowedGroupId – this can be configured with the Guid of a security group that will be allowed to create Groups when EnableGroupCreation is set to False.
  • UsageGuidelinesUrl – a link to Groups usage guidelines for your organization. This could be the URL of an intranet page that informs users about how to effectively use Groups for collaboration.
  • ClassificationList – a comma-delimited list of classifications that can be applied to Groups, such as Internal Only, Confidential, Public, or any other classifications that are part of your information architecture. These classifications are a visual cue for your users to understand the nature of the information in the Group, but are not actually enforced by Office 365.
  • DefaultClassification – the default classification that will be applied if the Group owner or an administrator has not applied a classification yet.
  • AllowGuestsToAccessGroups – controls whether external users will be allowed to have access to Groups content. Note that external access to all Groups-based applications is not currently available (e.g. Teams does not support external/guest access at this time).
  • AllowGuestsToBeGroupOwner – controls whether an external user can be made the owner of a Group.
  • GuestUsageGuidelinesUrl – same as the UsageGuidelinesUrl but applies to guest users. Logically this would be an externally-accessible URL.
  • AllowToAddGuests – controls whether guests can be added at all.

Other settings for DefaultClassification, ClassificationDescriptions, and PrefixSuffixNamingRequirement are all slated for future releases.

For this example we’ll apply a Groups settings configuration that:

  • Enables Group creation for end users
  • Makes classifications of Internal Only, Confidential, and Public available
  • Disallows guest access
  • Links to an intranet page for Group usage guidelines

The steps are:

  1. Create a new settings object based on the available Group.Unified template
  2. Configure the desired settings in the settings object
  3. Set the Azure AD directory settings using the settings object
PS C:\> $GroupsConfig = (Get-AzureADDirectorySettingTemplate -Id 62375ab9-6b52-47ed-826b-58e47e0e304b).CreateDirectorySetting()

PS C:\> $GroupsConfig["AllowToAddGuests"] = $false
PS C:\> $GroupsConfig["AllowGuestsToAccessGroups"] = $false
PS C:\> $GroupsConfig["ClassificationList"] = "Internal Only,Confidential,Public"
PS C:\> $GroupsConfig["UsageGuidelinesUrl"] = "https://intranet/help-desk/groups-guidelines"

PS C:\> New-AzureADDirectorySetting -DirectorySetting $GroupsConfig

Note that there was no need to set EnableGroupCreation to True in the above commands because that is already the default value.

Configuring Automatic Group Creation Settings

In March 2017 Microsoft announced a change to Office 365 that would automatically create Groups based on manager/reports relationships in Active Directory. There were some conditions that Microsoft proposed to determine whether a Group should be created for a manager and their team of direct reports, which you can read more about here. Although that plan has since been cancelled, it may return in future. To play it safe, you might want to disable the feature entirely in case it makes a comeback and you miss the announcement.

If your organization wants to prevent the automatic Group creation from occurring, you can disable it by connecting to Exchange Online using PowerShell, and then running the following command.

PS C:\> Set-OrganizationConfig -DirectReportsGroupAutoCreationEnabled:$false

Summary

Office 365 Groups are a useful feature that customers can use for team collaboration. However, some organizations will need to control how Groups are created, or prevent them from being created at all, in order to comply with their own internal IT requirements. Every organization should at least check the Groups settings for their tenant to ensure they meet their expectations.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Thomas Geens

    Hi Paul,

    Might not be the best place to post my question.
    But does Microsoft have any plans on making the ClassificationList value available as a possible attribute for the Office365 Group Naming Policy Suffixes/Prefixes

    Kind regards

  2. Scott Williamson

    We are trying to get our company Privacy policy in the message fofr Guest users? Should this option work for us? We are not finding this in Azure PS and MS seems to know nothing about this.

    Thanks in advance!

    1. Avatar photo
      Paul Cunningham

      As far as I can tell from Microsoft’s doco, the capability to set a guest usage guidelines URL is not yet available.

      1. Thomas Geens

        Hi Scott,

        Seems to be available now as value ‘GuestUsageGuidelinesUrl’

        Kind regards

  3. asdf

    Do you know of a way to change the default group creation settings so that 1. All groups created have private (not public) selected, 2. All groups created automatically have the “Subscribe new members” defaulted to on?

    1. Avatar photo
      Paul Cunningham

      Microsoft is rolling out a change so that all Groups created in OWA are private by default, and the same will be true for other Outlook apps in the near future.

      https://support.office.com/en-us/article/office-365-groups-in-outlook-private-by-default-36236e39-26d3-420b-b0ac-8072d2d2bedc

      Groups also have an option to auto subscribe new members. It’s configurable in the PowerShell if you need to make the change for multiple Groups that already exist.

      https://docs.microsoft.com/en-us/powershell/module/exchange/users-and-groups/set-unifiedgroup?view=exchange-ps

  4. Rob Hupf

    Paul, referring to your note:
    Note: at Ignite 2017 Microsoft announced that most of these Groups controls, including the
    Groups creation permissions, require Azure AD Premium P1 (or higher) licenses to use.

    Are there ANY Groups controls that don’t require the Premium P1 license? Specifically we are looking for group name controls.

    Thanks

  5. Viktor

    Hi Paul,

    thanks for this post.
    How to delete an existing classification?

    Thanks!

    1. Avatar photo
      Paul Cunningham

      Follow the steps in the “How to Update an Existing Groups Settings Configuration” section of the article.

  6. Harsha Perera

    Hi Paul,

    I have enabled group creation only for a specific group that is syncing from on-prem AD. Once configured, even Global Admins cannot create a new Plan in Planner.

    Any idea?

  7. Vinod

    Wow…!! fantastic article with very detailed steps.

    Thanks Paul.

Leave a Reply