Defining good governance for your Office 365 groups
The groups are one of the most important pillars of Office 365, considering this for a company is vital to define a good governance in order to better manage them. The tenant admin has an important role to play in this, in fact through Powershell it is possible to set some important attributes at the Azure Active Directory level. Now imagine the bad scenario where in a company every user is able to create a new Microsoft Teams, this can generate an uncontrollable situation with many Teams per user.
We can consider as a good practice to allow the Office 365 groups creation only for a specific group which could be an “Admin Group” namely a group composed only by admin users. This open a scenario, for example, where a user requests a creation of a Teams, SharePoint team site or communication site with an internal workflow where an admin can manage the requests keeping under control the situation. The Azure Active Directory offers several attributes who come to our aid:
As you can see from the picture I defined in my Office 365 tenant that, only a specific group is able to create new Office 365 groups, in fact, the attributes EnableGroupCreation is false and the GroupCreationAllowedGroupdId contains the Guid of a specific group of admins. The first step to do in order to take control of this, is installing the official Powershell cmdlets of Microsoft to interact with Azure Active Directory so take a look in the Powershell Gallery, if you have windows 10 you can open an instance of Powershell like admin and executing the command:
Install-Module -Name AzureADPreview
Once the module is installed, you can start to play with it, just in case you have not specified a setting in you Azure Active Directory you can follow the procedure below to assign a setting from a template and then set up the attributes as you prefer:
- Create an Office 365 Group here in your tenant https://portal.office.com/adminportal/home#/groups
- If you don't have existing setting for the unified group on your Azure Active Directory run the script below:
# Set the credentials and connect to O365 $UserCredential = Get-Credential Connect-AzureAD -Credential $UserCredential # Get the admin's group $group = Get-AzureADGroup -All $True | Where-Object {$_.DisplayName -eq “GroupAdmins”} # Get the unified group setting template $template = Get-AzureADDirectorySettingTemplate | where-object {$_.displayname -eq “Group.Unified”} # Create new setting $setting = $template.CreateDirectorySetting() # Set up the attributes $setting["EnableGroupCreation"] = $False $setting["GroupCreationAllowedGroupId"] = $group.ObjectId # Add the setting to the AAD New-AzureADDirectorySetting -DirectorySetting $setting
- If you already have the setting for the unified group run this other script:
# Update existing setting # Get the admin's group $group = Get-AzureADGroup -All $True | Where-Object {$_.DisplayName -eq “GroupAdmins”} # Get the unified group setting template $settingsAD = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" } # Set up the attributes $settingsAD["EnableGroupCreation"] = $False $settingsAD["GroupCreationAllowedGroupId"] = $group.ObjectId # Confim the change Set-AzureADDirectorySetting -Id $settingsAD.Id -DirectorySetting $settingsAD
The final result is that a normal user is not able to create a new Teams for example:
Summarizing only the users which are in the admin group can create new Office 365 group.