If you want total lockdown except for tenant admins, remove the GroupCreationAllowedGroupId lines, but I recommend setting this to an IT-related AAD group so that some group creation is still allowed. For a customer we have a custom Groups ordering process, which works regardless of policy settings, allowing full control of Groups creation.
A quick note: at the time of this writing you have to use the preview module, as the released module is missing the settings cmdlets needed.
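# Restrict Microsoft 365 Group creation to the members of one AAD group.
#
# Requires the AzureADPreview module: the released AzureAD module lacks the
# *-AzureADDirectorySetting cmdlets used below.
Find-Module AzureADPreview #ensure it's in the list
Install-Module AzureADPreview
Import-Module AzureADPreview
$credentials = Get-Credential
Connect-AzureAD -Credential $credentials

# (optional) Link shown to users as the Group usage guidelines; used for both
# the create and the update path below.
$usageGuidelinesUrl = "https://contoso.com/guidelines"

# AD group which should be allowed to create groups.
# -SearchString is a search, not an exact-name lookup, so it may return several
# groups. Require exactly one match: with the original "$group -eq $null" test
# a multi-match result silently passed the check and an array of ObjectIds was
# written into GroupCreationAllowedGroupId. Wrapping in @() keeps Count
# meaningful for zero, one and many results.
$group = @(Get-AzureADGroup -SearchString "-Group creators-")
if ($group.Count -eq 0) {
    Write-Host "You need to change the script to limit groups creation to a specific AAD group" -ForegroundColor Red
    exit 1
}
if ($group.Count -gt 1) {
    Write-Host "More than one AAD group matched the search string; make it unambiguous:" -ForegroundColor Red
    $group | ForEach-Object { Write-Host ("  {0} ({1})" -f $_.DisplayName, $_.ObjectId) -ForegroundColor Red }
    exit 1
}
$group = $group[0]

# Try to fetch settings. "$null" goes on the left so that an array result is
# compared as a whole instead of being filtered element-wise.
$policySetting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
if ($null -eq $policySetting) {
    $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }
    if ($null -eq $template) {
        Write-Host "Group.Unified settings template not found in this tenant" -ForegroundColor Red
        exit 1
    }
    # Create the settings object from the template
    $settings = $template.CreateDirectorySetting()
    # Use this settings object to prevent others than specified group to create Groups
    $settings["EnableGroupCreation"] = $false
    $settings["GroupCreationAllowedGroupId"] = $group.ObjectId
    # (optional) Add a link to the Group usage guidelines
    $settings["UsageGuidelinesUrl"] = $usageGuidelinesUrl
    $policySetting = New-AzureADDirectorySetting -DirectorySetting $settings
}
else {
    # Settings already exist: update them in place rather than creating a second object.
    $policySetting["EnableGroupCreation"] = $false
    $policySetting["GroupCreationAllowedGroupId"] = $group.ObjectId
    $policySetting["UsageGuidelinesUrl"] = $usageGuidelinesUrl
    Set-AzureADDirectorySetting -Id $policySetting.Id -DirectorySetting $policySetting
}

# Read the setting back so the operator can confirm the values that are now in
# force (EnableGroupCreation false, GroupCreationAllowedGroupId = the chosen group).
(Get-AzureADDirectorySetting -Id $policySetting.Id).Values | Format-Table Name, Value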