If you want total lockdown, so that only tenant admins can create Groups, set GroupCreationAllowedGroupId to an empty string instead of a group's ObjectId. Note that simply removing the GroupCreationAllowedGroupId lines is only enough when the Group.Unified settings object does not exist yet; on an existing object the value you fetched is written back unchanged, so a previously configured group stays exempt. I recommend, however, pointing it at an IT-related AAD group so that some controlled group creation is still possible. For a customer we have a custom Groups ordering process which works regardless of the policy settings, giving full control over Groups creation.
A quick note: at the time of this writing you have to use the preview cmdlets (AzureADPreview), as the released AzureAD module is missing the directory settings cmdlets needed.
```powershell
Find-Module AzureADPreview   # ensure it's in the list
Install-Module AzureADPreview
Import-Module AzureADPreview

$credentials = Get-Credential
Connect-AzureAD -Credential $credentials

# AAD group whose members should be allowed to create Groups.
# -SearchString is a prefix match, so insist on exactly one result: with several matches
# a plain "$group -eq $null" test returns an empty array (treated as false) and
# $group.ObjectId becomes an array instead of a single id.
$group = Get-AzureADGroup -SearchString "-Group creators-"
if ($null -eq $group -or @($group).Count -ne 1) {
    Write-Host "You need to change the script to limit groups creation to a specific AAD group" -ForegroundColor Red
    exit
}

# Try to fetch the existing Group.Unified settings object
$policySetting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }

if ($null -eq $policySetting) {
    $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }

    # Create the settings object from the template
    $settings = $template.CreateDirectorySetting()

    # Use this settings object to prevent anyone other than the specified group from creating Groups
    $settings["EnableGroupCreation"] = $false
    $settings["GroupCreationAllowedGroupId"] = $group.ObjectId

    # (optional) Add a link to the Group usage guidelines
    $settings["UsageGuidelinesUrl"] = "https://contoso.com/guidelines"

    $policySetting = New-AzureADDirectorySetting -DirectorySetting $settings
}
else {
    # Object already exists: overwrite the values in place and write it back
    $policySetting["EnableGroupCreation"] = $false
    $policySetting["GroupCreationAllowedGroupId"] = $group.ObjectId
    $policySetting["UsageGuidelinesUrl"] = "https://contoso.com/guidelines"
    Set-AzureADDirectorySetting -Id $policySetting.Id -DirectorySetting $policySetting
}
```
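As an added example (my own code, not part of the original post), the same policy as two reusable functions: one that pins the Group.Unified setting to the desired state whether or not the object already exists (including the total-lockdown case, where the allowed group is explicitly cleared), and one that reads the effective policy back so you can verify it and see who is exempt. It assumes an existing Connect-AzureAD session from the AzureADPreview module; the function names and parameters are my own.

```powershell
# Added example, not code from the original post. Assumes Connect-AzureAD has
# already been run with the AzureADPreview module loaded. Function names and
# parameters are my own choice.

function Set-GroupCreationPolicy {
    # Applies the Group.Unified policy idempotently. Call without -AllowedGroupId
    # for a total lockdown (only tenant admins can create Groups).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$AllowedGroupId = "",
        [string]$UsageGuidelinesUrl = ""
    )

    if ($AllowedGroupId -ne "") {
        # Resolve by ObjectId rather than -SearchString, so a prefix match on a
        # similarly named group cannot silently widen who is exempt.
        $null = Get-AzureADGroup -ObjectId $AllowedGroupId -ErrorAction Stop
    }

    $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
    $isNew = $false
    if ($null -eq $setting) {
        $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }
        $setting = $template.CreateDirectorySetting()
        $isNew = $true
    }

    # Always write all three values. On an existing object an untouched key keeps
    # its stored value, so an empty string is what actually clears a previous group.
    $setting["EnableGroupCreation"]         = $false
    $setting["GroupCreationAllowedGroupId"] = $AllowedGroupId
    $setting["UsageGuidelinesUrl"]          = $UsageGuidelinesUrl

    if ($PSCmdlet.ShouldProcess("Group.Unified", "apply Groups creation policy")) {
        if ($isNew) { New-AzureADDirectorySetting -DirectorySetting $setting | Out-Null }
        else        { Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting }
    }
}

function Get-GroupCreationPolicyReport {
    # Reads the effective policy back. Owners of the allowed group are listed as
    # well, because they can add members and so extend the exemption without
    # ever touching the directory setting.
    $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }

    $report = [ordered]@{
        SettingExists       = ($null -ne $setting)
        EnableGroupCreation = $true   # template default when no object exists: everyone may create
        AllowedGroupId      = ""
        AllowedGroupName    = ""
        AllowedGroupOwners  = @()
        AllowedGroupMembers = @()
        LockedDown          = $false
    }

    if ($null -ne $setting) {
        # Setting values come back as strings ("true"/"false"), so convert explicitly
        $report.EnableGroupCreation = [System.Convert]::ToBoolean($setting["EnableGroupCreation"])
        $report.AllowedGroupId      = [string]$setting["GroupCreationAllowedGroupId"]
    }
    $report.LockedDown = -not $report.EnableGroupCreation

    if ($report.AllowedGroupId -ne "") {
        $grp = Get-AzureADGroup -ObjectId $report.AllowedGroupId
        $report.AllowedGroupName    = $grp.DisplayName
        $report.AllowedGroupOwners  = @(Get-AzureADGroupOwner  -ObjectId $grp.ObjectId -All $true | ForEach-Object { $_.DisplayName })
        $report.AllowedGroupMembers = @(Get-AzureADGroupMember -ObjectId $grp.ObjectId -All $true | ForEach-Object { $_.DisplayName })
    }

    if (-not $report.LockedDown) {
        # With EnableGroupCreation true the allowed group is irrelevant: every user may create Groups
        Write-Warning "Self-service Groups creation is enabled for all users."
    }
    return [pscustomobject]$report
}

# Usage (after Connect-AzureAD); the group id and URL are placeholders:
# Set-GroupCreationPolicy -AllowedGroupId "<ObjectId of the IT group>" -UsageGuidelinesUrl "https://contoso.com/guidelines"
# Set-GroupCreationPolicy                      # total lockdown, clears any previously allowed group
# Get-GroupCreationPolicyReport | Format-List
```

Run the report right after applying the policy, and again periodically: the setting is tenant-wide and easy to overlook, and the member and owner lists of the allowed group are where the exemption quietly grows.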