Monday, March 27, 2017

Controlling Groups creation in a tenant using the AAD V2 PowerShell module

Recently I wrote a post how to set classification on Office 365 Groups. If you want to restrict or govern who can create Office 365 Groups, you can basically use the same script. I’ve adapted the steps from Wictor Wilén’s post which uses the old commandlets.
If you want total lockdown except for tenant admins, remove the GroupCreationAllowedGroupId lines, but I recommend setting this to some IT related AAD group to allow some group creation. For a customer we have a custom Groups ordering process, which works regardless of policy settings, allowing full control of Groups creation.
A quick note, at the time of this writing you have to use the preview commandlets as the released one is missing the settings commands needed.
Find-Module AzureADPreview #ensure it's in the list
Install-Module AzureADPreview
Import-Module AzureADPreview
$credentials = Get-Credential
Connect-AzureAD -Credential $credentials

#AD group which should be allowed to create groups
$group = Get-AzureADGroup -SearchString "-Group creators-"
if($group -eq $null) {
    Write-Host "You need to change the script to limit groups creation to a specific AAD group" -ForegroundColor Red
    exit
}

# Try to fetch settings
$policySetting = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq "Group.Unified"}

if ($policySetting -eq $null) {
    $template = Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
 
    # Create the settings object from the template
    $settings = $template.CreateDirectorySetting()

    # Use this settings object to prevent others than specified group to create Groups
    $settings["EnableGroupCreation"] = $false
    $settings["GroupCreationAllowedGroupId"] = $group.ObjectId
    # (optional) Add a link to the Group usage guidelines
    $settings["UsageGuidelinesUrl"] = "https://contoso.com/guidelines"

    $policySetting = New-AzureADDirectorySetting -DirectorySetting $settings
}
else {
    $policySetting["EnableGroupCreation"] = $false
    $policySetting["GroupCreationAllowedGroupId"] = $group.ObjectId
    $policySetting["UsageGuidelinesUrl"] = "https://contoso.com/guidelines"

    Set-AzureADDirectorySetting -Id $policySetting.Id -DirectorySetting $policySetting
}