How to disable Office Groups and Teams creation the right way.

Why disable groups/ teams creation

Some companies want to permit access to group and our teams creation. There can be many reasons for this. For instance you want to disable the creation of groups and teams to be more in control over these features.

To do this the right way it is recommended that only certain users are able to create groups and teams. In order to perform this it is rather recommended to create a Universal Security Group (which is mail enabled). This group will be used only for group and team creation.

First steps

As mentioned before it is recommended to create a Universal Security Group (which is mail enabled). When you have Azure AD Connect in place you should create this group on-premise and sync this over to Azure AD. That means that you management will maintain On-premise.

You can also create this group in Azure AD itself. If that is your way to go you should just create a security group in Azure AD. Please understand that your management will be in AzureAD/ Office 365.

The Script

To disable the group/ teams creation you can run the script bellow from the Azure AD PowerShell module

$Settings = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq ‘Group.Unified’}
If ( !( $Settings)) {
# No Group.Unified object found, create new settings object from template
Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq ‘Group.Unified’} | Select-Object -ExpandProperty Values
$Template = Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq ‘Group.Unified’}
$Template | Select-Object -ExpandProperty Values
$Settings = $Template.CreateDirectorySetting()
}
$Settings[‘EnableGroupCreation’] = ‘false’
$Settings[‘AllowToAddGuests’] = ‘false’
$Settings[‘GroupCreationAllowedGroupId’] = ( Get-AzureADGroup -SearchString ‘Office365GroupTeamsAdmins‘).ObjectId
If ( Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq ‘Group.Unified’} ) {
Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq ‘Group.Unified’} | Set-AzureADDirectorySetting -DirectorySetting $Settings
}
Else {
New-AzureADDirectorySetting -DirectorySetting $Settings
}

And make sure there is a Synced universal mail enabled security group with the name Office365GroupTeamsAdmins. Because  the user must be in the group Office365GroupTeamsAdmins to create groups and teams so all other users are not permitted.
Thanks to Michel de Rooij for this script
Please follow and like us:

Microsoft Office 365 groups and Office 365 teams Expiry

Yesterday Microsoft has introduced a feature within Office groups to set an expiry date. What does this means.

What does this mean

This means that you can set a 30 days expiration of a group. When the experation date is passed the owner of the group gets a notification to renew the expiration date for another 30 days or even more.

un1

How do i configure this Group Expiry

You can set the expiration of Office groups in Azure Active directory.

Untitled

When you’re not setting a new expiration date the group will be removed and put into soft deleted. If a group is deleted this can be a real pain for the members of this team or group when this was not the intention.

See my post How to restore a group on how to restore a office group.

Please follow and like us:

How to restore Office 365 group

Some of you probably know that it was not possible to restore data in a office group within office 365. Recently microsoft introduced the new functionality to restore office 365 group or team. This means that you can restore a office Group including all content.

Sometimes a removal of a group can really be a pain for the members in this group or team.

First of all a tip on restore Office 365 Group.

Don’t use Remove-MsolGroup because it purges the group permanently. Always use Remove-AzureADMSGroup to delete an O365 group.

When you start with this topic make sure you have Azure Active Directory PowerShell Version 2 installed else you will mis alot of cmdlets. You can download it from the site of Microsoft. The new version of powershell also contains a lot of new features regarding azure ad. You can also use the command connect-azuread to connect directly into office 365.

To get all removed Office 365 Groups execute the command below

Get-AzureADMSDeletedGroup

Before you want to restore the group or team you need to get more details about the removed office 365 group to get more insights into the group or team. You can also get the object id from here .

Execute the Get command included with the objectID of the removed group. you can also look up the objectid in azure ad.

Get-AzureADMSDeletedGroup –Id <ObjectID>

How to restore your deleted Office 365 group

Once you have verified that the group is in soft deleted, the restore command will restore everything in the office group. (it can take up to 2 days to restore everything) I know this can take a long time and you cant see the status of the restore but the wait is worth the effort.

Restore-AzureADMSDeletedDirectoryObject -Id <ObjectID>

I think you will use this a lot when you manage a office 365 tenant

Please follow and like us: