First Steps: Configuring Office 365 Groups Settings

Groups are a collaboration feature of Office 365 that allow teams to work together using a shared mailbox, calendar, SharePoint file repository, and OneNote notebook. Office 365 Groups are also a membership service for other applications such as Planner, Teams, and StaffHub. Groups should not be confused with security groups (which control access/permissions to resources) or distribution groups (which are used to distribute email to multiple recipients, although Groups can also do this).

Groups are enabled by default for Office 365 tenants, and Group creation is also enabled for any user in the organization. This allows users to create a Group for their team to collaborate, or create a team in Teams, or start using Planner, without any interaction from the IT department. It's the type of freedom that many modern workplaces thrive on.

However, there are also environments where complete openness and free rein on Groups usage is a problem. Shortly after Groups first appeared in Office 365, a systems engineer at a large university commented to me that their students started creating hundreds of Groups with no real purpose. Some of the Groups were named specifically to make a joke or insult another person, knowing that the Group would appear in the Outlook address book and be visible to everyone.

There is also the recent controversy over Microsoft's plans to implement automatic Group creation in Office 365 based on manager/reports relationships in Active Directory. The rollout of that change has slowed down so that more testing can be performed and more feedback can be gathered, but at this stage it is still intended for the change to go ahead in the near future.

With those issues in mind, there are two configurations to look at:

  • The settings that control Group creation by users.
  • The setting that controls automatic Group creation based on manager/reports relationships.

Managing Office 365 Groups Settings

In the past the Groups controls have been applied using OWA mailbox policies to allow or disallow the creation of Groups. This approach was fine when Groups were primarily created and used via Outlook. But Groups is a feature that spans many Office 365 services (e.g. as mentioned earlier, Teams and Planner use Groups). So the OWA mailbox policy approach was only effective in preventing creation of Groups via Outlook, and would not prevent Groups from being created via other workloads (e.g. when a new Planner plan is created).

Eventually a tenant-wide control was added, and could be managed using PowerShell. However, this required a specific preview build of the MS Online PowerShell module (also known as Azure Active Directory Module V1). Getting the right build installed just to perform one configuration task was a bit frustrating, but fortunately only necessary as a one-time change (unless you wanted to modify the config again later on).

Fortunately, the controls are now coming to the Azure Active Directory Module V2, which I'll just refer to here as the AzureAD module. As I'm writing this, the necessary cmdlets are available in the AzureADPreview module, which can happily coexist with the AzureAD module on the same computer if necessary. You can check the PowerShell Gallery page for the AzureAD module to find out if the cmdlets used in the demos below (Get-AzureADDirectorySetting, Get-AzureADDirectorySettingTemplate, etc.) are included yet. If not, use the AzureADPreview module.

To get started, install the AzureAD or AzureADPreview module on your management workstation.

Next, connect to Azure AD for your tenant, and then run Get-AzureADDirectorySetting to check for existing settings.

Note, if you have both PowerShell modules installed and want to explicitly use the AzureADPreview module, run the following command to connect.

If you see no output from Get-AzureADDirectorySetting then there are no settings currently in place. However, if you see an entry that uses the TemplateId of 62375ab9-6b52-47ed-826b-58e47e0e304b with a DisplayName of Group.Unified, then you have an existing Groups settings configuration in place.

To view the settings, run Get-AzureADDirectorySetting for the Id of your settings object, which in my example is d9ac5e4f-f76e-4b0d-838e-d40aa97741fd.

In the example above, Group creation is disabled except for members of the Group with Id 489c22bb-beba-4915-80b0-85c85f4c64e8, which is a group named Groups Admins in my tenant.
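The connect-and-inspect steps described above can be run as one read-only audit. This is an added example, not the commands from the original article; it assumes the AzureADPreview module is installed and uses only the cmdlets named on this page plus Get-AzureADGroup to resolve the allowed group's name.

```powershell
# Added example: read-only audit of the tenant's Group.Unified settings.
# One-time install on the management workstation:
#   Install-Module AzureADPreview -Scope CurrentUser

# Module-qualified call so the AzureADPreview version is used
# even when the AzureAD module is also installed.
AzureADPreview\Connect-AzureAD | Out-Null

$setting = Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }

if (-not $setting) {
    Write-Output 'No Group.Unified settings object found: tenant defaults apply.'
    return
}

# Values is a list of Name/Value pairs; index it by name for lookups.
$values = @{}
$setting.Values | ForEach-Object { $values[$_.Name] = $_.Value }
$setting.Values | Format-Table Name, Value -AutoSize | Out-Host

# Summarise who can create Groups and whether guests are allowed.
if ($values['EnableGroupCreation'] -eq 'false') {
    $allowedId = $values['GroupCreationAllowedGroupId']
    if ($allowedId) {
        $group = Get-AzureADGroup -ObjectId $allowedId
        Write-Output "Group creation restricted to members of '$($group.DisplayName)' ($allowedId)."
    } else {
        Write-Output 'Group creation is disabled for all non-admin users.'
    }
} else {
    Write-Output 'Group creation is open to all users.'
}
Write-Output "AllowGuestsToAccessGroups: $($values['AllowGuestsToAccessGroups'])"
Write-Output "AllowToAddGuests:          $($values['AllowToAddGuests'])"
```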

From here there are a few different ways to go, depending on the outcome that you want to achieve. For this article I'll demonstrate:

  • How to update an existing Groups settings configuration
  • How to remove an existing Groups settings configuration
  • How to configure Groups settings if no settings are already in place

How to Update an Existing Groups Settings Configuration

In the example shown above there is already a Groups settings configuration in place. For this demonstration I'll modify the configuration so that Groups creation is available for all users, instead of being restricted to the members of one security group. The steps are:

  1. Retrieve the existing directory settings into an object
  2. Update the properties of the object
  3. Set the directory settings with the new object properties
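The three steps above, written out as an added example (not the original article's commands). It assumes an existing Connect-AzureAD session and that clearing GroupCreationAllowedGroupId with an empty string is the desired way to lift the restriction; the before/after comparison is an addition for change records.

```powershell
# Added example: open Group creation to all users on an existing settings object.

# 1. Retrieve the existing directory settings into an object.
$setting = Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }
if (-not $setting) {
    throw 'No Group.Unified settings object exists; create one from the template instead.'
}

# Snapshot the current values so the change can be reviewed afterwards.
$before = @{}
$setting.Values | ForEach-Object { $before[$_.Name] = $_.Value }

# 2. Update the properties of the object.
$setting['EnableGroupCreation']         = 'True'
$setting['GroupCreationAllowedGroupId'] = ''

# 3. Set the directory settings with the new object properties.
Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting

# Re-read from the directory and list only the values that changed.
(Get-AzureADDirectorySetting -Id $setting.Id).Values |
    Where-Object { $before[$_.Name] -ne $_.Value } |
    Select-Object Name,
        @{ n = 'Before'; e = { $before[$_.Name] } },
        @{ n = 'After';  e = { $_.Value } }
```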

Remove an Existing Groups Settings Configuration

If you'd prefer to just remove the settings entirely and let Office 365 apply the default Groups settings to your tenant, then you can do that by running the following command.
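An added example of the removal (not the original article's command), assuming an existing Connect-AzureAD session. It saves the current values to a local JSON file first, since removal discards the restriction on who may create Groups; the backup file name is an arbitrary choice.

```powershell
# Added example: back up, then remove, the Group.Unified settings object.
$setting = Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }

if ($setting) {
    # Keep a copy of the values so the configuration can be recreated later.
    $setting.Values |
        Select-Object Name, Value |
        ConvertTo-Json |
        Set-Content -Path '.\GroupUnified-backup.json'

    Remove-AzureADDirectorySetting -Id $setting.Id
}

# Confirm nothing is left; no output means tenant defaults now apply.
Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }
```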

Configure Groups Settings for Office 365

If you have no Groups settings configuration already in place, you can create a new one with the controls that you want for your organization. The controls that are available include:

  • EnableGroupCreation – this can be configured to True or False, and controls whether users who do not have admin rights can create Groups.
  • GroupCreationAllowedGroupId – this can be configured with the Guid of a security group that will be allowed to create Groups when EnableGroupCreation is set to False.
  • UsageGuidelinesUrl – a link to Groups usage guidelines for your organization. This could be the URL of an intranet page that informs users about how to effectively use Groups for collaboration.
  • ClassificationList – a comma-delimited list of classifications that can be applied to Groups, such as Internal Only, Confidential, Public, or any other classifications that are part of your information architecture. These classifications are a visual cue for your users to understand the nature of the information in the Group, but are not actually enforced by Office 365.
  • DefaultClassification – the default classification that will be applied if the Group owner or an administrator has not applied a classification yet.
  • AllowGuestsToAccessGroups – controls whether external users will be allowed to have access to Groups content. Note that external access to all Groups-based applications is not currently available (e.g. Teams does not support external/guest access at this time).
  • AllowGuestsToBeGroupOwner – controls whether an external user can be made the owner of a Group.
  • GuestUsageGuidelinesUrl – same as the UsageGuidelinesUrl but applies to guest users. Logically this would be an externally-accessible URL.
  • AllowToAddGuests – controls whether guests can be added at all.

Other settings for DefaultClassification, ClassificationDescriptions, and PrefixSuffixNamingRequirement are all slated for future releases.

For this example we'll apply a Groups settings configuration that:

  • Enables Group creation for end users
  • Makes classifications of Internal Only, Confidential, and Public available
  • Disallows guest access
  • Links to an intranet page for Group usage guidelines

The steps are:

  1. Create a new settings object based on the available Group.Unified template
  2. Configure the desired settings in the settings object
  3. Set the Azure AD directory settings using the settings object
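The three steps above as an added example (not the original article's commands), assuming an existing Connect-AzureAD session. The guidelines URL is a placeholder, and setting both AllowGuestsToAccessGroups and AllowToAddGuests to False is this example's reading of "disallows guest access".

```powershell
# Added example: create a Group.Unified settings object from the template.

# 1. Create a new settings object based on the Group.Unified template.
$template = Get-AzureADDirectorySettingTemplate |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }

# Guard: if a settings object already exists, update it instead of creating another.
$existing = Get-AzureADDirectorySetting |
    Where-Object { $_.TemplateId -eq $template.Id }
if ($existing) {
    throw "Group.Unified settings already exist (Id $($existing.Id)); update that object instead."
}

$setting = $template.CreateDirectorySetting()

# 2. Configure the desired settings in the settings object.
$setting['ClassificationList']        = 'Internal Only,Confidential,Public'
$setting['AllowGuestsToAccessGroups'] = 'False'
$setting['AllowToAddGuests']          = 'False'
# Placeholder URL: replace with your organization's intranet page.
$setting['UsageGuidelinesUrl']        = 'https://intranet.example.com/groups-guidelines'

# 3. Set the Azure AD directory settings using the settings object.
New-AzureADDirectorySetting -DirectorySetting $setting

# Read the stored values back to confirm what the tenant now enforces.
(Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }).Values |
    Format-Table Name, Value -AutoSize
```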

Note that there was no need to set EnableGroupCreation to True in the above commands because that is already the default value.

Configuring Automatic Group Creation Settings

In March 2017 Microsoft announced a change to Office 365 that will automatically create Groups based on manager/reports relationships in Active Directory. There are some conditions that Microsoft will be applying to determine whether a Group should be created for a manager and their team of direct reports, which you can read more about here.

If your organization wants to prevent the automatic Group creation from occurring, you can disable it by connecting to Exchange Online using PowerShell, and then running the following command.
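An added example of this change (not the original article's command), assuming an Exchange Online PowerShell session is already connected. It checks the current value first, changes it only if automatic creation is enabled, and reads the value back.

```powershell
# Added example: disable automatic Group creation for managers' direct reports.
$current = (Get-OrganizationConfig).DirectReportsGroupAutoCreationEnabled

if ($current) {
    Set-OrganizationConfig -DirectReportsGroupAutoCreationEnabled $false
} else {
    Write-Output 'Automatic direct reports Group creation is already disabled.'
}

# Confirm the value now stored for the organization.
Get-OrganizationConfig | Format-List DirectReportsGroupAutoCreationEnabled
```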

Summary

Office 365 Groups are a useful feature that customers can use for team collaboration. However, some organizations will need to control how Groups are created, or prevent them from being created at all, in order to comply with their own internal IT requirements. Every organization should at least check the Groups settings for their tenant to ensure they meet their expectations.

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.

3 comments

  1. Harsha Perera says:

    Hi Paul,

    I have enabled group creation only for a specific group that is syncing from on-prem AD. Once configured, even Global Admins cannot create a new Plan in Planner.

    Any idea?
