Skip to main content
Version: Insiders

Control creation of Microsoft 365 Groups

In the default setup, all users possess the ability to create Microsoft 365 Groups. However, with the introduction of EasyLife 365 Collaboration, you have the option to restrict group creation for all users. By implementing this restriction, you ensure that Microsoft 365 Groups (and Teams) are exclusively generated through EasyLife 365.

caution

While we advise disabling group creation outside of EasyLife 365 Collaboration, it's not mandatory for EasyLife to operate. EasyLife includes a default policy for managing groups created outside of its scope.

Disabling Group Creation in the Entra ID Portal

To prevent the creation of Microsoft 365 Groups in the Entra ID Portal, follow these steps:

  • Access the Entra ID portal.
  • Navigate to Groups -> All Groups -> General.
  • Adjust Users can create Microsoft 365 groups in Azure portals, API, or PowerShell to No.
  • Save the changes by clicking Save.

Currently, there's no direct method to enable group creation for a specific subset of users in the Entra ID Portal. If you require such functionality, please consider using the PowerShell approach outlined below.

Disabling Group Creation via PowerShell

For detailed instructions, refer to the official documentation here.

To disable group creation for your tenant using PowerShell:

# Install and import the Microsoft Graph Beta module
Install-Module Microsoft.Graph.Beta.Identity.DirectoryManagement -AllowClobber -Force
Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement

# Connect to Microsoft Graph with necessary permissions
Connect-MgGraph -Scopes "Directory.ReadWrite.All", "Policy.ReadWrite.DirectorySettings"

# Your Entra ID group object ID
$groupId = "" # Replace with actual Entra ID if required
$allowGroupCreation = $false # Set to $true to enable

# Try to get an existing directory setting for Group.Unified
$existingSetting = Get-MgBetaDirectorySetting | Where-Object DisplayName -eq "Group.Unified"

# Get the template ID for Group.Unified settings
$template = Get-MgBetaDirectorySettingTemplate | Where-Object DisplayName -eq "Group.Unified"

# Prepare the values array
$values = @(
@{
name = "EnableGroupCreation"
value = $allowGroupCreation.ToString().ToLower()
}
)

if (-not [string]::IsNullOrWhiteSpace($groupId)) {
$values += @{
name = "GroupCreationAllowedGroupId"
value = $groupId
}
}

# Prepare the parameter object
$params = @{
templateId = $template.Id
values = $values
}

# Create or update the setting accordingly
if (-not $existingSetting) {
# No existing setting — create a new one
New-MgBetaDirectorySetting @params
} else {
# Update existing setting by ID
Update-MgBetaDirectorySetting -DirectorySettingId $existingSetting.Id -Values $values
}

# Output current state
(Get-MgBetaDirectorySetting | Where-Object DisplayName -eq "Group.Unified").Values | Format-Table Name, Value