Office 365 Groups are a bit of a strange beast. There’s a lot of misunderstanding surrounding their purpose and provisioning, and many admins fear that enabling self-service group creation might result in data sprawl.
Updated on October 18, 2019.
Because it’s so easy for end users to unknowingly provision groups left and right as they learn the ropes to Office 365, many admins opt to restrict, or even disable, the self-service functionality that makes cloud-based productivity tools so great in the first place.
In the same vein, following an IT-led provisioning model—where users depend on IT to manually approve each new group creation request—is inefficient and virtually impossible to manage at scale.
So how should you go about governing the creation of Office 365 Groups in your environment? You have three basic options:
- Disable self-service Office 365 group creation entirely
- Limit self-service group creation to a select pool of users
- Enable self-service group creation for all users
Option 1: Disable self-service Office 365 group creation tenant-wide
Seems like the most straightforward approach, right? Preventing users from creating the things that, in turn, create Office 365 groups does sound like an effective way to quell sprawl, but it’s far from a perfect solution.
The major trade-off is that you’ll be stuck dealing with a constant stream of requests from your users whenever they need to create something to get their jobs done. Not only that, but if you don't let your users create their own plans in Planner, for example, chances are they’ll simply turn to Trello—thus contributing to another major cloud management pain, “shadow IT”.
Keep in mind that this method will prevent everyone in your organization (except for select admin roles) from creating their own Teams, Plans and other resources. Plus, disabling self-service is kind of a chore, and you need to have either an Azure AD Premium P1 license or an Azure AD Basic EDU license in order to do it.
To disable Office 365 group creation throughout your tenant:
- Install the public preview version of Azure Active Directory PowerShell for Graph (AzureADPreview). The script depends on the directory settings cmdlets, which at the time of writing only ship in the preview module, so the general availability version won't work, and you can't have both versions installed on the same machine.
- Click here to download the
- Fire up a PowerShell window and navigate to the directory where you saved the file (e.g.
- Run the script as-is by typing
One downside to this type of across-the-board restriction is that there is no per-user switch: should you ever decide to give some users their group creation rights back, you'll have to go back, create a security group and re-run the script anyway. Doing that after the fact for more than a couple of users quickly becomes a chore.
A better solution is to create an empty security group up front and then disable group creation for all users not in the group. This way, if you decide down the line to give specific users permission to create groups, you'll just need to add them to your security group.
This brings us to our second option.
Option 2: Limit self-service group creation to a select pool of power users
Perhaps you want some users, but not all of them, to be able to create their own resources in Office 365—for example, power users who have already been trained and are comfortable with Office 365 Groups and their surrounding concepts.
In this case, the best practice is to create a security group containing only those users, and then run a PowerShell script to disable self-service group creation for everyone else.
Note that you can only have one security group per tenant dedicated to controlling self-service group creation. However, you can nest other security groups within the main one the same way you’d add individual users (meaning you could easily enable self-serve for everyone in your Exchange Users security group, for example). As your users become familiar with the new ways of working in Office 365, you can grant them group creation privileges by adding them to the security group.
Once again, to use this method, you’ll need:
- Either an Azure AD Premium P1 license or an Azure AD Basic EDU license
- The preview version of the Azure AD PowerShell for Graph (the general availability version won’t work)
Here’s a quick rundown of the steps; for the full process, check out Manage who can create Office 365 Groups in the official Microsoft docs.
- Go to the Office 365 Admin center and create a new security group (not an Office 365 group). Call it something descriptive, like
- Add the users and/or groups for whom you wish to enable self-service to your new security group.
- Click here to download the
- Open the text file and replace <SecurityGroupName> with the name of the security group you created in step 1. Save and quit.
- Fire up a PowerShell console and navigate to the script file’s directory, then run the script by typing
If you decide to re-enable self-service for all users down the line (which you probably should!), just rerun the script with the following changes to the main variables:
$GroupName = ""
$AllowGroupCreation = "true"
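The two procedures above (disable for everyone, or allow only a security group) and the re-enable step are all the same write to one tenant-wide setting. The function below is an added example written for this post; it is not the downloadable script from the post or Microsoft's published script. It uses the AzureADPreview cmdlets mentioned above, assumes you have already run Connect-AzureAD with an account that can write directory settings, and the group name "Allow Group Creation" in the usage lines is assumed. Unlike a lookup with -SearchString (a prefix match that would also hit "Allow Group Creation - Test"), it filters on the exact display name, refuses to continue unless exactly one security group matches, and reads the setting back from the tenant afterwards instead of trusting the local copy.

```powershell
# Added example (not the post's or Microsoft's script). Requires the AzureADPreview
# module and an existing Connect-AzureAD session with rights to write directory settings.
function Set-O365GroupCreationPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Security group whose members may create groups. Leave empty so that the
        # EnableGroupCreation value applies to everyone (except the exempt admin roles).
        [string]$AllowedGroupName = "",
        # $false: only members of $AllowedGroupName (or admins) may create groups.
        # $true : everyone may create groups (with an empty group name this is Option 3).
        [bool]$AllowGroupCreation = $false
    )

    # Tenant-wide group settings live in a directory setting object built from the
    # "Group.Unified" template. It does not exist until someone creates it.
    $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
    if (-not $setting) {
        $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }
        New-AzureADDirectorySetting -DirectorySetting $template.CreateDirectorySetting() | Out-Null
        $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
    }

    # Resolve the group name to an object id with an exact displayName filter.
    $allowedGroupId = ""
    if ($AllowedGroupName) {
        $escaped = $AllowedGroupName.Replace("'", "''")   # escape quotes for the OData filter
        $groups  = @(Get-AzureADGroup -Filter "displayName eq '$escaped'")
        if ($groups.Count -ne 1) {
            throw "Expected exactly one group named '$AllowedGroupName', found $($groups.Count)."
        }
        if (-not $groups[0].SecurityEnabled) {
            throw "'$AllowedGroupName' is not a security group; an Office 365 group cannot be used here."
        }
        $allowedGroupId = $groups[0].ObjectId
    }

    # The setting stores strings, so "true"/"false" rather than PowerShell booleans.
    $setting["EnableGroupCreation"]         = $AllowGroupCreation.ToString().ToLower()
    $setting["GroupCreationAllowedGroupId"] = $allowedGroupId

    $change = "EnableGroupCreation=$AllowGroupCreation, GroupCreationAllowedGroupId='$allowedGroupId'"
    if ($PSCmdlet.ShouldProcess("Group.Unified", $change)) {
        Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
    }

    # Verify what the tenant actually stored rather than echoing the local object.
    (Get-AzureADDirectorySetting -Id $setting.Id).Values |
        Where-Object { $_.Name -in "EnableGroupCreation", "GroupCreationAllowedGroupId" }
}

# Option 1: nobody but the exempt admin roles may create groups.
# Set-O365GroupCreationPolicy -AllowGroupCreation $false

# Option 2: only members of the "Allow Group Creation" security group (assumed name).
# Set-O365GroupCreationPolicy -AllowedGroupName "Allow Group Creation"

# Option 3: re-enable self-service for everyone (the change described just above).
# Set-O365GroupCreationPolicy -AllowGroupCreation $true
```

Run it once with -WhatIf to see the change it would write before committing it. The last line of output is the check that matters: if GroupCreationAllowedGroupId comes back empty when you passed a group name, the setting was not applied and nobody outside the admin roles will be able to create groups.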
Option 3: Enable self-service group creation for all users
We get it—letting your users create whatever they want, whenever they want does sound like a challenge from a governance perspective.
So is enabling self-service for Office 365 Groups worth the effort? Definitely.
Empowering users to make full use of the apps and tools included in Office 365 has been shown to be a huge adoption booster. At a certain level, self-service is Office 365—it’s what makes cloud-based collaboration the most flexible and efficient way for teams to build things together.
Here are a few ways you can keep your Office 365 manageable while giving your users the freedom to create the things they need, when they need them:
- Teach your users about key Office 365 concepts. Microsoft’s Office 365 Training Center is a treasure trove of resources designed to help everyone in your organization make proper, productive use of the tools available to them. Education really is one of the crucial components of successful Office 365 adoption in the workplace.
- Establish a naming convention for your Office 365 groups and enforce it with a naming policy in Azure AD (requires Azure AD Premium P1) so that a group's purpose and owning team are recognisable from its name, blocked words stay out of group names, and duplicate groups are easier to spot
- Set group expiration policies in Azure AD (requires Azure AD Premium P1) to automatically delete groups of a certain age unless their owners renew them
- Use a third-party governance tool to monitor activity on all Office 365 groups in your tenant and automatically notify owners when a group they created hasn’t been touched in a while. Letting the right users decide whether or not to archive their inactive groups in a timely manner means everyone—not just IT—has their fair share of the responsibility for keeping clutter under control.
Successful Office 365 Groups management is a team effort
It can be tempting to restrict or disable self-service Office 365 group creation in an effort to prevent data sprawl. But Office 365 Groups are a powerful part of Microsoft’s cloud productivity offering, and restricting their creation also means depriving your users of a lot of functionality.
Instead, the future-friendly solution is to plan for good governance in your Office 365 Groups implementation. Create and enforce policies to ensure that newly created groups comply with your organizational requirements. Consider using a third-party governance tool such as ShareGate Apricot to supplement the somewhat limited administrative solutions available in Azure AD. And, most importantly, educate your users on the best practices they should follow when using the apps and services available to them.
ShareGate Apricot is easy to set up and even easier to manage: no clunky interface, no coding, and no Azure AD Premium subscription required.