How to Control Who Can Create M365 Groups

Collaboration is at the heart of the modern Microsoft 365 experience—especially if we look at coming innovations and those planned for the future. As Jeff Teper, President of Collaborative Apps & Platforms at Microsoft, explained in our conversation: with collaboration enabled by effective governance, organizations will leap into a brighter future.

Microsoft 365 groups and staying on top of who creates them are part of this.

Some would even go as far as to say Microsoft 365 groups will prove critical because they’re the central mechanism that keeps your digital workspace’s wheels in motion. Groups are where team members assemble to work, and it’s where they interact with each other to get things done.

If hiccups start turning up here, it’s a slippery slope downward that can negatively affect collaboration and productivity. The first step to staying on top of this is effective governance and having an eagle’s eye view over who can do what in your Microsoft 365 environment.

To help with Microsoft 365 group governance, we explain how you can control who can create a Microsoft 365 group and manage this process.

Let’s dive in!

Table of contents

Understanding Microsoft 365 Groups
How to create a Microsoft 365 group
Benefits of Microsoft 365 Groups
Default settings for creating Microsoft 365 groups
The importance of managing group creation
Potential risks of unregulated Microsoft 365 group creation
A step-by-step guide to manual group creation management
Self-service management of group creation by IT admins
Key takeaways and looking beyond with self-serve

Understanding Microsoft 365 Groups

To understand what Microsoft 365 groups can do for organizations regarding productivity and collaboration, let’s quickly go through what defines these groups and their purpose.

What are they?

In a nutshell, Microsoft 365 groups are a collaboration feature that connects people, content, and apps in a centralized shared workspace.

What do they do?

Microsoft 365 groups allow group members to share resources (mailbox, calendar, file library, SharePoint sites, etc.), manage tasks, communicate in group conversations, and organize workflows in a centralized environment.

The structure

Each Microsoft 365 group has a shared group inbox (different from a group mailbox), calendar, file library, OneNote notebook, Planner, and a SharePoint site.

And the functionality

Shared Mailbox: Allows group members to send and receive emails from members assigned a common address.
Shared Calendar: Enables scheduling of events related to the group.
File Library: A place for storing and collaborating on group documents.
OneNote Notebook: A digital notebook for capturing and organizing group ideas.
Planner: A tool for task management within the group.
SharePoint Site: A platform for sharing and managing content, knowledge, and applications.
Group creation: Any user can create a group by default, but IT administrators can have additional settings to control this.
Access: Members can access group resources in their respective applications, like Outlook, SharePoint, etc.
Integration: Microsoft 365 Groups integrate with other Microsoft services. For instance, you can add Microsoft Teams to your group for seamless collaboration.
Security: Groups can be public (anyone in the member organization can join) or private (only approved members can join).

How to create a Microsoft 365 group

Here are some of the easiest ways you can create a Microsoft 365 group:

When you create a Team, a group is automatically created for you (along with a OneNote, Planner plan, SharePoint site, etc.). This is important because sometimes end users don’t know this, and they create a team and a group, meaning that there’s a duplicate group name causing clutter and confusion.
You can also create a group from the Microsoft 365 admin center. In the Admin center, go to the Groups section, click “Create group,” and choose a group name to create a Microsoft 365 group.
When you create a SharePoint site, a group with the same group name is automatically created for you. You can also create a group for a SharePoint site by going to the desired site in the SharePoint admin center and going to Settings –> Site Information –> View all site settings –> Users and Permissions –> People and groups –> New.

Benefits of Microsoft 365 Groups

Microsoft 365 groups come with multiple advantages, such as helping improve collaboration, streamlining communication for team members, and making it easier to access shared resources.

Improved collaboration: Microsoft 365 groups bring together various collaboration tools in one place, making it easier for team members to collaborate, share ideas in group conversations, and achieve common goals.
Streamlined communication: With shared mailboxes and calendars, communication within the group becomes more efficient. Members can easily stay updated on group activities and discussions.
Easy access to resources: The shared file library and other group resources are easily accessible to all group members, saving time and effort in searching for information or resources elsewhere.

Default settings for creating Microsoft 365 groups

There are certain ways Microsoft 365 handles group creation by default. These include:

Default group creation

Self-service is turned on straight out of the box. Meaning all users in a Microsoft 365 environment have permission to create groups.

Although the ability to spontaneously create groups is advantageous, larger organizations might require control over who can create groups and what they can do with them.

Microsoft’s third-party sidekick, ShareGate, can help with its administration feature. For example, you can add and remove members directly, copy structure and content, edit groups by changing the privacy or group name, and more—all directly from a centralized interface!

Default permission settings

The default settings in Microsoft 365 Groups allow members to invite others to the group, view and edit shared content, add other members, and participate in group conversations. Again, larger organizations might need to regulate this.

It’s also worth noting ShareGate’s permissions management feature. With a Permissions Matrix report, you’ll receive a breakdown highlighting all permission settings throughout the workplace and actionable steps about where you need to make changes.

Role of IT administrators in managing who can create a Microsoft 365 group

Regulating group creation

IT administrators can change the default settings and restrict group creation to certain users or groups. This can help maintain order and security within the organization.

Managing permissions

IT admins can also manage the permissions within each group, controlling who can view, edit, or share the group’s content. This is crucial for protecting sensitive information and maintaining data integrity.

The importance of managing group creation

When you create a Microsoft 365 group, you indirectly define how you’ll approach group management in your digital workspace. If you have set processes and policies defining what to do when creating a Microsoft 365 group, you’ll have zero issues down the line and be able to govern more effectively. Here’s how:

Organizational efficiency

If you have order in the form of a defined process for creating a Microsoft 365 group, it’ll help prevent clutter and unnecessary groups and help group members navigate and find what they’re looking for more easily. When users can locate what they need without hassle, it increases their productivity and efficiency.

Safeguarding sensitive information

By controlling group creation, administrators can ensure that sensitive information is only shared within appropriate groups, thereby enhancing the security of the organization’s data.

However, it’s also important not to overdo governance and end up restricting users so much that they end up turning to shadow IT when they don’t have the freedom to work how they want or need to.

Perfect security shouldn’t come at such a hefty price, and administrators should focus on achieving a balance.

If you’re working in self-serve environment, knowing how to implement a Microsoft 365 governance strategy will help you better manage group creation and end-user permissions.

Potential risks of unregulated Microsoft 365 group creation

Not taking control over Microsoft groups can have undesirable consequences and increase potential risks to security. Let’s take a closer look at some of these risks:

Data sprawl: Without regulation, there can be an excessive creation of groups leading to data sprawl. Important information can be scattered across multiple groups; trying to locate inactive Microsoft teams and groups and manage them later is not easy.
Security vulnerabilities: Unregulated group creation can lead to security risks if unauthorized individuals create groups and gain access to sensitive information. This could potentially lead to data breaches.
Inefficient resource use: Excessive and unregulated group creation can lead to inefficient use of resources, as storage and processing power may be wasted on unnecessary groups.

A step-by-step guide to manual group creation management

Here’s a step-by-step guide for IT admins looking to manage group creation in Microsoft 365 manually:

Step 1: Accessing admin settings

Start by logging into the Microsoft 365 admin center and navigating to group settings.

Step 2: Creating a security group

When you’re at the admin center, create a dedicated security group for users who should be allowed to create Microsoft 365 groups. This can be done in the Microsoft 365 admin center or using PowerShell commands.

Step 3: Configuring group creation settings

Once the security group is created, configure settings to restrict group creation to only the members of this security group. This can be done using Azure Active Directory PowerShell for the Graph module.

Step 4: Verifying the changes

After configuring the settings, verify that the changes have been implemented correctly in the admin center. You can do this by attempting to create a group with a user who is not part of the designated security group.

Step 5: Regular monitoring and adjustments

Finally, IT admins should regularly monitor group creation activities and adjust the settings as necessary to ensure the continued efficiency and security of the organization.

Self-service management of group creation by IT admins

Another way to manage group creation is through self-serve, the default method by which Microsoft 365 was designed to be used. The reason is simple: self serve makes it easy for users to manage their digital workspace and collaborate more effectively.

Many admins might shy away from using self-service because, in their opinion, it gives end users more control than they should have. Admins fear team members might unknowingly mess up things, like cluttering the workspace with unnecessary data.

But today, with all the features now available with Microsoft 365, this is simply not the case.

End users should have control, and implementing self-service the right way balances out security with end-user satisfaction. If too many guardrails are put in place and self-serve taken away, you’ll create too many hurdles for end users and push them towards shadow IT.

There are ways to maintain hierarchical organization and avoid issues like clutter with self-serve enabled, such as effective provisioning strategies that leverage automation. Let’s look at how self-service in Microsoft 365 can be enabled for group creation the right way:

How to enable self-service in Microsoft 365

Step 1: Check if self-service is enabled

The first thing is to check if self-service is enabled. By default, self-service is enabled in Microsoft 365. So unless you previously turned it off, you don’t need to do anything. If it’s disabled, you can enable it again for not just M365 group creation but all M365 tools and services in the Microsoft 365 admin center.

This allows users to add and manage members to their groups, add Microsoft Teams integration, SharePoint sites, and more, thus reducing the administrative load on IT.

Step 2: Setting up a group naming policy

Next, set up a group naming policy to maintain order and consistency. This can include prefixes or suffixes based on user attributes or group types, like department or location.

Step 3: Implement group expiration policy

Next, set up an expiration policy to prevent inactive groups from cluttering the system. Groups that are not renewed within the specified period will be deleted. You can also automate inactive team detection with ShareGate.

Step 4: Use group creation templates

It’s wise to create provisioning templates for group creation. These templates can pre-configure certain settings, making creating groups that comply with organizational policies easier for users.

Step 5: Monitor and review

Once you’re here, you’ve successfully set up group creation in Microsoft 365 through self-serve. It’s time to regularly monitor and review group creation activities to ensure compliance with organizational policies and security requirements.

Key takeaways and looking beyond with self-serve

Whether or not you enable self-service, managing who can create a Microsoft 365 group will determine the effectiveness of team collaboration and security.

This is why implementing processes like following a hierarchical organizational structure, using naming and tagging policies, and monitoring and reviewing for compliance are all essential.

To recap, here are the key takeaways to take note of when creating a new group:

Maintaining order with group creation ensures organizational efficiency and helps make it easier for team members to navigate and find the needed groups.
Each Microsoft 365 group has a shared mailbox, Outlook group calendar, file library, OneNote notebook, Planner, and a SharePoint site.
Controlling group creation helps safeguard sensitive information. But, it also should be implemented not to restrict end users too much and enable shadow IT.
Potential risks of unregulated groups include data sprawl, increased security risks, and inefficient use of resources.
In Microsoft 365, self-service is enabled by default to help manage Microsoft 365 groups.

If you ask us, self-service is the way to go if you want to manage administration for any new Microsoft 365 group. It gives users control over their digital workspace and enables them to collaborate without friction. Of course, IT admins need to balance this out by taking the necessary security measures to manage group creation.

The bottom line is finding a delicate balance between both when enabling self-service to manage group creation.

You should check out this blog post about self-service for Microsoft 365 groups, where we cover this in detail.

Smooth, straightforward M365 migrations.

Next-generation digital workspace provisioning.

Powerful reporting. Surprisingly simple.

Automated governance for Microsoft 365.

Tackle day-to-day operations with agility.

Manage SharePoint and Teams permissions.

Exchange Online migrations, right out of the box.

Migrate to Microsoft 365 without the headache.

Centralize the administration of your digital workspace.

Migrate Teams with the ease of drag and drop.

Manage Teams better and faster with automation.

Ensure end users are using your tools the right way.

Move, edit, and restructure SharePoint in a snap.

Pro tips to prepare for Microsoft 365 Copilot

Rise up – Ignite your Microsoft 365 tenant-to-tenant migration playbook

Follow us

How to control who can create Microsoft 365 groups