As Microsoft are starting to roll out Groups to all Office 365 tenants, you might need to disable the ability to create them.
Groups are a great feature, but you may not be ready for them, may want to create training material before giving them to users, or may want to allow only certain users to create them.
The PowerShell script to do this is based on the Outlook Web Access policy for your organisation, but you can also create other policies and assign them to users if you want.
set-OwaMailboxPolicy -GroupCreationEnabled $false -Identity OwaMailboxPolicy-Default
What is important here is that it does not remove Groups; it only prevents users from creating them. Here are some screenshots of the experience for the user.
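An added example, not part of the original post: the same setting applied as an audit-then-change run, ending with a list of the mailboxes that can still create Groups. It assumes an already-connected Exchange Online PowerShell session, that Get-CASMailbox reports each mailbox's policy by name in its OwaMailboxPolicy property, and a hypothetical exempt policy named OwaMailboxPolicy-GroupCreators.

```powershell
# Added example; assumes a connected Exchange Online PowerShell session.
# Hypothetical name: the one policy whose users may still create Groups.
$exemptPolicy = 'OwaMailboxPolicy-GroupCreators'

# 1. Record the current state of every OWA mailbox policy before changing it.
Get-OwaMailboxPolicy |
    Select-Object Name, IsDefault, GroupCreationEnabled |
    Format-Table -AutoSize

# 2. Disable Group creation on every policy except the exempt one.
#    Piping the policy objects avoids quoting problems with names that
#    contain spaces. -WhatIf only previews; remove it to apply the change.
Get-OwaMailboxPolicy |
    Where-Object { $_.Name -ne $exemptPolicy -and $_.GroupCreationEnabled } |
    Set-OwaMailboxPolicy -GroupCreationEnabled $false -WhatIf

# 3. Count mailboxes per assigned policy, so an unexpectedly large exempt
#    population stands out.
$casMailboxes = Get-CASMailbox -ResultSize Unlimited
$casMailboxes |
    Group-Object -Property { [string]$_.OwaMailboxPolicy } |
    Select-Object Count, @{ Name = 'OwaMailboxPolicy'; Expression = {
        if ($_.Name) { $_.Name } else { '(none assigned)' } } } |
    Sort-Object Count -Descending

# 4. List the mailboxes that can still create Groups: those assigned to any
#    policy where GroupCreationEnabled is still true.
$stillEnabled = @(Get-OwaMailboxPolicy |
    Where-Object { $_.GroupCreationEnabled } |
    ForEach-Object { $_.Name })

$casMailboxes |
    Where-Object { $stillEnabled -contains [string]$_.OwaMailboxPolicy } |
    Select-Object Name, PrimarySmtpAddress, OwaMailboxPolicy
```

After removing -WhatIf and re-running, step 4 should return only the mailboxes assigned to the exempt policy.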
Great Stuff – this is exactly what I wanted to do! – Before I go ahead and run the scripts, I’ve got 2 OWA Policies setup in the system – OwaMailboxPolicy-Default (Which is assigned to all staff) and Students_MailboxPolicy (Which is assigned to all students)
If I want to disable students from creating new groups do I change the line -Identity OwaMailboxPolicy-Default to -Identity Students_MailboxPolicy
Will this remove any other settings that I already have in place in my Students policy or just add the new restriction to what already exists?
Thanks
Matt
Hi Matt,
Yes, you can do this, or you can do it to all of the OWA Policies:
Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -GroupCreationEnabled $false
Hi Alex, Is this parameter still working?
I’ve tried to change it along with ‘FacebookEnabled’ on our default OwaMailboxPolicy and a test policy with no luck on either. Both parameters throw back a cannot be found error.
Other parameters such as CalendarEnabled can be edited fine though?
Thanks for the guide above. I have hit this problem so my policy was called Student Role Assignment Policy and when I ran set-OwaMailboxPolicy -GroupCreationEnabled $false -Identity Student Role Assignment Policy
I got an error
A positional parameter cannot be found that accepts argument ‘Role’.
+ CategoryInfo : InvalidArgument: (:) [Set-OwaMailboxPolicy], Par
ameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Set-OwaMailboxPolicy
+ PSComputerName : pod51031psh.outlook.com
I assumed that it was because of the spaces in the name so I changed the name to Student_Role_Assignment_Policy
Now when I run
set-OwaMailboxPolicy -GroupCreationEnabled $false -Identity Student_Role_Assignment_Policy
I get an error
The operation couldn’t be performed because object
‘Student_Role_Assignment_Policy’ couldn’t be found on
‘AMSPR06A001DC06.EURPR06A001.prod.outlook.com’.
+ CategoryInfo : NotSpecified: (:) [Set-OwaMailboxPolicy], Manage
mentObjectNotFoundException
+ FullyQualifiedErrorId : [Server=DB4PR06MB347,RequestId=8de18193-4f3e-4cc
a-a503-0876289baf02,TimeStamp=27/11/2014 13:59:15] [FailureCategory=Cmdlet
-ManagementObjectNotFoundException] B50E92DF,Microsoft.Exchange.Management
.Tasks.SetOwaMailboxPolicy
+ PSComputerName : pod51031psh.outlook.com
Do you have any advice?
Hi Mark,
As you have a space in your OWA Policy you need to put the name in speech marks. Examples below:
set-OwaMailboxPolicy -GroupCreationEnabled $false -Identity "Student Role Assignment Policy"
What if you want it off for all users except the Admin account? I ran the script and it worked but has also prevented me from creating groups.
Hi,
The admins would require a different OWA Policy where it is enabled.
Hi Alex
I have followed what you said renaming my policy to Student Role Assignment Policy
Then I ran the cmd set-OwaMailboxPolicy -GroupCreationEnabled $false -Identity “Student Role Assignment Policy”
But I am getting the following error
The operation couldn’t be performed because object ‘Student Role Assignment Policy’ couldn’t be found on
‘AMSPR06A001DC09.EURPR06A001.prod.outlook.com’.
+ CategoryInfo : NotSpecified: (:) [Set-OwaMailboxPolicy], ManagementObjectNotFoundException
+ FullyQualifiedErrorId : [Server=DB4PR06MB347,RequestId=3af46dff-8fbd-4cce-883a-a1594c52f3bf,TimeStamp=09/12/2014
08:51:12] [FailureCategory=Cmdlet-ManagementObjectNotFoundException] EB57B62B,Microsoft.Exchange.Management.Tasks
.SetOwaMailboxPolicy
+ PSComputerName : pod51031psh.outlook.com
Marc,
I would check that you have the right name for your OWA Policy.
Alex
Thank you for this. One question, how do I run a query that outputs the members of a specific Outlook Web App policy?
Hi guys,
I am trying to stop our students and staff from making groups…however just need a bit of help if possible.
I have created 3 policies…and now I want to apply, however I keep getting an error.
Policies are:
IT Admin Policy
Staff Policy
Student Policy
I can change the policy using Get-Mailbox (mailbox user) | where { $_.RoleAssignmentPolicy -Eq “Default Role Assignment Policy” } | Set-Mailbox -RoleAssignmentPolicy “Staff Policy”
and this in theory changes the policy, however the user is still able to create groups. I have unchecked the boxes to create groups within the policies themselves.
Any ideas? Or how I could use set-OwaMailboxPolicy -GroupCreationEnabled $false -Identity OwaMailboxPolicy-Default in my scenario?
Thanks in advance for help and replies.
Ajay
Hi Ajay,
As you’ve created 3 policies, you need to set the group creation policy for each.
set-OwaMailboxPolicy -GroupCreationEnabled $false -Identity "IT Admin Policy"
set-OwaMailboxPolicy -GroupCreationEnabled $false -Identity "Staff Policy"
set-OwaMailboxPolicy -GroupCreationEnabled $false -Identity "Student Policy"
Once you’ve done, you can then assign it to the user.
set-mailbox -identity Username -RoleAssignmentPolicy “Staff Policy”
Thanks mate I will give this a go.
Great article buddy
5stars
Hi guys…
I need to disable the option for users to create public groups, but I need the private group option to remain enabled.
Regards,
Paulo Mira
hi
thanks for the info. i get an error stating that “WARNING: The command completed successfully but no settings of ‘Student_OwaMailboxPolicy’ have been modified.”
any suggestions would be very much appreciated.
thanks
hi,
for anyone else getting the same error, it is because the setting is already in place. the commands also take quite a while to apply, therefore testing your changes in the live environment immediately after running the command makes it seem that they aren’t working.
you can use the “Get-OwaMailboxPolicy” command and look for the “GroupCreationEnabled” line to see if it has made the change.
to apply custom policies to groups of users, the following site has good info. https://msdn.microsoft.com/en-us/library/gg981506(v=exchsrvcs.149).aspx#AssignToMany
thanks again, you’ve saved me from days and days of manual changes!
I wrote a script that will do this for you 🙂
http://joseespitia.com/2016/08/11/prevent-users-from-creating-office-365-groups/
Hope it helps someone!
Hi, Does this apply to Office 365 hybrid users running Outlook 2010, 2013 and 2016? We want to shut down the ability for end-users to create Office 365 Groups.
I keep getting “The role assignment policy “Oakwood” wasn’t found… while in powershell
Hi Alex,
Thanks for sharing.
We have also come across this problem and have been able to rectify the problem by doing the following. (This may help someone who has a similar issue.)
In our scenario, we have a domain for our staff and students. The domains are as follows;
Staff: j.smith@school.com.au
Students: j.smith@2017.school.com.au (Graduation year before the domain name)
We want to disable group creation permission only for students.
1. Install the preview version of the Azure Active Directory Module for Windows PowerShell ( https://support.office.com/en-us/article/Control-who-can-create-Office-365-Groups-4c46c8cb-17d0-44b5-9776-005fced8e618 )
2. New-OwaMailboxPolicy -Name “StuRoleAssignmentPolicy”
3. Set-OwaMailboxPolicy -Identity StuRoleAssignmentPolicy -GroupCreationEnabled $false
4. Get-CASMailbox -ResultSize unlimited | WHERE {$_.RecipientTypeDetails -eq “UserMailbox” -and $_.PrimarySMTPAddress -like “*@2017.school.com.au”} | Set-CASMailbox -OWAMailboxPolicy “StuRoleAssignmentPolicy”
Hope it helps someone..!
What would I need to change here to apply the above to a different attribute, for example the Active Directory “Office” attribute populated with “ClassB”, or users from a different GAL?
Is it possible to set the OWA policies to a security group? So that I don’t have to remember to assign permissions for a new member of staff all the time
I’m afraid not