microsoft365 groupsBy default, all users can create Microsoft 365 groups. This is the recommended approach to allow users to collaborate without needing assistance from IT. However, some companies require more strict permissions around who can create groups. You can restrict Microsoft 365 Group creation to members of a particular security group. Limiting this permission affects all services that rely on groups for access, including:

To configure this, you must first have access to Windows Powershell. In this article, we will walk you through the needed steps. 

the following steps do not prevent members of roles like the Office 365 Global admins from creating groups. Other roles can also create Groups via limited means, seen below.

To manage who can create groups, the following people need AD Premium licenses or Azure AD Basic EDU licenses assigned to them:

The following people don't need Azure AD Premium or Azure AD Basic EDU licenses assigned to them:

The steps we will cover in this article are:

Step 1: Create a security group for users who are permitted to create Microsoft 365 groups

Step 2: Run PowerShell commands
Step 3: Verify that it works


Step 1: Create a security group for users who need to create Microsoft 365 groups.

Only one security group can control who has the permissions to create groups. But, you can create nested groups within this parent group. IMPORTANT. Be sure to use a security group to restrict who can create groups. Using a Microsoft 365 group is not supported.

  1. In the admin center, go to the Groups page.
  2. Click on Add a Group.
  3. Choose Security as a group type. Remember the name of the group! You'll need it later.
  4. Finish setting up the security group, adding people or other security groups who you want to create groups in your org.


Step 2: Run PowerShell commands.

Open the preview version of Azure Active Directory PowerShell for Graph (AzureAD), module name AzureADPreview. To change the group-level guest access setting:

Copy the script below into a text editor, replace <SecurityGroupName> with the name of the security group that you created in step 1. For example:

$GroupName = "Group Creators"

Save the file as In the PowerShell window, navigate to the location where you saved the file (type “CD”). Run the script by typing


and sign in with your administrator account when prompted.

$GroupName = "<SecurityGroupName>"
$AllowGroupCreation = $False


$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id if(!$settingsObjectID)

$template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"} $settingsCopy = $template.CreateDirectorySetting() New-AzureADDirectorySetting -DirectorySetting $settingsCopy $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id


$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID $settingsCopy["EnableGroupCreation"] = $AllowGroupCreation

if($GroupName) { $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).objectid } else { $settingsCopy["GroupCreationAllowedGroupId"] = $GroupName } Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

(Get-AzureADDirectorySetting -Id $settingsObjectID).Values

The last line of the script will display the updated settings:

PowerShell Microsoft365 Group Script

If in the future you want to change which security group is used, you can rerun the script with the name of the new security group.

If you want to turn off the group creation restriction, set $GroupName to “” and $AllowGroupCreation to “True” and rerun the script.


Step 3: Verify that it works.

Changes can take thirty minutes or more to take effect. You can verify the new settings by doing the following:

  1. Sign in to Microsoft 365 with a user account of someone who should NOT have the ability to create groups. That is, they are not a member of the security group you created or an administrator.
  2. Select the Planner tile.
  3. In Planner, select New Plan in the left navigation to create a plan.
  4. You should get a message that plan and group creation is disabled.

Try the same procedure again with a member of the security group.

And then you have successfully set up a system that only allows specified members from creating Microsoft 365.

For more information, see the official Microsoft documentation on this feature here.