M365

Managing Microsoft 365 Group Creation Permissions: Allowing Specific Users to Create Teams

In Microsoft 365, everyone can create groups by default, which enables seamless collaboration across Teams, Outlook, SharePoint, and more. However, organizations may want to limit this to specific users, such as team leads or trained staff, to manage resources and maintain compliance. In this guide, we’ll configure permissions so that only selected users can create Microsoft 365 Groups and Teams.

(Image – 1: the message a restricted user receives when attempting to create a team)

Why Enable Group Creation for Specific Users?

By limiting group creation permissions to a designated set of users, you gain greater control over the Teams environment and avoid unnecessary or non-compliant teams being created. This setup allows only approved users to create groups across various services, like Microsoft Teams, while keeping everyone else’s permissions restricted.

Note: These restrictions impact various Microsoft services, including Outlook, SharePoint, Viva Engage, and Planner, along with Teams.

Key Roles That Retain Group Creation Abilities

Certain admin roles retain permissions to create Microsoft 365 Groups, even if general creation permissions are restricted:

- Global Admins: can create groups in the Microsoft 365 admin center, Exchange, and SharePoint.
- Teams Service Admins: can create groups in the Teams admin center and Microsoft Entra ID.
- SharePoint Admins: can create groups in the SharePoint admin center and Microsoft Entra ID.

Admins in these roles can create groups for restricted users and assign them as group owners.

Steps to Enable Group Creation for a Specific Group of Users

Let’s go through the process of allowing only members of a designated group to create Microsoft 365 Groups, particularly in Teams.

Step 1: Create a Group to Control Permissions

Begin by creating a group in Microsoft 365 for the users who should be able to create Microsoft 365 Groups:

1. Open the Microsoft 365 Admin Center and go to Groups.
2. Click Add a Group and choose the group type.
3. Name your group (e.g., “Group Creators”) and add the people you want to allow group creation as members (not as owners).

Tip: You can add multiple people or even nest other groups under this main group for more flexible control.

(Image – 2: the created group)

Step 2: Run PowerShell Commands to Apply Settings

Next, we’ll use PowerShell to update settings and allow only the users in your newly created group to create Microsoft 365 Groups:

1. Install the Microsoft Graph PowerShell Beta module if you haven’t already.
2. Run Update-Module Microsoft.Graph.Beta to ensure it’s up to date.
3. Copy the following script into a text editor, replacing <GroupName> with the name of the group created in Step 1.

Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Beta.Groups

Connect-MgGraph -Scopes "Directory.ReadWrite.All", "Group.Read.All"

# Name of the group created in Step 1 whose members are allowed to create groups
$GroupName = "<GroupName>"
# "False" disables group creation for everyone outside that group
$AllowGroupCreation = "False"

# Look up the tenant-wide Group.Unified directory setting, if it already exists
$settingsObjectID = (Get-MgBetaDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id

if (!$settingsObjectID) {
    # No setting object yet: create one from the Group.Unified template
    $params = @{
        templateId = "62375ab9-6b52-47ed-826b-58e47e0e304b"
        values = @(
            @{
                name  = "EnableMSStandardBlockedWords"
                value = "true"
            }
        )
    }
    New-MgBetaDirectorySetting -BodyParameter $params
    $settingsObjectID = (Get-MgBetaDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id
}

# Resolve the allowed group by display name (server-side filter, so it works in tenants with more groups than one page)
$groupId = (Get-MgBetaGroup -Filter "displayName eq '$GroupName'").Id
if (-not $groupId) {
    throw "Group '$GroupName' was not found. Check `$GroupName before applying the setting."
}
if (@($groupId).Count -gt 1) {
    throw "More than one group is named '$GroupName'. Use a unique name so the right group is allowed."
}

$params = @{
    templateId = "62375ab9-6b52-47ed-826b-58e47e0e304b"
    values = @(
        @{
            name  = "EnableGroupCreation"
            value = $AllowGroupCreation
        }
        @{
            name  = "GroupCreationAllowedGroupId"
            value = $groupId
        }
    )
}

Update-MgBetaDirectorySetting -DirectorySettingId $settingsObjectID -BodyParameter $params

# Read the setting back to confirm the values that were written
(Get-MgBetaDirectorySetting -DirectorySettingId $settingsObjectID).Values

Important: If you want to switch to a different group in the future, update $GroupName in the script with the new group name and rerun the script.

4. Save the file as GroupCreators.ps1.
5. Open PowerShell, navigate to the file location, and run:

.\GroupCreators.ps1

(Image – 3: result after executing the script)

Step 3: Verify the Changes

After updating, allow about 30 minutes for the changes to take effect. Here’s how to verify:

1. Log in with a user account that is not a member of the “Group Creators” group.
2. Open Microsoft Teams and attempt to create a new team. You should see a message indicating that team creation is disabled.
3. Now, try the same with a user who is a member of the “Group Creators” group. They should be able to create a team successfully.

Suggested Articles

1. Getting Started with Conditional Access Policies in Azure Entra: Enable MFA with Microsoft’s Default Policies
2. Use Case Scenario: Adding Multiple Users to Calendar Access
3. How to Silently Synchronize SharePoint Site Library to File Explorer using Intune

Reference: https://learn.microsoft.com/en-us/microsoft-365/solutions/manage-creation-of-groups?view=o365-worldwide
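The manual check in Step 3 only tells you what one user sees in Teams. The following script is an added example, not part of the original post: it reads the Group.Unified setting back through the same Microsoft.Graph.Beta cmdlets the article uses, reports which group is allowed to create groups, and checks whether a given user is (directly or through a nested group) a member of it. The function names, the scopes in the connect line and the sample UPN are the author's own assumptions, not Microsoft cmdlet names. Note that it evaluates the setting only; admins holding the roles listed above can still create groups regardless of the result, and changes can take the 30 minutes mentioned in Step 3 to show up in Teams.

```powershell
# Added example, not part of the original post. Reads back the Group.Unified directory
# setting written by GroupCreators.ps1 and checks whether a given user may create groups.
# Assumes the Microsoft.Graph.Beta modules used in the article and a session opened with:
#   Connect-MgGraph -Scopes "Directory.Read.All", "GroupMember.Read.All", "User.Read.All"
# The function names are the author's own, not Microsoft cmdlets.

function Get-GroupCreationPolicy {
    # Group.Unified is the tenant-wide template; its Values are Name/Value pairs
    $setting = Get-MgBetaDirectorySetting | Where-Object DisplayName -eq "Group.Unified"
    if (-not $setting) {
        # No setting object at all means the template defaults apply: everyone may create groups
        return [pscustomobject]@{ EnableGroupCreation = $true; AllowedGroupId = $null; AllowedGroupName = $null }
    }
    $values = @{}
    foreach ($v in $setting.Values) { $values[$v.Name] = $v.Value }

    $enable = $values["EnableGroupCreation"]
    if ([string]::IsNullOrEmpty($enable)) { $enable = "true" }   # template default when the key is absent
    $allowedId = $values["GroupCreationAllowedGroupId"]
    $allowedName = if ($allowedId) { (Get-MgBetaGroup -GroupId $allowedId).DisplayName } else { $null }

    [pscustomobject]@{
        EnableGroupCreation = [bool]::Parse($enable)
        AllowedGroupId      = $allowedId
        AllowedGroupName    = $allowedName
    }
}

function Test-UserCanCreateGroups {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $policy = Get-GroupCreationPolicy
    if ($policy.EnableGroupCreation) { return $true }      # creation is open to everyone
    if (-not $policy.AllowedGroupId) {
        # Restricted with no allowed group: only the admin roles listed in the article can create groups
        return $false
    }
    $userId = (Get-MgBetaUser -UserId $UserPrincipalName).Id
    # Transitive lookup so that groups nested under the allowed group (the article's Tip) count too
    $memberIds = (Get-MgBetaGroupTransitiveMember -GroupId $policy.AllowedGroupId -All).Id
    return [bool]($memberIds -contains $userId)
}

# Usage:
# Get-GroupCreationPolicy
# Test-UserCanCreateGroups -UserPrincipalName "someone@contoso.example"   # constructed sample UPN
```

Running Get-GroupCreationPolicy immediately after the script in Step 2 is a quick way to catch the failure mode worth watching for with this setting: EnableGroupCreation set to False with an empty AllowedGroupId, which blocks group creation for every non-admin user instead of just the unapproved ones.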


Getting Started with Conditional Access Policies in Azure Entra: Enable MFA with Microsoft’s Default Policies

With modern security requirements, organizations need to secure user identities and access beyond the traditional network. Microsoft Entra Conditional Access helps organizations implement strong security controls, enforcing policies based on user identity, device compliance, and network location. In this article, we’ll walk through the steps to enable Conditional Access policies with Microsoft’s default policy templates to enforce Multi-Factor Authentication (MFA) and safeguard your organization.

What is Conditional Access?

As organizational security extends beyond physical networks, protecting access with identity-driven policies has become crucial. Microsoft Entra Conditional Access is a Zero Trust policy engine that combines signals (like user location and device compliance) to make intelligent access control decisions. It’s a powerful way to enforce if-then conditions on access—if a user wants to access a resource, then they must complete an action, like verifying identity with MFA.

Example of Conditional Access Policy: If a user attempts to access Microsoft 365, they must complete Multi-Factor Authentication to gain access.

This security model ensures that only verified users can access your organization’s resources, providing greater protection against unauthorized access.

Conditional Access Policies and Their Benefits

Conditional Access is a key feature for tenants with Microsoft Entra ID P1 or P2 licenses, designed to enable stronger identity and access management controls. With Conditional Access policies, you can enforce various security measures, like MFA, for specific scenarios based on conditions like device, location, or identity type. These policies play a significant role in protecting cloud resources, especially when users connect from outside secure networks. Enforcing MFA with Conditional Access is particularly useful for securing Microsoft 365 and Azure resources, providing additional layers of verification to prevent unauthorized access.

In this guide, we’ll configure Microsoft’s four default policy templates to simplify the setup and enhance overall security.

Step-by-Step Guide to Enabling Conditional Access Policies in Azure Entra

In this guide, we’ll enable Microsoft’s default Conditional Access policies for MFA, covering the essential steps to set up these policies for the first time in a new tenant.

Step 1: Disable Security Defaults

By default, new tenants in Microsoft Entra come with Security Defaults enabled. Security Defaults provide baseline protection, but to use Conditional Access, you’ll first need to disable these settings.

Method 1: Disabling Security Defaults in Entra Admin Center

1. Open Entra Admin Center.
2. Navigate to Identity → Overview → Properties.
3. Select Manage Security Defaults and toggle off the security defaults.

(Image-1: Disabling Security Defaults in Entra Admin Center)

Method 2: Disabling Security Defaults via Conditional Access Policy Setup

1. Go to Entra Admin Center.
2. Navigate to Protection → Conditional Access.
3. Access Security Defaults and toggle off the option to disable security defaults.

(Image-2: Disabling Security Defaults from Conditional Access Policy Setup)

Step 2: Enable Microsoft’s Default Conditional Access Policies for MFA

Once Security Defaults are disabled, you can use Microsoft’s default Conditional Access policy templates to quickly set up MFA across your organization. The four default policies available are:

- Block Legacy Authentication: Prevents access using outdated protocols that don’t support MFA, reducing security risks.
- Multi-Factor Authentication for Azure Management: Enforces MFA for users managing Azure resources to protect critical administrative actions.
- Multi-Factor Authentication for Admins: Applies MFA to admin accounts to secure these highly privileged roles.
- Multi-Factor Authentication for All Users: Enforces MFA for all users in the organization to secure general access.

How to Enable Default Policy Templates

In Conditional Access, while disabling Security Defaults, an additional option will appear: replace Security Defaults by enabling Conditional Access policies. Make sure to select this option, as it will enable all four of Microsoft’s default policy templates for MFA.

(Image-3: Enabling Microsoft’s Default Conditional Access Policy Templates)

Important: Ensure you select the option to replace Security Defaults with Conditional Access policies. This option will allow you to use Microsoft’s pre-configured policy templates effectively.

Now, we have successfully enabled Microsoft’s four Conditional Access policy templates.

(Image-4: Successfully Enabled the Four MFA Policies through Conditional Access)

Step 3: Exclude Global Admin Account to Prevent Lockouts

After enabling the Conditional Access policies, make sure to exclude your Global Admin account from MFA requirements within these policies. Excluding the Global Admin account is essential to prevent potential lockouts during login. To do this:

1. Go to each policy you’ve enabled and select Assignments.
2. In Users and groups, select Exclude and choose your Global Admin account.

(Image-5: Configuring Exclusions for Global Admin Account in Conditional Access Policy)

Conclusion

Congratulations! You have successfully enabled Conditional Access policies in Azure Entra and enforced MFA for added security. With these policies in place, your organization is better protected against unauthorized access. Remember to periodically review and update your policies as your security needs evolve. By following this guide, you’re taking important steps toward a Zero Trust security model, ensuring that only verified and compliant users can access sensitive resources.

Suggested Posts

1. Use Case Scenario: Adding Multiple Users to Calendar Access
2. How to Configure OneDrive Files On-Demand Sync: Mastering Configuration for Intune Administrators
3. Easily Copy Group Memberships Between Users in Microsoft 365 Using PowerShell

These posts can further enhance your understanding of tools and methods that improve productivity in your organization.
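The three steps above are all done in the portal, so there is no record of the end state other than screenshots. The following script is an added example, not part of the original post: it uses the Microsoft Graph PowerShell cmdlets Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy and Get-MgIdentityConditionalAccessPolicy to report whether Security Defaults are still on (Step 1), which policies exist and in what state (Step 2), and whether each enforced policy excludes the Global Admin account (Step 3). The function name, the scopes on the connect line and the sample UPN are the author's own assumptions. The excluded account is in effect a break-glass account, so the report also flags policies that exclude nothing and policies left in report-only mode, which are the two states most often overlooked after this setup.

```powershell
# Added example, not part of the original post. Reviews the state the guide leaves the tenant in:
# Security Defaults off, the template policies present, and the Global Admin account excluded.
# Assumes the Microsoft.Graph modules and a session opened with:
#   Connect-MgGraph -Scopes "Policy.Read.All", "User.Read.All"
# The function name and the Findings wording are the author's own, not Microsoft's.

function Get-ConditionalAccessReview {
    param([Parameter(Mandatory)][string]$ExcludedAdminUpn)

    $adminId = (Get-MgUser -UserId $ExcludedAdminUpn).Id
    $securityDefaultsOn = (Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled

    $policies = foreach ($p in Get-MgIdentityConditionalAccessPolicy) {
        $users = $p.Conditions.Users
        [pscustomobject]@{
            DisplayName     = $p.DisplayName
            State           = $p.State   # enabled, disabled or enabledForReportingButNotEnforced
            AdminExcluded   = [bool]($users.ExcludeUsers -contains $adminId)
            HasAnyExclusion = [bool]$users.ExcludeUsers -or [bool]$users.ExcludeGroups
        }
    }

    $findings = @(
        if ($securityDefaultsOn) {
            "Security Defaults are still enabled; complete Step 1 before relying on Conditional Access."
        }
        if (-not $policies) {
            "No Conditional Access policies exist; the template policies from Step 2 were not created."
        }
        foreach ($p in $policies | Where-Object { $_.State -eq 'enabled' -and -not $_.AdminExcluded }) {
            "'$($p.DisplayName)' is enforced but does not exclude $ExcludedAdminUpn (lockout risk, see Step 3)."
        }
        foreach ($p in $policies | Where-Object { $_.State -eq 'enabledForReportingButNotEnforced' }) {
            "'$($p.DisplayName)' is in report-only mode and is not yet enforcing MFA."
        }
    )

    [pscustomobject]@{
        SecurityDefaultsEnabled = $securityDefaultsOn
        Policies                = $policies
        Findings                = $findings
    }
}

# Usage:
# $review = Get-ConditionalAccessReview -ExcludedAdminUpn "admin@contoso.example"   # constructed sample UPN
# $review.Policies | Format-Table
# $review.Findings
```

Because the account excluded in Step 3 bypasses MFA on every policy, the report is worth re-running whenever policies are edited: a policy recreated from a template comes back without the exclusion, and the first sign of that is usually an admin locked out.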


Easily Copy Group Memberships Between Users in Microsoft 365 Using PowerShell

Managing users and their group memberships is a critical task in any IT environment. In Microsoft 365 (M365), this often involves Azure Active Directory (Azure AD) and Exchange Online. Admins frequently need to copy group memberships from one user to another. While this task is relatively simple in traditional on-premises Active Directory, the process in M365, particularly for Azure AD and Exchange distribution lists, requires more steps.

This blog will introduce a PowerShell script that automates the process of copying Azure AD group memberships and Exchange distribution lists from one user to another. Whether you’re onboarding a new employee, handling a role change, or transferring permissions, this script will save time and reduce errors.

(Image-1: the lines of the script that need to change)

Why Would You Need to Copy Group Memberships?

In various scenarios, copying a user’s group memberships becomes a vital part of user management:

- Onboarding and Role Transition: When a new user joins or an existing employee changes roles, they may need to inherit group memberships from another user.
- User Offboarding: Transferring permissions and group memberships to another user ensures continued access to resources without manual intervention.
- Standardization: Assigning consistent permissions and access rights by copying group memberships from a template user to new users can standardize access across the organization.

In on-premises Active Directory, copying group memberships between users can be easily done through PowerShell or even GUI-based tools. However, in the cloud-based M365 environment, this becomes more complex as it involves Azure AD and Exchange Online, which manage both security groups and distribution lists.

Why Not Use GUI Tools?

While Microsoft 365 Admin Center provides tools for managing users and groups, there is no out-of-the-box feature to easily copy group memberships between users. The process becomes tedious if you manually go through each group for one user, especially when dealing with a large number of groups or distribution lists. Using a PowerShell script helps streamline the process, making it faster, more accurate, and more repeatable. Plus, it can log each action taken, providing admins with visibility into what’s been done.

Introducing the PowerShell Script

This PowerShell script is designed to:

- Copy all Azure AD security group memberships from one user to another.
- Copy all Exchange Online distribution lists from the source user to the target user.
- Log the results (both successes and failures) to a CSV file for easy review.

By the end of this process, the target user will have the same group memberships as the source user, ensuring consistent access across Azure AD and Exchange Online environments.

Pre-requisites:

Before running the script, make sure:

- You have PowerShell installed on your machine.
- You have administrative credentials for Azure AD and Exchange Online.
- You’re familiar with the users whose memberships you need to copy.

Customization:

Based on your requirements, update the following lines in the script:

- Line 23: Connect-ExchangeOnline -UserPrincipalName [email protected] – Replace with the admin email you use for Exchange Online.
- Lines 26-27: sourceUser and targetUser – Replace these with the email addresses of the users you’re working with.

You can change these variables to suit your needs and copy memberships between any users in your tenant. For more clarification check the Image-1 above.

The Script:

Here’s the full PowerShell script for copying group memberships from a source user to a target user, along with logging and module checks:

# Script created by Nifan for copying Azure AD and Exchange Online group memberships
# This script connects to Azure AD and Exchange Online, copying group memberships
# and logging the results.

# Check and install the AzureAD module if not already installed
if (-not (Get-Module -ListAvailable -Name AzureAD)) {
    Install-Module -Name AzureAD -Force -AllowClobber
}

# Check and install the Exchange Online module if not already installed
if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
    Install-Module -Name ExchangeOnlineManagement -Force -AllowClobber
}

# Import the installed modules
Import-Module AzureAD
Import-Module ExchangeOnlineManagement

# Connect to Azure AD (will prompt for credentials)
Connect-AzureAD

# Connect to Exchange Online (will prompt for credentials again)
Connect-ExchangeOnline -UserPrincipalName "[email protected]"   # Enter your admin user for Exchange Online

# Define the source and target users
$sourceUser = "[email protected]"
$targetUser = "[email protected]"

# Output file for logging results
$logFile = "C:\GroupCopyResults.csv"

# Initialize the log file with headers and credit
"Created by: Nifan`nGroup Name,Type,Status" | Out-File $logFile

# Step 1: Get the Azure AD group memberships of the source user
# Resolve both users once; the target's ObjectId is reused for every Add-AzureADGroupMember call
$sourceId = (Get-AzureADUser -ObjectId $sourceUser).ObjectId
$targetId = (Get-AzureADUser -ObjectId $targetUser).ObjectId
# Get-AzureADUserMembership also returns directory roles, so keep group objects only
$groups = Get-AzureADUserMembership -ObjectId $sourceId -All $true | Where-Object { $_.ObjectType -eq 'Group' }

# Add the target user to each of the Azure AD groups the source user is a member of
foreach ($group in $groups) {
    try {
        # Add the target user to the Azure AD group
        Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $targetId
        # Log success
        "$($group.DisplayName),Azure AD Group,Success" | Out-File $logFile -Append
    } catch {
        # Log failure with error message
        "$($group.DisplayName),Azure AD Group,Failed – $($_.Exception.Message)" | Out-File $logFile -Append
    }
}

# Step 2: Now handle distribution lists (DLs) in Exchange Online
# Get the list of distribution groups the source user is a member of
# (-ResultSize Unlimited: the cmdlets otherwise return only the first 1000 objects)
$dlGroups = Get-DistributionGroup -ResultSize Unlimited | Where-Object {
    (Get-DistributionGroupMember -Identity $_.Identity -ResultSize Unlimited).PrimarySmtpAddress -contains $sourceUser
}

# Add the target user to each distribution list
foreach ($dl in $dlGroups) {
    try {
        # Add the target user to the distribution list
        Add-DistributionGroupMember -Identity $dl.Identity -Member $targetUser
        # Log success
        "$($dl.DisplayName),Distribution List,Success" | Out-File $logFile -Append
    } catch {
        # Log failure with error message
        "$($dl.DisplayName),Distribution List,Failed – $($_.Exception.Message)" | Out-File $logFile -Append
    }
}

# Notify the user where the results are saved
Write-Host "Results saved to $logFile"

# Disconnect from Azure AD and Exchange Online
Disconnect-AzureAD
Disconnect-ExchangeOnline -Confirm:$false   # Use -Confirm:$false to suppress the confirmation prompt

Key Components of the Script

Azure AD Group Membership: This part of the script copies Azure AD security groups using the Get-AzureADUserMembership and Add-AzureADGroupMember cmdlets. The source user’s groups are fetched and the target user is added to each group.

Exchange Distribution Groups: Exchange Online’s distribution groups are handled using the Get-DistributionGroup and Add-DistributionGroupMember cmdlets. The script checks if the source user is part of a distribution
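The script above adds the target to every group and relies on the catch block to report what could not be done. Copying memberships is also a privilege grant, so a practitioner usually wants to see the difference before changing anything. The following is an added example, not part of the original post or the author's script: a dry-run version of the Azure AD half that lists which groups the target is missing, skips groups the target already belongs to, leaves mail-enabled groups to the Exchange Online step, and only then adds memberships, with -WhatIf support. It uses the same AzureAD cmdlets as the article; the function names, the CSV path and the sample UPNs are the author's own assumptions. Note that the AzureAD module is deprecated in favour of Microsoft Graph PowerShell, where the same logic maps onto Get-MgUserMemberOf and New-MgGroupMember.

```powershell
# Added example, not part of the original post. A diff-then-apply version of the Azure AD
# half of the script: shows what would change, then adds only the missing memberships.
# Assumes the AzureAD module and an existing Connect-AzureAD session.
# Function names, the default log path and the sample UPNs are the author's own choices.

function Get-MissingGroupMemberships {
    param(
        [Parameter(Mandatory)][string]$SourceUser,
        [Parameter(Mandatory)][string]$TargetUser
    )
    $sourceId = (Get-AzureADUser -ObjectId $SourceUser).ObjectId
    $targetId = (Get-AzureADUser -ObjectId $TargetUser).ObjectId

    # Get-AzureADUserMembership also returns directory roles; keep real groups only
    $sourceGroups   = Get-AzureADUserMembership -ObjectId $sourceId -All $true | Where-Object { $_.ObjectType -eq 'Group' }
    $targetGroupIds = (Get-AzureADUserMembership -ObjectId $targetId -All $true | Where-Object { $_.ObjectType -eq 'Group' }).ObjectId

    foreach ($g in $sourceGroups) {
        $action = if ($targetGroupIds -contains $g.ObjectId) { 'AlreadyMember' }
                  elseif ($g.MailEnabled) { 'Skipped: mail-enabled, handle in Exchange Online' }
                  else { 'ToAdd' }
        [pscustomobject]@{
            GroupName       = $g.DisplayName
            ObjectId        = $g.ObjectId
            SecurityEnabled = $g.SecurityEnabled
            Action          = $action
        }
    }
}

function Copy-SecurityGroupMemberships {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SourceUser,
        [Parameter(Mandatory)][string]$TargetUser,
        [string]$LogFile = "$env:TEMP\GroupCopyResults.csv"   # assumed default path
    )
    $targetId = (Get-AzureADUser -ObjectId $TargetUser).ObjectId

    $results = foreach ($item in Get-MissingGroupMemberships -SourceUser $SourceUser -TargetUser $TargetUser) {
        if ($item.Action -ne 'ToAdd') { $item; continue }
        # With -WhatIf, ShouldProcess returns $false and the planned change is only displayed
        if ($PSCmdlet.ShouldProcess($item.GroupName, "Add $TargetUser")) {
            try {
                Add-AzureADGroupMember -ObjectId $item.ObjectId -RefObjectId $targetId
                $item.Action = 'Added'
            } catch {
                # Dynamic-membership groups and other non-assignable groups end up here
                $item.Action = "Failed: $($_.Exception.Message)"
            }
        }
        $item
    }

    $results | Export-Csv -Path $LogFile -NoTypeInformation
    $results
}

# Usage (constructed sample UPNs): review first, then apply
# Copy-SecurityGroupMemberships -SourceUser "alice@contoso.example" -TargetUser "bob@contoso.example" -WhatIf
# Copy-SecurityGroupMemberships -SourceUser "alice@contoso.example" -TargetUser "bob@contoso.example"
```

Separating the diff from the apply step also makes the script safe to re-run: a second run reports every group as AlreadyMember instead of producing a log full of "already exists" failures, and the CSV written by Export-Csv records the decision taken for every group, including the ones deliberately skipped.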
