Friday, January 25, 2019

Procedure to prevent end users from creating SharePoint Online sites and groups

Most companies will establish a SharePoint Online site governance policy and provide a self-provisioning process for sites and groups. So the question is how to prevent end users from creating sites and groups on their own.
Microsoft provides the following two procedures.
  1. Manage site creation in SharePoint Online
  2. Manage who can create Office 365 Groups
Since the first step is straightforward, you can apply it quickly. The second step is tedious, so I've modified the Microsoft PowerShell script to make it easier. First create the security group as instructed, then pass the group name to the script. The script prints whether the configuration completed successfully or failed. Here is the modified script.

# You might need to set up your environment before running this script
#Install-Module AzureADPreview
#Import-Module AzureADPreview

# Input argument: display name of the security group whose members may create groups
param([Parameter(Mandatory = $true)][string]$mySecurityGroupName)

Set-ExecutionPolicy -Scope Process -Confirm:$False -ExecutionPolicy Bypass -Force
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

Connect-AzureAD
$mySecurityGroup = $mySecurityGroupName #"SPCreator"

# -SearchString can return more than one group, so keep only the exact display name
$myGroup = @(Get-AzureADGroup -SearchString $mySecurityGroup | where {$_.DisplayName -eq $mySecurityGroup})
if ($myGroup.Count -ne 1) {
    # Stop here: disabling group creation without a valid allowed group would lock everyone out
    Write-Output "Expected exactly one group named $mySecurityGroup but found $($myGroup.Count). No changes made."
    return
}
$Id = $myGroup[0].ObjectId

# Look for the Group.Unified setting specifically; other directory settings may already exist
$Setting = Get-AzureADDirectorySetting | where {$_.DisplayName -eq 'Group.Unified'}

if ($null -eq $Setting) {
    # Create the setting from its template if the tenant does not have one yet
    $Template = Get-AzureADDirectorySettingTemplate | where {$_.DisplayName -eq 'Group.Unified'}
    $Setting = $Template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $Setting
    $Setting = Get-AzureADDirectorySetting | where {$_.DisplayName -eq 'Group.Unified'}
}

$flag = $Setting["EnableGroupCreation"]
Write-Output "Group creation enabled before = $flag"

# Turn off group creation for everyone except members of the allowed group
$Setting["EnableGroupCreation"] = $False
$flag = $Setting["EnableGroupCreation"]
Write-Output "Group creation enabled after = $flag"

#$Setting["EnableGroupCreation"] = $True
$Setting["GroupCreationAllowedGroupId"] = $Id

Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting

# Read the saved setting back and confirm it points at the intended group
$newSetting = Get-AzureADDirectorySetting -Id $Setting.Id
#$newSetting.Values

foreach ($value in $newSetting.Values)
{
    if ($value.Name -eq "GroupCreationAllowedGroupId") {
        if ($Id -eq $value.Value) {
            Write-Output "Only members of the group named $mySecurityGroup can create groups now!"
        }
        else {
            Write-Output "Group named $mySecurityGroup is not configured correctly!"
        }
    }
}

If you need to prevent users from creating Yammer, Planner, or anything else that would create SharePoint groups or sites, you could further disable their licenses and restrict creation.
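
To confirm later that the restriction applied by the script above is still in place, the following read-only audit reports the current Group.Unified values and lists who is in the allowed group. It is an added example, not part of the original script or Microsoft's procedure; the `$ExpectedGroupName` parameter is hypothetical and its default is the sample name from the script's comment.

```powershell
# Added example: read-only audit of the Group.Unified setting (makes no changes).
# Requires the AzureADPreview module, as the script above does.
param([string]$ExpectedGroupName = "SPCreator")   # assumption: sample group name

Connect-AzureAD | Out-Null

$setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
if ($null -eq $setting) {
    Write-Warning "No Group.Unified setting exists; tenant defaults apply and group creation is not restricted."
    return
}

$enabled   = $setting["EnableGroupCreation"]
$allowedId = $setting["GroupCreationAllowedGroupId"]
Write-Output "EnableGroupCreation         = $enabled"
Write-Output "GroupCreationAllowedGroupId = $allowedId"

# Setting values are stored as strings; -ne compares case-insensitively
if ("$enabled" -ne "False") {
    Write-Warning "EnableGroupCreation is not False: group creation is open to all users."
}

if ([string]::IsNullOrEmpty($allowedId)) {
    Write-Warning "No allowed group is configured."
    return
}

# The stored ID can outlive the group it pointed to (for example after the group is deleted)
try {
    $group = Get-AzureADGroup -ObjectId $allowedId -ErrorAction Stop
}
catch {
    Write-Warning "GroupCreationAllowedGroupId does not resolve to an existing group."
    return
}

if ($group.DisplayName -ne $ExpectedGroupName) {
    Write-Warning "Allowed group is '$($group.DisplayName)', expected '$ExpectedGroupName'."
}

# List direct members; ObjectType makes nested groups visible for review
$members = @(Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true)
Write-Output "Direct members of '$($group.DisplayName)': $($members.Count)"
$members | Sort-Object DisplayName |
    Select-Object DisplayName, UserPrincipalName, ObjectType |
    Format-Table -AutoSize
```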
