One of the questions that I sometimes get asked is how to prevent users from creating groups / workspaces in Power BI. I recently found out this is actually possible, and in this blog post we’ll look at how you can set that up. But before we continue it is good to understand how workspaces in Power BI currently work. Whenever you create a workspace, it automatically creates a group with the same name in Azure AD and Office 365. This makes sure you can use Office 365 features such as files in the document library, the calendar, and conversations.
By default all users in Office 365 have permission to create Office 365 Groups, and Power BI follows this. By design, Office 365 Groups are intended to be created and managed by both admins and end users, to foster better collaboration among the team members of a project or among students and staff. However, some organizations practice a strong security policy and as a result require Office 365 Group creation to be controlled only by specific users. The theme here is of course that workspaces and groups in Power BI are based on Azure AD and Office 365. That means you can also use those management tools to manage the security around it, just as you would for Office 365. Let’s look at how you can do this and what it does to your Power BI. I used these two great blog posts to make it work:
https://drewmadelung.com/managing-office-365-group-creation-via-azure-ad/
http://www.jijitechnologies.com/blogs/disable-office365-group-creation-in-azureAD
I mostly used code from the top one to get it up and running. This is completely based on PowerShell commands that make changes to your Azure AD instance; there is no UI for it today.
Just one word of warning: please do not immediately run this in production, and make sure you get advice from your Azure AD/PowerShell specialist, as I am neither.
Here is the code to make it happen. I took it from the blog posts above, which cover the actual PowerShell commands in more detail.
```powershell
# Install the AzureAD Preview if needed
Save-Module -Name AzureADPreview -Path C:\temp\ad
Install-Module -Name AzureADPreview

# Install AD http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=59185
# From this download get the Azure Active Directory PowerShell V1 Preview

# These are your AD credentials; it should be a user who is AD admin.
# YOURUSERNAME and PASSWORD are placeholders: do not save a real admin password
# in a script file (Get-Credential prompts for it instead).
$username = "YOURUSERNAME"
$password = ConvertTo-SecureString -String "PASSWORD" -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $password

# Connect to Azure AD
Connect-MsolService -Credential $cred

# Check all the settings
Get-MsolAllSettings | ForEach-Object Values

# Does it return any value? Then get the group ID you want here
Get-MsolGroup
# If no value is returned, go to Azure AD and get the ID of the group you want
# to enable from the Azure AD UI.

# Now finally run this to disable group creation and then enable it for the
# group we picked up above.
# If you leave the group ID empty, creating groups will only be possible for
# admins, not for groups. You can change this later; one of the blog posts
# above describes how.
$Gpmodify = Get-MsolSettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }
$Setobj = $Gpmodify.CreateSettingsObject()
$Setobj["EnableGroupCreation"] = "false"
$Setobj["GroupCreationAllowedGroupId"] = "GROUPID"
New-MsolSettings -SettingsObject $Setobj

# Check if it is set correctly:
Get-MsolAllSettings | ForEach-Object Values
```
Now we can see that the Group Creation is turned off except for
Now let’s see what this does for one of my users. I now log into Power BI as my non-admin user and try to create a group:
This results in:
Which is exactly what we want.
Now I go back to Power BI and add the user to the “PBIGroupUsers” group that I gave access to create groups:
And when we now try again, it works and the group\workspace gets created:
So that is it. It is pretty cool that this just works.
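To confirm the restriction from a script rather than by reading the raw settings output, the following added example (not from the original post or the linked blog posts) reads the Group.Unified setting and lists who may still create groups. It uses the AzureADPreview cmdlets rather than the Msol cmdlets shown above; the function name `Get-GroupCreationPolicy` is hypothetical, and an existing `Connect-AzureAD` session is assumed.

```powershell
# Added example: read-only audit of the Group.Unified directory setting.
# Assumes the AzureADPreview module and an existing Connect-AzureAD session.
function Get-GroupCreationPolicy {   # hypothetical helper name
    [CmdletBinding()]
    param()

    # A tenant that never customised group settings has no Group.Unified
    # object; the default then applies and every user can create groups.
    $setting = Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
    if (-not $setting) {
        return [pscustomobject]@{
            Restricted   = $false
            AllowedGroup = $null
            Members      = @()
            Note         = 'No Group.Unified setting; all users can create groups.'
        }
    }

    # Values is a list of Name/Value pairs; the values are stored as strings.
    $values = @{}
    foreach ($v in $setting.Values) { $values[$v.Name] = [string]$v.Value }
    $restricted = $values['EnableGroupCreation'] -eq 'false'
    $groupId    = $values['GroupCreationAllowedGroupId']

    $group = $null
    $members = @()
    if ($groupId) {
        $group = Get-AzureADGroup -ObjectId $groupId
        # Direct members only; nested groups appear as entries without a UPN.
        $members = @(Get-AzureADGroupMember -ObjectId $groupId -All $true |
            ForEach-Object { if ($_.UserPrincipalName) { $_.UserPrincipalName } else { $_.DisplayName } })
    }

    $note = if (-not $restricted) {
        'Group creation is open to all users.'
    } elseif (-not $groupId) {
        'Restricted; only admins can create groups.'
    } else {
        'Restricted; admins and members of the allowed group can create groups.'
    }

    [pscustomobject]@{
        Restricted   = $restricted
        AllowedGroup = if ($group) { $group.DisplayName } else { $null }
        Members      = $members
        Note         = $note
    }
}

Get-GroupCreationPolicy | Format-List
```

Running this on a schedule and comparing the `Members` list against the expected one shows when someone has been added to the allowed group.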
Does this also affect other O365 services? Could a person create a Team or Planner or other Group construct?
It does affect other services as well; all of this infrastructure is shared. If you are part of the group that is allowed, you can create anything. If not, you cannot (I believe).
Any ideas how we can allow a member to author & upload content while denying the ability to administer the group, i.e. add/remove members?