Internal 500 Server Error after trying to Manage who can create Office 365 Groups

Authored by Craig Jahnke

I came across an unexpected error after trying to manage who could create Office 365 Groups by using a Security group called “SharePoint Admins”.

I followed the instructions here:
and ran the PowerShell scripts needed:

    # Install the preview module and sign in to the tenant
    Install-Module AzureADPreview
    Connect-AzureAD
    # Confirm the security group exists
    Get-AzureADGroup -SearchString "SharePoint Admins"
    # Create the Group.Unified directory setting from its template
    $Template = Get-AzureADDirectorySettingTemplate | where {$_.DisplayName -eq 'Group.Unified'}
    $Setting = $Template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $Setting
    # Turn off group creation for everyone except members of the security group
    $Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
    $Setting["EnableGroupCreation"] = $False
    $Setting["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString "SharePoint Admins").objectid
    Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting

I tested it by trying to create a new Plan in Planner and by creating a new Team collaboration site in SharePoint.  In Planner I got a message that I couldn’t create a new Plan because the creation of Groups is restricted.  In the SharePoint app the +Create site button disappeared.  This is expected, so I thought “Awesome!”
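
The same restriction can also be read back from the directory instead of being inferred from the Planner and SharePoint UI. The following read-only check is an added example, not part of the original post or the instructions it followed; it assumes the AzureADPreview module and an existing Connect-AzureAD session, and the function name Test-GroupCreationRestriction and the test user's UPN are hypothetical placeholders.

```powershell
# Added example: read-only audit of the Group.Unified directory setting.
# Assumes AzureADPreview is installed and Connect-AzureAD has already been run.
function Test-GroupCreationRestriction {
    param(
        [string]$GroupName,     # display name of the allowed security group
        [string]$TestUserUpn    # user expected to be able to create groups
    )

    # -SearchString can return more than one group, which would put an array
    # into GroupCreationAllowedGroupId. Require one exact display-name match.
    $groups = @(Get-AzureADGroup -SearchString $GroupName |
        Where-Object { $_.DisplayName -eq $GroupName })
    if ($groups.Count -ne 1) {
        throw "Expected exactly one group named '$GroupName', found $($groups.Count)."
    }
    $group = $groups[0]

    $setting = Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
    if (-not $setting) {
        throw 'No Group.Unified directory setting found; tenant defaults apply.'
    }

    # Values are stored as strings, so compare them as strings.
    $enabled   = $setting['EnableGroupCreation']
    $allowedId = $setting['GroupCreationAllowedGroupId']

    # Direct members only; nested membership is not expanded by this check.
    $members  = @(Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true)
    $isMember = [bool]($members |
        Where-Object { $_.UserPrincipalName -eq $TestUserUpn })

    [pscustomobject]@{
        EnableGroupCreation = $enabled
        AllowedGroupId      = $allowedId
        ExpectedGroupId     = $group.ObjectId
        RestrictionInPlace  = ("$enabled" -eq 'False') -and
                              ($allowedId -eq $group.ObjectId)
        AllowedMemberCount  = $members.Count
        TestUserIsMember    = $isMember
    }
}

# Constructed placeholder UPN; replace with the real test account.
Test-GroupCreationRestriction -GroupName 'SharePoint Admins' `
    -TestUserUpn 'testuser@contoso.example'
```

Running it before and after a membership change also gives a record of how many accounts hold the right to create Groups.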

When I added my test user as a member to the group, I could create a new plan in Planner (“Great!”), and the + Create site button showed back up in SharePoint (“Cool!”).

But if I clicked + Create site, I received a pop up asking “Are you sure you want to leave?”


If I clicked either Leave or Stay, I got prompted again, and eventually I ended up with a “500 Internal Server Error”.

The Global admins could still create them, so it must be some kind of permissions error that I didn’t know about. I did some searching and found this post: One of the replies said that you had to add the person to the Site Collection Administrators permissions group in the root site collection of the tenant. I did that, and it started working again!


Hope this helps!