Teams creation

In Microsoft Teams, a Team is a space where people can come together to collaborate and work on a shared topic. How you create and use teams may vary from organisation to organisation and there isn’t a prescriptive statement on when to create one. By default, every user in the tenant has the ability to create new teams. The number of Teams can get out of hand quickly in a company, so sometimes we want a way to limit how and when they are created to make sure we’re keeping on course. We don’t want to stop people from collaborating: we just want to make sure they are doing it in a way that meets the needs of the business and any security and governance concerns we might have along the way.

When we create a Team through Microsoft Teams we are actually creating an Office 365 Group behind the scenes. An Office 365 Group is a special kind of group that exists in Azure AD and the Microsoft 365 suite. Once created, an Office 365 Group spawns other sub-elements such as a SharePoint Team Site, an Exchange Online Mailbox, a OneNote Notebook, a Planner Board, and a Power BI Workspace.

You can actually create an Office 365 Group from many places within Microsoft 365 such as Outlook, SharePoint, Planner, Microsoft Stream, and more. The fact that they can be created in so many ways is one of the reasons that we may opt to restrict Teams creation.

How do we restrict Teams creation?

The restriction process itself is actually far less complicated than deciding who to restrict it to. There are two simple steps, the second of which requires you to have the Azure AD PowerShell module available, followed by a verification step.

The complete steps can be found at https://docs.microsoft.com/en-us/microsoft-365/admin/create-groups/manage-creation-of-groups?view=o365-worldwide.

Step 1: Create a security group for users who need to create Microsoft 365 groups

Only one security group in your organization can be used to control who is able to create Groups. But, you can nest other security groups as members of this group.

Admins in the roles that Microsoft exempts from this restriction (listed in the documentation linked above) do not need to be members of this group: they retain their ability to create groups.

Important: Be sure to use a security group to restrict who can create groups. Using a Microsoft 365 group is not supported.

  1. In the admin centre, go to the Groups page.
  2. Click on Add a Group.
  3. Choose Security as the group type. Remember the name of the group! You’ll need it later.
  4. Finish setting up the security group, adding people or other security groups who you want to be able to create groups in your org.

Step 2: Run PowerShell commands

You must use the preview version of Azure Active Directory PowerShell for Graph (AzureAD) (module name AzureADPreview) to change the group creation setting:

  • If you haven’t installed any version of the Azure AD PowerShell module before, see Installing the Azure AD Module and follow the instructions to install the public preview release.
  • If you have the 2.0 general availability version of the Azure AD PowerShell module (AzureAD) installed, you must uninstall it by running Uninstall-Module AzureAD in your PowerShell session, and then install the preview version by running Install-Module AzureADPreview.
  • If you have already installed the preview version, run Install-Module AzureADPreview to make sure it’s the latest version of this module.

Copy the script below into a text editor, such as Notepad, or the Windows PowerShell ISE.

Replace <SecurityGroupName> with the name of the security group that you created. For example:

$GroupName = "Group Creators"

Save the file as GroupCreators.ps1.

In the PowerShell window, navigate to the location where you saved the file (type cd followed by the folder path).

Run the script by typing:

.\GroupCreators.ps1

and sign in with your administrator account when prompted.

$GroupName = "<SecurityGroupName>"
$AllowGroupCreation = "False"

Connect-AzureAD

# Look up the tenant-wide "Group.Unified" setting; create it from the template if it does not exist yet.
$settingsObjectID = (Get-AzureADDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id
if (!$settingsObjectID)
{
    $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }
    $settingsCopy = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $settingsCopy
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id
}

$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
# "False" turns creation off for everyone except exempt admins and members of the allowed group.
$settingsCopy["EnableGroupCreation"] = $AllowGroupCreation

if ($GroupName)
{
    # Match the display name exactly: -SearchString is a prefix match and could select the wrong group.
    $allowedGroup = @(Get-AzureADGroup -Filter "DisplayName eq '$GroupName'")
    if ($allowedGroup.Count -ne 1)
    {
        throw "Expected exactly one group named '$GroupName' but found $($allowedGroup.Count)."
    }
    $settingsCopy["GroupCreationAllowedGroupId"] = $allowedGroup[0].ObjectId
}
else
{
    # An empty group name clears the allowed group (used when re-enabling creation for all users).
    $settingsCopy["GroupCreationAllowedGroupId"] = $GroupName
}
Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

# Display the updated settings.
(Get-AzureADDirectorySetting -Id $settingsObjectID).Values

The last line of the script displays the updated settings, so you can confirm on the spot that EnableGroupCreation is False and that GroupCreationAllowedGroupId holds the object ID of your security group.

If in the future you want to change which security group is used, you can rerun the script with the name of the new security group.

If you want to turn off the group creation restriction and again allow all users to create groups, set $GroupName to “” and $AllowGroupCreation to “True” and rerun the script.

Step 3: Verify that it works

Changes can take thirty minutes or more to take effect. You can verify the new settings by doing the following:

  1. Sign in to Microsoft 365 with a user account of someone who should NOT have the ability to create groups. That is, they are not a member of the security group you created or an administrator.
  2. Select the Planner tile.
  3. In Planner, select New Plan in the left navigation to create a plan.
  4. You should get a message that plan and group creation is disabled.

Try the same procedure again with a member of the security group.
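Testing in Planner tells you whether one account is blocked, but it does not tell you whether the setting is pointing at the right group, whether that group really is a security group (see the warning in Step 1), or which users end up with creation rights once nested security groups are expanded. The following audit script is an added example, not part of the original post or of Microsoft's documentation. It assumes the AzureADPreview module and an existing Connect-AzureAD session; the user principal name near the end is a placeholder you replace with the account you intend to test.

```powershell
# Added audit script (not from the original post or Microsoft's documentation).
# Reads back the Group.Unified directory setting, checks that the allowed group is a
# security group rather than a Microsoft 365 group, and lists the effective creators
# by expanding nested security groups. Assumes AzureADPreview and a Connect-AzureAD session.

$Setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
if (-not $Setting) {
    Write-Warning "No Group.Unified setting exists: tenant defaults apply and every user can create groups."
    return
}

$EnableGroupCreation = $Setting["EnableGroupCreation"]
$AllowedGroupId      = $Setting["GroupCreationAllowedGroupId"]
Write-Output "EnableGroupCreation         : $EnableGroupCreation"
Write-Output "GroupCreationAllowedGroupId : $AllowedGroupId"

if ($EnableGroupCreation -eq "True") {
    Write-Warning "Group creation is still open to all users; the restriction is not in effect."
}

if ([string]::IsNullOrEmpty($AllowedGroupId)) {
    Write-Warning "No allowed group is set: only administrators in the exempt roles can create groups."
    return
}

# Get-AzureADMSGroup exposes GroupTypes, which contains "Unified" for a Microsoft 365 group.
$Group = Get-AzureADMSGroup -Id $AllowedGroupId
if ($Group.GroupTypes -contains "Unified" -or -not $Group.SecurityEnabled) {
    Write-Warning "'$($Group.DisplayName)' is not a security group; the restriction will not work as intended."
} else {
    Write-Output "Allowed group               : $($Group.DisplayName) (security group)"
}

# Expand nested security groups so the report lists every user who can create groups.
function Get-EffectiveMembers {
    param([string]$GroupId, [System.Collections.Generic.HashSet[string]]$Seen)
    if (-not $Seen.Add($GroupId)) { return }   # guard against membership cycles
    foreach ($m in Get-AzureADGroupMember -ObjectId $GroupId -All $true) {
        if ($m.ObjectType -eq "Group")    { Get-EffectiveMembers -GroupId $m.ObjectId -Seen $Seen }
        elseif ($m.ObjectType -eq "User") { $m }
    }
}

$Creators = @(Get-EffectiveMembers -GroupId $AllowedGroupId -Seen ([System.Collections.Generic.HashSet[string]]::new()))
Write-Output "Users who can create groups ($($Creators.Count)):"
$Creators | Sort-Object UserPrincipalName | Select-Object DisplayName, UserPrincipalName | Format-Table -AutoSize

# Spot-check the account you plan to test with in Planner (placeholder UPN).
$TestUpn   = "someone@contoso.example"
$IsCreator = $Creators.UserPrincipalName -contains $TestUpn
Write-Output "$TestUpn can create groups: $IsCreator"
```

Run it right after the GroupCreators.ps1 script and again after the thirty-minute propagation window. The membership listing is the part worth keeping: because nested groups are honoured, a user can gain creation rights through a group several levels down, and that is what a reviewer will want to see, not just the top-level group name.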
