Stop users from being able to create Microsoft Teams
How to block users from being able to create Teams by restricting who can create Microsoft 365 groups using PowerShell Set-AzureADDirectorySetting
- Teams use Microsoft 365 groups, and by default all users can create Microsoft 365 groups.
- Access to create Teams can be controlled by restricting who can create Microsoft 365 unified groups.
In the next steps, we will use Azure AD PowerShell to change the Azure AD directory setting to restrict access to create unified groups to a group called "Teams Admins".
Install Azure AD PowerShell Modules
You'll need to install both the Azure AD PowerShell general availability module and the public preview module, because the Get-AzureADDirectorySetting cmdlet is available in the Azure AD preview module.
    # Install Azure AD PowerShell modules
    Install-Module AzureAD
    Install-Module AzureADPreview -AllowClobber -Force
Create Azure AD security group for Teams Admins
Users in this group will have permissions to create Teams.
    # Connect to Azure AD using the preview module
    AzureADPreview\Connect-AzureAD

    # Create Azure AD group
    New-AzureADGroup -Description "Members of this group can create Teams" -DisplayName "Teams Admins" -MailEnabled $false -SecurityEnabled $true -MailNickName "teamsadmins"
Get existing group creation settings using PowerShell Get-AzureADDirectorySetting
Before we begin, let's check what the existing settings are for creating M365 groups.
    # Get Azure AD directory settings for unified groups.
    # An empty $settingsObjectID means no Group.Unified settings object exists yet.
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id
    (Get-AzureADDirectorySetting -Id $settingsObjectID).Values
Change AzureADDirectorySetting to restrict creating Teams
The following PowerShell will restrict creation of Teams to members of the group "Teams Admins":
    $GroupName = "Teams Admins"
    $AllowGroupCreation = $False

    # Look up the existing Group.Unified settings object, if there is one
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id
    if (!$settingsObjectID) {
        # No settings object yet: create one from the Group.Unified template
        $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "group.unified" }
        $settingsCopy = $template.CreateDirectorySetting()
        New-AzureADDirectorySetting -DirectorySetting $settingsCopy
        $settingsObjectID = (Get-AzureADDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id
    }

    # Turn off group creation for everyone except the named group
    $settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
    $settingsCopy["EnableGroupCreation"] = $AllowGroupCreation
    if ($GroupName) {
        $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).ObjectId
    } else {
        $settingsCopy["GroupCreationAllowedGroupId"] = $GroupName
    }

    # Save the change and display the resulting values
    Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy
    (Get-AzureADDirectorySetting -Id $settingsObjectID).Values
Check that users can't create Teams
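One way to check the result from PowerShell, as an added example that is not part of the original article: the function below re-reads the Group.Unified setting, confirms it points at the intended group, and lists who can still create Teams. The function name Test-TeamsCreationRestriction and its parameter are hypothetical; it uses only the AzureAD/AzureADPreview cmdlets already used above plus Get-AzureADGroupMember.

```powershell
# Added example: audit the Group.Unified setting after the change above.
# Assumes AzureADPreview\Connect-AzureAD has already been run in this session.
function Test-TeamsCreationRestriction {
    param([string]$ExpectedGroupName = "Teams Admins")

    $setting = Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq "Group.Unified" }
    if (-not $setting) {
        # No settings object means the tenant is still on defaults:
        # every user can create Microsoft 365 groups, and therefore Teams.
        Write-Warning "No Group.Unified setting exists; group creation is unrestricted."
        return $false
    }

    $enabled   = $setting["EnableGroupCreation"]
    $allowedId = $setting["GroupCreationAllowedGroupId"]
    $ok = $true

    if ("$enabled" -ne "false") {
        Write-Warning "EnableGroupCreation is '$enabled'; all users can still create groups."
        $ok = $false
    }

    if ([string]::IsNullOrEmpty($allowedId)) {
        Write-Warning "GroupCreationAllowedGroupId is empty; '$ExpectedGroupName' is not set as the allowed group."
        return $false
    }

    try {
        $group = Get-AzureADGroup -ObjectId $allowedId -ErrorAction Stop
    } catch {
        Write-Warning "GroupCreationAllowedGroupId '$allowedId' does not resolve to a group."
        return $false
    }
    if ($group.DisplayName -ne $ExpectedGroupName) {
        Write-Warning "Allowed group is '$($group.DisplayName)', expected '$ExpectedGroupName'."
        $ok = $false
    }

    # Everyone listed here can still create Teams, so review membership regularly.
    Get-AzureADGroupMember -ObjectId $allowedId -All $true |
        Select-Object DisplayName, UserPrincipalName, ObjectType |
        Out-Host
    return $ok
}

Test-TeamsCreationRestriction
```

The function returns $true only when creation is disabled tenant-wide and the exempt group is the expected one.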