In Microsoft Teams everyone can create a new Teams by default. It makes sense in terms of collaboration. But often companies want to prevent this cause nobody wants to clean up afterwords. The admins are left in chaos and can see there are a lot of groups, teams und exchange mailboxes but usage is almost zero. That’s why companies often disable the option. In this post i will show you how you can prevent users from creating new Teams while you define a AD Group whose members exceptionally can create Teams.
Microsoft Teams provides by default everyone the possibility to create a Team. Simple click on the Join or create a Team button:
If you disable the ability to create groups, it will have impact on other services:
- SharePoint
- Yammer
- Microsoft Teams
- Microsoft Stream
- Planner
- PowerBI
- Project for the web
Administrators will still be able to create Groups, but the normal user will not be able to create a Planner if you disable Group creation. You should consider this in your plan.
Step 1 Create an AD-Group for those who are allowed to create a Teams
You can create a Security Group “MayCreateO365Group”. Then you can define people in your organization who are allowed to create O365 Groups.
Admin Center -> Groups -> Add a Group -> Choose Security Group -> Finish
Step 2: Prevent all other users from Creating Teams / Groups
Now we have to enable the creation of groups for a particular securyty group. The one we created in step 1 above. And we disable group creation for default. We are using the following script therefor.
# Install the Azure AD Module (make sure you have the latest version) In this case you need the AzureADPreview
Install-Module AzureADPreview
#Security Group in Azure AD for users who can create Office 365 Groups!
$GroupName = "MayCreateM365Group" #Change the Name of the group to your needs
$AllowGroupCreation = "False"
Connect-AzureAD
$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
if(!$settingsObjectID)
{
$template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
$settingsCopy = $template.CreateDirectorySetting()
New-AzureADDirectorySetting -DirectorySetting $settingsCopy
$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
}
$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
$settingsCopy["EnableGroupCreation"] = $AllowGroupCreation
if($GroupName)
{
$settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -Filter "DisplayName eq '$GroupName'").objectId
}
else {
$settingsCopy["GroupCreationAllowedGroupId"] = $GroupName
}
Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy(Get-AzureADDirectorySetting -Id $settingsObjectID).ValuesUsers who are not members of this group will not be able to create a Microsoft Teams or Offic 365 Group and related services. I found this pretty cool idea and script from this post.
It should look afterwords like this:
You should think about creating a self-service or a process, so that users know a way to request a teams or planner or whatever they need to get their work done.
If you like to change this group you can rerun this script with new groupname.