Restrict Users from Creating new teams in Microsoft Teams and Office 365 Groups

David
Jul 18, 2020

Microsoft Teams is becoming the modern workspace, and more companies, groups, and individuals are adopting it as a collaboration tool as its features get better by the day. But imagine every user in your organization or tenant being able to create their own teams at will, with no form of control or restriction.

Creating the team in itself might not be much of a problem if it all ended in Microsoft Teams alone, but every team created also creates an Office 365 group on the back end, which in turn creates other Office 365 services.

When a team is created in Microsoft Teams, it creates the following.

It is a good idea to control who can create a team in Microsoft Teams or, better said, who can create an Office 365 group. By default, all Microsoft Teams users can create a team and, in turn, create multiple unwanted Office 365 groups.

Users can navigate to Teams >> Join or create team >> Create Team button to create a team. In this article I will describe how to disable this option for end users.

Note: The steps will disable the ability to create Office 365 groups in all Microsoft 365 services that use groups, including:

  • Outlook
  • SharePoint
  • Yammer
  • Microsoft Teams
  • Microsoft Stream
  • Planner
  • PowerBI
  • Project for the web

These steps will not prevent members of certain Administrator roles from creating Groups.

STEP 1 — CREATE SECURITY GROUP FOR USERS WHO CAN CREATE OFFICE 365 GROUP

Note: it is important that you use a Security Group and not an Office 365 Group.

  • In the admin center, go to the Groups > Groups page.
  • Click on Add a Group.
  • Choose Security as the group type. Remember the name of the group! I will use “AllowedToCreateOffice365Group” in my example.
  • Finish setting up the security group, adding the people or other security groups who you want to be able to create groups in your tenant.

STEP 2: RUN POWERSHELL COMMANDS

  • Open PowerShell and run as Administrator (I prefer the PowerShell ISE). In case the script pane is not showing, click “View” on the menu bar and check “Show Script Pane”.

# Install the Azure AD Module (make sure you have the latest version)
Install-Module AzureADPreview

If you have the 2.0 general availability version of the Azure AD PowerShell module (AzureAD) installed, run Uninstall-Module AzureAD to uninstall it, then run Install-Module AzureADPreview.

Run the PowerShell below. You can run it in two ways: save the PowerShell to a file, e.g. AllowedToCreateOffice365Group.ps1, and run it from the path, like C:\Users\UserAccount\Desktop\AllowedToCreateOffice365Group.ps1, or copy and paste the PowerShell into the script pane and make the necessary modification.

$GroupName = "<SecurityGroupName>"
$AllowGroupCreation = "False"

Connect-AzureAD

# Look up the tenant's existing Group.Unified directory setting, if there is one
$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
if(!$settingsObjectID)
{
    # No setting object yet: create one from the Group.Unified template
    $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
    $settingsCopy = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $settingsCopy
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
}

# Set whether group creation is allowed for everyone
$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
$settingsCopy["EnableGroupCreation"] = $AllowGroupCreation

# Point the setting at the security group whose members may still create groups
if($GroupName)
{
    $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -Filter "DisplayName eq '$GroupName'").objectId
}
else {
    # An empty name clears the allowed group
    $settingsCopy["GroupCreationAllowedGroupId"] = $GroupName
}

# Write the setting back and show the resulting values
Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy
(Get-AzureADDirectorySetting -Id $settingsObjectID).Values

Modifications

You will need to change $GroupName in the script to the name of your Office 365 security group.

Once you run the script, it will prompt for an admin logon, and then you will see output like the below.

Licensing requirements

To manage who creates groups, the admin who configures these group creation settings and the members of the security group who are allowed to create groups need Azure AD Premium licenses or Azure AD Basic EDU licenses assigned.

In a recent update, as announced here, Microsoft has shipped Azure Active Directory Premium P1 with Microsoft 365 Business Premium; other SKUs might need to purchase standalone Active Directory Premium P1, Active Directory Premium P2 or Enterprise Mobility + Security.

After running the PowerShell script, we have the result below.

Any user who is not a member of the security group will not be able to create a Microsoft Teams team or an Office 365 group, which gives the admin control over Office 365 group creation on the tenant.

If in the future you want to change which security group is used, you can rerun the script with the name of the new security group. If you change your mind the following day and decide to allow everyone to start creating groups, modify the script as below and run it again.
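To confirm from PowerShell what the tenant is actually enforcing, the added example below (not part of the original article or of the script above) reads the Group.Unified setting back and lists the direct members of the allowed group. The function name Get-GroupCreationPolicy is hypothetical; it only reads, and it assumes the AzureADPreview module from Step 2.

```powershell
# Added example: read-only audit of the group creation restriction.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

function Get-GroupCreationPolicy {   # hypothetical helper name
    $result = [pscustomobject]@{ State = $null; AllowedGroup = $null; Creators = @() }

    $setting = Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq "Group.Unified" }
    if (-not $setting) {
        # No Group.Unified object: the tenant is still on the default
        $result.State = "Default: all users can create groups"
        return $result
    }

    $allowedId = $setting["GroupCreationAllowedGroupId"]
    if ($setting["EnableGroupCreation"] -eq "True") {
        $result.State = "Open: EnableGroupCreation is True"
        return $result
    }
    if ([string]::IsNullOrWhiteSpace($allowedId)) {
        # Restricted but empty, e.g. the name in $GroupName matched no group
        $result.State = "Restricted: no allowed group is set"
        return $result
    }

    try {
        $group = Get-AzureADGroup -ObjectId $allowedId -ErrorAction Stop
    } catch {
        $result.State = "Broken: $allowedId does not resolve to a group"
        return $result
    }

    # Step 1 asks for a security group, not an Office 365 group
    if (-not $group.SecurityEnabled) {
        Write-Warning "'$($group.DisplayName)' is not security-enabled"
    }

    $result.State        = "Restricted to members of the allowed group"
    $result.AllowedGroup = "$($group.DisplayName) ($allowedId)"
    # Direct members only; nested groups show up with ObjectType 'Group'
    $result.Creators     = @(Get-AzureADGroupMember -ObjectId $allowedId -All $true |
        Select-Object ObjectType, DisplayName, UserPrincipalName)
    return $result
}

Get-GroupCreationPolicy | Format-List
```

Running it again after any change to the setting or to the group's membership gives a record of who can create groups at that point in time.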

$GroupName = ""
$AllowGroupCreation = "True"

When you run it, you will have the result below.

See Microsoft article for reference

If you have any doubts, please email me at olusola@exabyte.com.ng or use the comment section.

David

Microsoft Certify Trainer | CyberSecurity Enthusiast | DevOps