Do you have a requirement to restrict the creation of new Teams in Microsoft Teams to a specific group of people? Have you inherited an environment where there is already this restriction in place, but you have no idea how it has been set up?

Problem

How does a Microsoft Teams administrator restrict who can create new Microsoft Teams?

Solution

1. Begin by creating a security group in Microsoft Entra ID.

    i) Navigate to Microsoft Entra ID > Go to All groups > select New Group.

    ii) Fill out the group information, but make sure the Group type is set to Security. In this example, we will use the group name O365GroupsCreators.

Open PowerShell

2. Now that we have a group, open up PowerShell as an Administrator on your device. Run the following commands:

Code sample by Cloudaen
Install-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
Install-Module Microsoft.Graph.Beta.Groups
Install-Module Microsoft.Graph.Groups

3. Next, run the following script, making sure you fill in your group name:

Code sample by Microsoft
Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Beta.Groups

Connect-MgGraph -Scopes "Directory.ReadWrite.All", "Group.Read.All"

# Enter the name of your security group by replacing O365GroupsCreators
$GroupName = "O365GroupsCreators"
$AllowGroupCreation = "False"

$settingsObjectID = (Get-MgBetaDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id

if(!$settingsObjectID)
{
    $params = @{
        templateId = "62375ab9-6b52-47ed-826b-58e47e0e304b"
        values = @(
            @{
                name = "EnableMSStandardBlockedWords"
                value = "true"
            }
        )
    }

    New-MgBetaDirectorySetting -BodyParameter $params

    $settingsObjectID = (Get-MgBetaDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).Id
}

 
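# Filter server-side: an unfiltered Get-MgBetaGroup returns only the first page of groups,
# so the lookup could miss the group in a larger tenant and leave $groupId empty.
$groupId = (Get-MgBetaGroup -Filter "displayName eq '$GroupName'").Id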

$params = @{
	templateId = "62375ab9-6b52-47ed-826b-58e47e0e304b"
	values = @(
		@{
			name = "EnableGroupCreation"
			value = $AllowGroupCreation
		}
		@{
			name = "GroupCreationAllowedGroupId"
			value = $groupId
		}
	)
}

Update-MgBetaDirectorySetting -DirectorySettingId $settingsObjectID -BodyParameter $params

(Get-MgBetaDirectorySetting -DirectorySettingId $settingsObjectID).Values

The code above is taken from the following Microsoft support document.

Troubleshoot or find creation group

1. If you are having trouble finding which group has already been set up, use the following code to find it:

Code sample by Cloudaen
# Get-MgBetaDirectorySetting lives in the DirectoryManagement module
Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
									
Connect-MgGraph -Scopes "Directory.ReadWrite.All", "Group.Read.All"

$settingsObjectID = (Get-MgBetaDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id

(Get-MgBetaDirectorySetting -DirectorySettingId $settingsObjectID).Values
Sample Output

2. Now use the GroupCreationAllowedGroupId to find out what the name of the group is by using the following PowerShell command:

Code sample by Cloudaen
Import-Module Microsoft.Graph.Groups
									
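# Replace the placeholder with the GroupCreationAllowedGroupId value returned by the previous command
$groupId = "GroupCreationAllowedGroupId"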

Get-MgGroup -GroupId $groupId
Sample Output

You should now have the group name that has the ability to create new groups. You can either add yourself to this group or use the script found earlier to change it to a new security group.
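The two lookups above can be combined into one check that also covers the cases an inherited tenant tends to hide: creation not restricted at all, no creators group set, or a group ID that no longer resolves. This is an added example, not code from the original post or from Microsoft. The names Get-GroupCreationFinding and New-SettingValue, the stub lookup and the placeholder GUIDs are assumptions made for illustration.

```powershell
# Added example: classify the Values of the Group.Unified directory setting.
function Get-GroupCreationFinding {
    param(
        [Parameter(Mandatory)] [object[]] $Values,
        # The group lookup is injectable so the logic can be exercised without a tenant.
        [scriptblock] $ResolveGroup = { param($Id) Get-MgGroup -GroupId $Id -ErrorAction Stop }
    )
    $map = @{}
    foreach ($v in $Values) { $map[$v.Name] = [string]$v.Value }
    $allowedId = $map['GroupCreationAllowedGroupId']
    $name = $null

    if (-not $map.ContainsKey('EnableGroupCreation')) {
        $state = 'Unknown: EnableGroupCreation is missing from the setting'
    } elseif ($map['EnableGroupCreation'] -ne 'false') {   # string -ne is case-insensitive
        $state = 'Unrestricted: EnableGroupCreation is not false'
    } elseif ([string]::IsNullOrWhiteSpace($allowedId)) {
        $state = 'Restricted, but GroupCreationAllowedGroupId is empty'
    } else {
        try {
            $name  = (& $ResolveGroup $allowedId).DisplayName
            $state = 'Restricted to the named group'
        } catch {
            # A deleted or unreadable group leaves the policy pointing at nothing usable.
            $state = "Restricted, but the group lookup failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{ State = $state; GroupId = $allowedId; GroupName = $name }
}

# Constructed sample input: placeholder GUIDs and a stub lookup, not real tenant data.
$sampleId = '00000000-0000-0000-0000-000000000001'
$stub = {
    param($Id)
    if ($Id -ne $sampleId) { throw "group $Id not found" }
    [pscustomobject]@{ DisplayName = 'O365GroupsCreators' }
}
function New-SettingValue($Name, $Value) { [pscustomobject]@{ Name = $Name; Value = $Value } }

foreach ($candidate in $sampleId, '00000000-0000-0000-0000-000000000002', '') {
    $values = (New-SettingValue 'EnableGroupCreation' 'False'),
              (New-SettingValue 'GroupCreationAllowedGroupId' $candidate)
    Get-GroupCreationFinding -Values $values -ResolveGroup $stub
}

# Against a tenant, after Connect-MgGraph as in the steps above:
#   $s = Get-MgBetaDirectorySetting | Where-Object DisplayName -EQ 'Group.Unified'
#   Get-GroupCreationFinding -Values $s.Values
```

If `$s` comes back empty in the tenant form, no Group.Unified setting object exists yet, which is the case the creation script handles by building one from the template.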

Summary

When taking over someone else's environment, it can be tough to piece together configurations (especially if there is a lack of documentation). Hopefully this walkthrough helps you restrict the creation of new groups within your Office 365/Microsoft Teams environment, or guides you to the group that was set up in the past.

Related Documentation

Manage who can create Microsoft 365 Groups

Graph: Create groups

Graph: Get groups