Microsoft Teams - Restricting Team Creation - PowerShell & UI
Do you have a requirement to restrict the creation of new Teams in Microsoft Teams to a specific group of people? Have you inherited an environment where there is already this restriction in place, but you have no idea how it has been set up?
Problem
How does a Microsoft Teams administrator restrict who can create new Microsoft Teams?
Solution
1. Begin by creating a security group in Microsoft Entra ID.
- i) Navigate to Microsoft Entra ID > Go to All groups > select New Group.
- ii) Fill out the group information, but make sure the Group type is set to Security. In this example, we will use the group name O365GroupsCreators.
Open PowerShell
2. Now that we have a group, open up PowerShell as an Administrator on your device. Run the following commands:
Install-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
Install-Module Microsoft.Graph.Beta.Groups
Install-Module Microsoft.Graph.Groups
3. Now, run the following command next and make sure you fill in your group name:
Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Beta.Groups
Connect-MgGraph -Scopes "Directory.ReadWrite.All", "Group.Read.All"
# Enter your name of your security group by replacing O365GroupsCreators
$GroupName = "O365GroupsCreators"
$AllowGroupCreation = "False"
$settingsObjectID = (Get-MgBetaDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
if(!$settingsObjectID)
{
$params = @{
templateId = "62375ab9-6b52-47ed-826b-58e47e0e304b"
values = @(
@{
name = "EnableMSStandardBlockedWords"
value = "true"
}
)
}
New-MgBetaDirectorySetting -BodyParameter $params
$settingsObjectID = (Get-MgBetaDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).Id
}
$groupId = (Get-MgBetaGroup | Where-object {$_.displayname -eq $GroupName}).Id
$params = @{
templateId = "62375ab9-6b52-47ed-826b-58e47e0e304b"
values = @(
@{
name = "EnableGroupCreation"
value = $AllowGroupCreation
}
@{
name = "GroupCreationAllowedGroupId"
value = $groupId
}
)
}
Update-MgBetaDirectorySetting -DirectorySettingId $settingsObjectID -BodyParameter $params
(Get-MgBetaDirectorySetting -DirectorySettingId $settingsObjectID).Values
The code above is cited from the the following Microsoft support document.
Troubleshoot or find creation group
1. If you are having issues finding what group has already been set up, use the following code to find the group:
Import-Module Microsoft.Graph.Beta.Groups
Connect-MgGraph -Scopes "Directory.ReadWrite.All", "Group.Read.All"
$settingsObjectID = (Get-MgBetaDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
(Get-MgBetaDirectorySetting -DirectorySettingId $settingsObjectID).Values
Sample Output
2. Now use the GroupCreationAllowedGroupId to find out what the name of the group is by using the following PowerShell command:
Import-Module Microsoft.Graph.Groups
$groupId = "GroupCreationAllowedGroupId"
Get-MgGroup -GroupId $groupId
Sample Output
You should now have the group name that has the ability to create new groups. You can either add yourself to this group or use the script found earlier to change it to a new security group.
Summary
When taking over some other person's environment, it can be tough to piece together configurations (especially if there is a lack of documentation). Hopefully this walkthrough helps you to restrict creating new groups within your Office 365/Microsoft Teams environment or guides you to find the group that has been set up in the past.