How to restrict Microsoft 365 users from creating new Teams

  • Post last modified:August 7, 2023

Microsoft Teams can really get out of hand, especially as by default, any user in your organisation licensed to use Microsoft Teams can create a new Team without much control. 

Over time you may find yourself, as an administrator of your Microsoft 365 environment, with a completely bloated tenant, filled with Teams, Groups and hundreds of SharePoint sites. 

In this tutorial, I am going to show you how you can restrict the creation of Microsoft Teams to a specific group of users.

Pre-requisites

In this tutorial, we are going to use Microsoft Graph PowerShell to run the necessary script to block users from creating new Teams. If you haven’t installed the Microsoft Graph PowerShell module yet, see How to install the Microsoft Graph PowerShell module.

You must also ensure you have global administrator access to your Microsoft 365 tenant.

Create a group for users approved to create new Teams

The first thing you need to do is define who can create new Teams by creating a group and including the users approved to create Teams in that group. Of course, it goes without saying that your Teams administrators will be able to create new Teams, so this just applies to any user without the Teams Administrator role (or a role that encompasses it, like Global Administrator).

Use the Microsoft 365 or Azure AD admin center to create a new group that contains your desired users.

Create a new group

Connect to Microsoft Graph PowerShell

Firstly, open PowerShell and then use the script below to connect to Microsoft Graph PowerShell. The script will import the necessary Groups and DirectoryManagement modules, select the beta graph profile and connect to Microsoft Graph with the following permissions:

  • Group.ReadWrite.All
  • GroupMember.ReadWrite.All
  • Directory.ReadWrite.All

Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Identity.DirectoryManagement

# Select-MgProfile is a Microsoft Graph PowerShell SDK v1 cmdlet; it was removed in SDK v2
Select-MgProfile -name beta

Connect-MgGraph -Scopes "Group.ReadWrite.All", "GroupMember.ReadWrite.All", "Directory.ReadWrite.All"

Block all users from creating new Teams

To block all users from creating new Teams, you will need to create a new directory setting that has the EnableGroupCreation parameter set to False. Let’s break down how we can use Microsoft Graph PowerShell to create a new directory setting which blocks users from creating new Teams and only allows a specific group of users to create new Teams.

Firstly, we have to define some parameters. $GroupName is the name of the group that will be allowed to create new Teams. $AllowGroupCreation is either True or False and determines whether, by default, users can create new Teams.

$GroupName = "test"
$AllowGroupCreation = "False"

Once the variables are defined, we use Get-MgGroup to store the object ID of the group in a variable called $groupid. We then use an IF statement to check whether that variable holds anything; if it doesn’t, the script tells the user that the specified group does not exist and stops.

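# Look the group up by exact display name on the server side.
# -match is a regex substring match and could return other groups whose names contain $GroupName.
$groupid = (Get-MgGroup -Filter "displayName eq '$GroupName'").Id

If (!$groupid) {
    Write-Host "The specified group '$GroupName' does not exist" -ForegroundColor Yellow
    Start-Sleep -Seconds 2
    Return
}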

We are now going to do a similar task with the directory settings. Firstly we are going to define if there are any existing directory settings which target unified groups. We will then store that result in the $settingsObjectID variable. If this is the first time completing this task, this variable will be returned empty, which is expected.

$settingsObjectID = (Get-MgDirectorySetting | `
Where-object -Property Displayname -Value "Group.Unified" -EQ).id

Here we are checking if the variable is empty and if it is, then we are going to store the ID of the directory settings template for unified groups in the $templateid variable. Then we will define some parameters to create our new directory settings with the template id, then run New-MgDirectorySetting to create a new setting based on the template. The last thing we do here is to store the ID of the new directory setting into the $settingsobjectID variable using Get-MgDirectorySetting.

if (!$SettingsObjectID) {
$templateid = (Get-MgDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}).id
$params = @{
	TemplateId = $templateid
}
New-MgDirectorySetting -BodyParameter $params
$settingsObjectID = (Get-MgDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
}

Now that we have either created a new directory setting or confirmed that an existing directory setting is already in place, we need to update it with our desired information. Here we define our new parameters using the variables we defined earlier.

$params = @{
	Values = @(
		@{
			Name = "EnableGroupCreation"
			Value = $AllowGroupCreation
		}
        @{
			Name = "GroupCreationAllowedGroupId"
			Value = $groupid
		}
	)
}

Then we use the Update-MgDirectorySetting cmdlet to update the new directory setting with the information stored in our $params variable.

Update-MgDirectorySetting -DirectorySettingId $settingsObjectID `
-BodyParameter $params

The last step of the script is to alert the user that the settings have been updated and display the new settings on the screen.

Write-host "Group settings have been updated" -ForegroundColor Green

(Get-MgDirectorySetting -DirectorySettingId $settingsObjectID).values

Here is what the expected output will look like.

Update group settings with Microsoft Graph PowerShell

The full Microsoft Graph PowerShell script to block users from creating Teams

Here is the full script for you to copy and paste. It is also available on my public GitHub repository here.

$GroupName = "test" #Specify the allowed Teams creators group name
$AllowGroupCreation = "False" #Specify True or False

Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Select-MgProfile -name beta
Connect-MgGraph -Scopes "Group.ReadWrite.All", "GroupMember.ReadWrite.All", "Directory.ReadWrite.All"
 
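# Exact-name lookup; -match would also return any group whose name merely contains $GroupName
$groupid = (Get-MgGroup -Filter "displayName eq '$GroupName'").Id
 
If (!$groupid) {
    Write-Host "The specified group '$GroupName' does not exist" -ForegroundColor Yellow
    Return   # stop here so the setting is not updated with an empty group ID
}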
 
$settingsObjectID = (Get-MgDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
 
if (!$SettingsObjectID) {
    $templateid = (Get-MgDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}).id
    $params = @{
    	TemplateId = $templateid
    }
    New-MgDirectorySetting -BodyParameter $params
    $settingsObjectID = (Get-MgDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
}
 
$params = @{
	Values = @(
		@{
			Name = "EnableGroupCreation"
			Value = $AllowGroupCreation   # use the variable defined at the top of the script
		}
        @{
			Name = "GroupCreationAllowedGroupId"
			Value = $groupid
		}
	)
}
 
Update-MgDirectorySetting -DirectorySettingId $settingsObjectID `
-BodyParameter $params
 
Write-host "Group settings have been updated" -ForegroundColor Green
(Get-MgDirectorySetting -DirectorySettingId $settingsObjectID).values
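
A read-only check to run after the script, added here as an example and not part of the original post or the author's repository: it reads the Group.Unified setting back, warns if creation is still open or the stored group ID no longer resolves, and lists the direct members of the creators group. The function name Test-TeamsCreationRestriction is hypothetical, and the same connected SDK v1 beta-profile session used above is assumed.

```powershell
# Added example (not the author's code): audit the Group.Unified directory setting.
# Assumes the SDK v1 session with the beta profile from this tutorial is already connected.
# Test-TeamsCreationRestriction is a hypothetical helper name.

function Test-TeamsCreationRestriction {
    # Read back the tenant-wide Group.Unified setting the tutorial script creates or updates
    $setting = Get-MgDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
    if (-not $setting) {
        Write-Warning "No Group.Unified directory setting exists: creation is not restricted."
        return
    }

    # Turn the name/value pairs into a hashtable for easy lookup
    $values = @{}
    foreach ($v in $setting.Values) { $values[$v.Name] = $v.Value }

    $enabled   = $values["EnableGroupCreation"]
    $allowedId = $values["GroupCreationAllowedGroupId"]

    # String comparison with -ne is case-insensitive, so "False" and "false" both pass
    if ($enabled -ne "false") {
        Write-Warning "EnableGroupCreation is '$enabled': creation is not restricted."
    }
    if ([string]::IsNullOrWhiteSpace($allowedId)) {
        Write-Warning "GroupCreationAllowedGroupId is empty: no creators group is configured."
        return
    }

    # Confirm the stored ID still resolves to a group (it may have been deleted since)
    $group = Get-MgGroup -GroupId $allowedId -ErrorAction SilentlyContinue
    if (-not $group) {
        Write-Warning "Group $allowedId no longer exists."
        return
    }

    # List direct members: these are the accounts allowed to create Teams
    Write-Host "Creators group: $($group.DisplayName) ($allowedId)" -ForegroundColor Green
    Get-MgGroupMember -GroupId $allowedId -All | ForEach-Object {
        [pscustomobject]@{
            Id                = $_.Id
            UserPrincipalName = $_.AdditionalProperties["userPrincipalName"]
            DisplayName       = $_.AdditionalProperties["displayName"]
        }
    }
}

Test-TeamsCreationRestriction | Format-Table -AutoSize
```

Re-running this after any change to the creators group gives a quick record of who currently holds the right to create Teams.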

The end user experience after Teams creation is blocked

After you have implemented the block, when a user opens their Teams client and clicks Join or create a team, they will be missing the Create team option.

No create team option

However, if that user is then added to the team creators group the Create team option is now available.

Create team option available

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
