This blog is part of a series on Teams. For more articles, check back often.
Written: 10/07/2019 | Updated: N/A
Controlling who can create Teams is based upon who can create Office 365 Groups. Whether this is right or wrong is a matter for debate and opinion – some believe this is necessary for reasons such as Teams sprawl; others believe it limits productivity and agility, and pushes users back towards Shadow IT.
WHY WOULD WE DO IT?
- To prevent Teams sprawl
- To control the Teams creation process
PREREQUISITES
The following is required:
- Both the admin who configures this and the members of the security group who are allowed to create Office 365 Groups need to be assigned an Azure AD Premium licence or Azure AD Basic EDU licence
- The admin who configures this also needs the ability to run Windows PowerShell as an Administrator and the ability to run scripts
HOW
1. Log in to https://portal.azure.com. Select Active Directory, then Groups
2. Select New Group
3. Add the information required. It is recommended to use a Group Name which clearly identifies this as the group that controls Office 365 Group creation. Add group owners and the members who will be able to create Office 365 Groups and Teams. Select Create
4. Confirm that the Security Group is created
5. Copy the following script into Notepad, replacing <SecurityGroupName> with the name of the Security Group you created in the Azure Portal

    # Name of the security group whose members may create Office 365 Groups
    $GroupName = "<SecurityGroupName>"
    # "False" blocks Office 365 Group creation for users outside that group
    $AllowGroupCreation = "False"

    Connect-AzureAD

    # Find the tenant's Group.Unified setting; create it from the template if it does not exist
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id
    if (!$settingsObjectID)
    {
        $template = Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
        $settingsCopy = $template.CreateDirectorySetting()
        New-AzureADDirectorySetting -DirectorySetting $settingsCopy
        $settingsObjectID = (Get-AzureADDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id
    }

    $settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
    $settingsCopy["EnableGroupCreation"] = $AllowGroupCreation

    if ($GroupName)
    {
        # -SearchString can match more than one group, so keep only the exact display name
        $group = @(Get-AzureADGroup -SearchString $GroupName | Where-Object {$_.DisplayName -eq $GroupName})
        if ($group.Count -ne 1) { throw "Expected exactly one group named '$GroupName', found $($group.Count)" }
        $settingsCopy["GroupCreationAllowedGroupId"] = $group[0].ObjectId
    }

    Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy
    # Show the resulting values
    (Get-AzureADDirectorySetting -Id $settingsObjectID).Values

6. Save the file on your local machine as <SecurityGroupName>.ps1 in the C: Drive
7. Run Windows Powershell as Administrator
8. If the Shell session is not already set to C: type CD C:\
9. Install the latest version of Azure AD Preview by running the command:

    Install-Module AzureADPreview

If this is a first time install of the module you will be asked to proceed with the install. Select (Y) Yes. If asked to install from an untrusted repository also select (Y) Yes
10. Run the script by typing .\<SecurityGroupName>.ps1. Log in with a Global Admin account
11. Once the script has executed, the result should show that EnableGroupCreation is set to a value of False. The ID of the Security Group which is allowed to create Office 365 Groups should be specified under GroupCreationAllowedGroupId
Our work here is done.
Check a user who is not in the security group to see if they can create a Team. The user cannot create a Team having clicked on Join or Create Team on the bottom left of the Teams client
CAVEATS
The steps in this article don't prevent members of certain roles from creating Office 365 Groups:
- Exchange Administrator: Exchange Admin centre, AAD
- Partner Tier 1 Support: M365 Admin centre, Exchange Admin centre, AAD
- Partner Tier 2 Support: M365 Admin centre, Exchange Admin centre, AAD
- Directory Writers: AAD
- SharePoint Administrator: SharePoint Admin centre, AAD
- Teams Service Administrator: Teams Admin centre, AAD
- User Management Administrator: M365 Admin centre, AAD
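
To review the result of the HOW steps together with the CAVEATS above, the following audit script is an added example and is not part of the original article. It reads the Group.Unified setting, lists the direct members of the allowed security group, and lists the members of the roles named in the CAVEATS list; it assumes the role display names in your directory match those names and reports any that do not.

```powershell
# Added example (not from the original article). Assumes AzureADPreview is installed
# and that role display names in your tenant match the CAVEATS list; names that do
# not match are reported rather than guessed.
Connect-AzureAD | Out-Null

# Hypothetical helper: read one named value from a directory setting's .Values list
function Get-SettingValue($Setting, [string]$Name) {
    ($Setting.Values | Where-Object { $_.Name -eq $Name }).Value
}

$setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
if (-not $setting) {
    Write-Warning 'No Group.Unified setting found: group creation is not restricted.'
    return
}
$enabled = Get-SettingValue $setting 'EnableGroupCreation'
$groupId = Get-SettingValue $setting 'GroupCreationAllowedGroupId'
Write-Host "EnableGroupCreation         : $enabled"
Write-Host "GroupCreationAllowedGroupId : $groupId"
if ("$enabled" -ne 'False') { Write-Warning 'EnableGroupCreation is not False: any user can create groups.' }

# Direct members of the allowed security group (nested groups are not expanded here)
if ($groupId) {
    $group = Get-AzureADGroup -ObjectId $groupId
    Write-Host "Allowed group: $($group.DisplayName)"
    Get-AzureADGroupMember -ObjectId $groupId -All $true |
        Select-Object DisplayName, UserPrincipalName, ObjectType | Format-Table
} else {
    Write-Warning 'No allowed group is set.'
}

# Role names exactly as written in the CAVEATS list
$exemptRoles = 'Exchange Administrator', 'Partner Tier 1 Support', 'Partner Tier 2 Support',
    'Directory Writers', 'SharePoint Administrator', 'Teams Service Administrator',
    'User Management Administrator'
$activeRoles = Get-AzureADDirectoryRole
foreach ($name in $exemptRoles) {
    $role = $activeRoles | Where-Object { $_.DisplayName -eq $name }
    if (-not $role) {
        Write-Host "[$name] no activated role with this display name"
        continue
    }
    Write-Host "[$name]"
    Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
        Select-Object DisplayName, UserPrincipalName | Format-Table
}
```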