Teams Real Simple with Pictures – Controlling who can create Teams

This blog is part of a series on Teams. For more articles, check back often. 

Written: 10/07/2019 | Updated: N/A

Controlling who can create Teams is based upon who can create Office 365 Groups. Whether this is right or wrong is a matter for debate and opinion – some believe this is necessary for reasons such as Teams sprawl; others believe it limits productivity and agility and pushes others back into the use of Shadow IT.

WHY WOULD WE DO IT?

  • To prevent Teams sprawl
  • To control the Teams creation process

PREREQUISITES

The following is required:

  • Both the Admin who configures this and the members of the security group who are allowed to create Office 365 Groups need to be assigned an Azure AD Premium licence or Azure AD Basic EDU licence

The admin who configures this also needs to be able to run Windows PowerShell as an Administrator and to run scripts.

HOW

1. Log in to https://portal.azure.com. Select Active Directory, then Groups

2. Select New Group

3. Add the information required. It is recommended to use a Group Name which clearly identifies it as the group that controls Office 365 Group creation. Add group owners and the members who will be able to create Office 365 Groups and Teams. Select Create

4. Confirm that the Security Group is created

5. Copy the following script into Notepad, replacing <SecurityGroupName> with the name of the Security Group you created in the Azure Portal

# Name of the security group whose members may create Office 365 Groups
$GroupName = "<SecurityGroupName>"
# "False" turns off group creation for everyone outside that group
$AllowGroupCreation = "False"

Connect-AzureAD

# Look up the tenant's Group.Unified directory setting, if one exists
$settingsObjectID = (Get-AzureADDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id
if (!$settingsObjectID)
{
    # No setting yet: create one from the Group.Unified template
    $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }
    $settingsCopy = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $settingsCopy
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id
}

$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
$settingsCopy["EnableGroupCreation"] = $AllowGroupCreation

if ($GroupName)
{
    # Allow only members of the named security group to create groups
    $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).ObjectId
}

Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

# Show the resulting values
(Get-AzureADDirectorySetting -Id $settingsObjectID).Values

6. Save the file on your local machine as <SecurityGroupName>.ps1 in the C: Drive

7. Run Windows PowerShell as Administrator

8. If the shell session is not already set to C:, type CD C:\

9. Install the latest version of Azure AD Preview by running the command

Install-Module AzureADPreview

If this is a first time install of the module you will be asked to proceed with the install. Select (Y) Yes. If asked to install from an untrusted repository also select (Y) Yes

10. Run the script by typing .\<SecurityGroupName>.ps1. Log in with Global Admin

11. Once the script has run, the output should show that EnableGroupCreation is set to a value of False. The ID of the Security Group which is allowed to create Office 365 Groups should be specified under GroupCreationAllowedGroupId

Our work here is done.
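
A read-only check of the result, added here as an example and not part of the original script: it reads the Group.Unified setting back, confirms that the allowed group ID belongs to the intended security group, and lists who is in that group. The function name Get-GroupCreationAudit and its -ExpectedGroupName parameter are assumptions made for this example; it needs the AzureADPreview module and an existing Connect-AzureAD session.

```powershell
# Added example: read-only audit of the Group.Unified directory setting.
# Assumes AzureADPreview is installed and Connect-AzureAD has already been run.
function Get-GroupCreationAudit {
    param([Parameter(Mandatory)][string]$ExpectedGroupName)  # hypothetical parameter: name used in step 5
    $findings = @(); $members = @()

    $setting = Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
    if (-not $setting) {
        $findings += 'No Group.Unified setting exists: group creation is not restricted by it.'
        return [pscustomobject]@{ Restricted = $false; AllowedGroupId = $null; Members = $members; Findings = $findings }
    }
    $enabled   = $setting['EnableGroupCreation']
    $allowedId = $setting['GroupCreationAllowedGroupId']
    if ($enabled -ne 'False') {
        $findings += "EnableGroupCreation is '$enabled': group creation is not restricted."
    }

    # -SearchString can return several groups whose names start with the same text;
    # the step 5 script would then pass more than one object ID to the setting.
    $candidates = @(Get-AzureADGroup -SearchString $ExpectedGroupName)
    $exact      = @($candidates | Where-Object { $_.DisplayName -eq $ExpectedGroupName })
    if ($candidates.Count -gt 1) {
        $findings += "'$ExpectedGroupName' matches $($candidates.Count) groups: " + ($candidates.DisplayName -join ', ')
    }
    if ($exact.Count -ne 1) {
        $findings += "Expected exactly one group named '$ExpectedGroupName', found $($exact.Count)."
    } elseif ($allowedId -ne $exact[0].ObjectId) {
        $findings += "GroupCreationAllowedGroupId '$allowedId' is not the object ID of '$ExpectedGroupName'."
    }

    if ($allowedId) {
        # Everyone listed here can still create Office 365 Groups and Teams.
        $members = @(Get-AzureADGroupMember -ObjectId $allowedId -All $true |
            Select-Object DisplayName, UserPrincipalName, ObjectType)
    } else {
        $findings += 'GroupCreationAllowedGroupId is empty.'
    }

    [pscustomobject]@{
        Restricted     = ($enabled -eq 'False')
        AllowedGroupId = $allowedId
        Members        = $members
        Findings       = $findings
    }
}

Get-GroupCreationAudit -ExpectedGroupName '<SecurityGroupName>' | Format-List
```

An empty Findings list together with Restricted set to True means the setting matches what steps 5 to 11 were meant to produce; the Members list is worth reviewing periodically, since membership of that group is what grants the right to create Teams.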

Check with a user who is not in the security group to see whether they can create a Team. The user cannot create a Team after clicking Join or Create Team at the bottom left of the Teams client

CAVEATS

The steps in this article don’t prevent members of certain roles from creating Office 365 Groups:

  • Exchange Administrator: Exchange Admin centre, AAD
  • Partner Tier 1 Support: M365 Admin centre, Exchange Admin centre, AAD
  • Partner Tier 2 Support: M365 Admin centre, Exchange Admin centre, AAD
  • Directory Writers: AAD
  • SharePoint Administrator: SharePoint Admin centre, AAD
  • Teams Service Administrator: Teams Admin centre, AAD
  • User Management Administrator: M365 Admin centre, AAD