By default, any user from your Azure tenant can create Microsoft 365 groups. When a user creates a new Microsoft 365 group, additional resources are automatically created: a Teams group, a shared mailbox and calendar in Exchange Online, a site and document library in SharePoint Online, a Yammer group, and so on.
This article covers the ways to prevent common (non-admin) users from creating new groups in Microsoft 365 (Teams/Outlook and others). The first thing you need to do is to restrict the permissions to create Unified Groups in AzureAD. Note that it’s not currently possible to prevent users from creating Teams groups only. The prohibition on creating new groups will apply to all Microsoft 365 services, including SharePoint, Exchange, OneNote, Yammer, Planner, PowerBI, etc.
In this screenshot, you can see that the user can create a new group (team) or join an existing group from the Teams interface.
In this case, we will prevent regular users from creating new Microsoft 365 groups. Once that’s done, we’ll use the GroupCreationAllowedGroupId
parameter to allow only administrators to create new groups.
Install the AzureADPreview and AzureAD PowerShell modules on the computer (the Set-AzureADDirectorySetting
cmdlet that we need is currently only available in AzureADPreview).
Install-Module AzureAD
Install-module AzureADPreview -AllowClobber –Force
Connect to your Azure tenant:
AzureADPreview\Connect-AzureAD
Now let’s create a group of Azure administrators who can create Unified Groups:
New-AzureADGroup -MailNickName "TeamsAdmins" -DisplayName "TeamsAdmins" -MailEnabled $false -SecurityEnabled $true -Description "Members can create new Unified Groups (including Teams)"
And add Teams administrator accounts to the group:
$Group = "TeamsAdmins"
$User = "[email protected]"
$GroupObj = Get-AzureADGroup -SearchString $Group
$UserObj = Get-AzureADUser -ObjectId $User
Add-AzureADGroupMember -ObjectId $GroupObj.ObjectId -RefObjectId $UserObj.ObjectId
Let’s see the current permissions to create Teams groups:
$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
(Get-AzureADDirectorySetting -Id $settingsObjectID).Values
Here, EnableGroupCreation = true
and GroupCreationAllowedGroupID = not set
, which means that users can create Teams (Microsoft 365) groups.
Get-AzureADDirectorySetting : Cannot bind argument to parameter 'Id' because it is null
), you first need to configure the settings as described in the guide https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-settings-cmdlets (Steps 1 to 6):$TemplateId = (Get-AzureADDirectorySettingTemplate | where { $_.DisplayName -eq "Group.Unified" }).Id
$Template = Get-AzureADDirectorySettingTemplate | where -Property Id -Value $TemplateId –EQ
$Setting = $Template.CreateDirectorySetting()
$Setting["EnableMIPLabels"] = "True"
New-AzureADDirectorySetting -DirectorySetting $Setting
Now let’s allow the creation of new groups in Microsoft 365 only for the TeamsAdmins group:
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting["EnableGroupCreation"] = $False
$Setting["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString "TeamsAdmins").objectid
Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting
And check that the group creation permissions have been changed:
(Get-AzureADDirectorySetting).Values
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting["EnableGroupCreation"] = $True
$Setting["GroupCreationAllowedGroupId"] = $null
Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting
Now run Teams as a normal (non-admin) user to check that the option to create a new Teams group is no longer available. The user can now only connect to the existing Teams groups.
To allow a user to create groups in Microsoft 365 (including Teams), you need to add the user account to the TeamsAdmins group.
2 comments
Before “current permissions to create Teams groups” you need to create settings at the directory level which apply to all Microsoft 365 groups.
1) List templates:
Get-AzureADDirectorySettingTemplate
2) Create a new settings object:
$TemplateId = (Get-AzureADDirectorySettingTemplate | where { $_.DisplayName -eq “Group.Unified” }).Id
$Template = Get-AzureADDirectorySettingTemplate | where -Property Id -Value $TemplateId -EQ
$Setting = $Template.CreateDirectorySetting()
New-AzureADDirectorySetting -DirectorySetting $Setting
Followed the said steps and it worked partially. Checked from a regular user using Teams desktop app and they get the option Create a team then when clicked they get the option of ‘Which group would you like to use for your team?’. Am I missing any steps?