Windows OS Hub
  • Windows
    • Windows 11
    • Windows Server 2022
    • Windows 10
    • Windows Server 2019
    • Windows Server 2016
  • Microsoft
    • Active Directory (AD DS)
    • Group Policies (GPOs)
    • Exchange Server
    • Azure and Microsoft 365
    • Microsoft Office
  • Virtualization
    • VMware
    • Hyper-V
  • PowerShell
  • Linux
  • Home
  • About

Windows OS Hub

  • Windows
    • Windows 11
    • Windows Server 2022
    • Windows 10
    • Windows Server 2019
    • Windows Server 2016
  • Microsoft
    • Active Directory (AD DS)
    • Group Policies (GPOs)
    • Exchange Server
    • Azure and Microsoft 365
    • Microsoft Office
  • Virtualization
    • VMware
    • Hyper-V
  • PowerShell
  • Linux

 Windows OS Hub / Azure and Microsoft 365 / Prevent Users from Creating New Groups in Microsoft 365 (Teams/Outlook)

March 17, 2024 Azure and Microsoft 365PowerShell

Prevent Users from Creating New Groups in Microsoft 365 (Teams/Outlook)

By default, any user from your Azure tenant can create Microsoft 365 groups. When a user creates a new Microsoft 365 group, additional resources are automatically created: a Teams group, a shared mailbox and calendar in Exchange Online, a site and document library in SharePoint Online, a Yammer group, and so on.

This article covers the ways to prevent common (non-admin) users from creating new groups in Microsoft 365 (Teams/Outlook and others). The first thing you need to do is to restrict the permissions to create Unified Groups in AzureAD. Note that it’s not currently possible to prevent users from creating Teams groups only. The prohibition on creating new groups will apply to all Microsoft 365 services, including SharePoint, Exchange, OneNote, Yammer, Planner, PowerBI, etc.

In this screenshot, you can see that the user can create a new group (team) or join an existing group from the Teams interface.

Create new team and microsoft 365 group

In this case, we will prevent regular users from creating new Microsoft 365 groups. Once that’s done, we’ll use the GroupCreationAllowedGroupId parameter to allow only administrators to create new groups.

Install the AzureADPreview and AzureAD PowerShell modules on the computer (the Set-AzureADDirectorySetting cmdlet that we need is currently only available in AzureADPreview).

Install-Module AzureAD
Install-module AzureADPreview -AllowClobber –Force

Connect to your Azure tenant:

AzureADPreview\Connect-AzureAD

Now let’s create a group of Azure administrators who can create Unified Groups:

New-AzureADGroup -MailNickName "TeamsAdmins" -DisplayName "TeamsAdmins" -MailEnabled $false -SecurityEnabled $true -Description "Members can create new Unified Groups (including Teams)"

New-AzureADGroup

And add Teams administrator accounts to the group:

$Group = "TeamsAdmins"
$User = "[email protected]"
$GroupObj = Get-AzureADGroup -SearchString $Group
$UserObj = Get-AzureADUser -ObjectId $User
Add-AzureADGroupMember -ObjectId $GroupObj.ObjectId -RefObjectId $UserObj.ObjectId

Let’s see the current permissions to create Teams groups:

$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
(Get-AzureADDirectorySetting -Id $settingsObjectID).Values

Here, EnableGroupCreation = true and GroupCreationAllowedGroupID = not set, which means that users can create Teams (Microsoft 365) groups.

If the Get-AzureADDirectorySetting cmdlet returns an empty array ( Get-AzureADDirectorySetting : Cannot bind argument to parameter 'Id' because it is null ), you first need to configure the settings as described in the guide https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-settings-cmdlets (Steps 1 to 6):

$TemplateId = (Get-AzureADDirectorySettingTemplate | where { $_.DisplayName -eq "Group.Unified" }).Id
$Template = Get-AzureADDirectorySettingTemplate | where -Property Id -Value $TemplateId –EQ
$Setting = $Template.CreateDirectorySetting()
$Setting["EnableMIPLabels"] = "True"
New-AzureADDirectorySetting -DirectorySetting $Setting

Now let’s allow the creation of new groups in Microsoft 365 only for the TeamsAdmins group:

$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting["EnableGroupCreation"] = $False
$Setting["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString "TeamsAdmins").objectid
Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting

And check that the group creation permissions have been changed:

(Get-AzureADDirectorySetting).Values

Get-AzureADDirectorySetting - GroupCreationAllowedGroupId

If you want to reset the configuration to the defaults and allow all users to create Microsoft 365 groups, run the following commands:

$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting["EnableGroupCreation"] = $True
$Setting["GroupCreationAllowedGroupId"] = $null
Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting

Now run Teams as a normal (non-admin) user to check that the option to create a new Teams group is no longer available. The user can now only connect to the existing Teams groups.

Prevent users from creating microsoft 365 groups

To allow a user to create groups in Microsoft 365 (including Teams), you need to add the user account to the TeamsAdmins group.

2 comments
4
Facebook Twitter Google + Pinterest
previous post
Internet Time Synchronization Failed on Windows
next post
Clear Cache and Temp Files in User Profiles on Windows (RDS) with PowerShell and GPO

Related Reading

View Windows Update History with PowerShell (CMD)

April 30, 2025

Uninstalling Windows Updates via CMD/PowerShell

April 18, 2025

Allowing Ping (ICMP Echo) Responses in Windows Firewall

April 15, 2025

How to Pause (Delay) Update Installation on Windows...

April 11, 2025

How to Write Logs to the Windows Event...

March 3, 2025

2 comments

serg June 28, 2023 - 8:44 am

Before “current permissions to create Teams groups” you need to create settings at the directory level which apply to all Microsoft 365 groups.
1) List templates:
Get-AzureADDirectorySettingTemplate
2) Create a new settings object:
$TemplateId = (Get-AzureADDirectorySettingTemplate | where { $_.DisplayName -eq “Group.Unified” }).Id
$Template = Get-AzureADDirectorySettingTemplate | where -Property Id -Value $TemplateId -EQ
$Setting = $Template.CreateDirectorySetting()
New-AzureADDirectorySetting -DirectorySetting $Setting

Reply
VonZ August 8, 2023 - 4:43 pm

Followed the said steps and it worked partially. Checked from a regular user using Teams desktop app and they get the option Create a team then when clicked they get the option of ‘Which group would you like to use for your team?’. Am I missing any steps?

Reply

Leave a Comment Cancel Reply

join us telegram channel https://t.me/woshub
Join WindowsHub Telegram channel to get the latest updates!

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • PowerShell
  • VMware
  • Hyper-V
  • Linux
  • MS Office

Recent Posts

  • Cannot Install Network Adapter Drivers on Windows Server

    April 29, 2025
  • Change BIOS from Legacy to UEFI without Reinstalling Windows

    April 21, 2025
  • How to Prefer IPv4 over IPv6 in Windows Networks

    April 9, 2025
  • Load Drivers from WinPE or Recovery CMD

    March 26, 2025
  • How to Block Common (Weak) Passwords in Active Directory

    March 25, 2025
  • Fix: The referenced assembly could not be found error (0x80073701) on Windows

    March 17, 2025
  • Exclude a Specific User or Computer from Group Policy

    March 12, 2025
  • AD Domain Join: Computer Account Re-use Blocked

    March 11, 2025
  • How to Write Logs to the Windows Event Viewer from PowerShell/CMD

    March 3, 2025
  • How to Hide (Block) a Specific Windows Update

    February 25, 2025

Follow us

  • Facebook
  • Twitter
  • Telegram
Popular Posts
  • Outlook Keeps Asking for Password on Windows
  • Checking User Sign-in Logs in Entra ID (Microsoft 365)
  • How to Manually Configure Exchange or Microsoft 365 Account in Outlook 365/2019/2016
  • Search and Delete Emails from User Mailboxes on Exchange Server (Microsoft 365) with PowerShell
  • Fix: Microsoft Outlook Search Not Working on Windows 10/11
  • Blank Sign-in Screen in Office 365 Apps (Outlook, Teams, etc.)
  • Removing Built-in Teams Chat in Windows 11
Footer Logo

@2014 - 2024 - Windows OS Hub. All about operating systems for sysadmins


Back To Top