Prevent Users from Creating New Groups in Microsoft 365 (Teams/Outlook)

By default, any user from your Azure tenant can create Microsoft 365 groups. When a user creates a new Microsoft 365 group, additional resources are automatically created: a Teams group, a shared mailbox and calendar in Exchange Online, a site and document library in SharePoint Online, a Yammer group, and so on.

This article covers the ways to prevent common (non-admin) users from creating new groups in Microsoft 365 (Teams/Outlook and others). The first thing you need to do is to restrict the permissions to create Unified Groups in AzureAD. Note that it’s not currently possible to prevent users from creating Teams groups only. The prohibition on creating new groups will apply to all Microsoft 365 services, including SharePoint, Exchange, OneNote, Yammer, Planner, PowerBI, etc.

In this screenshot, you can see that the user can create a new group (team) or join an existing group from the Teams interface.

In this case, we will prevent regular users from creating new Microsoft 365 groups. Once that’s done, we’ll use the GroupCreationAllowedGroupId parameter to allow only administrators to create new groups.

Install the AzureADPreview and AzureAD PowerShell modules on the computer (the Set-AzureADDirectorySetting cmdlet that we need is currently only available in AzureADPreview).

Install-Module AzureAD
Install-module AzureADPreview -AllowClobber –Force

Connect to your Azure tenant:

AzureADPreview\Connect-AzureAD

Now let’s create a group of Azure administrators who can create Unified Groups:

New-AzureADGroup -MailNickName "TeamsAdmins" -DisplayName "TeamsAdmins" -MailEnabled $false -SecurityEnabled $true -Description "Members can create new Unified Groups (including Teams)"

And add Teams administrator accounts to the group:

$Group = "TeamsAdmins"
$User = "[email protected]"
$GroupObj = Get-AzureADGroup -SearchString $Group
$UserObj = Get-AzureADUser -ObjectId $User
Add-AzureADGroupMember -ObjectId $GroupObj.ObjectId -RefObjectId $UserObj.ObjectId

Let’s see the current permissions to create Teams groups:

$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
(Get-AzureADDirectorySetting -Id $settingsObjectID).Values

Here, EnableGroupCreation = true and GroupCreationAllowedGroupID = not set, which means that users can create Teams (Microsoft 365) groups.

Now let’s allow the creation of new groups in Microsoft 365 only for the TeamsAdmins group:

$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting["EnableGroupCreation"] = $False
$Setting["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString "TeamsAdmins").objectid
Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting

And check that the group creation permissions have been changed:

(Get-AzureADDirectorySetting).Values

Now run Teams as a normal (non-admin) user to check that the option to create a new Teams group is no longer available. The user can now only connect to the existing Teams groups.

To allow a user to create groups in Microsoft 365 (including Teams), you need to add the user account to the TeamsAdmins group.