Microsoft Teams: How to limit who can create Teams?

Limit who can create Teams

By default, in Microsoft Teams, all users are allowed to create Teams. Microsoft recommends this approach because they believe that his allows users to start collaboration without requiring assistance from IT department.

It make sense, but it could be also a big headache for IT admins and the management.

Note: To manage Entra ID (Azure) groups, you will need to have Microsoft Entra ID P1 or P2 licenses or Microsoft Entra Basic EDU

The question is, how do you limit this to only certain people?

  1. Set up a Security Group and add members (users) that you want to be able to create a Teams. In my case, I created a group called “AllowToCreateTeams” and added members to it.
  1. After creating a Security Group, you will need to use PowerShell to connect to your tenant.

Open PowerShell as Administrator. First, Install the module.

install-module azureadpreview

Note: you might want to uninstall-module azuread before running install-module azureadpreview

Now, run the script.

Note: Replace <group name>, with the Security group name.

$GroupName = "<group name>"
$AllowGroupCreation = "False"

Connect-AzureAD

$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
if(!$settingsObjectID)
{
    $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
    $settingsCopy = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $settingsCopy
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
}

$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
$settingsCopy["EnableGroupCreation"] = $AllowGroupCreation

if($GroupName)
{
  $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).objectid
} else {
$settingsCopy["GroupCreationAllowedGroupId"] = $GroupName
}
Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

(Get-AzureADDirectorySetting -Id $settingsObjectID).Values

To run the script, you must log in as an administrator. Follow the instructions below.

That should be it.

Let’s take a look at how Microsoft Teams looks for non-members and if they are able to create new Teams vs those who are members.

Before implementation.

After implementation.

Can I go back and allow all users to create?

Yes, you can go back and set as it used to be. Run the same script, but instead $AllowGroupCreation = “False” set to “True”.

$AllowGroupCreation = "True"

Good luck. Please, as always, feel free to reach out.

Resources:

Official Microsoft documentation about this topic you can find here.

Latest Posts

5 Comments

  1. This is very useful. Well done! Is there a way to prevent users/members to create/start 1:many chat room?

    Thanks,
    Rusmir

    1. Hi Rusmir, unfortunately this is not possible. You can only disable chat all together from Messaging policies. I hope Microsoft add the feature soon.

  2. Hi Adin, Please add a note about licensing as per Microsoft, not all businesses have Premium AD even though they should.

  3. Pretty nice post. I just stumbled upon your blog and wanted to
    say that I’ve truly enjoyed browsing your blog posts.
    After all I’ll be subscribing to your feed and I hope you write again very soon!

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.