Prevent users from creating new groups in Microsoft 365 (Teams/Outlook) | Ranjan.info

By default, any user in your Azure AD tenant can create a Microsoft 365 Group. When a user creates a new Microsoft 365 Group, additional resources are created automatically: a team, a shared mailbox and calendar in Exchange Online, a site and document library in SharePoint Online, a Yammer group, and so on.

This article covers how to prevent normal (non-administrator) users from creating new groups in Microsoft 365 (Teams, Outlook and the other workloads). The first step is to restrict the permission to create unified groups in Azure AD. Note that there is currently no way to block only the creation of teams: the restriction on creating new groups applies to all Microsoft 365 services, including SharePoint, Exchange, OneNote, Yammer, Planner, Power BI, and more.

In this screenshot, you can see that a user can create a new group (team) or join an existing group from the Teams interface.

Create new teams and Microsoft 365 Groups

In this case, we will prevent regular users from creating new Microsoft 365 Groups. Once this is done, we will use the GroupCreationAllowedGroupId parameter to allow only a designated group of administrators to create new groups.

Install the AzureAD and AzureADPreview PowerShell modules on the computer (the Set-AzureADDirectorySetting cmdlet we need is currently only available in AzureADPreview):

Install-Module AzureAD
Install-Module AzureADPreview -AllowClobber -Force

Connect to your Azure tenant:

AzureADPreview\Connect-AzureAD

Now let’s create a group of Azure administrators who can create integrated groups:

New-AzureADGroup -MailNickName "TeamsAdmins" -DisplayName "TeamsAdmins" -MailEnabled $false -SecurityEnabled $true -Description "Members can create new Unified Groups (including Teams)"

New-AzureADGroup

And add team admin accounts to the group:

$Group = "TeamsAdmins"
$User = "[email protected]"
# Resolve the group and the user to their directory objects
$GroupObj = Get-AzureADGroup -SearchString $Group
$UserObj = Get-AzureADUser -ObjectId $User
# Add the user to the TeamsAdmins group by object ID
Add-AzureADGroupMember -ObjectId $GroupObj.ObjectId -RefObjectId $UserObj.ObjectId

Let’s look at the current permissions for creating Teams groups:

$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
(Get-AzureADDirectorySetting -Id $settingsObjectID).Values

Here EnableGroupCreation = true and GroupCreationAllowedGroupId is not set, which means any user can create Teams (Microsoft 365) groups.

If Get-AzureADDirectorySetting returns nothing (so the next command fails with Get-AzureADDirectorySetting : Cannot bind argument to parameter 'Id' because it is null), the Group.Unified settings object does not exist in your tenant yet and must first be created from its template, as described in the first guide (Steps 1 to 6):

# Find the Group.Unified template and create a settings object from it
$TemplateId = (Get-AzureADDirectorySettingTemplate | where { $_.DisplayName -eq "Group.Unified" }).Id
$Template = Get-AzureADDirectorySettingTemplate | where -Property Id -Value $TemplateId -EQ
$Setting = $Template.CreateDirectorySetting()
$Setting["EnableMIPLabels"] = "True"
# Write the new settings object to the tenant
New-AzureADDirectorySetting -DirectorySetting $Setting

Let’s now allow the creation of new groups in Microsoft 365 only for the TeamsAdmins group:

$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
# Disable group creation for everyone except members of the allowed group
$Setting["EnableGroupCreation"] = $False
$Setting["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString "TeamsAdmins").ObjectId
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting

Then check that the group creation permissions have been changed:

(Get-AzureADDirectorySetting).Values
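Reading the raw Values list tells you the two settings, but not who actually ends up with the permission. The following function is an added example (not code from the original article) that audits the Group.Unified setting, resolves GroupCreationAllowedGroupId to the group's display name and lists its members, so you can verify the restriction after applying it. It assumes an existing AzureADPreview session (AzureADPreview\Connect-AzureAD has already been run); the function name and the returned property names are my own.

```powershell
# Added example: audit who is allowed to create Microsoft 365 Groups in the tenant.
# Assumes AzureADPreview\Connect-AzureAD has been run. Function and property names are hypothetical.
function Get-UnifiedGroupCreationPolicy {
    $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }

    if (-not $setting) {
        # No Group.Unified object exists: the tenant is on defaults, so every user may create groups
        return [pscustomobject]@{
            SettingExists       = $false
            EnableGroupCreation = $true
            AllowedGroupId      = $null
            AllowedGroupName    = $null
            AllowedMembers      = @()
            Restricted          = $false
        }
    }

    # Each entry in .Values is a name/value pair; values are stored as strings
    $enableRaw = ($setting.Values | Where-Object { $_.Name -eq "EnableGroupCreation" }).Value
    $groupId   = ($setting.Values | Where-Object { $_.Name -eq "GroupCreationAllowedGroupId" }).Value
    $enable    = [System.Convert]::ToBoolean($enableRaw)

    $groupName = $null
    $members   = @()
    if (-not [string]::IsNullOrWhiteSpace($groupId)) {
        # Look the group up by ObjectId (exact match, unlike -SearchString, which is a prefix match)
        $group     = Get-AzureADGroup -ObjectId $groupId
        $groupName = $group.DisplayName
        $members   = @(Get-AzureADGroupMember -ObjectId $groupId -All $true |
                       Where-Object { $_.ObjectType -eq "User" } |
                       Select-Object -ExpandProperty UserPrincipalName)
    }

    [pscustomobject]@{
        SettingExists       = $true
        EnableGroupCreation = $enable
        AllowedGroupId      = $groupId
        AllowedGroupName    = $groupName
        AllowedMembers      = $members
        # Restricted means ordinary users are blocked; if no allowed group is set, only admins remain
        Restricted          = (-not $enable)
    }
}

# Usage: show the policy, then the list of accounts that can still create groups
$policy = Get-UnifiedGroupCreationPolicy
$policy | Format-List
$policy.AllowedMembers
```

If Restricted is true but AllowedMembers is empty, either the allowed group has no members yet or GroupCreationAllowedGroupId was never set, and in both cases only tenant administrators can create groups; that is usually tighter than intended and worth catching before users start filing tickets.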


If you want to reset the configuration to the default and allow all users to create Microsoft 365 groups, run the following command:

$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
# Re-enable group creation for all users and clear the allowed group
$Setting["EnableGroupCreation"] = $True
$Setting["GroupCreationAllowedGroupId"] = $null
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting
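The steps above (create the Group.Unified object if it is missing, then set EnableGroupCreation and GroupCreationAllowedGroupId) can be wrapped in one idempotent function, which is what you want if the change is applied from a script or run again after a tenant is re-provisioned. This is an added example, not code from the original article; it assumes an AzureADPreview session and the same TeamsAdmins group as the article. The function name and its parameter are hypothetical. One deliberate difference from the article's one-liner: Get-AzureADGroup -SearchString is a prefix match, so the function filters on the exact DisplayName and refuses to continue if the name is ambiguous, which avoids silently granting the permission to the wrong group.

```powershell
# Added example: idempotently restrict Microsoft 365 Group creation to one security group.
# Assumes AzureADPreview\Connect-AzureAD has been run. Function and parameter names are hypothetical.
function Set-UnifiedGroupCreationRestriction {
    param(
        [Parameter(Mandatory)]
        [string]$AllowedGroupName   # e.g. "TeamsAdmins", as used in the article
    )

    # -SearchString is a prefix match, so filter to the exact display name
    $group = @(Get-AzureADGroup -SearchString $AllowedGroupName |
               Where-Object { $_.DisplayName -eq $AllowedGroupName })
    if ($group.Count -eq 0) {
        throw "Group '$AllowedGroupName' not found; create it before restricting group creation."
    }
    if ($group.Count -gt 1) {
        throw "More than one group is named '$AllowedGroupName'; use a unique name."
    }
    $group = $group[0]

    $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
    if (-not $setting) {
        # No settings object yet: create one from the Group.Unified template, then re-read it to get its Id
        $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }
        New-AzureADDirectorySetting -DirectorySetting $template.CreateDirectorySetting() | Out-Null
        $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
    }

    # Block creation for everyone except members of the allowed group
    $setting["EnableGroupCreation"] = $false
    $setting["GroupCreationAllowedGroupId"] = $group.ObjectId
    Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting

    # Return the effective values so a calling script can log or assert on them
    [pscustomobject]@{
        EnableGroupCreation         = ($setting.Values | Where-Object { $_.Name -eq "EnableGroupCreation" }).Value
        GroupCreationAllowedGroupId = ($setting.Values | Where-Object { $_.Name -eq "GroupCreationAllowedGroupId" }).Value
        AllowedGroupDisplayName     = $group.DisplayName
    }
}

# Usage
Set-UnifiedGroupCreationRestriction -AllowedGroupName "TeamsAdmins"
```

Running the function a second time is safe: it finds the existing settings object and simply rewrites the same two values.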

Now run Teams as a normal (non-administrator) user to check that the option to create a new team is no longer available. Users can now only join existing teams.

Prevent users from creating Microsoft 365 Groups

To allow a user to create groups in Microsoft 365 (including Teams), you must add the user account to the TeamsAdmins group.
