By default, any user in your Azure tenant can create a Microsoft 365 Group. When a user creates a new Microsoft 365 Group, additional resources are automatically created: a team group, a shared mailbox and calendar in Exchange Online, a site and document library in SharePoint Online, a Yammer group, and so on.
This article covers ways to prevent normal (non-administrator) users from creating new groups in Microsoft 365 (Teams/Outlook and others). The first thing you need to do is restrict permissions to create integrated groups in Azure AD. Note that currently it is not possible to prevent users from creating only team groups. The restriction on creating new groups will apply to all Microsoft 365 services, including SharePoint, Exchange, OneNote, Yammer, Planner, PowerBI, and more.
In this screenshot, you can see that a user can create a new group (team) or join an existing group from the Teams interface.
In this case, we will prevent regular users from creating new Microsoft 365 Groups. Once this is done, we will use the GroupCreationAllowedGroupId parameter to allow only administrators to create new groups.
Install the AzureADPreview and AzureAD PowerShell modules on the computer (the Set-AzureADDirectorySetting cmdlet we need is currently only available in AzureADPreview).
Install-Module AzureAD
Install-Module AzureADPreview -AllowClobber -Force
Connect to your Azure tenant:
AzureADPreview\Connect-AzureAD
Now let’s create a group of Azure administrators who can create integrated groups:
New-AzureADGroup -MailNickName "TeamsAdmins" -DisplayName "TeamsAdmins" -MailEnabled $false -SecurityEnabled $true -Description "Members can create new Unified Groups (including Teams)"
And add team admin accounts to the group:
$Group = "TeamsAdmins"
$User = "[email protected]"
$GroupObj = Get-AzureADGroup -SearchString $Group
$UserObj = Get-AzureADUser -ObjectId $User
Add-AzureADGroupMember -ObjectId $GroupObj.ObjectId -RefObjectId $UserObj.ObjectId
Let’s look at the current permissions for creating Teams groups:
$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
(Get-AzureADDirectorySetting -Id $settingsObjectID).Values
Here, EnableGroupCreation = true and GroupCreationAllowedGroupId is not set, which means users can create Teams (Microsoft 365) groups.
If the command returns an error (Get-AzureADDirectorySetting : Cannot bind argument to parameter 'Id' because it is null), no Group.Unified settings object exists in the tenant yet, and you need to configure the settings described in the first guide (Steps 1 to 6):
# Find the Group.Unified template and create a settings object from it
$TemplateId = (Get-AzureADDirectorySettingTemplate | where { $_.DisplayName -eq "Group.Unified" }).Id
$Template = Get-AzureADDirectorySettingTemplate | where -Property Id -Value $TemplateId -EQ
$Setting = $Template.CreateDirectorySetting()
# This value also turns on sensitivity (MIP) label support for groups
$Setting["EnableMIPLabels"] = "True"
New-AzureADDirectorySetting -DirectorySetting $Setting
Let’s now allow the creation of new groups in Microsoft 365 only for the TeamsAdmins group:
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting["EnableGroupCreation"] = $False
$Setting["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString "TeamsAdmins").objectid
Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting
Check that the group creation permissions have been changed:
(Get-AzureADDirectorySetting).Values
To revert the change and let all users create groups again, reset both values:
$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting["EnableGroupCreation"] = $True
$Setting["GroupCreationAllowedGroupId"] = $null
Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting
With the restriction in place, run Teams as a normal (non-administrator) user and check that the option to create a new Teams group is no longer available. The user can now only join existing team groups.
To allow a user to create groups in Microsoft 365 (including Teams), you must add the user account to the TeamsAdmins group.
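The steps above, combined into one re-runnable function, as an added example that is not part of the original article. It assumes AzureADPreview is loaded and Connect-AzureAD has already been run; the function name Set-GroupCreationRestriction is hypothetical. It resolves the group by exact name, handles a tenant with no Group.Unified settings object, reads the values back, and lists who can still create groups.

```powershell
# Added example, not the article's own code. Set-GroupCreationRestriction is a hypothetical name.
function Set-GroupCreationRestriction {
    param([Parameter(Mandatory)][string]$GroupName)

    # -SearchString can return several groups, so resolve by exact
    # display name and refuse an ambiguous or missing match.
    $escaped = $GroupName.Replace("'", "''")
    $groups = @(Get-AzureADGroup -Filter "DisplayName eq '$escaped'")
    if ($groups.Count -ne 1) {
        throw "Expected exactly one group named '$GroupName', found $($groups.Count)."
    }
    $allowed = $groups[0]

    # Reuse the tenant's Group.Unified settings object, or start from the
    # template when none exists yet (the "'Id' ... is null" error case).
    $setting = Get-AzureADDirectorySetting | Where-Object DisplayName -eq "Group.Unified"
    $isNew = -not $setting
    if ($isNew) {
        $template = Get-AzureADDirectorySettingTemplate | Where-Object DisplayName -eq "Group.Unified"
        $setting = $template.CreateDirectorySetting()
    }

    $setting["EnableGroupCreation"] = $false
    $setting["GroupCreationAllowedGroupId"] = $allowed.ObjectId

    if ($isNew) {
        New-AzureADDirectorySetting -DirectorySetting $setting | Out-Null
    } else {
        Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
    }

    # Read the values back from the directory instead of trusting the local object.
    $current = Get-AzureADDirectorySetting | Where-Object DisplayName -eq "Group.Unified"
    if ($current["EnableGroupCreation"] -ne "False" -or
        $current["GroupCreationAllowedGroupId"] -ne $allowed.ObjectId) {
        throw "Group.Unified was not updated as expected."
    }

    # Members of this group can still create Microsoft 365 Groups: review the list.
    Get-AzureADGroupMember -ObjectId $allowed.ObjectId -All $true |
        Select-Object DisplayName, UserPrincipalName, ObjectType
}

Set-GroupCreationRestriction -GroupName "TeamsAdmins"
```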