Locking down the creation of Microsoft 365 SharePoint sites, Teams, and Groups can be a very useful tool in a tech administrator’s toolbox. There are several reasons why you might want to block users from creating new Microsoft Teams. Some of the common reasons are:
1. Control over Team creation: If you are an administrator or owner of a Microsoft Teams account, you may want to control who can create new teams in order to maintain consistency and organization across the account.
2. Compliance: In some organizations, there may be compliance or regulatory requirements that restrict who can create new teams. For example, in industries such as finance and healthcare, data privacy laws may require strict control over data access and sharing.
3. Security: Allowing users to create new teams can increase the risk of security breaches, such as unauthorized access to confidential information. By limiting the ability to create new teams, you can better manage the security of your Microsoft Teams account.
4. Resource allocation: Creating new teams can consume resources such as storage and bandwidth. By limiting the ability to create new teams, you can manage these resources more effectively and avoid unnecessary costs.
To help you out, we are including a PowerShell script below that blocks the creation of groups for everyone except the members of one specified security group.
————————————————————————————————-
Note that this script requires both the MSOnline PowerShell module (for Connect-MsolService and Get-MsolGroup) and the Azure Active Directory PowerShell module (for the AzureAD directory-setting cmdlets). Both are Windows PowerShell modules; you can install them by running the following commands:
Install-Module MSOnline
Install-Module AzureAD
Microsoft has since deprecated both modules in favour of the Microsoft Graph PowerShell SDK, so confirm they still work in your tenant before relying on this script.
Here’s the PowerShell script that blocks the creation of Microsoft 365 groups except for members of a specified security group (please note that you will need to create that group first and add the users who should keep the ability to create groups).
# Connect to the tenant with the MSOnline module (used to look up the group)
# and with the AzureAD module (used to read and write directory settings)
Connect-MsolService
Connect-AzureAD
# Specify the security group that should be allowed to create Microsoft 365 groups
$allowedGroup = "Allowed Group Name"
# Get the ID of the allowed security group
# (-SearchString is a prefix match, so make sure the name resolves to exactly one group)
$allowedGroupId = (Get-MsolGroup -SearchString $allowedGroup).ObjectId
# Get the group creation settings ("Group.Unified") for the tenant, if they already exist
$settings = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq "Group.Unified"}
# Set the group creation settings to block group creation for all except the allowed security group
if (!$settings) {
    # The settings haven't been created yet: build them from the template and create them
    $template = Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
    $settings = $template.CreateDirectorySetting()
    $settings["EnableGroupCreation"] = $false
    $settings["GroupCreationAllowedGroupId"] = $allowedGroupId
    New-AzureADDirectorySetting -DirectorySetting $settings
} else {
    # The settings exist (and therefore have an Id), so update them in place
    $settings["EnableGroupCreation"] = $false
    $settings["GroupCreationAllowedGroupId"] = $allowedGroupId
    Set-AzureADDirectorySetting -Id $settings.Id -DirectorySetting $settings
}
Here’s how the script works:
- The script connects to the Microsoft 365 tenant using the Connect-MsolService cmdlet.
- The script specifies the security group that should be allowed to create Microsoft 365 groups.
- The script retrieves the ID of the allowed security group using the Get-MsolGroup cmdlet.
- The script retrieves the settings for group creation in the Microsoft 365 tenant using the Get-AzureADDirectorySetting cmdlet.
- If the settings haven’t been created yet, the script creates them using the Get-AzureADDirectorySettingTemplate cmdlet and the CreateDirectorySetting() method.
- The script sets the EnableGroupCreation setting to $false, which blocks group creation for all users.
- The script sets the GroupCreationAllowedGroupId setting to the ID of the allowed security group, which allows members of that group to create groups.
- The script saves the updated settings using the Set-AzureADDirectorySetting cmdlet.
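Once the setting is written, it is worth reading it back and confirming that the tenant is actually in the state you intended: that Group.Unified exists, that EnableGroupCreation is False, and that the exemption group resolves to the right name and has members (an empty exemption group means nobody outside the admin roles can create groups or Teams). The following check is an added example and is not code from the original post; it uses only the AzureAD module and assumes Connect-AzureAD has already been run in the session. The function name Get-GroupCreationPolicy is my own.

```powershell
# Added example, not part of the original post: read the Group.Unified directory
# setting back out of the tenant and report the effective group-creation policy.
# Assumes the AzureAD module is loaded and Connect-AzureAD has already been run.

function Get-GroupCreationPolicy {
    # Group.Unified does not exist until someone creates it from the template.
    # Without it the tenant default applies, and every user may create groups.
    $setting = Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq "Group.Unified" }

    if (-not $setting) {
        return [pscustomobject]@{
            Restricted        = $false
            AllowedGroupId    = $null
            AllowedGroupName  = $null
            AllowedGroupUsers = 0
            Note              = "Group.Unified setting not present; all users may create groups"
        }
    }

    # Directory setting values are stored as strings ("True"/"False"), so compare as text.
    $creationEnabled = ([string]$setting["EnableGroupCreation"]) -eq "True"
    $allowedGroupId  = [string]$setting["GroupCreationAllowedGroupId"]

    $allowedGroupName  = $null
    $allowedGroupUsers = 0
    if ($allowedGroupId) {
        # Resolve the GUID back to a display name so a reviewer can see which group
        # is exempt, and count its members: an empty exemption group means nobody
        # except the admin roles can create groups.
        $group = Get-AzureADGroup -ObjectId $allowedGroupId
        $allowedGroupName  = $group.DisplayName
        $allowedGroupUsers = @(Get-AzureADGroupMember -ObjectId $allowedGroupId -All $true).Count
    }

    $note = ""
    if (-not $creationEnabled -and -not $allowedGroupId) {
        $note = "Creation blocked for everyone except admin roles (no exemption group set)"
    } elseif (-not $creationEnabled -and $allowedGroupUsers -eq 0) {
        $note = "Exemption group '$allowedGroupName' has no members"
    } elseif ($creationEnabled) {
        $note = "EnableGroupCreation is True, so the exemption group restricts nothing"
    }

    [pscustomobject]@{
        Restricted        = -not $creationEnabled
        AllowedGroupId    = $allowedGroupId
        AllowedGroupName  = $allowedGroupName
        AllowedGroupUsers = $allowedGroupUsers
        Note              = $note
    }
}

Get-GroupCreationPolicy | Format-List
```

Run it after the blocking script, and again after any change to the exemption group's membership. Because Teams, Planner plans, and SharePoint team sites are all backed by Microsoft 365 groups, this one setting governs all of them; note that directory roles such as Global Administrator remain able to create groups regardless of it, so the report describes what ordinary users can do.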