Post
Ask Question

Implement Governance To Restrict MS Teams Creation

Overview

 
Microsoft Teams is your hub for teamwork, which brings together everything a team needs including chat, threaded conversations, meetings, video conferencing, and many more. Employees benefit by collaborating through MS Teams. However, over  time there will be a huge number of teams. The obvious questions will be: Does the organization need that many teams? Is there any way to set up governance around this?
 
In this article, we will explore how we can govern MS Teams creation to a certain security group.
 

The Problem Statement

 
When the MS Teams license is enabled in Office 365, everyone within an organization can create a Team. Eventually everyone will start creating Teams as they need and there will be lots of Teams. This uncontrolled growth of Teams will confuse employees instead of having any real benefit of Teams. 
 

Prevent uncontrolled growth of MS Teams

 
One of the options is to disable the option of MS Teams creation for everyone and have some kind of centralized mechanism for Teams creation for certain users. The MS Teams desktop client or MS Teams admin center does not provide any option on UI for this.
 
One option is to restrict the group creation, which will prohibit the group creation in MS Teams. Please note this will be also applicable to other group connected services like Planner, SharePoint, Stream, etc.
 

Create Security Group

 
We will start by defining a security group for the users who needs to create Microsoft 365 groups.
 
Follow the below steps to set up a security group,
  1. Open Microsoft 365 admin center.
  2. From left menu, click Groups.
  3. Click Add a group > Security.

    Implement Governance To Restrict MS Teams Creation

  4. Click Next.
  5. Set up the basics by providing the group name and option description.Implement Governance To Restrict MS Teams Creation
  6. Click Next.
  7. Click Create group.

Execute PowerShell

 
Install the AzureADPreview module to change the group-level guest access setting.
  1. # Uninstall Azure AD PowerShell module (AzureAD), if installed already  
  2. Uninstall-Module AzureAD  
  3.   
  4. # Install latest version of AzureADPreview  
  5. Install-Module AzureADPreview  
Run the below script:
  1. $GroupName = "Allow Group Creation"  
  2. $AllowGroupCreation = "False"  
  3.   
  4. Connect-AzureAD  
  5.   
  6. $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id  
  7. if(!$settingsObjectID)  
  8. {  
  9.     $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}  
  10.     $settingsCopy = $template.CreateDirectorySetting()  
  11.     New-AzureADDirectorySetting -DirectorySetting $settingsCopy  
  12.     $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id  
  13. }  
  14.   
  15. $settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID  
  16. $settingsCopy["EnableGroupCreation"] = $AllowGroupCreation  
  17.   
  18. if($GroupName)  
  19. {  
  20.     $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -Filter "DisplayName eq '$GroupName'").objectId  
  21. }  
  22. else {  
  23.     $settingsCopy["GroupCreationAllowedGroupId"] = $GroupName  
  24. }  
  25. Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy  
  26.   
  27. (Get-AzureADDirectorySetting -Id $settingsObjectID).Values  
The Teams creation now will be disabled to all users, except one in our security group.
 
Turn off group creation restriction
 
To turn off group creation restriction and again allow all users to create groups, set $GroupName to "" and $AllowGroupCreation to "True" and rerun the script.
 

Summary

 
When the MS Teams license is enabled in Office 365, everyone within an organization can create a Team. We explored one option to restrict the group creation, which will prohibit the group creation in MS Teams. Since MS Teams desktop client or Microsoft 365 Admin center does not provide any option in UI for this, this can be achieved with PowerShell by installing AzureADPreview module.


Similar Articles