Take Control of your Microsoft Teams Environment Part 1

So, you introduced Microsoft Teams in your organization without a plan? Or perhaps you’re still planning your rollout, and want to learn how to take control? Well, you’ve come to the right place.

In a few blog posts my goal is to help you take control of your Teams environment, and first up is limiting who’s allowed to create teams.

One of the first things we need to decide, before giving users access to Teams, is whether or not they should be allowed to create teams. Microsoft generally recommends that they should, which is why the default settings allow it, and in many cases that makes perfect sense.

Let’s say you’re a small law firm, maybe ten lawyers and a couple of secretaries. You would most likely choose to allow anyone to provision new teams, so as not to get in the way of their productivity.

But what if you’re a municipality, with a mix of employees in healthcare, education etc., as well as thousands of young students? You would most likely want to get in front of that, right, to make sure that new teams are appropriate, and to remain in control.

Well, we lock down the provisioning of new teams by limiting group creation.

Keep in mind that disabling group creation also affects other services relying on Groups, like Planner, StaffHub etc.

To limit group creation we first need to create a security group, and then add users who should still be allowed to create groups, and thereby teams.

All members of this security group must be licensed with Azure AD Premium or Azure AD Basic EDU. Microsoft currently does not enforce this, so it will work perfectly fine without assigning such licenses, but you need to acquire them to be properly licensed.

The next step is to connect to Azure AD using the Azure AD Preview PowerShell module, and run the following script.

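$GroupName = "Allowedtocreategroups"   # Security group whose members may still create groups
$AllowGroupCreation = "False"          # "False" blocks group creation for everyone else

Connect-AzureAD # Need to be using the Azure AD Preview module

# Look up the tenant's Group.Unified settings object, if one already exists
$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id

if(!$settingsObjectID)
{
    # No settings object yet: create one from the Group.Unified template
    $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
    $settingsCopy = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $settingsCopy
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
}

# Work on a copy of the current settings and turn off group creation
$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
$settingsCopy["EnableGroupCreation"] = $AllowGroupCreation

if($GroupName)
{
    # -SearchString can match more than one group (or none), so require exactly one result
    $group = @(Get-AzureADGroup -SearchString $GroupName)
    if($group.Count -ne 1)
    {
        throw "Expected exactly one group matching '$GroupName', found $($group.Count)"
    }
    $settingsCopy["GroupCreationAllowedGroupId"] = $group[0].ObjectId
}

# Write the updated settings back to the directory
Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

# Display the resulting values to confirm the change
(Get-AzureADDirectorySetting -Id $settingsObjectID).Values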

We’ve now effectively disabled team creation for all users who are not members of the security group, causing the Create a team option to disappear from the Join or create a team page.

Some admin roles will still be able to create groups and teams, like the Global Admin, Teams Service Admin etc.
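
To confirm the lockdown took effect and to review who can still create groups, a read-only check can follow the script. This is an added example, not code from the original post; it assumes the AzureADPreview module with an active Connect-AzureAD session, and the function name Get-GroupCreationLockdownReport is hypothetical.

```powershell
# Added example (not from the original post). Read-only: it changes no settings.
# Assumes the AzureADPreview module and an existing Connect-AzureAD session.
function Get-GroupCreationLockdownReport {
    $report = [ordered]@{
        LockedDown   = $false
        AllowedGroup = $null
        Members      = @()
        Finding      = $null
    }

    $setting = Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
    if (-not $setting) {
        # No settings object exists, so the default (everyone may create groups) applies.
        $report.Finding = 'No Group.Unified setting found: all users can create groups.'
        return [pscustomobject]$report
    }

    # Read the values through the same Values collection the script above displays.
    $enabled = ($setting.Values | Where-Object Name -eq 'EnableGroupCreation').Value
    $groupId = ($setting.Values | Where-Object Name -eq 'GroupCreationAllowedGroupId').Value

    if ("$enabled" -ne 'false') {
        $report.Finding = 'EnableGroupCreation is not False: all users can create groups.'
        return [pscustomobject]$report
    }
    $report.LockedDown = $true

    if ([string]::IsNullOrWhiteSpace($groupId)) {
        $report.Finding = 'No allowed group is set: only exempt admin roles can create groups.'
        return [pscustomobject]$report
    }

    try {
        $group = Get-AzureADGroup -ObjectId $groupId -ErrorAction Stop
    } catch {
        # The setting points at an object ID that can no longer be resolved.
        $report.Finding = "Allowed group $groupId could not be read (deleted or mistyped?)."
        return [pscustomobject]$report
    }

    $report.AllowedGroup = $group.DisplayName
    $report.Members = @(Get-AzureADGroupMember -ObjectId $groupId -All $true |
        Select-Object DisplayName, UserPrincipalName, ObjectType)
    $report.Finding = "$($report.Members.Count) member(s) can create groups and teams."
    [pscustomobject]$report
}

Get-GroupCreationLockdownReport | Format-List
```

Running it on a schedule and comparing the Members list against the intended roster shows when someone has been added to the allowed group without approval.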

For more information about limiting group creation please have a look at the official documentation, which was also my source for this blog post.

Also, stay tuned for more on the topic of controlling your Teams environment. Next up is how to create a request form with manager approval!

About the Author:

Magnus Sandtorv is a Microsoft MVP in Office Apps & Services, working as a Digital Workplace Solution Architect at Atea in Norway. He is a Microsoft Teams Evangelist, Enterprise Mobility Professional, PowerShell automation enthusiast and has his head in the cloud.

Reference:

Sandtorv, M. (2019). Take control of your Microsoft Teams environment part 1. Available at: https://teams.rocks/2019/06/01/take-control-of-your-microsoft-teams-environment-part1/ [Accessed: February 6th 2020].
