Managed IT Services Boca Raton logo

How to restrict users from creating Teams and Groups in Microsoft 365

If your company uses Microsoft 365, you may have experienced sprawl in Microsoft Teams and Microsoft 365 Groups. By default, all users can create teams and groups, which can lead to an abundance of poorly thought-out and named teams and groups, many of which may not be in use.

To manage this, you can restrict users from creating Teams and Groups in Microsoft 365 to a specific set of users. Unfortunately, Microsoft does not provide a straightforward way to do this through the admin center, so you will need to use PowerShell to accomplish this task.

Following these steps, you can effectively manage and control the creation of teams and groups in your Microsoft 365 environment, reducing sprawl and maintaining better organization.

These functions require the Microsoft Graph module. Ensure the module is installed and you have the proper permissions. See below.

Implementing restrictions on the creation of Teams and Groups in Microsoft 365 offers several key benefits. Firstly, it helps reduce clutter and sprawl by ensuring that only authorized users can create new teams and groups, leading to a more organized and manageable environment. This control prevents the proliferation of poorly named or redundant groups, making it easier for users to find and collaborate within the appropriate teams. Additionally, it enhances security and compliance by allowing administrators to monitor and manage group creation more effectively, ensuring that all groups adhere to organizational policies and standards. Overall, these restrictions contribute to a more streamlined, secure, and efficient Microsoft 365 environment.

PowerShell function to Restrict users from creating Teams and Groups in Microsoft 365

This PowerShell function will handle the heavy lifting for you. You simply pass it the name of the Microsoft security group you want to create, which will contain the list of users allowed to create teams and groups. Additionally, you can optionally provide a list of users to be added as members of the security group. Later, you can manage the membership of the security group using standard methods, such as Microsoft Entra.

This PowerShell code will set two Microsoft 365 properties:

  • “EnableGroupCreation”=”false” This restricts group creation.
  • “GroupCreationAllowedGroupId” This is the guide for the group of users who are allowed to create groups.
<#
.SYNOPSIS
    Creates a security group, adds members, and sets group creation restrictions in Microsoft 365.

.DESCRIPTION
    This function creates a security group with the specified name, adds the specified users as members, and sets the group creation restrictions in Microsoft 365.

.PARAMETER GroupName
    The name of the security group to be created.

.PARAMETER Users
    An optional array of user object IDs to be added as members of the security group.

.EXAMPLE
    Set-GroupCreationRestriction -GroupName "SG-Create Teams Groups SharePoint" -Users @("UserObjectId1", "UserObjectId2")

.NOTES
    Author: Gary Herbstman, Byte Solutions
    Date: 2025-01-14
    This function requires the Microsoft.Graph module and an active connection to Microsoft Graph.
    Ensure you have logged in to Microsoft Graph using Connect-MgGraph before running this function.
#>

# Requires the Microsoft.Graph module
#Requires -Modules Microsoft.Graph

function Set-GroupCreationRestriction {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [string]$GroupName,

        [Parameter(Mandatory = $false)]
        [string[]]$Users
    )

    try {
        # Connect to Microsoft Graph
        Connect-MgGraph -Scopes "Group.ReadWrite.All, Directory.ReadWrite.All"

        # Create the security group
        $Group = New-MgGroup -DisplayName $GroupName -MailEnabled $false -SecurityEnabled $true -MailNickname $GroupName.Replace(" ", "")

        # Add members to the group if provided
        if ($Users) {
            foreach ($UserId in $Users) {
                Add-MgGroupMember -GroupId $Group.Id -MemberId $UserId
            }
        }

        # Set group creation restrictions
        $settingId = (Get-MgGroupSetting | Where-Object { $_.DisplayName -eq "Group.Unified" }).Id
        Set-MgGroupSetting -Id $settingId -Values @{"EnableGroupCreation"="false"; "GroupCreationAllowedGroupId"=$Group.Id}

        Write-Host "Group creation restriction set successfully for group: $GroupName"
    } catch {
        Write-Error "An error occurred: $_"
    }
}

# Example usage
Set-GroupCreationRestriction -GroupName "SG-Create Teams Groups SharePoint" -Users @("UserObjectId1", "UserObjectId2")

PowerShell function to retrieve the settings

This PowerShell function will retrieve the settings for the restriction. If found, it will return the name of the security group used to control the restriction and a list of members currently in the group.

<#
.SYNOPSIS
    Checks if group creation is restricted and retrieves the group name and members if it is.

.DESCRIPTION
    This function checks if group creation is restricted in Microsoft 365. If it is, it retrieves the group name and members of the group allowed to create groups.

.PARAMETER None
    This function does not take any parameters.

.EXAMPLE
    Connect-MgGraph -Scopes "User.Read.All, Group.Read.All"
    Get-GroupCreationRestriction

.NOTES
    Author: Gary Herbstman, Byte Solutions
    Date: 2025-01-14
    This function requires the Microsoft.Graph module and an active connection to Microsoft Graph.
    Ensure you have logged in to Microsoft Graph using Connect-MgGraph before running this function.
#>

# Requires the Microsoft.Graph module
#Requires -Modules Microsoft.Graph

function Get-GroupCreationRestriction {
    try {
        # Check if group creation is restricted
        $groupCreationRestricted = ((Get-MgGroupSetting | Where-Object { $_.DisplayName -eq "Group.Unified" }).Values | Where-Object { $_.Name -eq "EnableGroupCreation" }).Value

        if ($groupCreationRestricted -eq $false) {
            Write-Host "Group creation is restricted"

            # Get the group ID allowed to create groups
            $groupId = ((Get-MgGroupSetting | Where-Object { $_.DisplayName -eq "Group.Unified" }).Values | Where-Object { $_.Name -eq "GroupCreationAllowedGroupId" }).Value

            # Retrieve the group details
            $group = Get-MgGroup -GroupId $groupId
            $groupName = $group.DisplayName

            # Retrieve the group members
            $members = Get-MgGroupMember -GroupId $groupId

            # Extract display names and user principal names from AdditionalProperties
            $memberDetails = $members | ForEach-Object {
                [PSCustomObject]@{
                    DisplayName = $_.AdditionalProperties['displayName']
                    UserPrincipalName = $_.AdditionalProperties['userPrincipalName']
                }
            }

            # Display the group name and members
            Write-Host "Group Name: $groupName"
            $memberDetails | Format-Table -AutoSize
        } else {
            Write-Host "Group creation is not restricted"
        }
    } catch {
        Write-Error "An error occurred: $_"
    }
}

# Call the function
Get-GroupCreationRestriction

How to install the Microsoft Graph module

  1. Open PowerShell: Launch PowerShell or PowerShell Core with administrator privileges. To do this, right-click on the PowerShell icon and select “Run as administrator”.
  2. Install the Microsoft Graph PowerShell SDK: Run the following command in PowerShell to install the Microsoft Graph module:
  3. Accept the Untrusted Repository: If prompted, type Y to accept the installation from an untrusted repository.
  4. Verify the Installation: After the installation is complete, you can verify it by running:
# Install the module
Install-Module Microsoft.Graph -Scope [CurrentUser or AllUsers]

# Verify the installation
Get-InstalledModule -Name Microsoft.Graph

Updating the Microsoft Graph Module

To update the Microsoft Graph module to the latest version, use:

Update-Module Microsoft.Graph

Uninstalling the Microsoft Graph Module

If you need to uninstall the module, use:

Uninstall-Module Microsoft.Graph

Entra AD and Microsoft Graph Permissions

To run the tasks for restricting the creation of Teams and Groups using PowerShell and the Microsoft Graph module, you need specific permissions. Here are the key permissions required:

  1. Entra (Azure AD Directory) Role: The user running the PowerShell commands should have one of the following roles:
    • Global Administrator: This role has full access to all administrative features in Azure AD.
    • Privileged Role Administrator: This role can manage role assignments in Azure AD, including assigning the necessary permissions for managing groups.
    • Groups Administrator: This role can manage all aspects of groups and group settings, including creating and deleting groups.
  2. Microsoft Graph Permissions: When using the Microsoft Graph module, ensure the following permissions are granted:
    • Group.ReadWrite.All: Allows the app to create, read, update, and delete all groups.
    • Directory.ReadWrite.All: Allows the app to read and write directory data.
    • User.Read.All: Allows the app to read the profile of signed-in users.

Additional Tips

  • Testing: Test the changes by attempting to create a group with a user who is not in the allowed security group. They should receive an error message indicating that they do not have permission to create groups.
  • Monitoring: Regularly monitor the group creation settings to ensure they remain in place, as updates or changes in your environment might revert these settings.

If you need assistance managing your Microsoft 365 environment or have other business IT needs, our team at Byte Solutions is here to help. As a trusted managed service provider, we offer comprehensive support and solutions tailored to your specific requirements. Reach out to us today to learn how we can help optimize your IT infrastructure and ensure your business runs smoothly.

Our services include:

  • Managed Computer Services: We provide proactive monitoring, regular maintenance, and timely upgrades to ensure your IT infrastructure runs smoothly and efficiently.
  • Professional IT Services: Our experienced technicians offer a wide range of services, including network management, data backup, cybersecurity, and cloud solutions.
  • Backup and Disaster Recovery: We partner with Veeam® to deliver cutting-edge data management solutions, ensuring your business data is always protected and easily recoverable.
  • Cloud Solutions: Our cloud solutions enable you to harness the power of scalable and flexible computing resources to drive innovation and growth.
  • Voice Communications: We offer tailored voice technology solutions, from traditional systems to advanced VoIP, enhancing collaboration and productivity.
  • Networking: Our certified engineers use leading technology for seamless connectivity, enhancing data transfer, collaboration, and resource sharing.

Reach out to us today to learn how we can help optimize your IT infrastructure and ensure your business runs smoothly. 561-556-2000

Are you interested in more articles? Check out How to send encrypted email in Microsoft 365

Leave a Comment

Require assistance?

Support from our knowledgeable help desk staff ensures your team stays productive by swiftly and accurately resolving issues.

Book A Consultation

Need help? Call our award-winning support team 24/7 at
+1 (561) 556-2000

Phone and address:

services

About

Support

Policy