Updated: 2026-05-15 – code update for PowerShell 7 and updated MgGraph API
If your company uses Microsoft 365, you may have experienced sprawl in Microsoft Teams and Microsoft 365 Groups. By default, all users can create teams and groups, which can lead to an abundance of poorly thought-out and named teams and groups, many of which may not be in use.
To manage this, you can restrict users from creating Teams and Groups in Microsoft 365 to a specific set of users. Unfortunately, Microsoft does not provide a straightforward way to do this through the admin center, so you will need to use PowerShell to accomplish this task.
Following these steps, you can effectively manage and control the creation of teams and groups in your Microsoft 365 environment, reducing sprawl and maintaining better organization.
These functions require the Microsoft Graph module. Ensure the module is installed and you have the proper permissions. See below.
Implementing restrictions on the creation of Teams and Groups in Microsoft 365 offers several key benefits. Firstly, it helps reduce clutter and sprawl by ensuring that only authorized users can create new teams and groups, leading to a more organized and manageable environment. This control prevents the proliferation of poorly named or redundant groups, making it easier for users to find and collaborate within the appropriate teams. Additionally, it enhances security and compliance by allowing administrators to monitor and manage group creation more effectively, ensuring that all groups adhere to organizational policies and standards. Overall, these restrictions contribute to a more streamlined, secure, and efficient Microsoft 365 environment.
Important impact note
This restriction applies to all Microsoft 365 services that rely on Microsoft 365 Groups, including:
- Microsoft Teams
- SharePoint Team Sites
- Outlook Groups
- Planner
- Viva Engage (Yammer)
This is a tenant‑wide setting and cannot be scoped per workload. With this change, users who are not members of the allowed security group cannot create Teams or Microsoft 365 Groups.
Licensing requirements
- The administrator configuring this setting must have Microsoft Entra ID P1 or P2
- Users allowed to create Teams/Groups must also have P1 or P2
- Users who are restricted do not need P1/P2
This approach may not be appropriate for:
- Very small tenants (<10 users)
- Highly autonomous engineering teams
- Organizations without Entra ID P1/P2
Propagation note:
Changes may take up to 24 hours to fully reflect across Teams, Outlook, and SharePoint user interfaces.
PowerShell function to Restrict users from creating Teams and Groups in Microsoft 365
This PowerShell function will handle the heavy lifting for you. You simply pass it the name of the security group you want to create, which will contain the list of users allowed to create teams and groups. Optionally, you can also pass a list of users (UPNs or object IDs) to be added as members of that security group. Later, you can manage the membership of the security group using standard methods, such as the Microsoft Entra admin center.
This PowerShell code sets two values on the tenant-wide Group.Unified directory setting:
- "EnableGroupCreation" = "false": This turns off Microsoft 365 Group creation for everyone who is not covered by the next value.
- "GroupCreationAllowedGroupId": This is the object ID (GUID) of the security group whose members are still allowed to create groups.
<#
.SYNOPSIS
Creates a security group, adds members, and sets group creation restrictions in Microsoft 365.
.DESCRIPTION
This function creates a security group with the specified name, adds the specified users as members, and sets the tenant-wide Group.Unified directory setting so that only members of that group can create Microsoft 365 Groups (and therefore Teams). If the Group.Unified setting has never been created in the tenant, it is created from its template first.
.PARAMETER GroupName
The name of the security group to be created.
.PARAMETER Users
An optional array of user principal names or user object IDs to be added as members of the security group. Users that cannot be resolved are skipped and reported.
.EXAMPLE
Set-GroupCreationRestriction -GroupName "SG-Create Teams Groups SharePoint" -Users @("UserObjectId1", "UserObjectId2")
.NOTES
Author: Gary Herbstman, Byte Solutions
Date: 2026-05-14
This function requires the Microsoft.Graph module and an active connection to Microsoft Graph.
Ensure you have logged in to Microsoft Graph using Connect-MgGraph before running this function.
Output is a stream of log records (Timestamp, Stage, Level, Message, Data), one per stage.
#>
# Requires the Microsoft.Graph sub-modules actually used below (all installed by Install-Module Microsoft.Graph)
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups, Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement
function Set-GroupCreationRestriction {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [string]$GroupName,
        [Parameter(Mandatory = $false)]
        [string[]]$Users
    )
    # One log record per stage; the Data hashtable renders as {[Name, Value], ...} in Format-List
    function Write-Stage ([string]$Stage, [string]$Message, [hashtable]$Data = @{}, [string]$Level = 'Info') {
        [pscustomobject]@{
            Timestamp = (Get-Date -Format 's')
            Stage     = $Stage
            Level     = $Level
            Message   = $Message
            Data      = $Data
        }
    }
    try {
        # Do not sign in here: reuse the session created by Connect-MgGraph so the caller controls the scopes
        if (-not (Get-MgContext)) {
            throw 'Not connected to Microsoft Graph. Run Connect-MgGraph first.'
        }
        # Create the security group; MailNickname may not contain spaces or most punctuation
        $Group = New-MgGroup -DisplayName $GroupName -MailEnabled:$false -SecurityEnabled:$true -MailNickname ($GroupName -replace '[^A-Za-z0-9]', '')
        Write-Stage -Stage 'CreateGroup' -Message 'Group created.' -Data @{ DisplayName = $GroupName; GroupId = $Group.Id }
        # Add members; Get-MgUser accepts either a UPN or an object ID, so both forms of $Users work
        $added   = 0
        $skipped = @()
        foreach ($User in $Users) {
            $u = Get-MgUser -UserId $User -ErrorAction SilentlyContinue
            if (-not $u) { $skipped += $User; continue }
            New-MgGroupMember -GroupId $Group.Id -DirectoryObjectId $u.Id
            $added++
        }
        Write-Stage -Stage 'Members' -Message 'Membership processing complete.' -Data @{ AddedCount = $added; SkippedCount = $skipped.Count }
        # The Group.Unified setting only exists once it has been created from its template
        $setting = Get-MgGroupSetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
        if (-not $setting) {
            $template = Get-MgGroupSettingTemplate | Where-Object { $_.DisplayName -eq 'Group.Unified' }
            $defaults = @($template.Values | ForEach-Object { @{ Name = $_.Name; Value = $_.DefaultValue } })
            $setting  = New-MgGroupSetting -TemplateId $template.Id -Values $defaults
        }
        # Values is an array of name/value pairs, not a flat hashtable
        Update-MgGroupSetting -GroupSettingId $setting.Id -Values @(
            @{ Name = 'EnableGroupCreation';         Value = 'false' }
            @{ Name = 'GroupCreationAllowedGroupId'; Value = $Group.Id }
        )
        Write-Stage -Stage 'DirectorySetting' -Message 'Group creation restriction applied.' -Data @{ GroupCreationAllowedGroupId = $Group.Id; EnableGroupCreation = 'false'; SettingId = $setting.Id }
        Write-Stage -Stage 'Result' -Message 'Completed successfully.' -Data @{ MembersSkipped = $skipped; GroupId = $Group.Id; GroupName = $GroupName; MembersAdded = $added }
    } catch {
        Write-Error "An error occurred: $_"
    }
}
How to install the Microsoft Graph module
Note: If a Microsoft.Graph module (most often Microsoft.Graph.Authentication) is loaded in another PowerShell session, Install-Module fails with an "in use" error. Close all PowerShell windows and open a fresh one; if the error persists, check Task Manager for PowerShell processes that are still running.
- Open PowerShell: Launch PowerShell 7 or Windows PowerShell. The install commands below use -Scope CurrentUser and do not need elevation; if you prefer to install for all users, right-click the PowerShell icon, select "Run as administrator" and drop -Scope CurrentUser.
- Install the Microsoft Graph PowerShell SDK: Run the following commands in PowerShell to install the Microsoft Graph modules:
- Accept the Untrusted Repository: If prompted, type Y to accept the installation from an untrusted repository.
# 1) Ensure the Graph modules are present
Install-Module Microsoft.Graph -Scope CurrentUser -Force
Install-Module Microsoft.Graph.Beta -Scope CurrentUser -Force
# 2) Import ONLY what you need (importing the whole Microsoft.Graph meta-module is slow)
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement        # Get-MgGroupSetting, Update-MgGroupSetting
Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement   # Get-MgBetaDirectorySetting (verification step)
How to run the code
- Paste in the function code Set-GroupCreationRestriction from above.
- Run Connect-MgGraph with the scopes shown below. You will need the directory role listed under permissions, and the first run may prompt for admin consent.
- Update the $Users variable with the UPNs or object IDs of the users who should be allowed to create teams and groups.
- Run Set-GroupCreationRestriction -GroupName $GroupName -Users $Users
Connect-MgGraph -Scopes "Directory.ReadWrite.All","Group.ReadWrite.All","User.Read.All","GroupMember.ReadWrite.All"
$GroupName = "SG-Create Teams Groups SharePoint"
$Users = @("[email protected]", "[email protected]")
Set-GroupCreationRestriction -GroupName $GroupName -Users $Users
What success looks like
On success you should see output like this:
Set-GroupCreationRestriction -GroupName $GroupName -Users $Users
Timestamp : 2026-05-14T17:39:52
Stage : CreateGroup
Level : Info
Message : Group created.
Data : {[DisplayName, SG-Create Teams Groups SharePoint], [GroupId, ********-****-****-****-************]}
Timestamp : 2026-05-14T17:39:53
Stage : Members
Level : Info
Message : Membership processing complete.
Data : {[AddedCount, 2], [SkippedCount, 0]}
Timestamp : 2026-05-14T17:39:53
Stage : DirectorySetting
Level : Info
Message : Group creation restriction applied.
Data : {[GroupCreationAllowedGroupId, ********-****-****-****-************], [EnableGroupCreation, false], [SettingId, ********-****-****-****-************]}
Timestamp : 2026-05-14T17:39:53
Stage : Result
Level : Info
Message : Completed successfully.
Data : {[MembersSkipped, ], [GroupId, ********-****-****-****-************], [GroupName, SG-Create Teams Groups SharePoint], [MembersAdded, ]}
Verification / Validation step
Run the following code to confirm the setting was properly set.
(Get-MgBetaDirectorySetting | Where-Object DisplayName -eq "Group.Unified").Values
# Expected Results - Look for EnableGroupCreation = False
<#
Name Value
---- -----
NewUnifiedGroupWritebackDefault true
EnableMIPLabels false
CustomBlockedWordsList
EnableMSStandardBlockedWords false
ClassificationDescriptions
DefaultClassification
PrefixSuffixNamingRequirement
AllowGuestsToBeGroupOwner false
AllowGuestsToAccessGroups true
GuestUsageGuidelinesUrl
GroupCreationAllowedGroupId ********-****-****-****-************
AllowToAddGuests true
UsageGuidelinesUrl
ClassificationList
EnableGroupCreation false
#>
Microsoft Entra ID and Microsoft Graph Permissions
To run the tasks for restricting the creation of Teams and Groups using PowerShell and the Microsoft Graph module, you need specific permissions. Here are the key permissions required:
- Microsoft Entra ID directory role: The user running the PowerShell commands should hold one of the following roles:
- Global Administrator: This role has full access to all administrative features in Microsoft Entra ID; use it only if a narrower role is not available.
- Groups Administrator: This role can manage all aspects of groups and group settings, including the Group.Unified directory setting, and is the least-privileged choice for this task.
- Privileged Role Administrator: This role manages role assignments and can grant Groups Administrator to the account doing the work; it is not itself the role that changes group settings.
- Microsoft Graph permissions: When using the Microsoft Graph module, consent to the following delegated scopes. These are delegated permissions, so Graph also enforces the signed-in user's directory role; both are required. Directory.ReadWrite.All and Group.ReadWrite.All require admin consent.
- Group.ReadWrite.All: Allows the app to create, read, update, and delete all groups.
- Directory.ReadWrite.All: Allows the app to read and write directory data, including the group settings changed here.
- User.Read.All: Allows the app to read the full profile of all users; needed to resolve the UPNs or object IDs in $Users.
- GroupMember.ReadWrite.All: Allows the app to read and update group membership.
Additional Tips
- Testing: Test the changes by attempting to create a group with a user who is not in the allowed security group. They should receive an error message indicating that they do not have permission to create groups.
- Monitoring: Regularly monitor the group creation settings to ensure they remain in place, as updates or changes in your environment might revert these settings.
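The monitoring tip above is easiest to act on with a check you can schedule. The following is an added example, not part of the original article or the Byte Solutions function: Test-GroupCreationRestriction reads the Group.Unified setting through the v1.0 Get-MgGroupSetting cmdlet (the same setting the beta verification command above shows), confirms EnableGroupCreation is false, resolves GroupCreationAllowedGroupId to a group that still exists, lists that group's members, and returns a single object you can alert on; Remove-GroupCreationRestriction is the matching rollback. The function names are mine, and the code assumes an existing Connect-MgGraph session with at least Directory.ReadWrite.All and Group.Read.All.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups, Microsoft.Graph.Identity.DirectoryManagement
# Added example (not from the original article). Assumes Connect-MgGraph has already been run
# with at least Directory.ReadWrite.All (group settings) and Group.Read.All (to resolve the allowed group).

function Get-GroupUnifiedSetting {
    # The tenant-wide Group.Unified setting; $null if it has never been created from its template
    Get-MgGroupSetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
}

function Test-GroupCreationRestriction {
    [CmdletBinding()]
    param (
        # Optional: the display name the allowed group is expected to have
        [string]$ExpectedGroupName
    )
    $problems = [System.Collections.Generic.List[string]]::new()
    $setting  = Get-GroupUnifiedSetting
    if (-not $setting) {
        $problems.Add('Group.Unified setting does not exist; group creation is unrestricted.')
        return [pscustomobject]@{ Compliant = $false; Problems = $problems; AllowedGroup = $null; Members = @() }
    }
    # Values come back as name/value pairs; flatten them into a hashtable for lookup
    $v = @{}
    foreach ($pair in $setting.Values) { $v[$pair.Name] = $pair.Value }

    if ($v['EnableGroupCreation'] -ne 'false') {
        $problems.Add("EnableGroupCreation is '$($v['EnableGroupCreation'])', expected 'false'.")
    }
    $allowedGroup = $null
    $members      = @()
    if ([string]::IsNullOrEmpty($v['GroupCreationAllowedGroupId'])) {
        $problems.Add('GroupCreationAllowedGroupId is empty; only administrators can create groups.')
    } else {
        # A deleted allowed group leaves a dangling ID behind; Get-MgGroup then returns nothing
        $allowedGroup = Get-MgGroup -GroupId $v['GroupCreationAllowedGroupId'] -ErrorAction SilentlyContinue
        if (-not $allowedGroup) {
            $problems.Add("Allowed group $($v['GroupCreationAllowedGroupId']) no longer exists.")
        } else {
            if ($ExpectedGroupName -and $allowedGroup.DisplayName -ne $ExpectedGroupName) {
                $problems.Add("Allowed group is '$($allowedGroup.DisplayName)', expected '$ExpectedGroupName'.")
            }
            # Members are directoryObjects; user properties live in AdditionalProperties.
            # Non-user members (for example nested groups) have no userPrincipalName and are worth reviewing.
            $members = @(Get-MgGroupMember -GroupId $allowedGroup.Id -All |
                         ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
                         Where-Object { $_ })
            if ($members.Count -eq 0) {
                $problems.Add("Allowed group '$($allowedGroup.DisplayName)' has no user members.")
            }
        }
    }
    [pscustomobject]@{
        Compliant    = ($problems.Count -eq 0)
        Problems     = $problems
        AllowedGroup = $allowedGroup.DisplayName
        Members      = $members
    }
}

function Remove-GroupCreationRestriction {
    # Rollback: re-enable creation for everyone and clear the allowed-group reference.
    # The security group itself is left in place so the restriction can be re-applied later.
    [CmdletBinding(SupportsShouldProcess)]
    param ()
    $setting = Get-GroupUnifiedSetting
    if (-not $setting) { Write-Warning 'Group.Unified setting not found; nothing to roll back.'; return }
    if ($PSCmdlet.ShouldProcess('Group.Unified', 'Set EnableGroupCreation=true')) {
        Update-MgGroupSetting -GroupSettingId $setting.Id -Values @(
            @{ Name = 'EnableGroupCreation';         Value = 'true' }
            @{ Name = 'GroupCreationAllowedGroupId'; Value = '' }
        )
    }
}

# Usage (scheduled task or pipeline step): exit non-zero when the control has drifted
$result = Test-GroupCreationRestriction -ExpectedGroupName 'SG-Create Teams Groups SharePoint'
$result | Format-List
if (-not $result.Compliant) { exit 1 }
```

Run the check from the same account and scopes you used to apply the setting; because the scopes are delegated, a reader-only account will see the setting but cannot roll it back. Remove-GroupCreationRestriction supports -WhatIf, so you can confirm which setting object it would touch before re-opening group creation tenant-wide.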
Byte Solutions implements this control as part of our Microsoft 365 governance baseline to reduce sprawl, improve security, and keep environments manageable as organizations grow.
If you need assistance managing your Microsoft 365 environment or have other business IT needs, our team at Byte Solutions is here to help. As a trusted managed service provider, we offer comprehensive support and solutions tailored to your specific requirements. Reach out to us today to learn how we can help optimize your IT infrastructure and ensure your business runs smoothly.
Our services include:
- Managed Computer Services: We provide proactive monitoring, regular maintenance, and timely upgrades to ensure your IT infrastructure runs smoothly and efficiently.
- Professional IT Services: Our experienced technicians offer a wide range of services, including network management, data backup, cybersecurity, and cloud solutions.
- Backup and Disaster Recovery: We partner with Veeam® to deliver cutting-edge data management solutions, ensuring your business data is always protected and easily recoverable.
- Cloud Solutions: Our cloud solutions enable you to harness the power of scalable and flexible computing resources to drive innovation and growth.
- Voice Communications: We offer tailored voice technology solutions, from traditional systems to advanced VoIP, enhancing collaboration and productivity.
- Networking: Our certified engineers use leading technology for seamless connectivity, enhancing data transfer, collaboration, and resource sharing.
Reach out to us today to learn how we can help optimize your IT infrastructure and ensure your business runs smoothly. 561-556-2000
Are you interested in more articles? Check out How to send encrypted email in Microsoft 365