Hi there
In this article I'm demonstrating how to lock down Teams creation to the members of a specific Security Group.
This will help you keep your deployment clean, since by default every user enabled on Microsoft Teams has permission to create teams.
WARNING: First check whether your organization already has this implemented
#Connect-AzureAD
# Find the tenant's Group.Unified settings object
$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
(Get-AzureADDirectorySetting -Id $settingsObjectID).Values
$allgroupinfo = (Get-AzureADDirectorySetting -Id $settingsObjectID).Values
# Select the setting by name rather than by position in the list
$groupid = ($allgroupinfo | Where-Object -Property Name -Value "GroupCreationAllowedGroupId" -EQ).Value
Get-AzureADGroup -ObjectId $groupid | fl displayname
Output
- check the following values
  - EnableGroupCreation
  - GroupCreationAllowedGroupId
(try copying this group ID and pasting it into the Azure AD Groups search, then check the result)

Fresh Setup
Go to Office 365 Home \ Groups and create a new security group (this can also be done under Azure AD Groups)
- type: security

click next
Give the group a Name and a Description
- name: AllowCreateTeams
- description: member users can create teams & channels in Microsoft Teams

click next
at the "Review and finish adding group" step, select create group

wait for the group to be created and filter for its name under groups

add all users that will be able to create teams & channels to this group
- edit the group
- search for the users and click add then save then close




check the group members

run the following PowerShell while signed in to Office 365, Teams and Azure AD
# Must match the name of the security group created above
$GroupName = "AllowCreateTeams"
# "False" blocks group/team creation for everyone outside the allowed group
$AllowGroupCreation = "False"
Connect-AzureAD
$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
# Create the Group.Unified settings object from its template if the tenant has none yet
if(!$settingsObjectID)
{
    $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
    $settingsCopy = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $settingsCopy
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
}
$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
$settingsCopy["EnableGroupCreation"] = $AllowGroupCreation
# Store the object ID of the allowed group (-SearchString must resolve to exactly one group)
if($GroupName)
{
    $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).objectid
}
else {
    $settingsCopy["GroupCreationAllowedGroupId"] = $GroupName
}
# Write the settings back and print the resulting values
Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy
(Get-AzureADDirectorySetting -Id $settingsObjectID).Values

Testing
- log in with a user that is not a member of this group
- you should not be able to see the option to create a team
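
The same verification can be done from the directory side. The function below is an added example, not part of the original article: it checks the two values the article says to inspect, looking them up by name. The function name Test-GroupCreationLockdown and the sample values are constructed for illustration.

```powershell
# Added example: evaluates Group.Unified setting values for a working lockdown.
function Test-GroupCreationLockdown {
    param(
        # Objects with Name and Value properties, as returned by .Values
        [Parameter(Mandatory)] [object[]] $Values
    )
    # Index the settings by name; positions in the list are not guaranteed to be stable.
    $lookup = @{}
    foreach ($v in $Values) { $lookup[$v.Name] = [string]$v.Value }

    $findings = @()
    if (-not $lookup.ContainsKey('EnableGroupCreation')) {
        $findings += 'EnableGroupCreation is missing from the settings object'
    }
    elseif ($lookup['EnableGroupCreation'] -ne 'False') {
        $findings += 'EnableGroupCreation is not False: every user can still create teams'
    }
    $groupId = $lookup['GroupCreationAllowedGroupId']
    $parsed = [guid]::Empty
    if ([string]::IsNullOrWhiteSpace($groupId)) {
        $findings += 'GroupCreationAllowedGroupId is empty: no security group is allowed to create teams'
    }
    elseif (-not [guid]::TryParse($groupId, [ref]$parsed)) {
        $findings += "GroupCreationAllowedGroupId is not a GUID: $groupId"
    }
    [pscustomobject]@{
        LockedDown     = ($findings.Count -eq 0)
        AllowedGroupId = $groupId
        Findings       = $findings
    }
}

# Constructed sample values (not from a real tenant).
$locked = @(
    [pscustomobject]@{ Name = 'EnableGroupCreation';         Value = 'False' }
    [pscustomobject]@{ Name = 'GroupCreationAllowedGroupId'; Value = '11111111-2222-3333-4444-555555555555' }
)
$open = @(
    [pscustomobject]@{ Name = 'EnableGroupCreation';         Value = 'True' }
    [pscustomobject]@{ Name = 'GroupCreationAllowedGroupId'; Value = '' }
)
Test-GroupCreationLockdown -Values $locked
Test-GroupCreationLockdown -Values $open

# Against a tenant, after Connect-AzureAD and with $settingsObjectID set as in the article:
#   $r = Test-GroupCreationLockdown -Values (Get-AzureADDirectorySetting -Id $settingsObjectID).Values
#   if ($r.LockedDown) { Get-AzureADGroupMember -ObjectId $r.AllowedGroupId -All $true | Select-Object DisplayName, UserPrincipalName }
```

Reviewing the member list printed by the last commented line shows exactly who can still create teams.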


TIP: by default, teams & channels have no join CODE, so nobody can join them by using or guessing a code.
Thanks,