Lockdown Microsoft Teams Creation
How does your organization deal with the uncontrolled creation of all kinds of Teams? You end up with duplicates, separate Teams for guest access, and Teams without an owner because the user who created them has already left the company.
Instead of letting this go any further, lock down Teams creation and decide who needs to be able to create Teams (your stakeholders or key users, for example). Train that specific group on how to create Teams and how to make use of templates.
Create a Security Group
Create a security group for users who need to create a Team (e.g. Group Creators). Add the members who need to create Teams to the security group.
Download PowerShell Script
Download the PowerShell script and change the $GroupName variable to the name of the group you created. Now run PowerShell as Administrator, go to your download location and run:
.\GroupCreators.ps1
If in the future you want to change which security group is being used, you can rerun the script with the name of the new security group.
Check if everything works
No Access
Access
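To check the result from the directory side as well, the following added example (not part of the original post or its script) reads back the Group.Unified setting, confirms that creation is restricted, and lists the members of the allowed group so the membership can be reviewed. It is read-only, uses the same AzureADPreview cmdlets as the script, and the function names Get-SettingValue and Test-GroupCreationLockdown are hypothetical.

```powershell
# Added example (not part of the original script). Read-only: changes nothing.
# Test-GroupCreationLockdown and Get-SettingValue are hypothetical helper names.
function Get-SettingValue($Setting, [string]$Name) {
    # .Values is the Name/Value list the original script prints on its last line
    ($Setting.Values | Where-Object { $_.Name -eq $Name }).Value
}

function Test-GroupCreationLockdown {
    $setting = Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq "Group.Unified" }
    if (-not $setting) {
        Write-Warning "No Group.Unified setting object found: the restriction has not been configured."
        return $false
    }

    $enabled = Get-SettingValue $setting "EnableGroupCreation"
    $groupId = Get-SettingValue $setting "GroupCreationAllowedGroupId"
    Write-Host "EnableGroupCreation         : $enabled"
    Write-Host "GroupCreationAllowedGroupId : $groupId"

    # Setting values are stored as strings, so compare as strings
    if ("$enabled" -ne "False") {
        Write-Warning "EnableGroupCreation is not False: creation is not restricted."
        return $false
    }
    if (-not $groupId) {
        Write-Warning "Creation is disabled but no allowed group is set."
        return $false
    }
    try {
        $group = Get-AzureADGroup -ObjectId $groupId -ErrorAction Stop
    } catch {
        Write-Warning "Allowed group $groupId could not be read (deleted?)."
        return $false
    }

    # List who can currently create Teams, so the membership can be reviewed
    $members = @(Get-AzureADGroupMember -ObjectId $groupId -All $true)
    Write-Host "Allowed group: $($group.DisplayName) ($($members.Count) direct members)"
    $members | Sort-Object DisplayName |
        Format-Table DisplayName, UserPrincipalName, ObjectType | Out-Host
    return $true
}

Connect-AzureAD | Out-Null
Test-GroupCreationLockdown
```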
Turn Off the Restriction
If you want to turn off the group creation restriction and again allow all users to create (Teams) groups, set $GroupName to "" and $AllowGroupCreation to "True" and rerun the PowerShell script.
PowerShell Script
# Remove any installed AzureAD / AzureADPreview module,
# then install the AzureADPreview module (it provides the *-AzureADDirectorySetting cmdlets)
if (Get-Module -ListAvailable -Name AzureAD) {
    Write-Host "AzureAD module exists"
    Write-Host "Uninstalling module.."
    Uninstall-Module AzureAD -Force -Confirm
} else {
    Write-Host "AzureAD module does not exist"
}
if (Get-Module -ListAvailable -Name AzureADPreview) {
    Write-Host "AzureADPreview module exists"
    Write-Host "Uninstalling module.."
    Uninstall-Module AzureADPreview -Force
} else {
    Write-Host "AzureADPreview module does not exist"
}
if (Get-Module -ListAvailable -Name AzureAD*) {
    Write-Host "Module exists"
} else {
    Write-Host "AzureAD module does not exist"
    Write-Host "Installing module"
    Install-Module AzureADPreview
}

## VARIABLES
$GroupName = "Group Creators"
$AllowGroupCreation = "False"
# If in the future you want to change which security group is used,
# you can rerun the script with the name of the new security group.
#
# If you want to turn off the group creation restriction and again allow all users to create groups,
# set $GroupName to "" and $AllowGroupCreation to "True" and rerun the script.

## DO NOT CHANGE BELOW THIS LINE
Connect-AzureAD

# Look up the tenant's Group.Unified setting object; create it from the template if it does not exist yet
$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
if (!$settingsObjectID)
{
    $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
    $settingsCopy = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $settingsCopy
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
}

$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
$settingsCopy["EnableGroupCreation"] = $AllowGroupCreation
if ($GroupName)
{
    # -SearchString can return more than one group, so require exactly one with this exact display name
    $group = @(Get-AzureADGroup -SearchString $GroupName | Where-Object { $_.DisplayName -eq $GroupName })
    if ($group.Count -ne 1) { throw "Expected exactly one group named '$GroupName', found $($group.Count)." }
    $settingsCopy["GroupCreationAllowedGroupId"] = $group[0].ObjectId
}
else
{
    # Empty group name: clear the allowed group so no stale group id is left behind
    $settingsCopy["GroupCreationAllowedGroupId"] = ""
}
Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

# Print the resulting setting values for verification
(Get-AzureADDirectorySetting -Id $settingsObjectID).Values