Erwin Bierens

Knowledge is Power

Lockdown Microsoft Teams Creation

2019-10-03 | 3 min read | Microsoft Teams | Erwin Bierens

How do you deal with the uncontrolled creation of all kinds of Teams inside your organization? You end up with duplicates, separate Teams for guest access, and Teams without an owner because the user who created them has already left the company.

Instead of letting this go any further, lock down Teams creation and decide who needs to be able to create Teams (your stakeholders or key users, for example). Train that specific group in how to create Teams and how to make use of templates.


Create a Security Group

Create a security group for the users who need to create Teams (e.g. Group Creators), and add those users as members of the security group.

Office365 Security Group

Download PowerShell Script

Download the PowerShell script and change the $GroupName variable to the name of the group you created. Then run PowerShell as Administrator, go to your download location and run:

    .\GroupCreators.ps1

If in the future you want to change which security group is being used, you can rerun the script with the name of the new security group.

Check if everything works

Member of Security Group No Access

Member of Security Group Access

Turn Off the Restriction

If you want to turn off the group creation restriction and again allow all users to create (Teams) groups, set $GroupName to "" and $AllowGroupCreation to "True" and rerun the PowerShell script.

PowerShell Script

    # Remove any installed AzureAD / AzureADPreview module, then install
    # AzureADPreview, which provides the *-AzureADDirectorySetting cmdlets used below.

    if (Get-Module -ListAvailable -Name AzureAD) {
        Write-Host "AzureAD module exists"
        Write-Host "Uninstalling module.."
        Uninstall-Module AzureAD -Force -Confirm
    } else {
        Write-Host "AzureAD module does not exist"
    }

    if (Get-Module -ListAvailable -Name AzureADPreview) {
        Write-Host "AzureADPreview module exists"
        Write-Host "Uninstalling module.."
        Uninstall-Module AzureADPreview -Force
    } else {
        Write-Host "AzureADPreview module does not exist"
    }

    if (Get-Module -ListAvailable -Name AzureAD*) {
        Write-Host "Module exists"
    } else {
        Write-Host "AzureAD module does not exist"
        Write-Host "Installing module"
        Install-Module AzureADPreview
    }

    ## VARIABLES

    $GroupName = "Group Creators"
    $AllowGroupCreation = "False"

    # If in the future you want to change which security group is used,
    # you can rerun the script with the name of the new security group.
    #
    # If you want to turn off the group creation restriction and again allow all users to create groups,
    # set $GroupName to "" and $AllowGroupCreation to "True" and rerun the script.

    ## DO NOT CHANGE BELOW THIS LINE
    Connect-AzureAD

    # Look up the tenant's Group.Unified directory setting; create it from the template if it does not exist yet
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id
    if (!$settingsObjectID)
    {
        $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }
        $settingsCopy = $template.CreateDirectorySetting()
        New-AzureADDirectorySetting -DirectorySetting $settingsCopy
        $settingsObjectID = (Get-AzureADDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id
    }

    $settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
    $settingsCopy["EnableGroupCreation"] = $AllowGroupCreation

    if ($GroupName)
    {
        # -SearchString can return more than one group, so keep only the exact display name
        $group = @(Get-AzureADGroup -SearchString $GroupName | Where-Object { $_.DisplayName -eq $GroupName })
        if ($group.Count -ne 1)
        {
            throw "Expected exactly one group named '$GroupName', found $($group.Count)"
        }
        $settingsCopy["GroupCreationAllowedGroupId"] = $group[0].ObjectId
    }
    else
    {
        # Clear the allowed group when the restriction is turned off
        $settingsCopy["GroupCreationAllowedGroupId"] = $GroupName
    }

    Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

    # Print the resulting setting values for review
    (Get-AzureADDirectorySetting -Id $settingsObjectID).Values
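
The values printed by the script's last line can be checked against the intended group, as in the following added example (not part of the original script). The function name Test-GroupCreationLockdown, the second group "Group Creators Test" and the placeholder ObjectIds are assumptions for illustration, and the sample data is constructed.

```powershell
# Added example, not the author's code. Pure function: it takes the setting values and
# candidate groups as input, so it runs on the constructed sample below or on live data.
function Test-GroupCreationLockdown {
    param(
        [Parameter(Mandatory)] [object[]] $Values,   # objects with Name / Value
        [object[]] $Groups = @(),                    # objects with DisplayName / ObjectId
        [Parameter(Mandatory)] [string] $GroupName
    )
    $findings = @()
    $enable  = ($Values | Where-Object Name -eq 'EnableGroupCreation').Value
    $allowed = ($Values | Where-Object Name -eq 'GroupCreationAllowedGroupId').Value

    # String comparison in PowerShell is case-insensitive, so 'false' also passes
    if ("$enable" -ne 'False') {
        $findings += "EnableGroupCreation is '$enable': group creation is not restricted"
    }
    # -SearchString can return several groups, so require one exact display name
    $exact = @($Groups | Where-Object DisplayName -eq $GroupName)
    if ($exact.Count -ne 1) {
        $findings += "Expected one group named '$GroupName', found $($exact.Count)"
    } elseif ("$allowed" -ne "$($exact[0].ObjectId)") {
        $findings += "GroupCreationAllowedGroupId '$allowed' is not the ObjectId of '$GroupName'"
    }
    return ,$findings   # empty array means the lockdown matches the intent
}

# Constructed sample data (not real tenant output); the ObjectIds are placeholders
$values = @(
    [pscustomobject]@{ Name = 'EnableGroupCreation';         Value = 'False' }
    [pscustomobject]@{ Name = 'GroupCreationAllowedGroupId'; Value = '00000000-0000-0000-0000-000000000002' }
)
$groups = @(
    [pscustomobject]@{ DisplayName = 'Group Creators';      ObjectId = '00000000-0000-0000-0000-000000000001' }
    [pscustomobject]@{ DisplayName = 'Group Creators Test'; ObjectId = '00000000-0000-0000-0000-000000000002' }
)
Test-GroupCreationLockdown -Values $values -Groups $groups -GroupName 'Group Creators'

# Live data (after Connect-AzureAD, with the AzureADPreview module loaded):
#   $values = (Get-AzureADDirectorySetting | Where-Object DisplayName -eq 'Group.Unified').Values
#   $groups = Get-AzureADGroup -SearchString 'Group Creators'
```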
