Microsoft Teams: How to disable Teams Creation

r

When enabling the Teams license in Office 365, every member within the organisation can create new Teams. Giving your employees the possibility to create Teams themselves and according to their needs increases acceptance of the newly introduced tool. Nevertheless, it can lead to problems if many employees have high permission levels. Often it is not clearly defined when it is necessary to create a Team and when a channel or even just a chat is sufficient. It can also lead to Teams with the same purpose being created more than once. It can quickly cause uncontrolled growth that confuses your employees with many Teams without any real benefit. To prevent uncontrolled growth of Teams, it is a best practice to disable the creation of Teams and put in place a provisioning engine like Collaboration Manager 365 or the new Teams Manager instead. If you are still unsure about how to handle the creation of Teams, read on here.

Since the standard O365 UI does not provide the option to disable Teams creation, a Powershell script has to be used.

Before you execute the script, you have to create a security group in your Office 365 Admin Centre. Click on ‘Groups’, add a new group and choose the type ‘Security’. Add member to the group that should later still be able to create teams.

Note: In order to execute the script, you need the preview module for Powershell ‘AzureADPreview’. If you already have installed the AzureAD module, you need to uninstall it first.

Execute the following script to disable the creation of Teams:

(Replace ‘Name of your security group’ with your group name)

Connect-AzureAD
Get-AzureADGroup -SearchString "Name of your security group"

$Template = Get-AzureADDirectorySettingTemplate | where {$_.DisplayName -eq 'Group.Unified'}

$Setting = $Template.CreateDirectorySetting()

New-AzureADDirectorySetting -DirectorySetting $Setting

$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting["EnableGroupCreation"] = $False
$Setting["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString "Name of your security group").objectid

Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting
(Get-AzureADDirectorySetting).Values

The creation of Teams is now disabled for users.

This AzureAD Security Group will be the only one that can later create teams.

Note that Global Admin members can also create Microsoft Teams.

Comments
  • Hi,
    I wanted to disable Team creation based on ADGroup, but I’ts now disabled for all users.

    I tried to run it again with the $Setting[“EnableGroupCreation”] = $True but I still can’t create Teams.

    Can you please advise how can I revert back?

    • Could you please try deleting the line

      $Setting[“GroupCreationAllowedGroupId”] = (Get-AzureADGroup -SearchString “Name of your security group”).objectid

      from the script? Then it should work again!

  • How can we disable only MS Teams creation? As this approach disables O365 group so users cannot create groups for Planner, Yammer, and SP Hub site? Any help would be helpful..

    • Unfortunately, it is not possible at the moment to disable only Teams creation. For now you can only disable groups creation as a whole.
      We will gladly update you if this changes in the future!

  • New-AzureADDirectorySetting : Error occurred while executing NewDirectorySetting
    Code: Request_BadRequest
    Message: Another object with the same value for property templateId already exists.
    InnerError:
    RequestId: 5c73dd32-5e96-4a30-b00b-62f7d7261a9e
    DateTimeStamp: Sun, 16 Aug 2020 13:21:04 GMT
    HttpStatusCode: BadRequest
    HttpStatusDescription: Bad Request
    HttpResponseStatus: Completed
    At line:8 char:1
    + New-AzureADDirectorySetting -DirectorySetting $Setting
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [New-AzureADDirectorySetting], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.MSGraphBeta.Client.ApiException,Microsoft.Open.MSGraphBeta.PowerShell.New
    DirectorySetting

  • because while running this script I am getting below error.

    New-AzureADDirectorySetting : Error occurred while executing NewDirectorySetting
    Code: Authorization_RequestDenied
    Message: Insufficient privileges to complete the operation.
    InnerError:
    RequestId: 7b792b59-1566-45b8-9201-78c3ae133817
    DateTimeStamp: Mon, 14 Sep 2020 15:04:21 GMT
    HttpStatusCode: Forbidden
    HttpStatusDescription: Forbidden
    HttpResponseStatus: Completed
    At line:1 char:1
    + New-AzureADDirectorySetting -DirectorySetting $Setting
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [New-AzureADDirectorySetting], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.MSGraphBeta.Client.ApiException,Microsoft.Open.MSGraphBeta.PowerShell.NewDirectorySetting

Leave a Reply

Your email address will not be published. Required fields are marked *