One of the most common problems in companies, especially SMBs, is the misconfiguration of and lack of security controls on Microsoft 365 applications. A good example of this situation, which is also a security gap, is that every employee can create new Teams and use them in an unmanaged way.

Even if Microsoft says that Teams is created for collaboration purposes and that restricting Teams creation for end users could demotivate them or lead them to lose interest, it’s my proposal to keep a balance, at least during the Teams adoption phase, by allowing only certain people to create new Teams. When Teams usage inside the company reaches a certain level, introducing a Request-a-Team application could be useful and can help you control Teams growth.

Let’s see in action how you can limit new Teams creation in your organization.

Step 1. Create a new group for the people who are allowed to create new Teams.

1. In the Groups page of the Microsoft 365 admin center, create a new security group.

2. Click on Add a group.

3. Choose the group type you want (a security group). Remember the name of the group!

4. Add people to this new group, since only members of this group and admins will be able to create new Teams.

*Licensing Tip* All users who will be members of this group need an Azure AD Premium license. If you don’t have such licenses, or you only need company admins to be able to create new Teams, you can skip the first step.

At this point, we must mention that when you limit who can create Teams, you actually limit who can create new Microsoft 365 Groups, which also affects all services that rely on groups for access, including:

  • Outlook
  • SharePoint
  • Yammer
  • Microsoft Stream
  • Planner
  • Power BI

Step 2. Restrict Teams creation with PowerShell Commands.

Unfortunately, the only way to restrict Teams creation is through PowerShell commands. If you are not familiar with PowerShell you don’t have to worry, since you can use the script below as is by just replacing "<GroupName>" with the name of your newly created security group.

# Name of the security group whose members may create Teams (and Microsoft 365 Groups).
# Leave it empty ("") if only admins should be able to create Teams.
$GroupName = "<GroupName>"
$AllowGroupCreation = $False

Connect-AzureAD

# Look up the tenant-wide "Group.Unified" settings object; create it from the template if it does not exist yet.
$settingsObjectID = (Get-AzureADDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id
if (!$settingsObjectID)
{
    $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }
    $settingsCopy = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $settingsCopy
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id
}

$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
# Disable group (and therefore Teams) creation for everyone ...
$settingsCopy["EnableGroupCreation"] = $AllowGroupCreation

if ($GroupName)
{
    # ... except the members of the named group. -SearchString is a prefix match, so keep only the exact
    # name: an ambiguous result would put several IDs into the setting and the update would fail.
    $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName | Where-Object { $_.DisplayName -eq $GroupName }).ObjectId
}
else
{
    # No group given: only admins can create Teams.
    $settingsCopy["GroupCreationAllowedGroupId"] = $GroupName
}
Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

# Print the resulting settings so you can confirm EnableGroupCreation and GroupCreationAllowedGroupId.
(Get-AzureADDirectorySetting -Id $settingsObjectID).Values

If you get an error like the following during script execution, it's not a big deal. Just close the PowerShell session, start a fresh one and run Uninstall-Module AzureAD followed by Install-Module AzureADPreview to remove the old AzureAD module and install the preview version.

After the PowerShell script runs successfully, you will get the following result.

The creation of Teams is now disabled for all users except the members of the "Teams Owners" group.

Microsoft states that this change may need up to 48 hours to take effect, but my experience is that the effect on your tenant is immediate.
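Once the restriction is in place, it is worth checking it the way an auditor would rather than trusting the output of a single run: read the Group.Unified settings back, confirm that EnableGroupCreation is false, confirm that the allowed group is the one you intended, and confirm that every member of that group carries the Azure AD Premium plan the licensing tip requires. The script below is an added example, not part of the original post or of Microsoft's own script. It assumes an already-open Connect-AzureAD session with the same AzureAD (or AzureADPreview) module used above; the function names Get-GroupCreationPolicy and Test-GroupCreationRestriction are my own, the expected group name "Teams Owners" is taken from the example earlier in the post, and the license check matches service plan names that start with AAD_PREMIUM (P1 and P2).

```powershell
# Added verification script (not from the original post). Assumes an existing
# Connect-AzureAD session. Function names are hypothetical and chosen for this example.

function Get-GroupCreationPolicy {
    # Returns the effective group-creation policy of the tenant.
    $setting = Get-AzureADDirectorySetting |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }

    if (-not $setting) {
        # No Group.Unified object means the tenant runs on defaults:
        # every user can create Microsoft 365 Groups, and therefore Teams.
        return [pscustomobject]@{
            EnableGroupCreation         = $true
            GroupCreationAllowedGroupId = $null
            Source                      = 'TenantDefault'
        }
    }

    # Setting values come back as strings ("True"/"False"), so convert explicitly.
    [pscustomobject]@{
        EnableGroupCreation         = [System.Convert]::ToBoolean($setting['EnableGroupCreation'])
        GroupCreationAllowedGroupId = $setting['GroupCreationAllowedGroupId']
        Source                      = 'Group.Unified'
    }
}

function Test-GroupCreationRestriction {
    # Compares the live policy with what the administrator intended and
    # returns a list of findings; an empty list means everything checks out.
    param(
        [Parameter(Mandatory)] [string] $ExpectedGroupName
    )

    $findings = [System.Collections.Generic.List[string]]::new()
    $policy   = Get-GroupCreationPolicy

    if ($policy.EnableGroupCreation) {
        $findings.Add("EnableGroupCreation is True (source: $($policy.Source)): any user can still create Teams.")
    }

    if (-not $policy.GroupCreationAllowedGroupId) {
        # Creation disabled with no allowed group: only admins can create Teams.
        $findings.Add('GroupCreationAllowedGroupId is empty: only admins can create Teams; no delegated group is configured.')
        return $findings
    }

    $group = Get-AzureADGroup -ObjectId $policy.GroupCreationAllowedGroupId
    if ($group.DisplayName -ne $ExpectedGroupName) {
        $findings.Add("Allowed group is '$($group.DisplayName)', expected '$ExpectedGroupName'.")
    }

    # Every member of the allowed group must be a user with an Azure AD Premium plan.
    $members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true
    foreach ($member in $members) {
        if ($member.ObjectType -ne 'User') {
            $findings.Add("Member '$($member.DisplayName)' is a $($member.ObjectType), not a user account; review whether that is intended.")
            continue
        }
        $plans = (Get-AzureADUserLicenseDetail -ObjectId $member.ObjectId).ServicePlans
        $premium = $plans | Where-Object {
            $_.ServicePlanName -like 'AAD_PREMIUM*' -and $_.ProvisioningStatus -eq 'Success'
        }
        if (-not $premium) {
            $findings.Add("User '$($member.UserPrincipalName)' has no provisioned Azure AD Premium plan.")
        }
    }

    return $findings
}

# Usage (after Connect-AzureAD):
#   $result = Test-GroupCreationRestriction -ExpectedGroupName 'Teams Owners'
#   if ($result.Count -eq 0) { 'Restriction verified.' } else { $result }
```

Run it right after Step 2 and again later as a periodic check: if someone re-enables group creation or swaps the allowed group in the Group.Unified settings, the first finding will tell you, and the membership loop catches the case where a user is added to the group without the license the restriction depends on.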