Take control of your Microsoft Teams environment

So, you introduced Microsoft Teams in your organization without a plan? Or perhaps you’re still planning your rollout, and want to learn how to take control? Well, you’ve come to the right place.

In a few blog posts my goal is to help you take control of your Teams environment, and first up is limiting who’s allowed to create teams.


One of the first things we need to decide, before giving users access to Teams, is whether or not they should be allowed to create teams. Microsoft generally recommends that they should, which is why the default settings allow it, and in many cases that makes perfect sense.

Let’s say you’re a small law firm, maybe ten lawyers and a couple of secretaries. You would most likely choose to allow anyone to provision new teams, not to get in the way of their productivity.


But what if you’re a municipality, with a mix of employees in healthcare, education etc., as well as thousands of young students? You would most likely want to get in front of that, to make sure that new teams are appropriate and to maintain control, right?

Well, we lock down the provisioning of new teams by limiting group creation.

Keep in mind that disabling group creation also affects other services relying on Groups, like Planner, StaffHub etc.

To limit group creation we first need to create a security group, and then add users who should still be allowed to create groups, and thereby teams.

All members of this security group must be licensed with Azure AD Premium or Azure AD Basic EDU. Microsoft currently does not enforce this, so it will work perfectly fine without assigning such licenses, but you need to acquire them to be properly licensed.


The next step is to connect to Azure AD using the Azure AD Preview PowerShell module, and run the following script.

$GroupName = "Allowedtocreategroups"   # security group whose members may still create groups
$AllowGroupCreation = "False"          # "False" = everyone outside that group is blocked

Connect-AzureAD # Need to be using the Azure AD Preview module

# Look for an existing Group.Unified directory setting object
$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id

# None exists yet (tenant is on defaults): create one from the template
if(!$settingsObjectID)
{
    $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
    $settingsCopy = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $settingsCopy
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
}

$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
$settingsCopy["EnableGroupCreation"] = $AllowGroupCreation

if($GroupName)
{
    # Exact-name match: -SearchString matches by prefix and can return more than one group
    $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -Filter "DisplayName eq '$GroupName'").objectid
}

# Write the setting back to the tenant
Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

# Print the resulting values to confirm the change
(Get-AzureADDirectorySetting -Id $settingsObjectID).Values

We’ve now effectively disabled team creation for all users who are not members of the security group, causing the Create a team option to disappear from the Join or create a team page.


Some admin roles will still be able to create groups and teams, like the Global Admin, Teams Service Admin etc.
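
To check later that the lockdown is still in place and who can still create groups, here is an audit sketch. It is an added example, not part of the original script or the official documentation; the function names and the placeholder GUIDs are assumptions, and the second function expects an existing Connect-AzureAD session.

```powershell
# Added example: audit of the Group.Unified lockdown. Function names are hypothetical.
function Test-GroupCreationLockdown {
    param(
        [hashtable]$Values,        # Name/Value pairs of the Group.Unified setting; $null if none exists
        [string]$ExpectedGroupId   # objectId of the security group that should be exempted
    )
    if ($null -eq $Values) {
        'No Group.Unified setting object exists: defaults apply and every user can create groups.'
        return
    }
    if ("$($Values['EnableGroupCreation'])" -ne 'False') {
        'EnableGroupCreation is not False: group creation is not restricted.'
    }
    $allowed = "$($Values['GroupCreationAllowedGroupId'])"
    if (-not $allowed) {
        'GroupCreationAllowedGroupId is empty: no security group is exempted.'
    } elseif ($allowed -ne $ExpectedGroupId) {
        "GroupCreationAllowedGroupId is $allowed, expected $ExpectedGroupId."
    }
}

# Reads the live tenant; needs an existing Connect-AzureAD session (Azure AD Preview module).
function Get-GroupCreationLockdownReport {
    param([string]$GroupName = 'Allowedtocreategroups')
    $setting = Get-AzureADDirectorySetting | Where-Object DisplayName -eq 'Group.Unified'
    $values = $null
    if ($setting) {
        $values = @{}
        $setting.Values | ForEach-Object { $values[$_.Name] = $_.Value }
    }
    # Display names are not unique, so refuse to guess when the lookup is ambiguous
    $group = Get-AzureADGroup -Filter "DisplayName eq '$GroupName'"
    if (@($group).Count -ne 1) { throw "Expected exactly one group named '$GroupName'." }
    [pscustomobject]@{
        Findings = @(Test-GroupCreationLockdown -Values $values -ExpectedGroupId $group.ObjectId)
        Creators = @(Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
                     Select-Object DisplayName, UserPrincipalName)
    }
}

# Constructed sample values (not from a real tenant); the GUIDs are placeholders.
$sample = @{
    EnableGroupCreation         = 'False'
    GroupCreationAllowedGroupId = '00000000-0000-0000-0000-000000000001'
}
Test-GroupCreationLockdown -Values $sample -ExpectedGroupId '00000000-0000-0000-0000-000000000002'
```

An empty Findings list means the setting matches what the script above configured; the Creators list is the set of users to review periodically.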

For more information about limiting group creation please have a look at the official documentation, which was also my source for this blog post.

Also, stay tuned for more on the topic of controlling your Teams environment. Next up is how to create a request form with manager approval!
