Microsoft Teams: How to disable Teams Creation
When enabling the Teams license in Microsoft 365, every member within the organisation can create new teams. Giving your employees the possibility to create teams themselves and according to their needs increases acceptance of the newly introduced tool.
Nevertheless, it can lead to problems if many employees have high permission levels for team creation. Often it is not clearly defined when it is necessary to create a team and when a channel or even just a chat is sufficient. It can also lead to duplicate teams with the same purpose being created more than once.
Team creation can quickly cause uncontrolled growth that confuses your employees with too many teams without any real benefit.
Find out how Parking Zürich solved this problem – read our case study.
To prevent uncontrolled growth of Teams, it is a best practice of Microsoft Teams Governance to disable the creation of teams. However, there are disadvantages to completely stopping users from creating teams. Strict restrictions can demotivate users or make them lose interest.
Why should IT admins control team creation in Microsoft Teams?
If you manage a Microsoft 365 tenant, you have probably seen this pattern: after a few months, there are hundreds of teams with overlapping names, unclear owners and abandoned channels. Users cannot find the right place for their work, and support tickets pile up.
Many IT admins start searching for ways to “disable team creation Microsoft 365” just to stop this growth. But completely blocking team creation often shifts the problem elsewhere: shadow IT, private tools or manual workarounds.
This is where a Microsoft Teams Governance Tool can help. Instead of simply turning team creation off, you can guide it: clear rules, standard templates, and transparent ownership for every new team.
What is a controlled version of team creation in Microsoft Teams?
Instead, to prevent users from creating teams in an unsupervised way, we recommend implementing a controlled version of teams creation with Teams Manager, offering a request and approval process for teams.
With Teams Manager, every new workspace starts with a Teams creation approval workflow. Users request a new team with a short form, approvers check the purpose and sensitivity, and the Team is then created from a standard template with the right naming, settings and lifecycle.
For IT admins this means:
- fewer unnecessary teams,
- clear ownership,
- consistent governance without manual scripts every time.
Curious to see how Teams Manager controls Team creation?
How to disable teams creation in Microsoft Teams in 3 steps
Time needed: 10 minutes
Here is a step-by-step guide on how to disable teams creation completely. Since the standard M365 UI does not provide the option to disable Teams creation, a Powershell script has to be used.
Note: The script will disable not just the creation of Teams but also the creation of groups in general, i.e. sites in SharePoint, sites/groups in Planner, groups in Outlook etc.
- Create security group
Before you execute the script, you have to create a security group in your Microsoft 365 Admin Centre. Click on ‘Groups’, add a new group and choose the type ‘Security’.
- Add member
Add one or more members to the group that should later still be able to create teams.
- Execute following script
Execute the following script to disable the creation of Teams:
(Replace <YourGroupName> with your group name)
Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Beta.Groups
Connect-MgGraph -Scopes "Directory.ReadWrite.All", "Group.Read.All"
$GroupName = "<YourGroupName>"
$AllowGroupCreation = "False"
$settingsObjectID = (Get-MgBetaDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
if(!$settingsObjectID)
{
$params = @{
templateId = "62375ab9-6b52-47ed-826b-58e47e0e304b"
values = @(
@{
name = "EnableMSStandardBlockedWords"
value = "true"
}
)
}
New-MgBetaDirectorySetting -BodyParameter $params
$settingsObjectID = (Get-MgBetaDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).Id
}
$groupId = (Get-MgBetaGroup | Where-object {$_.displayname -eq $GroupName}).Id
$params = @{
templateId = "62375ab9-6b52-47ed-826b-58e47e0e304b"
values = @(
@{
name = "EnableGroupCreation"
value = $AllowGroupCreation
}
@{
name = "GroupCreationAllowedGroupId"
value = $groupId
}
)
}
Update-MgBetaDirectorySetting -DirectorySettingId $settingsObjectID -BodyParameter $params
(Get-MgBetaDirectorySetting -DirectorySettingId $settingsObjectID).ValuesNote: In order to execute the script, you need the preview module for Powershell ‘AzureADPreview’. If you already have installed the AzureAD module, you need to uninstall it first.
Watch this video for a detailed step-by-step tutorial on how to deactivate teams creation in Microsoft Teams:
The creation of teams is now disabled for users. This AzureAD Security Group will be the only one that can later create teams. Note that Global Admin members can also still create Microsoft Teams.
Overview of the 3 steps
| Step | Action | Result | Notes |
| 1 | Create security group | Defines who is still allowed to create groups and teams | Use a clear name, e.g. “TeamCreationAdmins” |
| 2 | Add members | Grants selected admins permission to create new groups and teams | Add only admins or power users |
| 3 | Execute the PowerShell script | Disables group and team creation for all users outside this group | Requires sufficient directory permissions |
Example: how Parking Zürich stopped uncontrolled team growth
Parking Zürich used Teams Manager to stop uncontrolled growth in Microsoft Teams. Felix Peider, Head of IT at Parking Zürich AG, says:
“Through Teams Manager, we implement structured guidelines and approval processes for the creation of teams.“
Read more about how Parking Zürich prevents uncontrolled teams creation with Teams Manager!
In this project, simply running the script to disable teams creation would not have been enough. They needed an approval process, templates, naming conventions and lifecycle rules. All of that was implemented with Teams Manager as a central Microsoft Teams governance tool on top of the technical configuration.
FAQ: disabling Team creation in Microsoft Teams
Can I disable only Microsoft Teams creation without affecting other groups?
At the moment, this script disables the creation of Microsoft 365 groups in general. That also affects connected resources such as SharePoint sites and Outlook groups. If you need more granular control focused on Microsoft Teams only, a governance solution with a Teams creation approval workflow like Teams Manager is the better approach.
How can I undo the change if something goes wrong?
You can reverse the setting by running an adjusted version of the script. Set AllowGroupCreation back to True and delete the following lines from the script, thus removing the reference to the security group:$Setting[“GroupCreationAllowedGroupId”] = (Get-AzureADGroup -SearchString “Name of your security group”).objectid
Which permissions are required to run the script?
You need sufficient directory permissions (for example Azure AD Directory Administrator rights) in the tenant, as the script updates directory settings related to group creation.
How long does it take until the change is active?
In many tenants the change is applied shortly after the script runs. In some cases Microsoft states that it can take up to 48 hours until the setting is effective everywhere.
Now you know how to disable teams creation. Teams Manager offers easy controls not just for team creation, but also for most admin problems in MS Teams.
If you want to see a request-based process in action, book a Teams Manager Demo!
Walk through the full workflow for controlled team creation, templates and lifecycle policies together with one of our experts.
Chief Commercial Officer and Governance Specialist at Solutions2Share
Florian Pflanz has more than 8 years of experience with Microsoft 365 and has supported over 250 workshops on Teams governance.
His focus lies on lifecycle management, provisioning, and compliance requirements in regulated industries.
He shares best practices with IT admins and decision-makers to reduce complexity and strengthen secure collaboration in Teams.
Hi,
I wanted to disable Team creation based on ADGroup, but I’ts now disabled for all users.
I tried to run it again with the $Setting[“EnableGroupCreation”] = $True but I still can’t create Teams.
Can you please advise how can I revert back?
Could you please try deleting the line
$Setting[“GroupCreationAllowedGroupId”] = (Get-AzureADGroup -SearchString “Name of your security group”).objectid
from the script? Then it should work again!
How can we disable only MS Teams creation? As this approach disables O365 group so users cannot create groups for Planner, Yammer, and SP Hub site? Any help would be helpful..
Unfortunately, it is not possible at the moment to disable only Teams creation. For now you can only disable groups creation as a whole.
We will gladly update you if this changes in the future!
how to restrict in ms team that without permission of global admin no one can make a group
This permission can only be given to AD groups, so you need to add all admins to an AD group and then reference this group.
New-AzureADDirectorySetting : Error occurred while executing NewDirectorySetting
Code: Request_BadRequest
Message: Another object with the same value for property templateId already exists.
InnerError:
RequestId: 5c73dd32-5e96-4a30-b00b-62f7d7261a9e
DateTimeStamp: Sun, 16 Aug 2020 13:21:04 GMT
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At line:8 char:1
+ New-AzureADDirectorySetting -DirectorySetting $Setting
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureADDirectorySetting], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.MSGraphBeta.Client.ApiException,Microsoft.Open.MSGraphBeta.PowerShell.New
DirectorySetting
This error means that your AzureAD already has such a setting and that you need to update it. Please try using
Set-AzureADDirectorySetting
instead of
New-AzureADDirectorySetting
in the script.
after setting how much time to take effect?
The effect should be more or less immediate. However, according to Microsoft, it may take up to 48 hours in some cases.
Hi i want to know what rights or permission is required to Run this script. Can you help?
You need to have Azure AD Directory Administrator rights, as that is where you change the settings. The error below means that you do not have the necessary rights.
because while running this script I am getting below error.
New-AzureADDirectorySetting : Error occurred while executing NewDirectorySetting
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
InnerError:
RequestId: 7b792b59-1566-45b8-9201-78c3ae133817
DateTimeStamp: Mon, 14 Sep 2020 15:04:21 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At line:1 char:1
+ New-AzureADDirectorySetting -DirectorySetting $Setting
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureADDirectorySetting], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.MSGraphBeta.Client.ApiException,Microsoft.Open.MSGraphBeta.PowerShell.NewDirectorySetting
Will this script work for GCC High tenants?
Hi There,
yes the Powershell Script should also work for GCC Tenants.
you should mention that running this scripts will prevent users who are not member of the security group the creation of sites in sharepoint, plans in planner, etc,,,
You are right, thank you for pointing this out! I have adapted the blog post to clarify that the script will disable not just the creation of Teams but also the creation of groups in general, i.e. sites in SharePoint, sites/groups in Planner, groups in Outlook etc.
(Users will still be able to create new plans in Planner, as that is separate from group creation.)
How to enable that function again, incase something goes wrong? Is that redo that script?
My account cannot open team app one website. When $AllowGroupCreation = “True” or False
Exactly, just delete the following lines from the script:
$Setting[“GroupCreationAllowedGroupId”] = (Get-AzureADGroup -SearchString “Name of your security group”).objectid
and set AllowGroupCreation to “True” to reverse it.
Hii, am getting these problems
Connect-AzureAD : The ‘Connect-AzureAD’ command was found in the module ‘AzureAD’, but the module could not be
loaded. For more information, run ‘Import-Module AzureAD’.
At line:1 char:1
+ Connect-AzureAD
+ ~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Connect-AzureAD:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CouldNotAutoloadMatchingModule
Get-AzureADGroup : The ‘Get-AzureADGroup’ command was found in the module ‘AzureAD’, but the module could not be
loaded. For more information, run ‘Import-Module AzureAD’.
At line:2 char:1
+ Get-AzureADGroup -SearchString “Admin Group”
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-AzureADGroup:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CouldNotAutoloadMatchingModule
Get-AzureADDirectorySettingTemplate : The term ‘Get-AzureADDirectorySettingTemplate’ is not recognized as the name
of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included,
verify that the path is correct and try again.
At line:4 char:13
+ $Template = Get-AzureADDirectorySettingTemplate | where {$_.DisplayNa …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-AzureADDirectorySettingTemplate:String) [], CommandNotFoundExcept
ion
+ FullyQualifiedErrorId : CommandNotFoundException
You cannot call a method on a null-valued expression.
At line:6 char:1
+ $Setting = $Template.CreateDirectorySetting()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
New-AzureADDirectorySetting : The term ‘New-AzureADDirectorySetting’ is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that
the path is correct and try again.
At line:8 char:1
+ New-AzureADDirectorySetting -DirectorySetting $Setting
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (New-AzureADDirectorySetting:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Get-AzureADDirectorySetting : The term ‘Get-AzureADDirectorySetting’ is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that
the path is correct and try again.
At line:10 char:45
+ … Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-AzureADDirectorySetting:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Cannot index into a null array.
At line:11 char:1
+ $Setting[“EnableGroupCreation”] = $False
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : NullArray
Get-AzureADGroup : The ‘Get-AzureADGroup’ command was found in the module ‘AzureAD’, but the module could not be
loaded. For more information, run ‘Import-Module AzureAD’.
At line:12 char:44
+ $Setting[“GroupCreationAllowedGroupId”] = (Get-AzureADGroup -SearchSt …
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-AzureADGroup:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CouldNotAutoloadMatchingModule
Get-AzureADDirectorySetting : The term ‘Get-AzureADDirectorySetting’ is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that
the path is correct and try again.
At line:14 char:34
+ Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-AzureADDirectorySetting:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Get-AzureADDirectorySetting : The term ‘Get-AzureADDirectorySetting’ is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that
the path is correct and try again.
At line:15 char:2
+ (Get-AzureADDirectorySetting).Values
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-AzureADDirectorySetting:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Hello Deeksha Dhuny,
We would be happy to help you with your request. Simply book a free appointment at the following page:
https://www.solutions2share.com/book-a-demo/
Best regards,
Solutions2Share team