Home » Blog » Microsoft Teams: How to disable Teams Creation

Microsoft Teams: How to disable Teams Creation

September 2, 2023 Blog Microsoft Teams Governance
How to disable Teams creation

When enabling the Teams license in Office 365, every member within the organisation can create new teams. Giving your employees the possibility to create teams themselves and according to their needs increases acceptance of the newly introduced tool.

Join or create a team in Microsoft Teams.

Nevertheless, it can lead to problems if many employees have high permission levels for team creation. Often it is not clearly defined when it is necessary to create a team and when a channel or even just a chat is sufficient. It can also lead to duplicate teams with the same purpose being created more than once. Team creation can quickly cause uncontrolled growth that confuses your employees with too many teams without any real benefit.

To prevent uncontrolled growth of Teams, it is a best practice of Microsoft Teams Governance to disable the creation of teams. However, there are disadvantages to completely stopping users from creating teams. Strict restrictions can demotivate users or make them lose interest.

Instead, we recommend implementing a controlled version of teams creation with Teams Manager, offering a request and approval process for teams.

Ready to Control Team Creation? Start Here.

But for now, here is a step-by-step guide on how to disable teams creation completely!

How to disable teams creation in Microsoft Teams in 3 steps

Time needed: 10 minutes

Since the standard O365 UI does not provide the option to disable Teams creation, a Powershell script has to be used.

Note: The script will disable not just the creation of Teams but also the creation of groups in general, i.e. sites in SharePoint, sites/groups in Planner, groups in Outlook etc.

  1. Create security group

    Before you execute the script, you have to create a security group in your Office 365 Admin Centre. Click on ‘Groups’, add a new group and choose the type ‘Security’.

  2. Add member

    Add member to the group that should later still be able to create teams.

  3. Execute following script

    Execute the following script to disable the creation of Teams:
    (Replace ‘Name of your security group’ with your group name)

Connect-AzureAD
Get-AzureADGroup -SearchString "Name of your security group"

$Template = Get-AzureADDirectorySettingTemplate | where {$_.DisplayName -eq 'Group.Unified'}

$Setting = $Template.CreateDirectorySetting()

New-AzureADDirectorySetting -DirectorySetting $Setting

$Setting = Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id
$Setting["EnableGroupCreation"] = $False
$Setting["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString "Name of your security group").objectid

Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ).id -DirectorySetting $Setting
(Get-AzureADDirectorySetting).Values

Note: In order to execute the script, you need the preview module for Powershell ‘AzureADPreview’. If you already have installed the AzureAD module, you need to uninstall it first.

Watch this video for a detailed step-by-step tutorial on how to deactivate teams creation in Microsoft Teams:

The creation of teams is now disabled for users. This AzureAD Security Group will be the only one that can later create teams. Note that Global Admin members can also still create Microsoft Teams.

Parking Zürich used Teams Manager to stop uncontrolled growth in Microsoft Teams. Felix Peider,​ Head of IT at Parking Zürich AG, says:

“Through Teams Manager, we implement structured guidelines and approval processes for the creation of teams.“

Read more about how Parking Zürich prevents uncontrolled teams creation with Teams Manager!

Download free ebook on Microsoft Teams governance!

Now you know how to disable teams creation. Teams Manager offers easy controls not just for team creation, but also for most admin problems in MS Teams. Check out our features or book a quick demo now!

Tags:
Blog
← Back to Blog
Comments

  • Hi,
    I wanted to disable Team creation based on ADGroup, but I’ts now disabled for all users.

    I tried to run it again with the $Setting[“EnableGroupCreation”] = $True but I still can’t create Teams.

    Can you please advise how can I revert back?

    Reply

    • Could you please try deleting the line

      $Setting[“GroupCreationAllowedGroupId”] = (Get-AzureADGroup -SearchString “Name of your security group”).objectid

      from the script? Then it should work again!

      Reply

  • How can we disable only MS Teams creation? As this approach disables O365 group so users cannot create groups for Planner, Yammer, and SP Hub site? Any help would be helpful..

    Reply

    • Unfortunately, it is not possible at the moment to disable only Teams creation. For now you can only disable groups creation as a whole.
      We will gladly update you if this changes in the future!

      Reply

    • This permission can only be given to AD groups, so you need to add all admins to an AD group and then reference this group.

      Reply

  • New-AzureADDirectorySetting : Error occurred while executing NewDirectorySetting
    Code: Request_BadRequest
    Message: Another object with the same value for property templateId already exists.
    InnerError:
    RequestId: 5c73dd32-5e96-4a30-b00b-62f7d7261a9e
    DateTimeStamp: Sun, 16 Aug 2020 13:21:04 GMT
    HttpStatusCode: BadRequest
    HttpStatusDescription: Bad Request
    HttpResponseStatus: Completed
    At line:8 char:1
    + New-AzureADDirectorySetting -DirectorySetting $Setting
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [New-AzureADDirectorySetting], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.MSGraphBeta.Client.ApiException,Microsoft.Open.MSGraphBeta.PowerShell.New
    DirectorySetting

    Reply

    • This error means that your AzureAD already has such a setting and that you need to update it. Please try using
      Set-AzureADDirectorySetting
      instead of
      New-AzureADDirectorySetting
      in the script.

      Reply

    • The effect should be more or less immediate. However, according to Microsoft, it may take up to 48 hours in some cases.

      Reply

    • You need to have Azure AD Directory Administrator rights, as that is where you change the settings. The error below means that you do not have the necessary rights.

      Reply

  • because while running this script I am getting below error.

    New-AzureADDirectorySetting : Error occurred while executing NewDirectorySetting
    Code: Authorization_RequestDenied
    Message: Insufficient privileges to complete the operation.
    InnerError:
    RequestId: 7b792b59-1566-45b8-9201-78c3ae133817
    DateTimeStamp: Mon, 14 Sep 2020 15:04:21 GMT
    HttpStatusCode: Forbidden
    HttpStatusDescription: Forbidden
    HttpResponseStatus: Completed
    At line:1 char:1
    + New-AzureADDirectorySetting -DirectorySetting $Setting
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [New-AzureADDirectorySetting], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.MSGraphBeta.Client.ApiException,Microsoft.Open.MSGraphBeta.PowerShell.NewDirectorySetting

    Reply

  • you should mention that running this scripts will prevent users who are not member of the security group the creation of sites in sharepoint, plans in planner, etc,,,

    Reply

    • You are right, thank you for pointing this out! I have adapted the blog post to clarify that the script will disable not just the creation of Teams but also the creation of groups in general, i.e. sites in SharePoint, sites/groups in Planner, groups in Outlook etc.
      (Users will still be able to create new plans in Planner, as that is separate from group creation.)

      Reply

  • How to enable that function again, incase something goes wrong? Is that redo that script?
    My account cannot open team app one website. When $AllowGroupCreation = “True” or False

    Reply

    • Exactly, just delete the following lines from the script:
      $Setting[“GroupCreationAllowedGroupId”] = (Get-AzureADGroup -SearchString “Name of your security group”).objectid
      and set AllowGroupCreation to “True” to reverse it.

      Reply

  • Hii, am getting these problems

    Connect-AzureAD : The ‘Connect-AzureAD’ command was found in the module ‘AzureAD’, but the module could not be
    loaded. For more information, run ‘Import-Module AzureAD’.
    At line:1 char:1
    + Connect-AzureAD
    + ~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (Connect-AzureAD:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CouldNotAutoloadMatchingModule

    Get-AzureADGroup : The ‘Get-AzureADGroup’ command was found in the module ‘AzureAD’, but the module could not be
    loaded. For more information, run ‘Import-Module AzureAD’.
    At line:2 char:1
    + Get-AzureADGroup -SearchString “Admin Group”
    + ~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (Get-AzureADGroup:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CouldNotAutoloadMatchingModule

    Get-AzureADDirectorySettingTemplate : The term ‘Get-AzureADDirectorySettingTemplate’ is not recognized as the name
    of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included,
    verify that the path is correct and try again.
    At line:4 char:13
    + $Template = Get-AzureADDirectorySettingTemplate | where {$_.DisplayNa …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (Get-AzureADDirectorySettingTemplate:String) [], CommandNotFoundExcept
    ion
    + FullyQualifiedErrorId : CommandNotFoundException

    You cannot call a method on a null-valued expression.
    At line:6 char:1
    + $Setting = $Template.CreateDirectorySetting()
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

    New-AzureADDirectorySetting : The term ‘New-AzureADDirectorySetting’ is not recognized as the name of a cmdlet,
    function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that
    the path is correct and try again.
    At line:8 char:1
    + New-AzureADDirectorySetting -DirectorySetting $Setting
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (New-AzureADDirectorySetting:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    Get-AzureADDirectorySetting : The term ‘Get-AzureADDirectorySetting’ is not recognized as the name of a cmdlet,
    function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that
    the path is correct and try again.
    At line:10 char:45
    + … Get-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (Get-AzureADDirectorySetting:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    Cannot index into a null array.
    At line:11 char:1
    + $Setting[“EnableGroupCreation”] = $False
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : NullArray

    Get-AzureADGroup : The ‘Get-AzureADGroup’ command was found in the module ‘AzureAD’, but the module could not be
    loaded. For more information, run ‘Import-Module AzureAD’.
    At line:12 char:44
    + $Setting[“GroupCreationAllowedGroupId”] = (Get-AzureADGroup -SearchSt …
    + ~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (Get-AzureADGroup:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CouldNotAutoloadMatchingModule

    Get-AzureADDirectorySetting : The term ‘Get-AzureADDirectorySetting’ is not recognized as the name of a cmdlet,
    function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that
    the path is correct and try again.
    At line:14 char:34
    + Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | where …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (Get-AzureADDirectorySetting:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    Get-AzureADDirectorySetting : The term ‘Get-AzureADDirectorySetting’ is not recognized as the name of a cmdlet,
    function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that
    the path is correct and try again.
    At line:15 char:2
    + (Get-AzureADDirectorySetting).Values
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (Get-AzureADDirectorySetting:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Dies könnte Ihnen auch gefallen

Copyright 2021 © Solutions2Share GmbH

Terms and conditions Privacy policy Cookie Policy Imprint

Send this to a friend