blog.atwork.at

news and know-how about microsoft, technology, cloud and more.

Restrict Office 365 Groups and Microsoft Teams creation in organizations

In many of my Office 365 projects, customers want to limit the self-service creation of Office 365 groups. Gladly, this is possible in Office 365 by defining that only specific users are able to create Office 365 groups. Since the launch of Microsoft Teams in March 2017, customers have asked me several times whether this policy also affects the creation of Microsoft teams. Well, let's take a look.

In a previous blog post, we described how to set up Office 365 Groups policies; check out Management capabilities for Office 365 Groups. Since Microsoft Teams depends on Office 365 groups, we document this scenario step by step.

So the question is whether the Office 365 policy is valid for Microsoft Teams as well. It is.

The goal

For that scenario, we use an Office 365 test tenant. The idea is that two users are Group Admins: Alan (alans) and Christa (christag). Both shall be able to create new Office 365 groups (and by that, Microsoft teams). All other users (except Office 365 administrators) shall not be able to create Office 365 groups and Microsoft teams. This setup must be done with PowerShell.

Preparations

After connecting with Connect-MsolService as the Global Admin user (admin), we get all groups with Get-MsolGroup. We will use the (existing) "GroupAdmins" security group. You can get the default values of that specific group with Get-MsolGroup -SearchString "GroupAdmins".

In our tenant, the ObjectId of GroupAdmins is "0b32caea-525a-4988-a208-b23014991594". We need this Office 365 Group Id later.

So, in the Office 365 portal we add Alan and Christa as members to the security group "GroupAdmins".

Set the policies

Setting the group policy is straightforward, as described in Management capabilities for Office 365 Groups, so here's the short form.

$template = Get-MsolAllSettingTemplate | where-object {$_.displayname -eq "Group.Unified"}
$setting = $template.CreateSettingsObject()
$setting.Values | ft


Now we change that so that only members of "GroupAdmins" can create groups.

$setting["EnableGroupCreation"] = "false"
$setting["GroupCreationAllowedGroupId"] = "0b32caea-525a-4988-a208-b23014991594"
New-MsolSettings -SettingsObject $setting
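
The same steps as a guarded script, added here as an example and not part of the original post: it resolves the group by name instead of pasting the ObjectId, lists who will be allowed to create groups, and stops if a Group.Unified setting already exists. It assumes an existing Connect-MsolService session and that the objects returned by Get-MsolAllSettings expose DisplayName and ObjectId.

```powershell
# Added example, not from the original post. Assumes the MSOnline module and an
# existing Connect-MsolService session with a Global Admin account.
$groupName = 'GroupAdmins'   # the security group used in this article

# -SearchString may return several groups; require exactly one exact-name match.
$candidates = @(Get-MsolGroup -SearchString $groupName |
    Where-Object { $_.DisplayName -eq $groupName })
if ($candidates.Count -ne 1) {
    throw "Expected exactly one group named '$groupName', found $($candidates.Count)."
}
$groupId = $candidates[0].ObjectId.ToString()

# Everyone listed here will be allowed to create groups and teams.
Get-MsolGroupMember -GroupObjectId $groupId |
    Select-Object DisplayName, EmailAddress | Format-Table

# Assumption: returned settings objects expose DisplayName and ObjectId.
$existing = @(Get-MsolAllSettings -TargetType Groups |
    Where-Object { $_.DisplayName -eq 'Group.Unified' })
if ($existing.Count -gt 0) {
    throw "A Group.Unified setting already exists (ObjectId $($existing[0].ObjectId)). Review it before creating another."
}

$template = Get-MsolAllSettingTemplate |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }
if (-not $template) { throw "Template 'Group.Unified' not found." }

$setting = $template.CreateSettingsObject()
$setting['EnableGroupCreation'] = 'false'
$setting['GroupCreationAllowedGroupId'] = $groupId
New-MsolSettings -SettingsObject $setting

# Read back what is now stored in the tenant.
Get-MsolAllSettings -TargetType Groups
```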


Test it with a user

Now log in with another user who is not a member of the "GroupAdmins" group. Here, we use Dan (danj). As we see, that user is not able to create a new group in Outlook - the policy works.

Ok, so now we try to create a new team site with the App Launcher.


"Teams" opens a new website, https://teams.microsoft.com.

What happens next depends on whether teams already exist. If teams exist, https://teams.microsoft.com/_#/discover is loaded with a list of the teams. If not, a form follows where we need to name the new Teams site and set the privacy level.

After clicking "Create a team", a message appears as follows.


The team site says: "Sorry, you can't create a team. Your IT department has disabled this Microsoft Teams feature for you. Please contact them for help."

Well, fine. So that user cannot create a new team - as expected. Only members of the "GroupAdmins" group are able to create a new Microsoft team. Let's try that out as well.

Vice versa - Test it with an admin

Now we use a member of the "GroupAdmins" group and try to do the same with user Alan (alans). This user is able to create a new Office 365 group.


Ok, so now we try to create a new team as before.


Again, we fill out the team site properties, this time with a team named "HR".


This time, it works...


...and we can pick members of the "HR" team, for example Dan and other users in the Office 365 tenant. Users can be "member" or "owner" of a Microsoft team, which can optionally be selected here. By default, the role is "member" in a Microsoft team. It's a good hint that you can add people, groups, and distribution lists from your organization.

Ok, here we go. The team "HR" has been created and can be used instantly.


Teams functionality for standard users

Let's look back to a standard user and what they can do with teams.

Just to clarify: In our scenario, Dan is a member of the HR team, so he can collaborate in that team. If that user wants to create a new team in here, he gets the "Sorry, you can't create a team." message instantly (without the need to fill out the creation form).

For existing teams, the user can work with the familiar functions.

Just to be sure: Standard users can join public Microsoft teams as well. The user can join (and leave) a Microsoft team himself.

Private Microsoft teams

Private Microsoft teams do not show up as long as the signed-in user is not a member of that Microsoft team.

So the group policy is relevant only for the creation of Office 365 groups and Microsoft teams.

Test with another standard user

If a user is a member of a Microsoft team, the first experience shows the membership. In our sample, we open https://teams.microsoft.com as user Molly (mollyc).

Here, if no group exists, clicking "Create a team" gives the same experience as at the beginning above. Otherwise, the Microsoft Teams "app" is loaded, showing the Microsoft Teams portal with all Microsoft teams the user is entitled to.

Remove the policy

If you need to remove the policy because you decided to go self-service, remove it with the policy's ObjectId as follows. First, get the ObjectId, then remove that setting.

Get-MsolAllSettings -TargetType Groups
Remove-MsolSettings -SettingId '86692932-37e6-4797-b076-94a5c42a0561'


To check the "EnableGroupCreation" property, use the query as in the beginning:

$template = Get-MsolAllSettingTemplate | where-object {$_.displayname -eq "Group.Unified"}
$setting = $template.CreateSettingsObject()
$setting.Values | ft

Then wait a few minutes for the change to take effect and re-test the Office 365 groups and Microsoft teams creation with a standard user (in my case, user Dan or Molly). Then it should work again, as this is the default behavior in an Office 365 tenant.

Warning

If an owner deletes a team, this is currently not a soft deletion. All the content is deleted without backup. The soft-delete feature is on the roadmap.

So, take care not to delete a team site if you are not sure. The underlying group is deleted.

Summary

As we saw in this example, the Office 365 group policies that prevent standard users from creating a new Office 365 group prevent the creation of a new Microsoft team site as well. This works as expected. IT admins can specify whether users are able to create new Office 365 groups and Microsoft teams. This is especially relevant for medium to large organizations that want to prevent a "wild growth" of groups and teams in their Office 365 tenant.

I hope this article helps to configure your Office 365 tenant as needed for your organization.

Comments (1) -

  • Taniya Khan

    9/18/2020 4:55:15 AM |

    Excellent article. Very interesting to read. I really love to read such a nice article. Thanks! keep rocking.
    http://www.divyanka.in/
