In many of my Office 365 projects, customers want to limit the self-service creation of Office 365 groups. Gladly, this is possible in Office 365 by defining that only specific users are able to create Office 365 groups. Since the launch of Microsoft Teams in March 2017, customers have asked me several times whether this policy also affects the creation of Microsoft teams. Well, let's take a look.
In a previous blog post, we described how to set up Office 365 Groups policies; check out Management capabilities for Office 365 Groups. Since Microsoft Teams depends on Office 365 groups, we document this scenario step-by-step.
So the question is if the Office 365 policy is valid for Microsoft Teams as well. It is.
The goal
For that scenario, we use an Office 365 test tenant. The idea is that two users are Group Admins: Alan (alans) and Christa (christag). Both shall be able to create new Office 365 groups (and by that, Microsoft teams). All other users (except Office 365 administrators) shall not be able to create Office 365 groups and Microsoft teams. This setup must be done with PowerShell.
Preparations
After connecting with Connect-MsolService as the Global Admin user (admin), we get all groups with Get-MsolGroup. We will use the (existing) "GroupAdmins" security group. You can get the default values of that specific group with Get-MsolGroup -SearchString "GroupAdmins".
In our tenant, the ObjectId of GroupAdmins is "0b32caea-525a-4988-a208-b23014991594". We need this Office 365 Group Id later.
So, in the Office 365 portal we add Alan and Christa as members of the security group "GroupAdmins".
Set the policies
Setting the group policy is straightforward, as described in Management capabilities for Office 365 Groups, so here's the short form.
$template = Get-MsolAllSettingTemplate | where-object {$_.displayname -eq "Group.Unified"}
$setting = $template.CreateSettingsObject()
$setting.Values | ft
Now we change that so that only members of "GroupAdmins" can create groups.
$setting["EnableGroupCreation"] = "false"
$setting["GroupCreationAllowedGroupId"] = "0b32caea-525a-4988-a208-b23014991594"
New-MsolSettings -SettingsObject $setting
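A guarded variant of the steps above, as an added example that is not part of the original post: it resolves the group by exact name instead of pasting the ObjectId, shows who will receive creation rights, and refuses to create a second settings object. It assumes the MSOnline module used in this post and a security group whose display name is exactly "GroupAdmins".

```powershell
# Added example: guarded version of the steps above (MSOnline module, as used in this post).
# Assumption: the security group's display name is exactly "GroupAdmins".
$groupName = 'GroupAdmins'

Connect-MsolService   # sign in as the Global Admin user

# -SearchString returns every group whose display name starts with the text,
# so require exactly one group whose display name matches exactly.
$candidates = @(Get-MsolGroup -SearchString $groupName |
    Where-Object { $_.DisplayName -eq $groupName })
if ($candidates.Count -ne 1) {
    throw "Expected exactly one group named '$groupName', found $($candidates.Count)."
}
$group = $candidates[0]

# Review who receives the right to create groups and teams before enforcing.
$members = @(Get-MsolGroupMember -GroupObjectId $group.ObjectId -All)
if ($members.Count -eq 0) {
    throw "'$groupName' has no members; only administrators could create groups."
}
$members | Format-Table DisplayName, EmailAddress, GroupMemberType

# Do not create a second settings object if one already exists for groups.
$existing = @(Get-MsolAllSettings -TargetType Groups)
if ($existing.Count -gt 0) {
    $existing | Format-List
    throw 'A group settings object already exists; review it before creating another.'
}

# Same policy as above, with the ObjectId taken from the resolved group.
$template = Get-MsolAllSettingTemplate |
    Where-Object { $_.DisplayName -eq 'Group.Unified' }
$setting = $template.CreateSettingsObject()
$setting['EnableGroupCreation'] = 'false'
$setting['GroupCreationAllowedGroupId'] = $group.ObjectId.ToString()
New-MsolSettings -SettingsObject $setting
```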
Test it with a user
Now log in with another user who is not a member of the "GroupAdmins" group. Here, we use Dan (danj). As we see, that user is not able to create a new group in Outlook - the policy works.
Ok, so now we try to create a new team site with the App Launcher.
"Teams" opens a new website, https://teams.microsoft.com .
What happens here depends on whether teams already exist. If teams exist, https://teams.microsoft.com/_#/discover is loaded with a list of the teams. If not, a form follows where we need to name the new Teams site and set the privacy level.
After clicking "Create a team", a message appears as follows.
The team site says: "Sorry, you can't create a team. Your IT department has disabled this Microsoft Teams feature for you. Please contact them for help."
Well, fine. So that user cannot create a new team - as expected. Only members of the "GroupAdmins" group are able to create a new Microsoft team. Let's try that out as well.
Vice versa - Test it with an admin
Now we use a member of the "GroupAdmins" group and try to do the same with user Alan (alans). This user is able to create a new Office 365 group.
Ok, so now we try to create a new team as before.
Again, we fill out the team site properties, this time with a team named "HR".
This time, it works...
...and we can pick members of the "HR" team, for example Dan and other users in the Office 365 tenant. Users can be "member" or "owner" of a Microsoft team, which can optionally be selected here. By default, the role is "member" in a Microsoft team. It's a good hint that you can add people, groups, and distribution lists from your organization.
Ok, here we go. The team "HR" has been created and can be used instantly.
Teams functionality for standard users
Let's look back to a standard user and what they can do with teams.
Just to clarify: In our scenario, Dan is a member of the HR team. So he can collaborate in that team. If that user wants to create a new team in here, he gets the "Sorry, you can't create a team." message instantly (without the need to fill out the creation form).
For existing teams, the user can work with the familiar functions as follows.
Just to confirm: Standard users can join public Microsoft teams as well. The user can join (and leave) a Microsoft team himself.
Private Microsoft teams
Private Microsoft teams do not show up as long as the signed-in user is not a member of that Microsoft team.
So the group policy is relevant only for the creation of Office 365 groups and Microsoft teams.
Test with another standard user
If a user is a member of a Microsoft team, the first experience shows the membership. In our sample, we open https://teams.microsoft.com as user Molly (mollyc).
Here, if no group exists yet, clicking "Create a team" gives the same experience as at the beginning above. Otherwise, the Microsoft teams "app" is loaded, showing the Microsoft teams portal with all Microsoft teams the user is entitled to.
Remove the policy
If you need to remove the policy because you decided to go self-service, remove it with the policy's Object ID as follows. First, get the ObjectId, then remove that setting.
Get-MsolAllSettings -TargetType Groups
Remove-MsolSettings -SettingId '86692932-37e6-4797-b076-94a5c42a0561'
To check the "EnableGroupCreation" property, use the query as in the beginning:
$template = Get-MsolAllSettingTemplate | where-object {$_.displayname -eq "Group.Unified"}
$setting = $template.CreateSettingsObject()
$setting.Values | ft
Then wait a few minutes for the change to take effect and re-test the creation of Office 365 groups and Microsoft teams with a standard user (in my case user Dan or Molly). It should then work again, as this is the default behavior in an Office 365 tenant.
Warning
If an owner deletes a team, there is currently no soft deletion. All the content is deleted without backup. The soft-delete feature is on the roadmap.
So, take care not to delete a team site if you are not sure. The underlying group is deleted.
Summary
As we saw in this example, the Office 365 group policies that restrict standard users from creating a new Office 365 group prevent the creation of a new Microsoft team site as well. This works as expected. IT admins can specify whether users are able to create new Office 365 groups and Microsoft teams. This is especially relevant for medium to large organizations that want to prevent a "wild growth" of groups and teams in the organization's Office 365 tenant.
I hope this article helps to configure your Office 365 tenant as needed for your organization.