Managing Microsoft 365 Group Creation Permissions: Allowing Specific Users to Create Teams

In Microsoft 365, everyone can create groups by default, which enables seamless collaboration across Teams, Outlook, SharePoint, and more. However, organizations may want to limit this to specific users, such as team leads or trained staff, to manage resources and maintain compliance. In this guide, we’ll configure permissions so that only selected users can create Microsoft 365 Groups and Teams.

(Image – 1 showing the message received when a restricted user attempts to create a team.)

Why Enable Group Creation for Specific Users?

By limiting group creation permissions to a designated set of users, you gain greater control over the Teams environment and avoid unnecessary or non-compliant teams being created. This setup allows only approved users to create groups across various services, like Microsoft Teams, while keeping everyone else’s permissions restricted.

Note: These restrictions impact various Microsoft services, including Outlook, SharePoint, Viva Engage, and Planner, along with Teams.

Key Roles That Retain Group Creation Abilities

Certain admin roles retain permissions to create Microsoft 365 Groups, even if general creation permissions are restricted:

- Global Admins: Can create groups in the Microsoft 365 admin center, Exchange, SharePoint
- Teams Service Admins: Can create groups in the Teams admin center, Microsoft Entra ID
- SharePoint Admins: Can create groups in SharePoint admin center, Microsoft Entra ID

Admins in these roles can create groups for restricted users and assign them as group owners.

Steps to Enable Group Creation for a Specific Group of Users

Let’s go through the process of allowing only members of a designated group to create Microsoft 365 Groups, particularly in Teams.

Step 1: Create a Group to Control Permissions

Begin by creating a group in Microsoft 365 for the users who should be able to create Microsoft 365 Groups:

- Open the Microsoft 365 Admin Center and go to Groups.
- Click Add a Group and choose the group type.
- Name your group (e.g., “Group Creators”) and add the people you want to allow group creation as members (not as owners).

Tip: You can add multiple people or even nest other groups under this main group for more flexible control.

(Image – 2 Created Group)

Step 2: Run PowerShell Commands to Apply Settings

Next, we’ll use PowerShell to update settings and allow only the users in your newly created group to create Microsoft 365 Groups:

- Install the Microsoft Graph PowerShell Beta module if you haven’t already. Run Update-Module Microsoft.Graph.Beta to ensure it’s up to date.
- Copy the following script into a text editor, replacing <GroupName> with the name of the group created in Step 1.

    # Cmdlets for directory settings and groups (Microsoft Graph beta endpoint)
    Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
    Import-Module Microsoft.Graph.Beta.Groups

    Connect-MgGraph -Scopes "Directory.ReadWrite.All", "Group.Read.All"

    $GroupName = "<GroupName>"
    $AllowGroupCreation = "False"

    # Find the tenant's Group.Unified settings object, if one exists
    $settingsObjectID = (Get-MgBetaDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id

    # No settings object yet: create one from the Group.Unified template
    if(!$settingsObjectID)
    {
        $params = @{
            templateId = "62375ab9-6b52-47ed-826b-58e47e0e304b"
            values = @(
                @{
                    name = "EnableMSStandardBlockedWords"
                    value = "true"
                }
            )
        }

        New-MgBetaDirectorySetting -BodyParameter $params

        $settingsObjectID = (Get-MgBetaDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).Id
    }

    # -All pages through every group; without it only the first page of results is searched
    $groupId = (Get-MgBetaGroup -All | Where-object {$_.displayname -eq $GroupName}).Id
    # Stop here rather than write an empty allowed-group ID alongside EnableGroupCreation = False
    if(!$groupId) { throw "Group '$GroupName' not found" }

    $params = @{
        templateId = "62375ab9-6b52-47ed-826b-58e47e0e304b"
        values = @(
            @{
                name = "EnableGroupCreation"
                value = $AllowGroupCreation
            }
            @{
                name = "GroupCreationAllowedGroupId"
                value = $groupId
            }
        )
    }

    Update-MgBetaDirectorySetting -DirectorySettingId $settingsObjectID -BodyParameter $params

    # Show the values now stored in the settings object
    (Get-MgBetaDirectorySetting -DirectorySettingId $settingsObjectID).Values

Important: If you want to switch to a different group in the future, update $GroupName in the script with the new group name and rerun the script.

- Save the file as GroupCreators.ps1.
- Open PowerShell, navigate to the file location, and run:

    .\GroupCreators.ps1

(Image – 3 Result After executing the Script)

Step 3: Verify the Changes

After updating, allow about 30 minutes for the changes to take effect. Here’s how to verify:

- Log in with a user account that is not a member of the “Group Creators” group.
- Open Microsoft Teams and attempt to create a new team. You should see a message indicating that team creation is disabled.
- Now, try the same with a user who is a member of the “Group Creators” group. They should be able to create a team successfully.

Reference

https://learn.microsoft.com/en-us/microsoft-365/solutions/manage-creation-of-groups?view=o365-worldwide
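
A read-only audit that complements the Step 3 sign-in test by reporting what the Group.Unified setting currently enforces and which users can create groups through the allowed group. This is an added example, not part of the original article or of Microsoft's script; the function name Get-GroupCreationAudit and the reduced read-only scopes are assumptions made for illustration.

```powershell
# Added example: read-only audit of the group creation restriction.
Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Beta.Groups

# Read scopes are enough for an audit; no ReadWrite consent is requested.
Connect-MgGraph -Scopes "Directory.Read.All", "GroupMember.Read.All"

function New-AuditResult($Restricted, $Finding, $Creators = @()) {
    [pscustomobject]@{ Restricted = $Restricted; Finding = $Finding; Creators = @($Creators) }
}

# Get-GroupCreationAudit is a hypothetical helper name used only in this example.
function Get-GroupCreationAudit {
    $setting = Get-MgBetaDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
    if (-not $setting) {
        # No settings object: tenant defaults apply and everyone can create groups.
        return New-AuditResult $false "No Group.Unified settings object exists"
    }

    # Flatten the name/value pairs into a lookup table.
    $values = @{}
    foreach ($v in $setting.Values) { $values[$v.Name] = $v.Value }

    # String comparison with -ne is case-insensitive, so "False" and "false" both pass.
    if ("$($values['EnableGroupCreation'])" -ne "false") {
        return New-AuditResult $false "EnableGroupCreation is not false"
    }

    $allowedId = $values['GroupCreationAllowedGroupId']
    if ([string]::IsNullOrWhiteSpace($allowedId)) {
        return New-AuditResult $true "No allowed group is set; only the retained admin roles can create groups"
    }

    $group = Get-MgBetaGroup -GroupId $allowedId -ErrorAction SilentlyContinue
    if (-not $group) {
        return New-AuditResult $true "Allowed group ID $allowedId does not resolve to an existing group"
    }

    # Transitive membership, because the Tip in Step 1 allows nesting other groups.
    $creators = Get-MgBetaGroupTransitiveMember -GroupId $allowedId -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } | Sort-Object

    New-AuditResult $true "Creation limited to members of '$($group.DisplayName)'" $creators
}

$audit = Get-GroupCreationAudit
$audit | Format-List Restricted, Finding
$audit.Creators
```

Comparing the Creators list against the intended roster on a schedule surfaces membership drift, including users who gained the right through a nested group.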
