Why Enable Group Creation for Specific Users?
By limiting group creation permissions to a designated set of users, you gain greater control over the Teams environment and avoid unnecessary or non-compliant teams being created. This setup allows only approved users to create groups across various services, like Microsoft Teams, while keeping everyone else’s permissions restricted.
Note: These restrictions impact various Microsoft services, including Outlook, SharePoint, Viva Engage, and Planner, along with Teams.
Key Roles That Retain Group Creation Abilities
Certain admin roles retain permissions to create Microsoft 365 Groups, even if general creation permissions are restricted:
- Global Admins: Can create groups in the Microsoft 365 admin center, Exchange, SharePoint
- Teams Service Admins: Can create groups in the Teams admin center, Microsoft Entra ID
- SharePoint Admins: Can create groups in SharePoint admin center, Microsoft Entra ID
Admins in these roles can create groups for restricted users and assign them as group owners.
Steps to Enable Group Creation for a Specific Group of Users
Let’s go through the process of allowing only members of a designated group to create Microsoft 365 Groups, particularly in Teams.
Step 1: Create a Group to Control Permissions
Begin by creating a group in Microsoft 365 for the users who should be able to create Microsoft 365 Groups:
- Open the Microsoft 365 Admin Center and go to Groups.
- Click Add a Group and choose the group type.
- Name your group (e.g., “Group Creators”) and add the people you want to allow group creation as members (not as owners).
Tip: You can add multiple people or even nest other groups under this main group for more flexible control.
Step 2: Run PowerShell Commands to Apply Settings
Next, we’ll use PowerShell to update settings and allow only the users in your newly created group to create Microsoft 365 Groups:
- Install the Microsoft Graph PowerShell Beta module if you haven’t already. Run Update-Module Microsoft.Graph.Beta to ensure it’s up to date.
- Copy the following script into a text editor, replacing <GroupName> with the name of the group created in Step 1.
    Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
    Import-Module Microsoft.Graph.Beta.Groups

    # Directory.ReadWrite.All is needed to change directory settings.
    Connect-MgGraph -Scopes "Directory.ReadWrite.All", "Group.Read.All"

    $GroupName = "<GroupName>"
    $AllowGroupCreation = "False"

    # Look for an existing Group.Unified settings object in the tenant.
    $settingsObjectID = (Get-MgBetaDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id

    if (!$settingsObjectID)
    {
        # None exists yet: create one from the Group.Unified template.
        $params = @{
            templateId = "62375ab9-6b52-47ed-826b-58e47e0e304b"
            values = @(
                @{
                    name = "EnableMSStandardBlockedWords"
                    value = "true"
                }
            )
        }

        New-MgBetaDirectorySetting -BodyParameter $params

        $settingsObjectID = (Get-MgBetaDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id
    }

    # Filter server-side: an unfiltered Get-MgBetaGroup returns only the first page of groups.
    $groupId = (Get-MgBetaGroup -Filter "displayName eq '$GroupName'").Id

    # Stop before writing an empty or ambiguous group ID into the setting.
    if (-not $groupId -or @($groupId).Count -ne 1)
    {
        throw "Expected exactly one group named '$GroupName'."
    }

    $params = @{
        templateId = "62375ab9-6b52-47ed-826b-58e47e0e304b"
        values = @(
            @{
                name = "EnableGroupCreation"
                value = $AllowGroupCreation
            }
            @{
                name = "GroupCreationAllowedGroupId"
                value = $groupId
            }
        )
    }

    Update-MgBetaDirectorySetting -DirectorySettingId $settingsObjectID -BodyParameter $params

    # Print the resulting values so the change can be confirmed.
    (Get-MgBetaDirectorySetting -DirectorySettingId $settingsObjectID).Values
Important: If you want to switch to a different group in the future, update $GroupName in the script with the new group name and rerun the script.
- Save the file as GroupCreators.ps1.
- Open PowerShell, navigate to the file location, and run:
    .\GroupCreators.ps1
Step 3: Verify the Changes
After updating, allow about 30 minutes for the changes to take effect. Here’s how to verify:
- Log in with a user account that is not a member of the “Group Creators” group.
- Open Microsoft Teams and attempt to create a new team. You should see a message indicating that team creation is disabled.
- Now, try the same with a user who is a member of the “Group Creators” group. They should be able to create a team successfully.
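To complement the sign-in test, the following read-only audit reports what the Group.Unified setting currently allows and who ends up with the right to create groups. It is an added example, not part of the original page; the function names Get-GroupCreationState and Get-GroupCreationAudit are hypothetical, and the sample values are constructed.

```powershell
# Added example: read-only audit of the Group.Unified directory setting.
function Get-GroupCreationState {
    # $Values: the Name/Value pairs from a directory setting's .Values property.
    param([object[]]$Values)
    $map = @{}
    foreach ($v in $Values) { $map[$v.Name] = [string]$v.Value }
    $allowedId = $map['GroupCreationAllowedGroupId']
    if ($map['EnableGroupCreation'] -ne 'false') {
        'Unrestricted'      # setting absent or "true": any user can create groups
    } elseif ([string]::IsNullOrWhiteSpace($allowedId)) {
        'AdminRolesOnly'    # creation disabled and no allowed group configured
    } else {
        'RestrictedToGroup'
    }
}

function Get-GroupCreationAudit {
    Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
    Import-Module Microsoft.Graph.Beta.Groups
    $setting = Get-MgBetaDirectorySetting |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }
    $state  = Get-GroupCreationState -Values $setting.Values
    $report = [ordered]@{ State = $state; AllowedGroup = $null; Creators = @() }
    if ($state -eq 'RestrictedToGroup') {
        $id = ($setting.Values |
            Where-Object Name -eq 'GroupCreationAllowedGroupId').Value
        $report.AllowedGroup = (Get-MgBetaGroup -GroupId $id).DisplayName
        # Transitive members, because Step 1 allows nesting groups under the main group.
        $report.Creators = Get-MgBetaGroupTransitiveMember -GroupId $id -All |
            Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
            ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
            Sort-Object
    }
    [pscustomobject]$report
}

# Offline check with constructed sample values (the GUID is made up):
$sample = @(
    [pscustomobject]@{ Name = 'EnableGroupCreation'; Value = 'False' }
    [pscustomobject]@{ Name = 'GroupCreationAllowedGroupId'
                       Value = '00000000-0000-0000-0000-000000000000' }
)
Get-GroupCreationState -Values $sample

# Against a tenant, using read-only scopes:
# Connect-MgGraph -Scopes "Directory.Read.All", "Group.Read.All"
# Get-GroupCreationAudit | Format-List
```

Reviewing the Creators list after each membership change shows whether nested groups have widened the set of users who can create groups beyond what was intended.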