Friday, November 19, 2021

MS 365 - Restrict creation of teams by modifying group creation permissions

You can restrict Microsoft 365 Group creation, for example, to the members of a particular security group.

To restrict the creation of new teams, you need to modify the Microsoft 365 Groups creation permissions, since every team is backed by a Microsoft 365 Group.

If you want to restrict the creation of new teams to a subset of users, create a security group and use the AzureAD PowerShell module to modify the Azure AD directory settings for the tenant (Microsoft has since deprecated the AzureAD module in favour of Microsoft Graph PowerShell, but the Group.Unified setting it edits is the same). If you run the following script in your environment, users will no longer be able to create Microsoft 365 Groups unless they are a member of the security group you specify in the first line of the script. Keep three caveats in mind: the restriction applies to every workload that creates Microsoft 365 Groups (Outlook, SharePoint, Planner, Teams and so on), not just Teams; existing groups and teams are not affected; and users holding certain admin roles, such as Global Administrator, can still create groups regardless of the setting.

The script will perform the following actions:

  1. Run Connect-AzureAD to connect to the AzureAD PowerShell module.
  2. Get the ObjectID of the Group.Unified directory setting (the setting object for Microsoft 365 Groups) using Get-AzureADDirectorySetting.
  3. If that setting object does not exist yet, create it from the Group.Unified template using New-AzureADDirectorySetting.
  4. Set the EnableGroupCreation value to False so that Microsoft 365 Group (and therefore team) creation is blocked.
  5. Set GroupCreationAllowedGroupId to the ObjectID of your security group so that its members are exempt from the restriction.
  6. Apply the modified setting with Set-AzureADDirectorySetting and display the resulting values.

PowerShell:

# Security group whose members keep the right to create Microsoft 365 Groups (and therefore teams)
$GroupName = "<Your_SecurityGroupName>"

# Directory setting values are stored as strings; "False" blocks creation for everyone else
$AllowGroupCreation = "False"

Connect-AzureAD

# Look up the tenant-wide Group.Unified setting; it only exists once someone has created it
$settingsObjectID = (Get-AzureADDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id

if (!$settingsObjectID) {
    # Instantiate the setting from its template with default values, then re-read its Id
    $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }
    $settingsCopy = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $settingsCopy
    $settingsObjectID = (Get-AzureADDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id
}

$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
$settingsCopy["EnableGroupCreation"] = $AllowGroupCreation

if ($GroupName) {
    # Match the display name exactly: -SearchString is a prefix match and could return several groups,
    # which would write an array (and fail) instead of a single ObjectID
    $allowedGroup = Get-AzureADGroup -Filter "DisplayName eq '$GroupName'"
    if (@($allowedGroup).Count -ne 1) {
        throw "Expected exactly one group named '$GroupName', found $(@($allowedGroup).Count)"
    }
    $settingsCopy["GroupCreationAllowedGroupId"] = $allowedGroup.ObjectId
}

Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

# Show the resulting values for verification
(Get-AzureADDirectorySetting -Id $settingsObjectID).Values
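After applying the restriction you will want to confirm what it actually did and be able to undo it. The following is an added example (not part of the original post): it reads the Group.Unified setting back, resolves GroupCreationAllowedGroupId to the group and its direct user members, and provides a function that restores the default. It assumes the AzureAD module is installed and Connect-AzureAD has already been run; the function names Get-M365GroupCreationPolicy and Restore-M365GroupCreationDefault are chosen for this example and are not AzureAD cmdlets.

```powershell
# Added example: audit and roll back the Group.Unified creation restriction.
# Assumes the AzureAD module is installed and Connect-AzureAD has already been run.

function Get-M365GroupCreationPolicy {
    # Hypothetical helper name; returns who can currently create Microsoft 365 Groups.
    $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
    if (-not $setting) {
        # No Group.Unified object means the tenant runs on template defaults: everyone may create groups
        return [pscustomobject]@{ EnableGroupCreation = $true; AllowedGroup = $null; AllowedMembers = @() }
    }

    # Setting values are strings, so compare the text rather than casting to [bool]
    $enabled = $setting["EnableGroupCreation"] -eq "True"
    $groupId = $setting["GroupCreationAllowedGroupId"]

    $group   = $null
    $members = @()
    if ($groupId) {
        $group = Get-AzureADGroup -ObjectId $groupId
        # Direct members only; -All $true avoids the default page size truncating large groups
        $members = Get-AzureADGroupMember -ObjectId $groupId -All $true |
            Where-Object { $_.ObjectType -eq "User" } |
            Select-Object -ExpandProperty UserPrincipalName
    }

    [pscustomobject]@{
        EnableGroupCreation = $enabled
        AllowedGroup        = $group.DisplayName
        AllowedMembers      = @($members)
    }
}

function Restore-M365GroupCreationDefault {
    # Hypothetical helper name; re-enables creation for all users and clears the allowed group.
    $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
    if (-not $setting) { return }   # nothing to roll back: tenant is already on defaults
    $setting["EnableGroupCreation"]         = "True"
    $setting["GroupCreationAllowedGroupId"] = ""
    Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
}

# Report the effective configuration
$policy = Get-M365GroupCreationPolicy
if ($policy.EnableGroupCreation) {
    "All users can create Microsoft 365 Groups and teams"
} elseif ($policy.AllowedGroup) {
    "Creation restricted to '$($policy.AllowedGroup)' ($($policy.AllowedMembers.Count) direct user members):"
    $policy.AllowedMembers
} else {
    "Creation blocked for every non-admin user (no allowed group configured)"
}

# To undo the restriction, run: Restore-M365GroupCreationDefault
```

The audit reports the configured policy, not every account that can create a team: users holding admin roles such as Global Administrator keep the ability regardless of EnableGroupCreation, and only direct user members of the allowed group are listed, so check nested groups and service principals separately if your group contains them.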
