How to restrict Group and Teams Creation with MSGraph

-

 You're right! Since AzureAD and MSOnline modules are deprecated, you need to use the Microsoft Graph PowerShell SDK to retrieve the group ID.

Solution Using Microsoft Graph PowerShell

You must have a M365 group created first and define the membership : Allowed Group Creators.

1. Install and Connect to Microsoft Graph PowerShell

If you haven't installed it yet, run:

Install-Module Microsoft.Graph -Scope CurrentUser

Then, sign in with an Admin account:

Connect-MgGraph -Scopes "Group.Read.All", "Directory.ReadWrite.All"

If prompted, grant admin consent for the required permissions.

2. Get the Security Group ID

Since Get-AzureADGroup no longer works, use this instead:

Get-MgGroup -Filter "displayName eq 'Allowed Group Creators'"

Copy the Id from the output (this is the Object ID needed for the restriction).

3. Apply Group Creation Restriction

Run the following PowerShell commands to modify the Microsoft 365 Group Creation Policy:

$GroupID = "<Paste-the-Group-Id-Here>", like 95e69920-xyz-4960-8899-ee1f12345

# Retrieve existing directory settings
$Settings = Get-MgBetaDirectorySetting | Where-Object {$_.DisplayName -eq "Group.Unified"}

# If no settings exist, create one
if (-not $Settings) {
    $Template = Get-MgBetaDirectorySettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
    $Settings = New-MgBetaDirectorySetting -TemplateId $Template.Id
}

# Update settings to restrict group creation
Update-MgBetaDirectorySetting -DirectorySettingId $Settings.Id -Values @{'EnableGroupCreation'='false'; 'GroupCreationAllowedGroupId'=$GroupID}

4. Verify the Restriction

Now, test:
Admins & the specific user → Should be able to create Teams & Groups.
Other users → Should be blocked from creating Groups/Teams.

This method ensures that only the designated users can create Teams, Planner workspaces, and SharePoint Team sites.

Or simply use the Admin Center in Entra AD:




Comments

Post a Comment

Popular posts from this blog

How to hide users from GAL if they are AD Connect synchronized

-
Image
How to hide and un-hide users from Global Address List (GAL) in Exchange Online if they are AD Connect synchronized Hiding User from GAL isn't possible if those are synchronized form On-Premises Active Directory. The local AD is the leading system for all important attributes, like SMTP, UPN and hiding from GAL. Especially during a cross-tenant migration, you do not want to see not migrated user in the GAL. Those User aren't actively working until their cut-over day. Since the Exchange Online attribute  msExchHideFromAddressList s is an AD on-premises parameter, we have two possible ways hiding user in BME from GAL.   Modify the AD Connect for your teant with a custom rule, by using a extensionAttribute to set the HidefromGAL. In this rule, for users which have an entry in the extensionAttribute, hiding / un-hiding will be controlled by AD Connect This is the best option for Cross-Tenant Migration, if you run 2 or more AD Connect system We direct modif...
Read more

Exchange x500 address x500:/o=ExchangeLabs

-
Image
 You have Exchange Hybrid in place. Now you wonder about an address with you see on-premises with all users. This address has the following format: x500:/o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOxxxxxx)/cn=Recipients/cn=234xxxx This address is now found in the Exchange proxyAddresses in On-Premises as well as in Entra ID. Additionally you will see them in msExchShadowProxyAddresses The ExchangeLabs is Microsoft internal Exchange Online Organization and therefore needed. This x500 address is created in Exchange Online and sync'ed via Azure AD Connect (Entra ID Connect) back on-premises. If you delete this address on-premises, the connection between will sync this Cloud leading attribute back to on-premisses. If you have multiple Domains and Active Directories connected to your Tenant, this x500 address from your tenant will be added to ALL users. Also to users which are from an local AD without Exchange / Exchange Hybrid. As long AAD Connect/ Entra ID Connect will...
Read more

MFA with Guest Access and different tenants settings

-
Image
There is an update regarding MFA Multi Factor Authentication. If you are guest with a different Tenant, the MFA Settings are now reflecting the settings of all tenants in a different way. Each MFA setting is reflected and you can setup your MFA device as per tenant and the admin settings allow. Login to your Profile in Office 365/ Azure AD: https://account.activedirectory.windowsazure.com/r/#/profile or https://myapps.microsoft.com Go to your PROFILE: Sign in to https://myapps.microsoft.com Select your account name in the top right, then select profile. Select Additional security verification. If might be happen, your admin hast configured MFA, so you wouldn't see this menu. Simply switch the tenant to the guest tenant where you need to configure MFA. Once you go back to your profile and you will find the MFA device and other settings a usual:
Read more