Microsoft Teams – Check who can create Microsoft 365 Groups / Team and Channels

Hi there. Today I'm walking you through the Microsoft Teams script to check who can create Microsoft 365 Groups. We use security groups (Azure AD synced) or Azure AD dynamic groups (cloud based) to control who can create a Team on Microsoft Teams. That doesn't mean a user can't join a Team by clicking on a request or with a code. You should use this as part of any deployment where you have a controlled environment. Otherwise, you'll find hundreds of Teams and Office 365 Groups created in your M365 tenant.

################################################################
# Author Thiago Beier thiago.beier@gmail.com
# Version: 1.0 – 2020-09-21
#
# Check which Group members can create team on Microsoft based on article https://docs.microsoft.com/en-us/microsoft-365/solutions/manage-creation-of-groups?view=o365-worldwide
# Exports log to %workdir% .log extension
# Exports group members (users and nested group names) to csv
# Toronto, CANADA
# Email: thiago.beier@gmail.com
# https://www.linkedin.com/in/tbeier/
# https://twitter.com/thiagobeier
# https://thiagobeier.wordpress.com
################################################################
# CLIENT-NAME Teams data collection
# Get-AzureADDirectorySetting ships in the AzureADPreview module; connect first:
#Connect-AzureAD
# Create the working directory; change the path if you need the .log and .csv files elsewhere
$workdir = "c:\temp\teams\"
New-Item -ItemType Directory -Path $workdir -Force | Out-Null
# HH gives a 24-hour timestamp, so morning and afternoon runs get distinct file names
$dt = Get-Date -Format yyyy-MM-dd-HHmmss
Start-Transcript (Join-Path $workdir "CLIENT-NAME-Teams-log-$dt.log")
$settingsObjectID = (Get-AzureADDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id
(Get-AzureADDirectorySetting -Id $settingsObjectID).Values
# Retrieve whether CLIENT-NAME uses a specific security group to control who can create Team/Channel on Teams
$findazureadgroup = ((Get-AzureADDirectorySetting -Id $settingsObjectID).Values | Where-Object { $_.Name -like "GroupCreationAllowedGroupId" }).Value
# Retrieve Azure AD group info
Get-AzureADGroup -ObjectId $findazureadgroup
# Export users who have access to create Team and Channels (-All $true returns every member, not only the first page)
Get-AzureADGroupMember -ObjectId $findazureadgroup -All $true | Select-Object DisplayName,UserPrincipalName | Export-Csv (Join-Path $workdir "teams-lockdown-$dt.csv") -NoTypeInformation
Stop-Transcript
################################################################

  Expected output

  • GroupCreationAllowedGroupId = Azure AD Group ID 
  • EnableGroupCreation = False (default is True)
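
The two values only lock the tenant down when they are read together, so here is an added example (not part of the original script) that classifies them. `Get-GroupCreationPosture` is a hypothetical helper name, and the sample values, including the all-zero GUID, are constructed placeholders.

```powershell
# Added example, not part of the original script.
# Get-GroupCreationPosture is a hypothetical helper name.
function Get-GroupCreationPosture {
    param(
        # Name/Value pairs as returned by (Get-AzureADDirectorySetting -Id ...).Values.
        # Pass $null when the tenant has no Group.Unified settings object.
        [object[]]$Values
    )
    if (-not $Values) {
        return [pscustomobject]@{
            Restricted     = $false
            AllowedGroupId = $null
            Finding        = 'No Group.Unified settings object: defaults apply, any user can create groups'
        }
    }
    $enabled = ($Values | Where-Object Name -eq 'EnableGroupCreation').Value
    $groupId = ($Values | Where-Object Name -eq 'GroupCreationAllowedGroupId').Value
    # Setting values are strings; -eq on strings is case-insensitive in PowerShell.
    # A missing EnableGroupCreation value is treated as the default (True).
    $restricted = "$enabled" -eq 'false'
    $finding = if ($restricted -and $groupId) {
        "Locked down: only members of group $groupId can create groups"
    } elseif ($restricted) {
        'EnableGroupCreation is False but no allowed group is set'
    } elseif ($groupId) {
        "Not locked down: EnableGroupCreation is True, so group $groupId is not enforced"
    } else {
        'Not locked down: any user can create groups'
    }
    [pscustomobject]@{
        Restricted     = $restricted
        AllowedGroupId = $groupId
        Finding        = $finding
    }
}

# Constructed sample values (not from a real tenant): a group ID is configured,
# but EnableGroupCreation was left at its default of True.
$sample = @(
    [pscustomobject]@{ Name = 'EnableGroupCreation'; Value = 'True' }
    [pscustomobject]@{ Name = 'GroupCreationAllowedGroupId'; Value = '00000000-0000-0000-0000-000000000000' }
)
Get-GroupCreationPosture -Values $sample | Format-List

# Against a live tenant, pass the values the script above retrieves:
# Get-GroupCreationPosture -Values (Get-AzureADDirectorySetting -Id $settingsObjectID).Values
```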

 

References

https://docs.microsoft.com/en-us/microsoft-365/solutions/manage-creation-of-groups?view=o365-worldwide

Check my Github repository

Thanks,

Thiago Beier