Microsoft Teams Governance Part 1: Microsoft Teams Permissions

Microsoft Teams is one of the fastest-growing products in Microsoft’s history. Two years ago, when Teams became available, there was an across-the-board suspicion about its future. Not without reason: Microsoft’s attempts at social collaboration were not always successful. They would frequently try a lot of different things to see what worked. SharePoint got its social features in 2013, which were soon made redundant by the acquisition of Yammer. Slack even wrote an “open letter” to Microsoft (https://slackhq.com/dear-microsoft), teasingly explaining to them how to collaborate.

Soon it became clear that Microsoft would place all its bets on Teams. Luckily, I had the privilege of being in the preview program right from the start. Microsoft was listening to its partners, customers, and us MVPs from day one. With collective voice, structured chat with bots and integrations, and a completely new concept of tabs, where users could configure their custom applications within the teams, it was a winning idea from the start.

There are some things even today which don’t work as they should (khmkhm.. switching between multiple identities, and between the tenants those identities belong to), but in general, the direction was good. Now they have a better integration of Teams with SharePoint, Power Apps, and Planner. Information workers now have a powerful “cockpit” where they can do a good portion of their work. Soon – way sooner than anyone would have expected – Slack was regretting that open letter.

Why we need Microsoft Teams governance 

However, with products and services that get adopted that easily, customers will eventually need to think about governance. How many Teams do we have in the company? Who created them in the past, and who can create them now? The files are stored in SharePoint Online, but how do Teams permissions work with SharePoint permissions? What happens when a user shares a file from SharePoint, and how is it different from sharing using Teams? How do you handle external users?  

This blog post series will tackle those and other questions related to Microsoft Teams governance. In this first blog, we will discuss who is allowed to create Teams within your environment.

Who can create a new team in Microsoft Teams? 

The answer to the first question – who can create Teams in your environment – is easy, and not always a satisfactory one: everyone can. I know companies that stopped their Teams rollout only a few weeks in, after they got a few thousand Teams in their environment. This is the moment when we can clearly see that we need a governance plan from day one when rolling out Microsoft Teams. “Adding” governance later is possible, but more difficult.

Every Microsoft Team is backed by an Office 365 group, so whoever can create an Office 365 Group can also create a Team. Giving everyone permission to create Office 365 groups is generally a bad idea in the first place (it also lets them create all the other Group-based Office 365 services, such as Microsoft Planner plans), so the best approach is to limit the set of users who can create Office 365 groups.

Making changes in Azure Active Directory

However, Office 365 Groups are just representations of the Azure Active Directory groups inside the Azure Portal, and this is where we need to make some changes.  

Microsoft Teams in Azure Active Directory

When we open the Azure Active Directory in the Azure Portal and select the “Groups” option, we get the list of ALL groups in the environment. The groups that are created through Office 365 and have related interfaces (such as when creating new Teams, Plans, etc.) will be marked with the “Office” group type.

All groups in Azure Active Directory

Please see the “GroupAdmins” group above, which is marked as a “Security” group: this is the group which we have created either in Azure AD within the Azure Portal, or Groups within the Microsoft 365 Admin Portal.

Limit access for creating Microsoft Teams

We are going to use that group to limit group creation to members of the “GroupAdmins” group only. There is no setting for this in the portal UI, so we will need to use PowerShell.

Please note: the author reports that this procedure works with Azure AD basic, without a premium license. Microsoft’s own documentation for this feature has listed an Azure AD Premium licensing requirement for the members of the allowed group, so check the current licensing guidance for your tenant before relying on it.

To make this work, we will use PowerShell to create an Azure Active Directory Setting for that. We will need an AzureADPreview module to do this: 

#If not already installed...
Install-Module AzureADPreview
Import-Module AzureADPreview

Note: at the time of writing, it is still necessary to use the “AzureADPreview” PowerShell module, since the “AzureAD” module does not provide the cmdlets for working with AAD directory setting templates (Get-AzureADDirectorySettingTemplate and the *-AzureADDirectorySetting cmdlets). Both modules have since been deprecated by Microsoft in favour of Microsoft Graph PowerShell, so check which module your tenant tooling still supports.

Next up is connecting to Azure AD 

Connect-AzureAD

This opens the Azure AD sign-in window, where we log in with an account that has administrative rights on the tenant.

Next, we need to check if our “GroupAdmins” is already there 

Get-AzureADGroup -SearchString "GroupAdmins"

If it is, we should be getting the group info, like this: 

Get Group info in Azure Active Directory

If the PowerShell cmdlet does not return something, please check the group name and if the group has been created through the Azure portal (Azure Active Directory) or through the Microsoft 365 Admin Portal (Groups).  

Using Azure Active Directory templates

To start, we are going to use Azure Active Directory templates. You can configure different AAD options using AAD templates. Two of those templates – “Group.Unified” and “Group.Unified.Guest” are meant to work with the Groups within Azure Active Directory.  

So we are going to use the “Group.Unified” template to create a new Azure Active Directory Setting based on that template, limiting the group creation capabilities only to the members of our “GroupAdmins” group.

It is a good idea to first check if a setting based on the “Group.Unified” AAD template already exists there, and to see if that setting may already contain some of the values which indicate that the group creation has been limited.

(Get-AzureADDirectorySetting).Values

Create a new Azure Active Directory Setting

In the case above, we see that there are no AAD settings at all, so it is safe for us to create a new one. 

The first step will be to retrieve the “Group.Unified” template from Azure AD. We will then create a new setting based on that template, and then add it to the AAD settings collection:

# Fetch the Group.Unified template, instantiate a setting from it and register it in the tenant
$Template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq 'Group.Unified' }
$Setting = $Template.CreateDirectorySetting()
New-AzureADDirectorySetting -DirectorySetting $Setting

Disabling Office 365 Groups and Microsoft Teams creation

The next step will change the “EnableGroupCreation” and “GroupCreationAllowedGroupId” properties of this setting. We will set the “EnableGroupCreation” to false. This tells the Azure Active Directory to disable the creation of Office 365 Groups. We will then make an exception to that rule by setting the “GroupCreationAllowedGroupId” property to the ID of our security group. This says to the Azure Active Directory that the people who are members of that group can still create groups.

$Setting["EnableGroupCreation"] = $False
$Setting["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString "GroupAdmins").ObjectId

In the end, we will “save” this setting back to the Azure Active Directory.  

Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | Where-Object -Property DisplayName -Value "Group.Unified" -EQ).Id -DirectorySetting $Setting

Now, if we get the applied AAD settings with the same command from above again: 

(Get-AzureADDirectorySetting).Values

We will see that we do have settings applied to AAD now. Besides the settings that we have set (“EnableGroupCreation” and “GroupCreationAllowedGroupId”), you can notice some more interesting settings. These include controlling what guests can do and which states they can have, blocked words, etc.

Setting applied to Azure Active Directory
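The steps above work on a tenant that has no Group.Unified setting yet. As an added example (not code from the original post), the following function wraps the same cmdlets into an idempotent version: it reuses an existing Group.Unified setting instead of failing on New-AzureADDirectorySetting, refuses ambiguous group names, and reads the result back from the directory. It assumes the AzureADPreview module is loaded, Connect-AzureAD has already been run with an administrative account, and a group named "GroupAdmins" exists; the function name and its parameter are this example's own.

```powershell
# Added example, not from the original post. Assumes AzureADPreview is loaded and
# Connect-AzureAD has been run. Function/parameter names are this example's own.
function Set-GroupCreationRestriction {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$AllowedGroupName
    )

    # 1. Resolve the allowed group and insist on exactly one exact-name match.
    #    -SearchString is a "starts with" match, so "GroupAdmins" would also match
    #    "GroupAdmins-Test"; restricting creation to the wrong group fails silently.
    $candidates = @(Get-AzureADGroup -SearchString $AllowedGroupName |
                    Where-Object { $_.DisplayName -eq $AllowedGroupName })
    if ($candidates.Count -ne 1) {
        throw "Expected exactly one group named '$AllowedGroupName', found $($candidates.Count)."
    }
    $group = $candidates[0]

    # 2. Reuse an existing Group.Unified setting if there is one. New-AzureADDirectorySetting
    #    fails when a setting for that template already exists, and re-creating it would also
    #    discard other values already stored there (blocked words, guest policy, ...).
    $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
    $isNew = ($null -eq $setting)
    if ($isNew) {
        $template = Get-AzureADDirectorySettingTemplate |
                    Where-Object { $_.DisplayName -eq 'Group.Unified' }
        $setting = $template.CreateDirectorySetting()
    }

    # 3. Values in a directory setting are stored as strings, hence 'False' rather than $false.
    $setting['EnableGroupCreation'] = 'False'
    $setting['GroupCreationAllowedGroupId'] = $group.ObjectId

    if ($isNew) {
        if ($PSCmdlet.ShouldProcess('Group.Unified', 'Create directory setting')) {
            New-AzureADDirectorySetting -DirectorySetting $setting | Out-Null
        }
    }
    elseif ($PSCmdlet.ShouldProcess('Group.Unified', 'Update directory setting')) {
        Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
    }

    # 4. Read the setting back from the directory (not from the local object) and report it.
    $applied = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
    $values = @{}
    foreach ($v in $applied.Values) { $values[$v.Name] = $v.Value }
    [pscustomobject]@{
        EnableGroupCreation         = $values['EnableGroupCreation']
        GroupCreationAllowedGroupId = $values['GroupCreationAllowedGroupId']
        AllowedGroupDisplayName     = $group.DisplayName
        Consistent                  = ($values['GroupCreationAllowedGroupId'] -eq $group.ObjectId)
    }
}

# Dry run first (shows what would be created or updated), then apply for real.
Set-GroupCreationRestriction -AllowedGroupName 'GroupAdmins' -WhatIf
Set-GroupCreationRestriction -AllowedGroupName 'GroupAdmins'
```

The "Consistent" field is the check worth keeping in a provisioning script: it is only true once the directory itself reports the ObjectId of the intended group. To revert, set EnableGroupCreation back to 'True' with Set-AzureADDirectorySetting, or drop the whole setting with Remove-AzureADDirectorySetting -Id and the tenant falls back to its default of letting everyone create groups.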

Testing Microsoft Teams permissions limits

So, let’s try to create a team now with a user who’s not a member of the abovementioned group. While that user will still see the “Create team” button for the next 30-60 minutes (it takes some time for Teams to propagate those settings from the Azure Active Directory), they will not be able to create it: 

Microsoft Teams Permissions Limitations

Soon, the “Create team” button will disappear from the user interface for that user altogether.

If we try to create a group-based SharePoint site, a plan in Planner, or any other Group-based Microsoft 365 service, we will get the appropriate – sometimes nice, sometimes less nice – error messages.

For example, here I am trying to create a “TestPlan” plan in Planner, with a user who is not a member of the GroupAdmins group:

No Microsoft Teams permissions
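Clicking through the Teams and Planner UIs as a test user is slow, and the Teams client can lag the directory by the 30-60 minutes mentioned above. As an added example (not code from the original post), this helper answers the same question straight from the directory setting: is a given user allowed to create groups, and why. It assumes an existing Connect-AzureAD session with the AzureADPreview module and a restriction configured with a single allowed group, as in the post; it checks direct membership of that group only, and the function name is this example's own.

```powershell
# Added example, not from the original post. Assumes Connect-AzureAD has been run
# (AzureADPreview). Function name is this example's own; checks direct membership only.
function Test-GroupCreationAllowed {
    param(
        [Parameter(Mandatory = $true)]
        [string]$UserPrincipalName
    )

    $result = [ordered]@{
        User         = $UserPrincipalName
        Allowed      = $null
        Reason       = $null
        AllowedGroup = $null
    }

    $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
    if (-not $setting) {
        # No Group.Unified setting at all: the tenant default applies and everyone can create groups.
        $result.Allowed = $true
        $result.Reason  = 'No Group.Unified setting exists; tenant default allows creation'
        return [pscustomobject]$result
    }

    # Flatten the Name/Value pairs into a hashtable for readable lookups.
    $values = @{}
    foreach ($v in $setting.Values) { $values[$v.Name] = $v.Value }

    # Values are strings; -ne is case-insensitive, so 'false' and 'False' both count as disabled.
    if ($values['EnableGroupCreation'] -ne 'False') {
        $result.Allowed = $true
        $result.Reason  = "EnableGroupCreation is '$($values['EnableGroupCreation'])'"
        return [pscustomobject]$result
    }

    $allowedGroupId = $values['GroupCreationAllowedGroupId']
    if ([string]::IsNullOrWhiteSpace($allowedGroupId)) {
        # Creation disabled with no exception group: nobody (including admins) can create groups.
        $result.Allowed = $false
        $result.Reason  = 'Creation is disabled and no exception group is configured'
        return [pscustomobject]$result
    }

    # Resolve the exception group and test the user's direct membership in it.
    $allowedGroup = Get-AzureADGroup -ObjectId $allowedGroupId
    $result.AllowedGroup = $allowedGroup.DisplayName
    $user      = Get-AzureADUser -ObjectId $UserPrincipalName
    $memberIds = (Get-AzureADGroupMember -ObjectId $allowedGroupId -All $true).ObjectId

    $result.Allowed = $memberIds -contains $user.ObjectId
    $result.Reason  = if ($result.Allowed) {
        "Direct member of exception group '$($allowedGroup.DisplayName)'"
    } else {
        "Creation disabled and user is not a direct member of '$($allowedGroup.DisplayName)'"
    }
    [pscustomobject]$result
}

# Example call with a constructed UPN; replace with a real user in your tenant.
Test-GroupCreationAllowed -UserPrincipalName 'someone@contoso.com'
```

Running this for the test user before and after adding them to GroupAdmins gives an immediate answer from the directory, independent of how long the Teams client takes to pick the change up; the "no exception group" branch is the misconfiguration to watch for, since it locks out the admins as well.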

In this article, I’ve shown you how to limit the Office 365 Groups creation – and thus Microsoft Teams Creation – only to a specified group of users. With this in place, you can relatively easily build your Microsoft Teams provisioning solution. This would include requests, approvals, and creation.

In the next article, I will be talking about the content (sites, libraries, and files) permissions in Teams, and how they correlate with underlying SharePoint permissions.
