Teams creation governance example using PowerShell


There are a lot of different ways to govern how Teams get created. Some companies allow everyone to create Teams, opening M365 up to content sprawl and data duplication. Others lock everything down so tightly that it is impossible to use. In my job, I created a way that I would like to think splits the difference. This method:
  • Locks down group creation, but lets anyone request a Team
  • Requires approval before a Team is created
  • Creates the Team automatically after approval using PowerShell
This is what I did to set that up:

Lock Down M365 group creation

The first step is to restrict M365 group creation to a small group of people. I chose the IT department, but the group can be as large or small as you want. Just make sure the Teams admin service account used by the PowerShell script is a member of it, so it is still allowed to create M365 groups.
The process to lock down group creation is detailed here: 
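As an added example (not from the original post, which points to Microsoft's own instructions for this step), here is the lock-down done with the Microsoft Graph PowerShell SDK. It restricts M365 group creation to the members of one security group; the group name "Team Creators" is an assumption, as is the account you sign in with, which needs Directory.ReadWrite.All.

```powershell
# Added example: restrict Microsoft 365 group creation to members of one security group.
# Uses the Microsoft Graph PowerShell SDK; directory settings live in the beta module.
# The security group name is an assumption for illustration.
Install-Module Microsoft.Graph.Beta.Identity.DirectoryManagement -Scope CurrentUser -Force
Install-Module Microsoft.Graph.Groups -Scope CurrentUser -Force

Connect-MgGraph -Scopes "Directory.ReadWrite.All", "Group.Read.All"

$AllowedGroupName = "Team Creators"   # assumed: security group whose members may create groups

# Resolve the security group that stays allowed to create Microsoft 365 groups.
$allowedGroup = Get-MgGroup -Filter "displayName eq '$AllowedGroupName'"
if (-not $allowedGroup) { throw "Security group '$AllowedGroupName' not found" }
if (@($allowedGroup).Count -ne 1) { throw "Group name '$AllowedGroupName' is ambiguous" }

# The tenant-wide Group.Unified settings object only exists once someone has created it
# from the template, so look for both.
$template = Get-MgBetaDirectorySettingTemplate | Where-Object DisplayName -eq "Group.Unified"
$setting  = Get-MgBetaDirectorySetting         | Where-Object DisplayName -eq "Group.Unified"

$values = @(
    @{ name = "EnableGroupCreation";         value = "False" }
    @{ name = "GroupCreationAllowedGroupId"; value = $allowedGroup.Id }
)

if (-not $setting) {
    New-MgBetaDirectorySetting -BodyParameter @{ templateId = $template.Id; values = $values }
}
else {
    Update-MgBetaDirectorySetting -DirectorySettingId $setting.Id `
        -BodyParameter @{ templateId = $template.Id; values = $values }
}

# Verify what the tenant now enforces before handing the script to the next step.
(Get-MgBetaDirectorySetting | Where-Object DisplayName -eq "Group.Unified").Values |
    Where-Object { $_.Name -in "EnableGroupCreation", "GroupCreationAllowedGroupId" }
```

Two things to check after running it: the verification output should show EnableGroupCreation as False and GroupCreationAllowedGroupId set to your group's object id, and you should test with an ordinary user account rather than an admin, because directory roles such as Global Administrator are exempt from this setting and can still create groups.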

Create a PowerShell Script

Copy this PowerShell script and save it as a .ps1 file. You will need to change the variables at the top of the script (the service account credential, and the Team focus, department, project, visibility, owners and channels) to match your environment. Two caveats before you deploy it: the password is sitting in clear text in the script, so restrict who can read the file, or better, have your automation platform inject the credential from its own secret store at run time; and Connect-MicrosoftTeams -Credential will not work for an account that has MFA enforced, so for unattended runs you will either need to exempt the service account from MFA or switch to the module's certificate-based application authentication (Connect-MicrosoftTeams -ApplicationId -TenantId -CertificateThumbprint).

Install-Module -Name MicrosoftTeams -Force -AllowClobber

# Service account credential. Storing the password here is the weak spot of this approach:
# keep the .ps1 in a restricted location, or have the automation platform supply the
# credential from its secret store at run time instead of hard-coding it.
$username = "TeamsAdmin@contoso.com"
$password = ConvertTo-SecureString "TeamsAdminPassword" -AsPlainText -Force
$psCred = New-Object System.Management.Automation.PSCredential -ArgumentList ($username, $password)
Connect-MicrosoftTeams -Credential $psCred

# Values the ticketing system fills in from the request
$TeamFocus = "Department"   # "Department", "Project", or anything else
$TeamDept = "Accounting"
$TeamProject = "Accounts Payable"
$TeamDescription = "Description for the Team " + $TeamDept + ", " + $TeamProject
$TeamVisibility = "Public" # or "Private"
$TeamOwner1 = "TeamsAdmin@contoso.com"
$TeamOwner2 = "bob@contoso.com"
$TeamOwner3 = "sara@contoso.com"
$TeamChannel1 = "Team 1"
$TeamChannel2 = "Team 2"
$TeamChannel3 = "Team 3"

# Build the display name from the focus
if ($TeamFocus -eq "Department") {
    $TeamName = "Dept " + $TeamDept + " " + $TeamProject
}
elseif ($TeamFocus -eq "Project") {
    $TeamName = "Proj " + $TeamProject
}
else {
    $TeamName = "Team " + $TeamProject
}
# The mail nickname cannot contain spaces or '&'
$TeamNickname = $TeamName -replace '\s+', '' -replace '&', ''

$group = $null
try {
    $group = New-Team -DisplayName $TeamName -Description $TeamDescription -Visibility $TeamVisibility
}
catch {
    # Most likely a group with the same name/nickname already exists: retry once with a random suffix
    $rand = Get-Random -Maximum 100
    $TeamNickname += $rand
    $TeamName = $TeamName + " " + $rand
    $group = New-Team -MailNickName $TeamNickname -DisplayName $TeamName -Description $TeamDescription -Visibility $TeamVisibility
}
finally {
    # finally runs even when both New-Team calls failed, so only add owners and channels
    # if we actually have a team; otherwise $group is $null and every call below errors out
    if ($group) {
        Add-TeamUser -GroupId $group.GroupId -User $TeamOwner1 -Role "owner"
        Add-TeamUser -GroupId $group.GroupId -User $TeamOwner2 -Role "owner"
        Add-TeamUser -GroupId $group.GroupId -User $TeamOwner3 -Role "owner"
        if ($TeamChannel1 -ne "") {
            New-TeamChannel -GroupId $group.GroupId -DisplayName $TeamChannel1
        }
        if ($TeamChannel2 -ne "") {
            New-TeamChannel -GroupId $group.GroupId -DisplayName $TeamChannel2
        }
        if ($TeamChannel3 -ne "") {
            New-TeamChannel -GroupId $group.GroupId -DisplayName $TeamChannel3
        }
    }
    Disconnect-MicrosoftTeams
}

Set up approvals in your ticketing system

We used SCSM (System Center Service Manager) for our ticketing system and SCORCH (System Center Orchestrator) for automation, but you can accomplish this with any modern ticketing system that supports approvals and can launch PowerShell scripts.
The workflow we set up was:
  1. The requester creates a ticket, filling in the information needed for the PowerShell variables (focus, department, project, visibility, owners and channels).
  2. The ticket goes to the requester's manager for approval.
  3. If that is approved, it goes to IT leadership, where at least two leaders must approve the request.
  4. If they approve it, the PowerShell script above launches with the variables populated from what the requester entered in the ticket, which creates the Team. The owner gets an automated email from Microsoft saying they have been added to the Team as an owner, and then the ticket closes.
And that's it! You now have a workflow with approvals that automatically creates a Team using PowerShell.
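Because the values the orchestrator passes in come straight out of a ticket anyone can open, the script should treat them as untrusted input: an approver reads the ticket, not the command line the orchestrator builds from it. The following is an added example, not the post's script above and not something the author published, of the same creation step rewritten as a parameterized script that validates every ticket field before it touches the tenant and signs in with certificate-based application authentication instead of a stored password. The application id, tenant id, certificate thumbprint and the contoso.com domain are assumptions, and the example assumes the MicrosoftTeams module version you install supports application-based authentication for the team cmdlets it uses; check the module documentation for your version.

```powershell
# Added example: parameterized, validated Team creation for launch from an orchestrator.
# ApplicationId, TenantId, CertificateThumbprint and the contoso.com domain are assumptions.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet("Department", "Project", "Other")]
    [string]$TeamFocus,

    # Free-text ticket fields: bound the length and allow only characters that are safe in a display name.
    [Parameter(Mandatory)][ValidateLength(1, 60)][ValidatePattern('^[\w .&()-]+$')]
    [string]$TeamDept,

    [Parameter(Mandatory)][ValidateLength(1, 60)][ValidatePattern('^[\w .&()-]+$')]
    [string]$TeamProject,

    [ValidateLength(0, 500)][string]$TeamDescription = "",

    [ValidateSet("Public", "Private")][string]$TeamVisibility = "Private",

    # Owners must be UPNs in our own tenant (assumed domain); anything else is rejected before we connect.
    [Parameter(Mandatory)][ValidateCount(1, 3)]
    [ValidatePattern('^[A-Za-z0-9._%+-]+@contoso\.com$')]
    [string[]]$TeamOwners,

    [ValidateCount(0, 3)][ValidateLength(1, 50)][ValidatePattern('^[\w .&()-]+$')]
    [string[]]$TeamChannels = @(),

    # Unattended sign-in with an app registration and certificate instead of a stored password.
    [Parameter(Mandatory)][string]$ApplicationId,
    [Parameter(Mandatory)][string]$TenantId,
    [Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{40}$')][string]$CertificateThumbprint
)

$ErrorActionPreference = "Stop"

# Same naming scheme as the post's script, expressed as a switch
$TeamName = switch ($TeamFocus) {
    "Department" { "Dept $TeamDept $TeamProject" }
    "Project"    { "Proj $TeamProject" }
    default      { "Team $TeamProject" }
}

# Mail nickname: letters and digits only, capped at 64 characters
$TeamNickname = $TeamName -replace '[^A-Za-z0-9]', ''
if ($TeamNickname.Length -gt 64) { $TeamNickname = $TeamNickname.Substring(0, 64) }

if (-not $TeamDescription) { $TeamDescription = "Team for $TeamDept, $TeamProject" }

Connect-MicrosoftTeams -ApplicationId $ApplicationId -TenantId $TenantId -CertificateThumbprint $CertificateThumbprint
try {
    # Refuse duplicates outright rather than silently appending a random suffix; the
    # approvers signed off on this exact name, and a near-duplicate Team is the sprawl we are avoiding.
    if (Get-Team -MailNickName $TeamNickname -ErrorAction SilentlyContinue) {
        throw "A team with mail nickname '$TeamNickname' already exists; return the ticket to the requester."
    }

    $group = New-Team -DisplayName $TeamName -MailNickName $TeamNickname `
                      -Description $TeamDescription -Visibility $TeamVisibility

    foreach ($owner in $TeamOwners) {
        Add-TeamUser -GroupId $group.GroupId -User $owner -Role Owner
    }
    foreach ($channel in $TeamChannels) {
        New-TeamChannel -GroupId $group.GroupId -DisplayName $channel
    }

    # Return the identifiers so the orchestrator can write them back to the ticket for the audit trail
    [pscustomobject]@{
        GroupId      = $group.GroupId
        DisplayName  = $TeamName
        MailNickname = $TeamNickname
        Owners       = $TeamOwners -join ";"
    }
}
finally {
    Disconnect-MicrosoftTeams
}

# Example invocation from the orchestrator (values illustrative):
#   .\New-ApprovedTeam.ps1 -TeamFocus Department -TeamDept Accounting -TeamProject "Accounts Payable" `
#       -TeamOwners bob@contoso.com, sara@contoso.com -TeamChannels "Invoices", "Vendors" `
#       -ApplicationId <app-id> -TenantId <tenant-id> -CertificateThumbprint <thumbprint>
```

The validation attributes do the work before any network call is made: a ticket field that fails ValidatePattern or ValidateSet makes PowerShell reject the invocation with a parameter-binding error, which the orchestrator can surface on the ticket. The app registration behind ApplicationId only needs the permissions the script uses, and the certificate's private key stays on the runbook server, so there is no password to copy out of a script file.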

If you get errors...

Initially I was running this on Windows Server 2016 and was getting an error every time I invoked New-Team, even with the most basic configuration.

The problem was that the server was running an older version of PowerShell that did not support the MicrosoftTeams module. The solution was to upgrade to PowerShell 7:
https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows?view=powershell-7.2#msi
After upgrading, I was able to run the script and create a Team with no issues.


About Tom DeMeulenaere

Highly accomplished information technology professional with extensive knowledge in System Center Configuration Manager, Windows Server, SharePoint, and Office 365.