It’s best practice from a security point of view to prevent users from creating security groups or Microsoft 365 groups. By default, users can create security groups in Azure portals, through the API or with PowerShell. The setting below also prevents users from creating teams in Microsoft Teams, because creating a team creates a Microsoft 365 group.
In this post we will create a Power App and workflow that let users create teams on our terms. Users choose the type of team they need and it is provisioned for them. At the end I’ll list a few best practices regarding the usability and security of this solution.
Prevent users from creating teams
The first step is preventing users from creating teams by switching the option to create groups to “No”. The user is able to create teams by default.
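To confirm the change took effect, the following read-only audit is an added example (not part of the original post) that reads the two tenant settings governing group creation. It assumes the Microsoft.Graph and Microsoft.Graph.Beta PowerShell modules are installed and that the signed-in account may consent to the read scopes shown; the function name Get-GroupCreationPosture is hypothetical.

```powershell
# Added example: read-only audit of who may create groups in the tenant.
# Assumes the Microsoft.Graph and Microsoft.Graph.Beta modules are installed.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All'

function Get-GroupCreationPosture {
    # Security groups are governed by the tenant authorization policy.
    $policy = Get-MgPolicyAuthorizationPolicy
    $securityAllowed = [bool]$policy.DefaultUserRolePermissions.AllowedToCreateSecurityGroups

    # Microsoft 365 groups (and therefore teams) are governed by the
    # Group.Unified directory setting. If no such setting object exists,
    # the tenant default applies and every user may create groups.
    $unified = Get-MgBetaDirectorySetting |
        Where-Object { $_.DisplayName -eq 'Group.Unified' }

    $m365Allowed   = $true
    $exemptGroupId = $null
    if ($unified) {
        $values = @{}
        foreach ($v in $unified.Values) { $values[$v.Name] = $v.Value }
        # Values are stored as strings; -ne compares case-insensitively.
        $m365Allowed   = $values['EnableGroupCreation'] -ne 'false'
        $exemptGroupId = $values['GroupCreationAllowedGroupId']
    }

    [pscustomobject]@{
        UsersCanCreateSecurityGroups = $securityAllowed
        UsersCanCreateM365Groups     = $m365Allowed
        ExemptGroupId                = $exemptGroupId
    }
}

$posture = Get-GroupCreationPosture
$posture | Format-List

if ($posture.UsersCanCreateSecurityGroups -or $posture.UsersCanCreateM365Groups) {
    Write-Warning 'Self-service group creation is still enabled for at least one group type.'
}
elseif ($posture.ExemptGroupId) {
    # Members of this group keep the right to create Microsoft 365 groups,
    # so the list should be short and reviewed regularly.
    Get-MgGroupMember -GroupId $posture.ExemptGroupId -All |
        Select-Object Id, @{ n = 'Name'; e = { $_.AdditionalProperties['displayName'] } }
}
```

The script changes nothing in the tenant. An empty ExemptGroupId together with both flags set to False means no regular user can create groups.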
Switching the slider will show the following for users when trying to create a team
Create your Power App / Power Automate flow
You can create a Power App to your liking. I’ve just created a simple app with a few buttons.
The Power Automate flow is just as simple: it creates a team and adds a user to that team.
Clicking on the button will create the default team
Best practices
Control and naming conventions
Adding an approval to the flow gives administrators control over which teams are created. Through the app you can apply your own naming convention, so you know which teams have been created and can filter on them.
Service Account
Run / create the flow using a non-personal (service) account. This makes sure the application does not stop working when the personal account of the person who built it is deleted.
Logic apps
This flow is created directly from the Power App, but it’s also possible to use an Azure Logic App instead. This gives administrators additional monitoring: the Logic App’s run data can be exported to a Log Analytics workspace, and an alert can be created for when the Logic App, or an action in it, fails.