Microsoft Teams Governance Tutorial: Stop Team and Channel Sprawl
Step-by-Step Guide: Configure Each Control to Prevent Microsoft Teams Sprawl
This is a configuration-focused runbook. Each section includes where to click in the portals, what to set, and what to verify. Iโm assuming youโre using Microsoft 365 + Entra ID + Teams admin center.
1) Restrict Who Can Create Teams
What this controls
Team creation is driven by Microsoft 365 Group creation. If you restrict group creation, you effectively restrict Teams creation for most users.
Step-by-step (Entra ID)
- Go to Microsoft Entra admin center
- Navigate to Identity > Groups > All groups
- Create a new Security group named:
M365-Team-Creators
- Add the users who are allowed to create Teams (IT, PMO, designated coordinators)
Apply group creation restriction (PowerShell required)
This setting is still typically configured via PowerShell.
- Install module (if needed):
Install-Module AzureADPreview -Force
- Connect:
Connect-AzureAD
- Create a directory setting template and apply it (example pattern):
$group = Get-AzureADGroup -SearchString "M365-Team-Creators"
$setting = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq "Group.Unified"}
if (-not $setting) {
$template = Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
$setting = $template.CreateDirectorySetting()
New-AzureADDirectorySetting -DirectorySetting $setting
$setting = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq "Group.Unified"}
}
$setting["EnableGroupCreation"] = "false"
$setting["GroupCreationAllowedGroupId"] = $group.ObjectId
Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
Verify
- Test with a user not in
M365-Team-Creators: they should not be able to create a Team. - Test with a user in the group: creation should work.
2) Configure a Team Request and Approval Workflow (Power Automate)
Goal
Users request a new team; approvers validate details; a controlled creator provisions it.
Step-by-step (Recommended Flow)
Option A: Microsoft Forms + Power Automate
- Create a Microsoft Form called โRequest a New Teamโ
- Add fields:
- Team name
- Business purpose
- Primary owner UPN/email
- Secondary owner UPN/email
- External access (Yes/No)
- Sensitivity (General/Confidential/Restricted)
- Expected end date (optional)
- In Power Automate:
- Create flow: Automated cloud flow
- Trigger: When a new response is submitted (Microsoft Forms)
- Action: Get response details
- Action: Start and wait for an approval
- Approver: IT/PMO group mailbox
- Details: include the form fields
- If Approved:
- Notify authorized creators or create the group via Graph automation (advanced)
- If Rejected:
- Email the requester with the reason
Verify
- Submit request as a normal user
- Confirm approval arrives
- Confirm provisioning path is documented and works
3) Enforce Naming Policy for Teams (Entra ID)
Goal
Standardize names to reduce duplicates and improve search.
Step-by-step
- Go to Microsoft Entra admin center
- Navigate to Identity > Groups > Naming policy
- Configure:
- Prefix/Suffix (example):
- Prefix:
[Department] - Suffix:
[Region]
- Prefix:
- Blocked words:
test, temp, new, team, group, abc, xxx, random
- Prefix/Suffix (example):
Example output
HR - Recruiting - CA
Verify
- Attempt to create a team with a blocked word
- Confirm the policy prevents it or modifies it
4) Restrict Channel Creation (Owners Only)
Goal
Stop members from creating channels (especially private/shared channels) without owner oversight.
Step-by-step (Teams Admin Center)
- Go to Teams admin center
- Navigate to Teams > Team policies
- Edit your baseline policy (or create a new one)
- Configure:
- Create and update channels: Off for members (or restrict as available)
- Confirm controls for private channels and shared channels align with your governance
Note: Channel creation permissions are partly managed at the team level via โManage teamโ settings and templates. For strict governance, enforce via policy + owner guidance.
Verify
- Add a test user as member
- Confirm they cannot create a channel
- Add test user as owner
- Confirm they can
5) Configure Group Expiration Policy (Lifecycle Management)
Goal
Automatically prompt owners to renew inactive teams and expire unused ones.
Step-by-step (Entra ID)
- Go to Microsoft Entra admin center
- Navigate to Identity > Groups > Expiration
- Enable expiration and set:
- Expiration period: 180 days (common) or 365
- Notification recipients: Group owners
- Choose scope:
- All Microsoft 365 groups, or selected groups only
- Configure exclusions:
- Exempt critical org-wide teams
Verify
- Pick a test group and validate renewal email behavior when thresholds are met (may take time)
- Ensure owners exist (see step 6)
6) Identify Ownerless Teams and Enforce Two Owners
Goal
Every team should have at least two owners for continuity.
Step-by-step (Audit + Fix)
Option A: Manual portal check (small tenants)
- Teams admin center โ Teams
- Select a team โ Manage team
- Confirm Owners list includes at least two
Option B: PowerShell report (recommended)
Use Microsoft Graph PowerShell to:
- List Teams (groups with Team provisioned)
- Identify groups with 0 or 1 owner
- Output to CSV for remediation
(If you want, Iโll provide a ready-to-run script that does exactly this with least-privilege permissions.)
Fix process
- Assign a secondary owner (manager, coordinator, shared mailbox owner)
- Document ownership standard in your request workflow
7) Archive Inactive Teams
Goal
Keep content for reference but stop collaboration in dead teams.
Step-by-step (Teams Admin Center)
- Go to Teams admin center
- Navigate to Teams > Manage teams
- Select the inactive team
- Choose Archive
- Optional: allow read-only access to content
Verify
- Team becomes read-only
- Users can view but cannot post (depending on your settings)
8) Schedule Regular Audits (Teams + Group Membership)
Goal
Governance stays effective only if you continuously review growth and access.
Step-by-step (Operational cadence)
Create a recurring monthly checklist:
- New teams created (past 30 days)
- Teams with guest users
- Teams with private/shared channels
- Owner count compliance
- Inactive teams nearing expiration
Tools
- Teams admin center reports
- Entra group insights
- Microsoft Purview audit logs
- Graph PowerShell exports
9) Monitor Recently Created Teams and Channels (Audit Logs)
Goal
Spot sprawl early and intervene before duplication spreads.
Step-by-step (Microsoft Purview)
- Go to Microsoft Purview compliance portal
- Navigate to Audit
- Search activities like:
- Team created
- Channel created
- Member added
- Guest invited
- Filter by:
- Date range: last 7/30 days
- Specific users or departments creating many teams
Verify
- Confirm you can see recent creation events
- Export results for reporting if needed
10) User Education and Decision Rules (Team vs Channel)
Goal
Prevent duplicates caused by misunderstanding.
Step-by-step (Publish a one-page guidance)
Create a short internal doc that says:
Create a new Team when:
- membership differs significantly
- separate permissions required
- separate SharePoint site needed
Create a new Channel when:
- same membership
- new topic or workflow
- keep files centralized
Deliver it
- Post in an IT announcements channel
- Add to onboarding
- Add to your Team request form confirmation page
Recommended โMinimum Viable Governanceโ (Implement First)
If you want the best impact with the least friction, implement in this order:
- Restrict Team creation to approved creators
- Team request + approval workflow
- Naming policy + blocked words
- Two owners requirement
- Group expiration policy
- Archive process + monthly audit
