Managing Microsoft Teams with PowerShell: The “Incident Response War Room” Scenario
When a major incident hits, you do not want admins scrambling through portals to spin up collaboration spaces. A repeatable PowerShell workflow lets you create a structured “war room” Team, assign the right owners, separate sensitive discussions into private channels, and later archive the workspace for audit and lessons learned.
This tutorial uses an Incident Response War Room scenario to walk through the core Teams PowerShell operations: create a Team, add members and owners, create standard and private channels, manage private channel membership, delete or restore the Team, and archive it when the incident is over.
Prerequisites
1) Install and connect to the Teams PowerShell module
Install-Module MicrosoftTeams -Force
Connect-MicrosoftTeams
2) Know your target users
In this example we’ll use:
- Incident Commander (owner)
- Security Lead (owner)
- IT Ops (members)
- Communications (members)
- Legal (private channel members)
Step 1: Create the “War Room” Team
Use New-Team to create the Team. The MailNickname becomes the group alias and part of the email address.
New-Team `
-DisplayName "War Room – Phishing Incident (Jan 2026)" `
-Description "Incident response coordination space for the Jan 2026 phishing incident." `
-MailNickname "WarRoomPhishJan2026" `
-Visibility Private
Important operational note:
- The creator is automatically added as an owner. Plan to remove yourself if needed.
Step 2: Capture the Team (Group) ID Once
Instead of repeatedly calling Get-Team, store it in a variable.
$group = Get-Team -MailNickname "WarRoomPhishJan2026"
$group.GroupId
You will use $group.GroupId for all subsequent cmdlets.
Step 3: Add Members and Owners
Add incident roles as Team owners and operational staff as members.
# Owners
Add-TeamUser -GroupId $group.GroupId -User "ic@contoso.com" -Role Owner
Add-TeamUser -GroupId $group.GroupId -User "seclead@contoso.com" -Role Owner
# Members
Add-TeamUser -GroupId $group.GroupId -User "itops1@contoso.com" -Role Member
Add-TeamUser -GroupId $group.GroupId -User "itops2@contoso.com" -Role Member
Add-TeamUser -GroupId $group.GroupId -User "comms@contoso.com" -Role Member
Notes:
- If -Role is omitted, the user is added as a Member by default.
- Owners are automatically members as well.
Remove a Team user
Remove-TeamUser -GroupId $group.GroupId -User "itops2@contoso.com"
Step 4: Create Channels for Structured Incident Work
A war room works best when channels are aligned to operational tracks.
Create standard channels
New-TeamChannel -GroupId $group.GroupId -DisplayName "Triage"
New-TeamChannel -GroupId $group.GroupId -DisplayName "Containment"
New-TeamChannel -GroupId $group.GroupId -DisplayName "User Comms"
New-TeamChannel -GroupId $group.GroupId -DisplayName "Lessons Learned"
Create a private channel for sensitive discussions
Use a private channel for legal or HR-sensitive content.
New-TeamChannel `
-GroupId $group.GroupId `
-DisplayName "Legal Review" `
-MembershipType Private
Remove a channel
Remove-TeamChannel -GroupId $group.GroupId -DisplayName "Lessons Learned"
Step 5: Manage Private Channel Membership
Private channels have separate membership. The channel creator becomes a private channel owner. Anyone added to a private channel must already be a member of the parent Team.
Add private channel members
Add-TeamChannelUser `
-GroupId $group.GroupId `
-DisplayName "Legal Review" `
-User "legal1@contoso.com"
Promote a private channel member to owner
Add-TeamChannelUser `
-GroupId $group.GroupId `
-DisplayName "Legal Review" `
-User "legal1@contoso.com" `
-Role Owner
Add another private channel member
Add-TeamChannelUser `
-GroupId $group.GroupId `
-DisplayName "Legal Review" `
-User "compliance@contoso.com"
Remove a private channel user
Remove-TeamChannelUser `
-GroupId $group.GroupId `
-DisplayName "Legal Review" `
-User "compliance@contoso.com"
Operational note:
- If you created the private channel and should not remain an owner, remove yourself after handing over ownership.
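A membership check to run once Steps 3 to 5 are done, added here as an example (not part of the original tutorial): it compares Get-TeamUser and Get-TeamChannelUser output against an intended roster. The roster, the Compare-Roster helper, and legal1 being a Team member are assumptions.

```powershell
# Added example: audit war-room membership against the intended roster.
# Roster below is constructed from the tutorial's sample accounts.
$expected = @{
    'Team' = @{
        Owner  = @('ic@contoso.com', 'seclead@contoso.com')
        # Assumption: legal1 is also a Team member, as private channels require.
        Member = @('itops1@contoso.com', 'itops2@contoso.com', 'comms@contoso.com', 'legal1@contoso.com')
    }
    'Legal Review' = @{ Owner = @('legal1@contoso.com'); Member = @() }
}

function Compare-Roster {
    # Hypothetical helper: emits one row per missing or unexpected account.
    param(
        [string]$Scope,
        [hashtable]$Expected,  # role name -> array of UPNs
        [object[]]$Actual      # Get-TeamUser / Get-TeamChannelUser output (.User, .Role)
    )
    foreach ($a in $Actual) {
        # Any account or role (guests included) not listed for this scope is a finding.
        if ($a.User -notin @($Expected[$a.Role])) {
            [pscustomobject]@{ Scope = $Scope; Role = $a.Role; User = $a.User; Finding = 'Unexpected' }
        }
    }
    foreach ($role in $Expected.Keys) {
        foreach ($upn in $Expected[$role]) {
            if (-not ($Actual | Where-Object { $_.Role -eq $role -and $_.User -eq $upn })) {
                [pscustomobject]@{ Scope = $Scope; Role = $role; User = $upn; Finding = 'Missing' }
            }
        }
    }
}

$group = Get-Team -MailNickname 'WarRoomPhishJan2026'
$findings = @(
    Compare-Roster -Scope 'Team' -Expected $expected['Team'] `
        -Actual (Get-TeamUser -GroupId $group.GroupId)
    Compare-Roster -Scope 'Legal Review' -Expected $expected['Legal Review'] `
        -Actual (Get-TeamChannelUser -GroupId $group.GroupId -DisplayName 'Legal Review')
)
$findings | Sort-Object Scope, Finding | Format-Table -AutoSize
if ($findings.Count -gt 0) {
    Write-Warning "$($findings.Count) roster deviation(s) found; fix before sharing incident details."
}
```

The account that ran New-Team and created the private channel shows up as an Unexpected owner in both scopes until it is removed, which is the handover the operational notes call for.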
Step 6: Delete the Team (If Required)
If the Team was created in error, or you need to fully remove it:
Remove-Team -GroupId $group.GroupId
Deleted Teams (groups) are typically retained for 30 days, after which recovery is not available.
Step 7: Restore a Deleted Team (Within Retention)
Restore uses Microsoft Graph PowerShell (beta) because the Team no longer appears in Get-Team.
Install-Module Microsoft.Graph.Beta -Force
Connect-MgGraph -Scopes "Group.ReadWrite.All"
List deleted groups:
Get-MgBetaDirectoryDeletedGroup
Restore using the deleted GroupId:
Restore-MgBetaDirectoryDeletedItem -DirectoryObjectId "<deleted-GroupId>"
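One way to find the object ID that Restore-MgBetaDirectoryDeletedItem needs, as an added example rather than code from the original tutorial: it matches the deleted group on the MailNickname from Step 1 and refuses to restore when the match is missing or ambiguous. It assumes Connect-MgGraph has already been run with the scope shown above.

```powershell
# Added example: resolve the deleted war-room group by alias, then restore it.
$alias = 'WarRoomPhishJan2026'   # MailNickname used in Step 1

# -All pages through every soft-deleted group instead of only the first page.
$deleted = @(Get-MgBetaDirectoryDeletedGroup -All |
    Where-Object { $_.MailNickname -eq $alias })

switch ($deleted.Count) {
    0 {
        # Nothing to restore: already restored, or past the retention window.
        throw "No deleted group with alias '$alias' was found."
    }
    1 { }
    default {
        # Never guess between candidates; make the operator pick an Id.
        throw "Multiple deleted groups use alias '$alias': $($deleted.Id -join ', ')"
    }
}

$target = $deleted[0]
"Restoring '{0}' ({1}), deleted {2:u}" -f $target.DisplayName, $target.Id, $target.DeletedDateTime
Restore-MgBetaDirectoryDeletedItem -DirectoryObjectId $target.Id
```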
Step 8: Archive the War Room When the Incident Ends
Archiving preserves content and context for audit, reporting, and post-incident review, while preventing ongoing chat activity.
Set-TeamArchivedState `
-GroupId $group.GroupId `
-Archived:$true `
-SetSpoSiteReadOnlyForMembers:$true
If you want members to still edit files in SharePoint while archived:
Set-TeamArchivedState `
-GroupId $group.GroupId `
-Archived:$true `
-SetSpoSiteReadOnlyForMembers:$false
Unarchive
Set-TeamArchivedState -GroupId $group.GroupId -Archived:$false
Recommended “War Room” Channel Blueprint
- Triage: initial reports, scope, impact confirmation
- Containment: actions taken, status updates, blockers
- User Comms: approved messaging, FAQs, comms timelines
- Legal Review (Private): legal/compliance coordination
- Lessons Learned: post-incident action items and improvements
Wrap-Up
With a consistent PowerShell pattern, you can:
- Stand up a structured incident Team in minutes
- Ensure the right owners and members are assigned immediately
- Isolate sensitive threads in private channels
- Archive the workspace for governance and audit requirements
- Restore the Team quickly if it is deleted by mistake, within retention windows