Group policies have moved to MS Graph / AAD and AAD is the authoritative of group settings including group creation enforcement. Get-OwaMailboxPolicy is coming from exchange which are moving towards AAD policies.
Please set up the policies in AAD and decide to disable team creation and enable only for users in a specific security group.
So when you've disabled the ability for users to create O365 groups and therefore Teams, the user tries to click "Add Team" and anyone not in the 'Group creation allowed group' get a message saying the IT department have disabled the ability, etc..
That works well, however when I add a user to an O365 group where a private team already exists the user doesn't see that team appear in Teams.
Is there a powershell command I can run centrally to make the team show in Teams automatically when a user is put into an exsiting team? Otherwise it looks like users need to be able to create groups just to add an existing group.
I suppose I'm thinking/hoping something along the lines of automapping with Exchange mailboxes - when you have permissions over the mailbox with the -automapping flag it appears in Outlook.
The reason we've disabled the ability for users to create groups is because they can only create groups using the default domain. We've got multiple domains in our tenancy so users creating them in the default domain is a real pain.