Control a user's ability to become a Team Owner with a Security Group


Is there a way to use a security group to control if a user can be added as an owner of a team?  My organization requires that users go through training before they can become a Team Owner.  It is easy to control this requirement as we're setting up new teams, but Team Owners can promote other members to the owner role without our validation.  

4 Replies

@simpkinspete No, there is no policy that would prevent someone becoming an owner.

If you have Azure AD P1 you can have a group that defines who can create a Team, or any M365 group. Would that work for you?

Manage who can create Microsoft 365 Groups | Microsoft Docs

Unfortunately, that wouldn't help in this case. We have that group defined and have implemented a provisioning process for new teams. We're looking for a way to help drive team owner accountability and validate that they have been properly trained to manage their teams.

@simpkinspete

If we can't control that permission, we could set up an activity alert based on a "changing of a team member's role (MemberRoleChanged)" event to trigger a helpdesk ticket to review the event.

@simpkinspete

Yup; however, your helpdesk would need to check every owner to see if they were already qualified.

Why not just have a PowerShell script that runs every few hours that gets all the Team Owners and sees if they are already a member of some group of trained people, then sends them instructions on where they need to go to get trained?
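
The scheduled check suggested in the last reply could look like the following. This is an added example, not code posted in the thread; it assumes the MicrosoftTeams and Microsoft.Graph PowerShell modules are installed and the account running it can read all teams and group membership. `$TrainedGroupId` and the CSV path are placeholders.

```powershell
# Added example: list Team Owners who are not in the "trained owners" security group.
# Assumptions: MicrosoftTeams and Microsoft.Graph modules; placeholder group ID and path.
param(
    [string]$TrainedGroupId = '00000000-0000-0000-0000-000000000000',  # placeholder
    [string]$ReportPath     = '.\untrained-owners.csv'                 # placeholder
)

Connect-MicrosoftTeams | Out-Null
Connect-MgGraph -Scopes 'GroupMember.Read.All' | Out-Null

# Object IDs of everyone in the trained group.
# Get-MgGroupMember returns direct members only; nested groups are not expanded.
$trained = [System.Collections.Generic.HashSet[string]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)
Get-MgGroupMember -GroupId $TrainedGroupId -All |
    ForEach-Object { [void]$trained.Add($_.Id) }

# An empty set usually means a wrong group ID or missing permission.
# Stop here rather than flag every owner in the tenant.
if ($trained.Count -eq 0) {
    throw "Trained-owner group $TrainedGroupId returned no members."
}

# Walk every team and keep the owners that are missing from the trained set.
$untrained = foreach ($team in Get-Team) {
    Get-TeamUser -GroupId $team.GroupId -Role Owner |
        Where-Object { -not $trained.Contains($_.UserId) } |
        ForEach-Object {
            [pscustomobject]@{
                Team    = $team.DisplayName
                TeamId  = $team.GroupId
                Owner   = $_.User      # user principal name
                OwnerId = $_.UserId    # directory object ID
            }
        }
}

# One row per (team, owner) pair for the helpdesk or a notification job.
$untrained | Sort-Object Owner, Team |
    Export-Csv -Path $ReportPath -NoTypeInformation

# Summary: how many teams each untrained owner holds.
$untrained | Group-Object Owner | Select-Object Name, Count
```

Run on a schedule, the CSV gives the list of people to send training instructions to, and comparing it with the previous run shows which owner promotions happened since.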