Control a user's ability to become a Team Owner with a Security Group


Is there a way to use a security group to control if a user can be added as an owner of a team?  My organization requires that users go through training before they can become a Team Owner.  It is easy to control this requirement as we're setting up new teams, but Team Owners can promote other members to the owner role without our validation.  

4 Replies

@simpkinspete No, there is no policy that would prevent someone becoming an owner.


If you have Azure AD P1, you can have a group that defines who can create a Team, or any M365 group. Would that work for you?


Manage who can create Microsoft 365 Groups | Microsoft Docs

Unfortunately, that wouldn't help in this case. We have that group defined and have implemented a provisioning process for new teams. We're looking for a way to help drive team owner accountability and validate that they have been properly trained to manage their teams.



If we can't control that permission, we could set up an activity alert based on a "changing of a team member's role (MemberRoleChanged)" event to trigger a helpdesk ticket to review the event.  



Yup, however your helpdesk would need to check every owner to see if they were already qualified.


Why not just have a PowerShell that runs every few hours that gets all the Team Owners and sees if they are already a member of some group of trained people, then sends them instructions on where they need to go to get trained?
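
The periodic check suggested in the last reply could look like the following. This is an added example, not code posted by anyone in the thread. It uses the Microsoft Graph PowerShell SDK, and the group ID, sender mailbox and training URL are placeholders. It assumes a delegated sign-in where the signed-in user is the sender; a scheduled run would use app-only authentication instead.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups, Microsoft.Graph.Users.Actions
# Added example. The three values below are placeholders (assumptions, not from the thread).
$TrainedGroupId = '<object-id-of-trained-owners-group>'  # security group of users who completed training
$SenderUpn      = '<sender-mailbox-upn>'                 # mailbox the notice is sent from
$TrainingUrl    = '<training-url>'

Connect-MgGraph -Scopes 'Group.Read.All','GroupMember.Read.All','Mail.Send'

# Lookup set of trained users (transitive, so members of nested groups count).
$trained = [System.Collections.Generic.HashSet[string]]::new()
Get-MgGroupTransitiveMember -GroupId $TrainedGroupId -All |
    ForEach-Object { [void]$trained.Add($_.Id) }

# Every Microsoft 365 group that has a team provisioned.
$teams = Get-MgGroup -Filter "resourceProvisioningOptions/Any(x:x eq 'Team')" -All -Property Id,DisplayName

# One finding per (team, owner) pair where the owner is not in the trained group.
$findings = foreach ($team in $teams) {
    foreach ($owner in Get-MgGroupOwner -GroupId $team.Id -All) {
        if (-not $trained.Contains($owner.Id)) {
            [pscustomobject]@{
                Team     = $team.DisplayName
                TeamId   = $team.Id
                OwnerId  = $owner.Id
                OwnerUpn = $owner.AdditionalProperties['userPrincipalName']
            }
        }
    }
}

# One notice per untrained owner, listing every team they own.
# Assumes the UPN is also a deliverable mail address; owners without a UPN are skipped.
foreach ($g in $findings | Where-Object OwnerUpn | Group-Object OwnerUpn) {
    $mail = @{
        Message = @{
            Subject      = 'Team Owner training required'
            Body         = @{ ContentType = 'Text'
                              Content = "You are an owner of: $($g.Group.Team -join ', '). Complete training at $TrainingUrl." }
            ToRecipients = @(@{ EmailAddress = @{ Address = $g.Name } })
        }
        SaveToSentItems = $false
    }
    Send-MgUserMail -UserId $SenderUpn -BodyParameter $mail
}

# Keep a record for the helpdesk to review alongside MemberRoleChanged alerts.
$findings | Export-Csv -Path .\untrained-team-owners.csv -NoTypeInformation
```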