Automating the Provisioning of Selective Teams with Guest Access: Part 4.1 — Governing the ‘Viral’ Creation of Teams

Or, “How can I create a Microsoft Team with Guest Access off to begin with?”

Michael Mukalian
5 min read · Jan 19, 2021
You want to click the button

Those who have been a part of my engagements at the Philadelphia MTC, or who follow me here and on LinkedIn, know that Guest Access is a topic very near and dear to me. And while the notion of owning the process of provisioning a Microsoft Team from beginning to end to provide some control over guests coming into the tenant is a sweet spot for some customers, some don’t want to go that crazy, and just want a little consistency in their Teams as they get created. As my ‘colleague/partner-in-Guest-Access-crime/guest contributor for today’ Bruce Weaver and I have found, not everyone wants to create a separate application to provide some governance. So both Bruce and I noodled on this and we found a way to provide a level of governance that doesn’t hinder the out-of-the-box Teams creation experience. Enter SharePoint Site Designs and Site Scripts.

SharePoint Site Designs (and the scripts in them) allow us to apply a consistent set of configurations to sites as they are created. But you may be asking yourself: “What does this have to do with Microsoft Teams, and how does it help me provision a Team with Guest Access off?” Well, let’s outline this:

  1. Recall that each Microsoft Team is underpinned by an Office 365 Group
  2. Each Office 365 Group includes/creates a SharePoint Team Site
  3. SharePoint Online supports Site Designs — which allow for additional, templated processing to execute each time a SharePoint Team Site is created
  4. Site Designs consist of Site Scripts; Site Scripts consist of Actions
  5. One of the Actions you can call within a Site Script is to kick-off a Power Automate Flow

What this means is that each time a person creates a Team, we can use the above mechanisms to execute a Power Automate Flow that systematically turns off guest access for the newly created Team. What does that look like in a little more detail?

  1. Each time a new SharePoint Online Team Site is created, SharePoint Site Design will post an HTTPS payload that triggers your Flow
  2. The HTTPS payload sent to Flow includes the webUrl of the Team’s associated SharePoint Team Site
  3. The GroupId of the Team’s Team Site can be derived from the webUrl
  4. Once we have the GroupId, we can derive if it was created via creation of a new Team
  5. If the GroupId was derived from creation of a new team, we proceed processing; else we complete the Flow with no further action
  6. Once we have the GroupId and know that it was created via creation of a new Team, we can set AllowToAddGuests = False on the Team’s underlying Office 365 Group
  7. Once AllowToAddGuests = False, Guest Access for the Team is not permitted

Let’s take a look at these steps.

Flow Trigger — When a HTTP Request is Received

Trigger of our Flow

This is the first step in the flow, and is triggered (via Site Design/Site Script associated to the default SharePoint Team Site template) each time a new SharePoint Team Site is created in your tenant.

Utilizing the Payload Property to Get the GroupId

Getting the calling site’s GroupId

Here we leverage the webUrl property that’s sent as part of the initial payload and use it to call the SharePoint Online REST service to return the site’s GroupId.

Get Group Details

HTTP Action to call Microsoft Graph Group endpoint

Once we have the GroupId of the Team Site that was created, we can pull the Group’s details by calling the Groups endpoint in the Microsoft Graph.

Determine if This Group Came from Team Creation

Condition to check length() of the resourceProvisioningOptions collection
Property details

Part of the list of properties that are returned as part of the Group Resource Type is a collection labeled resourceProvisioningOptions. This collection contains a value that states how the Group was created. If it’s valued with ‘Team’, then this Group was created as part of a Microsoft Team being requested/created. As this is the only value for this collection, we just check the length() of it as shown in the above image.

Set Guest Access to False

HTTP Action calling the Microsoft Graph to set AllowToAddGuests = False

After gathering all of the information required, and determining if this is the proper Group, we can “turn off” guests by calling the Microsoft Graph and applying the relevant setting to the Group, in this case, ‘False’.
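The same sequence of steps written out as a script, as an added example (not the author's Flow and not Microsoft's code). The function names, the `http` transport, the `contoso.sharepoint.com` tenant host, the sample GUIDs and the `odata=nometadata` response shape are assumptions; the example also goes slightly beyond the page by rejecting a webUrl outside the tenant and by looking up the `Group.Unified.Guest` setting template by name.

```python
from urllib.parse import urlsplit

GRAPH = "https://graph.microsoft.com/v1.0"
TENANT_HOST = "contoso.sharepoint.com"  # assumption: placeholder tenant host
NO_GROUP = "00000000-0000-0000-0000-000000000000"  # GroupId of a site with no group

def group_id_url(payload):
    """SharePoint REST call for the site's GroupId; only tenant sites are accepted."""
    parts = urlsplit(payload["webUrl"])
    if parts.scheme != "https" or parts.hostname != TENANT_HOST:
        raise ValueError("webUrl is not a site in this tenant")
    return payload["webUrl"].rstrip("/") + "/_api/site?$select=GroupId"

def created_by_teams(group):
    """The page's length() condition, written as an explicit test for 'Team'."""
    return "Team" in (group.get("resourceProvisioningOptions") or [])

def guest_off_request(group_id, templates):
    """Graph call that creates the group-level setting AllowToAddGuests = false."""
    template = next(t for t in templates if t["displayName"] == "Group.Unified.Guest")
    body = {"templateId": template["id"],
            "values": [{"name": "AllowToAddGuests", "value": "false"}]}
    return ("POST", f"{GRAPH}/groups/{group_id}/settings", body)

def handle(payload, http):
    """Run the steps; http(method, url, body) -> parsed JSON is a hypothetical transport."""
    group_id = http("GET", group_id_url(payload), None)["GroupId"]
    if group_id == NO_GROUP:
        return None
    if not created_by_teams(http("GET", f"{GRAPH}/groups/{group_id}", None)):
        return None  # not created through Teams: finish with no further action
    templates = http("GET", f"{GRAPH}/groupSettingTemplates", None)["value"]
    request = guest_off_request(group_id, templates)
    http(*request)
    return request

# Constructed sample data: a trigger payload and canned JSON responses keyed by URL.
PAYLOAD = {"webUrl": "https://contoso.sharepoint.com/sites/project-x"}
GROUP_ID = "11111111-2222-3333-4444-555555555555"
CANNED = {
    PAYLOAD["webUrl"] + "/_api/site?$select=GroupId": {"GroupId": GROUP_ID},
    f"{GRAPH}/groups/{GROUP_ID}": {"resourceProvisioningOptions": ["Team"]},
    f"{GRAPH}/groupSettingTemplates": {"value": [
        {"id": "aaaaaaaa-0000-0000-0000-000000000000", "displayName": "Group.Unified.Guest"}]},
}

if __name__ == "__main__":
    print(handle(PAYLOAD, lambda method, url, body: CANNED.get(url, {})))
```

A group that already carries a settings object would need that object updated instead of the create call shown here.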

Conclusion

There are many ways to approach this challenge, and not everyone wants to clamp down on the out-of-the-box creation of Microsoft Teams. But for those that are looking to provide some semblance of governance around this process, SharePoint Site Designs, Power Automate, and the Microsoft Graph, combined as described above, can give us that governance with a minimally invasive approach to the end user’s experience.

Stay tuned for the Security bits, they are still forthcoming, I promise :)

Michael Mukalian

Covering the Microsoft Modern Workplace as a Technical Architect at the Philadelphia Microsoft Technology Center in Malvern.