Assign roles and permissions in Microsoft Teams


The new Microsoft Teams & Skype for Business Admin Center is coming soon! Starting in March 2018, we're gradually migrating settings to it from both the current Skype for Business admin center and the Microsoft Teams experience in the Office 365 admin center. If a setting has been migrated, you'll see a notification and then be directed to the setting's location in the new Microsoft Teams & Skype for Business Admin Center.

Within Microsoft Teams there are two roles: Owner and Member. By default, a user that creates a new team is granted the Owner status. If a team is created from an existing Office 365 Group, permissions are inherited.

The table below shows the difference in permissions between an owner and a member:

Team Owner Team Member
Create team Yes No
Leave team Yes Yes
Edit team name/description Yes No
Delete team Yes No
Add channel Yes Yes*
Edit channel name/description Yes Yes*
Delete channel Yes Yes*
Add members Yes** No
Add tabs Yes Yes*
Add connectors Yes Yes*
Add bots Yes Yes*

* These items can be turned off by an owner at a team level, in which case members would not have access to that.

**After adding a member to a team, an Owner can also promote a Member to Owner status. It is also possible for an Owner to demote their own status to a Member.


Owners can make other members owners in the View teams option. A team can have up to 100 owners. It's recommended to have at least a few owners to help manage the team; this will also prevent orphaned groups if the sole owner leaves your organization. For more information about orphaned groups, see Assign a new owner to an orphaned group.

Permissions to create teams

By default, all users with a mailbox in Exchange Online have permissions to create Office 365 groups and therefore a team within Microsoft Teams. You can have tighter control and restrict the creation of new teams and thus the creation of new Office 365 groups by delegating group creation and management rights to a set of users.

If your organization is interested in doing this, the instructions below outlines the tasks required to do so.

  1. Identify or create a security group (SG) of users who will have delegated permissions to create Office 365 groups.

    a. Action: Set up a security group in Office 365 so you can add your users who can create Office 365 groups.

    b. For more information, see Create, edit, or delete a security group in the Office 365 admin center.

  2. Verify that the company-wide control for users to create groups is enabled.

    a. Action: Run the following PowerShell script and verify UsersPermissiontoCreateGroupsEnabled parameter is set to True.


    b. If this is not true, run the Set-MsolCompanySettings cmdlet to set it to True. Set-MsolCompanySettings -UsersPermissionToCreateGroupsEnabled $True

    c. For more information, see: Manage Office 365 Group Creation.

  3. Configure Office 365 Group settings to allow only identified security group has permissions to create groups

    a. Action: Create a group settings object that contains the configuration settings of the group that will be assigned delegated permissions to create groups.

    $Template = Get-AzureADDirectorySettingTemplate -Id 62375ab9-6b52-47ed-826b-58e47e0e304b
    $Setting = $template.CreateDirectorySetting()
    $setting["EnableGroupCreation"] = "false"
    $setting["GroupCreationAllowedGroupId"] = "<ObjectId of Group Allowed to Create Groups>"
    New-AzureADDirectorySetting -DirectorySetting $settings

    b. For more information, see: Manage Office 365 Group Creation.

Decision Point icon. Decision Point Will all Microsoft Teams users be able to create Teams (recommended)?
Next Steps icon. Next Steps Modify the default permissions for who can create Office 365 groups if you need to limit who can create Teams