Tuesday, April 22, 2025

EntraID for Customers - HowTo Disable self-service SignUp on UserFlow

How to Disable Self-Service Sign-Up in a Microsoft Entra ID for Customers User Flow

In Microsoft Entra ID for Customers, you can only create SignIn and SignUp user flows. Unlike Azure AD B2C, there is currently no option to create a SignIn-only user flow.

At the moment, the Entra ID Admin Center does not provide a built-in way to disable the Self-Service Sign-Up link within a user flow. Even custom CSS cannot be used to hide the SignUp link, as the relevant element’s styling cannot be overridden.

However, if you're managing users via Microsoft Graph and want to prevent self-service sign-ups — for example, in a B2B scenario — you can modify the user flow by patching it using the Graph API beta endpoint.

To do this, send a PATCH request to the following endpoint:

https://graph.microsoft.com/beta/identity/authenticationEventsFlows/{UserFlowID}

With the following payload:

{
  "@odata.type": "#microsoft.graph.externalUsersSelfServiceSignUpEventsFlow",
  "onInteractiveAuthFlowStart": {
    "@odata.type": "#microsoft.graph.onInteractiveAuthFlowStartExternalUsersSelfServiceSignUp",
    "isSignUpAllowed": false
  }
}

If successful, the response will be HTTP 204 No Content.

You can perform this operation using Microsoft Graph Explorer — just make sure the beta endpoint is selected.

To retrieve the UserFlowID, send a GET request to:

https://graph.microsoft.com/beta/identity/authenticationEventsFlows

Once updated, the user flow will no longer display the SignUp link on the SignIn form.
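
As an added example (not code from the original post), the Python sketch below audits a listing returned by the GET request above and builds the PATCH request for each user flow that still shows sign-up as allowed. The sample listing, its ids and display names are constructed, the function names are hypothetical, and treating a missing isSignUpAllowed value as "not confirmed disabled" is an assumption.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/beta/identity/authenticationEventsFlows"
SELF_SERVICE = "#microsoft.graph.externalUsersSelfServiceSignUpEventsFlow"
ON_START = "#microsoft.graph.onInteractiveAuthFlowStartExternalUsersSelfServiceSignUp"

# Constructed sample of a GET response body (ids and names are made up).
SAMPLE_LISTING = {"value": [
    {"@odata.type": SELF_SERVICE, "id": "00000000-0000-0000-0000-000000000001",
     "displayName": "Partner portal",
     "onInteractiveAuthFlowStart": {"@odata.type": ON_START, "isSignUpAllowed": True}},
    {"@odata.type": SELF_SERVICE, "id": "00000000-0000-0000-0000-000000000002",
     "displayName": "Already locked",
     "onInteractiveAuthFlowStart": {"@odata.type": ON_START, "isSignUpAllowed": False}},
    {"@odata.type": SELF_SERVICE, "id": "00000000-0000-0000-0000-000000000003",
     "displayName": "No start handler returned"},
]}

def flows_allowing_signup(listing):
    """Return flows whose listing does not show isSignUpAllowed == false."""
    open_flows = []
    for flow in listing.get("value", []):
        if flow.get("@odata.type") != SELF_SERVICE:
            continue
        start = flow.get("onInteractiveAuthFlowStart") or {}
        # Assumption: a missing value is treated as "not confirmed disabled".
        if start.get("isSignUpAllowed") is not False:
            open_flows.append(flow)
    return open_flows

def build_patch(flow_id, token):
    """Build (without sending) the PATCH request carrying the payload shown above."""
    payload = {"@odata.type": SELF_SERVICE,
               "onInteractiveAuthFlowStart": {"@odata.type": ON_START,
                                              "isSignUpAllowed": False}}
    return urllib.request.Request(
        f"{GRAPH}/{flow_id}", data=json.dumps(payload).encode(), method="PATCH",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})

def disable_signup(flow_id, token):
    """Send the PATCH; success is HTTP 204 No Content."""
    with urllib.request.urlopen(build_patch(flow_id, token)) as resp:
        return resp.status == 204

if __name__ == "__main__":
    for f in flows_allowing_signup(SAMPLE_LISTING):
        print("sign-up not confirmed disabled:", f["id"], f["displayName"])
```

Re-running the audit after patching confirms that no flow is left with the SignUp link enabled.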

For more information, refer to the official documentation:
OnInteractiveAuthFlowStartExternalUsersSelfServiceSignUp - Microsoft Graph (beta)

Wednesday, November 29, 2017

Disable Self-Service Microsoft Teams Creation in Office 365

For Microsoft Teams governance, you will probably want to prevent regular users from creating new Teams.

This can be achieved only with a PowerShell script because, right now, the standard Office 365 UI does not give us this option.

Important: to execute the script you need the preview version of the AzureAD module for PowerShell, called "AzureADPreview".

If you have already installed the production AzureAD module, you need to uninstall it and then install the preview version of the same module.

Uninstall-Module AzureAD
Install-Module AzureADPreview

Once the module is correctly installed, all you need to do is execute this script.
Change the $groupName variable to fit your environment.
This AzureAD Security Group will be the only one whose members can later create Teams.
Keep in mind that Global Admin members can also create Microsoft Teams.

#Connect to AAD
$AzureAdCred = Get-Credential
Connect-AzureAD -Credential $AzureAdCred

#Get reference to your AAD Group (exact name match, since -SearchString can return more than one group)
$groupName = "UsersCanCreateTeams"
$group = Get-AzureADGroup -SearchString $groupName | where {$_.DisplayName -eq $groupName}

#Create the Group.Unified directory setting only if the tenant does not have one yet
if (-not (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ)) {
    $Template = Get-AzureADDirectorySettingTemplate | where {$_.DisplayName -eq 'Group.Unified'}
    New-AzureADDirectorySetting -DirectorySetting $Template.CreateDirectorySetting() | Out-Null
}

#Disable Group Creation (on which a Team relies)
$Setting = Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ
$Setting["EnableGroupCreation"] = $False

#Allow only members of your AAD Group to create groups
$Setting["GroupCreationAllowedGroupId"] = $group.ObjectId
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting

That's all.