Forum Discussion
Dean_Gross
Feb 21, 2018, Silver Contributor
Group Ownership - Account removal-orphaning
Can anyone help me find a detailed technical explanation of which user account editing scenarios will cause the owner of an Azure AD (Office/Office 365) group to be removed? It was my understand...
Dean_Gross
Feb 21, 2018, Silver Contributor
Thanks, is there an attribute that can be changed in an off-boarding workflow to also make this happen?
Dean_Gross
Feb 21, 2018, Silver Contributor
I found some additional information, that should help to clarify my question.
The account in question shows up in the O365 Admin Center as blocked:
- Licenses: no products assigned
- Sign-in status: sign-in blocked
Azure AD shows the last login on Feb 5, 2018
An Office 365 group shows that this account is still in the Owners role, and Azure AD shows the same. Why is the blocked account still shown as an Owner?
When will the blocked account stop showing up in the group owner role?
- TonyRedmond, Feb 21, 2018, MVP
We're dealing with two things here. The Azure AD user object (the account) is as you say: blocked.
However, the Azure AD user object still exists in the directory and the GUID pointing to the object in the list of owners is valid. So when Get-UnifiedGroupLinks returns the set of owners, it thinks the user object is fine because it can be found...
- Dean_Gross, Feb 22, 2018, Silver Contributor
Thanks that makes sense to me. So it appears that Exchange and Outlook stop recognizing the account because the mailbox has been disabled, but SharePoint and any other app that looks at the Office Group are not smart enough to do the same thing. Is that a fair assessment?
If blocking the account does not prevent it from showing in the group, what action must be performed to cause this to occur?
- TonyRedmond, Feb 22, 2018, MVP
That's one way of looking at it. Get-UnifiedGroupLinks is an Exchange Online cmdlet, so it might be the case that Exchange is more precise about detecting and not using an account that does not have an assigned license.
Basically, if you do not want an account to show up in the group, make sure that its link is removed from the membership list by running Remove-UnifiedGroupLinks or update the membership in the admin UIs (EAC, Office 365 Admin Center). The key here is to break the connection between the membership and the AAD object, which is the link in the owner membership list (BTW, make sure to remove the object from both the owner member list and the member list).
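The off-boarding step described in the reply above, written out as an added example script; this is not code from the thread or from any of its participants. It assumes an Exchange Online PowerShell session is already connected with an account allowed to manage groups, that the blocked user is identified by UPN (the `$UserPrincipalName` parameter and the `Test-IsTarget` helper are this example's own names), and that the link objects returned by Get-UnifiedGroupLinks carry an ExternalDirectoryObjectId and PrimarySmtpAddress, which is what is matched against. It removes the Owners link before the Members link, because Exchange requires owners to be members, and it skips (and reports) any group where the blocked account is the sole owner, since Exchange refuses to remove the last owner and a human has to assign a replacement first.

```powershell
# Added example (not from the thread): remove a blocked account from the Owners
# and Members lists of every Office 365 Group as part of an off-boarding workflow.
# Assumption: Connect-ExchangeOnline (or a Remote PowerShell session) has already run.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [switch] $ReportOnly   # list what would change without calling Remove-UnifiedGroupLinks
)

# A blocked, unlicensed account still has a valid AAD object, which is exactly why the
# owner link keeps resolving; Get-User finds it even when the mailbox is gone.
$target = Get-User -Identity $UserPrincipalName -ErrorAction Stop

function Test-IsTarget($link) {
    # Hypothetical helper: prefer the directory object id (stable across licence
    # changes); fall back to the SMTP address for the common UPN-equals-SMTP case.
    ($link.ExternalDirectoryObjectId -and
        $link.ExternalDirectoryObjectId -eq $target.ExternalDirectoryObjectId) -or
    ($link.PrimarySmtpAddress -and
        "$($link.PrimarySmtpAddress)" -ieq $UserPrincipalName)
}

$results = foreach ($group in Get-UnifiedGroup -ResultSize Unlimited) {
    $owners  = @(Get-UnifiedGroupLinks -Identity $group.Identity -LinkType Owners)
    $members = @(Get-UnifiedGroupLinks -Identity $group.Identity -LinkType Members)

    $isOwner  = [bool]($owners  | Where-Object { Test-IsTarget $_ })
    $isMember = [bool]($members | Where-Object { Test-IsTarget $_ })
    if (-not ($isOwner -or $isMember)) { continue }

    if ($isOwner -and $owners.Count -le 1) {
        # Exchange will not remove the last owner; leave the links in place and flag it.
        Write-Warning "$($group.PrimarySmtpAddress): $UserPrincipalName is the only owner; assign a new owner first."
        [pscustomobject]@{ Group = $group.PrimarySmtpAddress; Action = 'SoleOwner-Skipped' }
        continue
    }

    # Owner link first: a member who is still an owner cannot be removed from Members.
    if ($isOwner) {
        if (-not $ReportOnly) {
            Remove-UnifiedGroupLinks -Identity $group.Identity -LinkType Owners `
                -Links $UserPrincipalName -Confirm:$false
        }
        [pscustomobject]@{ Group = $group.PrimarySmtpAddress; Action = 'RemovedOwnerLink' }
    }
    if ($isMember) {
        if (-not $ReportOnly) {
            Remove-UnifiedGroupLinks -Identity $group.Identity -LinkType Members `
                -Links $UserPrincipalName -Confirm:$false
        }
        [pscustomobject]@{ Group = $group.PrimarySmtpAddress; Action = 'RemovedMemberLink' }
    }
}

# Keep the per-group record: it is the audit trail for the off-boarding ticket.
$results | Format-Table -AutoSize
```

Run it once with `-ReportOnly` to see which groups the blocked account still owns or belongs to, then again without the switch to break the links. Groups reported as `SoleOwner-Skipped` still have the blocked account as their only owner and need a replacement owner assigned (for example with Add-UnifiedGroupLinks -LinkType Owners) before the script is rerun for them.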