Forum Discussion
Group Ownership - Account removal-orphaning
- Feb 21, 2018
Thanks, is there an attribute that can be changed in an off-boarding workflow to also make this happen?
I found some additional information that should help to clarify my question.
The account in question shows up in the O365 Admin Center as blocked:
- licenses show no products assigned,
- sign-in status shows sign-in blocked,
Azure AD shows the last login on Feb 5, 2018
An Office 365 group shows that this account is still in the Owners role, and Azure AD shows the same. Why is the blocked account still shown as an Owner?
When will the blocked account stop showing up in the group owner role?
- TonyRedmond, Feb 21, 2018, MVP
We're dealing with two things here. The Azure AD user object (the account) is as you say: blocked.
However, the Azure AD user object still exists in the directory and the GUID pointing to the object in the list of owners is valid. So when Get-UnifiedGroupLinks returns the set of owners, it thinks the user object is fine because it can be found...
- Dean_Gross, Feb 21, 2018, Silver Contributor
Thanks that makes sense to me. So it appears that Exchange and Outlook stop recognizing the account because the mailbox has been disabled, but SharePoint and any other app that looks at the Office Group are not smart enough to do the same thing. Is that a fair assessment?
If blocking the account does not prevent it from showing in the group, what action must be performed to cause this to occur?
- TonyRedmond, Feb 22, 2018, MVP
That's one way of looking at it. Get-UnifiedGroupLinks is an Exchange Online cmdlet, so it might be the case that Exchange is more precise about detecting and not using an account that does not have an assigned license.
Basically, if you do not want an account to show up in the group, make sure that its link is removed from the membership list by running Remove-UnifiedGroupLinks or update the membership in the admin UIs (EAC, Office 365 Admin Center). The key here is to break the connection between the membership and the AAD object, which is the link in the owner membership list (BTW, make sure to remove the object from both the owner member list and the member list).
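The off-boarding step described above (break the owner link and the member link for every group the account still sits in), written out as an added example that is not from the thread. It assumes an Exchange Online PowerShell session is already open, that the objects returned by Get-UnifiedGroupLinks expose ExternalDirectoryObjectId for matching against the AAD GUID, and the UPN at the bottom is a constructed placeholder.

```powershell
# Added example, not code from the thread. Assumes Connect-ExchangeOnline has run
# and that the caller supplies the off-boarded account's UPN.
function Remove-OffboardedUserFromGroups {
    param(
        [Parameter(Mandatory = $true)][string]$UserPrincipalName,
        [switch]$WhatIf
    )

    # Resolve the recipient once; the owner/member link points at this AAD GUID,
    # which is why a blocked (but still existing) account keeps showing up.
    $user   = Get-Recipient -Identity $UserPrincipalName -ErrorAction Stop
    $userId = $user.ExternalDirectoryObjectId

    foreach ($group in Get-UnifiedGroup -ResultSize Unlimited) {
        $owners  = Get-UnifiedGroupLinks -Identity $group.Identity -LinkType Owners
        $members = Get-UnifiedGroupLinks -Identity $group.Identity -LinkType Members

        # Assumption: link objects carry ExternalDirectoryObjectId for comparison.
        $isOwner  = $owners  | Where-Object { $_.ExternalDirectoryObjectId -eq $userId }
        $isMember = $members | Where-Object { $_.ExternalDirectoryObjectId -eq $userId }

        if (-not $isOwner -and -not $isMember) { continue }

        if ($isOwner) {
            # A group must keep at least one owner: hand off ownership before
            # removing the last one, otherwise the removal is refused.
            if (@($owners).Count -le 1) {
                Write-Warning "$($group.DisplayName): $UserPrincipalName is the only owner; assign a new owner first, skipping."
                continue
            }
            # Owner link must go before the member link.
            Remove-UnifiedGroupLinks -Identity $group.Identity -LinkType Owners `
                -Links $userId -Confirm:$false -WhatIf:$WhatIf
        }
        if ($isMember) {
            # Removing ownership alone leaves the member link in place; drop it too.
            Remove-UnifiedGroupLinks -Identity $group.Identity -LinkType Members `
                -Links $userId -Confirm:$false -WhatIf:$WhatIf
        }
        Write-Output "$($group.DisplayName): removed $UserPrincipalName (owner=$([bool]$isOwner), member=$([bool]$isMember))"
    }
}

# Constructed placeholder UPN; run with -WhatIf first to review the planned changes.
Remove-OffboardedUserFromGroups -UserPrincipalName 'blocked.user@contoso.example' -WhatIf
```

Drop -WhatIf once the listed groups look right; the function leaves groups where the account is the sole owner untouched and warns instead, so those still need a new owner assigned by hand.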