Forum Discussion
Blocked accounts removed from Microsoft Teams even though they're still in the O365 Group!
We've recently spotted that when we block an account in Office 365, the account is removed from the Teams it's in with a 'XYZ has been removed from the team.' message. This is behaviour we did not expect to see! Sometimes we need to temporarily block an account. These are accounts that are still active, still have licenses, and accounts that we will sometime unblock after a period of time. However within 24 hours of blocking the account, the member is removed from Microsoft Teams teams they're part of. As sometimes the blocking of an account is for sensitive reasons, for it to be broadcast to other team members is not our expected or desired behaviour.
I'm raising a ticket with Microsoft Support but I'm posting here in case others have any insight to this. I'd be really interested to hear if you've experienced this or if you think this is expected behaviour that is acceptable and we should be changing our processes when temporarily blocking accounts.
To clarify a couple of things:
- these accounts are not removed from the underlying Office 365 Group
- the licenses are not revoked
- we're experiencing this behaviour on multiple independent tenants
- when unblocked, the member is returned to the Team - with another message in the general channel!
I'm expecting this to be related to Microsoft Teams eligibility criteria as the article on Org-wide teams talks about blocked accounts. However, this is not an org-wide team and I'd have not expected this behaviour for groups with manually managed membership.
For reference, the image below shows the message in the General channel of a test Team we used to recreate the issue, alongside the status within different admin portals from the same point in time. You'll see the blocked test account is still in the Group but is absent from the front-end Team.
[Image: Screen captures of missing account in Teams]
- This continues to be a horrible situation. I have documented the issue and escalated it to the Teams engineering group as a formal bug. Hopefully they will do something:
Teams Processing Causes Problems for Disabled Azure AD User Accounts
Organizations often disable Azure AD accounts when users leave or for other reasons. What you might not know is that Teams then removes the account from membership of individual teams. A background process looks for disabled users and removes these accounts from team memberships. That doesn’t sound too bad, but what’s horrible is when you unblock an account. Teams takes a long time (at least 24 hours) to restore standard teams, it might not ever restore membership of org-wide teams, and private channel membership is removed too. It’s not a good situation.
https://practical365.com/disable-azure-ad-accounts-teams/
- StefanHefele (Copper Contributor)
I am currently experiencing this situation after making a user account "cloud only" that was previously synced via AD Connect (done by removing the user account from synced OUs/groups, which deletes them in Azure AD, then restoring the account in AAD).
The user experiences very strange behaviour - from seeing two of his ~30 Teams, to seeing 15 of them later that day, back to seeing only 2 of them in the evening - even Teams that we removed and re-added him to manually during the day are gone again!
Audit Logs show a wild history of multiple "MemberAdded" and "MemberRemoved" - adding happens in the Team's owner's name, removing in "Microsoft Teams Sync"'s name.
Thanks a lot for your explanation post on this, TonyRedmond - do you have any insights on when this behaviour normalises itself? We are 24 hours in and I'm a bit scared because the customer cannot work like this - if Group Memberships we re-added after restoring the users are removed again by Teams Sync, there's nothing we can do to prevent this...?!
- Adding and removing users from Teams membership rosters sounds like a side-effect of turmoil in AAD. The Teams AAD Sync process is responsible for detecting change in AAD and replicating that to Teams, so if odd things are happening there, it's all to do with the underlying AAD. I think you need to have an AAD Connect expert check out the synchronization and what's happening to drive change in AAD (which then shows up in Teams).
- brunofelipens (Copper Contributor)
I opened a ticket with Microsoft and the answer was this:
When a user is blocked, either through Active Directory or directly in Office 365, the user is removed from teams in Microsoft Teams. This is the expected behavior for the tool (by design) and is linked to the policy evaluation service, which automatically searches Teams users, in order to prevent Teams users from violating any policies.
More details on the issue are available at the following link: https://docs.microsoft.com/en-us/MicrosoftTeams/information-barriers-in-teams#how-policy-changes-impact-existing-chats
- JaniceHeadrick (Copper Contributor)
philmaynard_wap We have this same issue and an open ticket with Microsoft as the users who are "blocked" and being removed from the Team are shown as being removed by an owner on the team. So, owners are reaching out - "Hey, I didn't remove Marylou, why are you removing her?"
I am the owner of multiple groups and we just had to furlough many employees due to C-19.
So, the audit trail shows that I have removed hundreds of users, when in fact I did no such thing. What is to stop my security people from running an audit and assume I have maliciously removed users?
- Amy Talhouk (Copper Contributor)
Jan - this is exactly what we are running into - could you let me know which audit report you are using?
- ITEric (Iron Contributor)
We are facing this on two fronts. First of which is that the owners are getting upset at us as it's saying they removed the user when in fact the only thing that has happened to them is they were disabled in AD; AD Connect syncs that to Azure AD and this is a normal part of leaving the company. They are most upset as this has a negative impact on morale with larger groups. But even if it's by design it can't say something that isn't true: the owner didn't remove them, and that must be fixed. We opened a case and are working with support now on it.
- Pretty sure there are other logs for the group or other actions that show the admin removing it.
- JaniceHeadrick (Copper Contributor)
ChrisWebbTech I am sure there are too - but Teams shouldn't divert admin actions to the "owners" of the Team. Thank you.
- jellydog (Copper Contributor)
This has created a bit of trouble for us as well. Per your post - "As sometimes the blocking of an account is for sensitive reasons, for it to be broadcast to other team members is not our expected or desired behaviour." We sometimes have to block for security reasons - for instance a bad departure of a staff member, where we have to quickly block any ability to wreak havoc. This departure has not yet been communicated to staff or Teams, but this feature lets them know. We can't control the messaging. We have to use a lousy workaround whereby we do not block and instead change their password and then disable their MFA requirement (so they cannot change their password). And then reset the MFA requirement with the IT email address and phone. Somewhat painful. Ugh. Maybe there's a better way, but that's how we're dealing with this...
- Frode_Wika (Copper Contributor)
We experienced the same last week with a customer when a user was blocked from sign-in, and in the Audit log it looks like one of the owners of the team has removed and then later added the user to the team. We have spoken to these owners and they have not removed the user.
In the Audit log it should have stated that the user was removed by the system, and not by one of the owners. Has anybody else seen the same issue with the Audit log?
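Several replies above (StefanHefele, JaniceHeadrick, ITEric, Frode_Wika) describe the same triage problem: the Unified Audit Log shows "MemberRemoved" events attributed either to a team owner or to "Microsoft Teams Sync", shortly after the member's sign-in was blocked, and security staff have no easy way to tell those apart from removals an owner really performed. The Python below is an added example, not code from the thread or from Microsoft, that correlates Teams "MemberRemoved" records with the Azure AD "Update user." record that flipped AccountEnabled to false within the 24-hour window the thread reports. The sample records are constructed and the field names (Operation, Workload, UserId, ObjectId, Members, ModifiedProperties, TeamName) are an assumption based on typical Search-UnifiedAuditLog exports; check them against your own tenant's AuditData before relying on the script.

```python
"""Triage Teams MemberRemoved audit records: owner action vs. sign-in block side effect.

Added example, not from the forum thread or Microsoft. Record shapes are an
ASSUMPTION approximating Unified Audit Log AuditData JSON; sample data is constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

BLOCK_WINDOW = timedelta(hours=24)    # thread reports removal within 24h of a block
SYNC_ACTOR = "Microsoft Teams Sync"   # actor name reported in the thread's audit logs

# Constructed sample records (not real tenant data). AAD writes property values as
# bracketed, newline-padded text, which is why NewValue looks the way it does.
SAMPLE_RECORDS = [
    {"CreationTime": "2020-04-01T09:00:12", "Operation": "Update user.",
     "Workload": "AzureActiveDirectory", "UserId": "itadmin@contoso.example",
     "ObjectId": "marylou@contoso.example",
     "ModifiedProperties": [{"Name": "AccountEnabled",
                             "OldValue": "[\r\n  true\r\n]", "NewValue": "[\r\n  false\r\n]"}]},
    {"CreationTime": "2020-04-01T21:40:03", "Operation": "MemberRemoved",
     "Workload": "MicrosoftTeams", "UserId": "owner1@contoso.example",
     "TeamName": "Project Falcon", "Members": [{"UPN": "marylou@contoso.example"}]},
    {"CreationTime": "2020-04-01T21:40:05", "Operation": "MemberRemoved",
     "Workload": "MicrosoftTeams", "UserId": SYNC_ACTOR,
     "TeamName": "Finance", "Members": [{"UPN": "marylou@contoso.example"}]},
    {"CreationTime": "2020-04-03T10:15:00", "Operation": "MemberRemoved",
     "Workload": "MicrosoftTeams", "UserId": "owner1@contoso.example",
     "TeamName": "Project Falcon", "Members": [{"UPN": "bob@contoso.example"}]},
]


def _load(record):
    """Accept a dict or the raw AuditData JSON string from a CSV export."""
    return json.loads(record) if isinstance(record, str) else record


def _when(record):
    return datetime.fromisoformat(record["CreationTime"].rstrip("Z"))


def _is_signin_block(record):
    """True for an AAD 'Update user.' record that set AccountEnabled to false."""
    if record.get("Workload") != "AzureActiveDirectory" or record.get("Operation") != "Update user.":
        return False
    for prop in record.get("ModifiedProperties", []):
        if prop.get("Name") == "AccountEnabled":
            new = str(prop.get("NewValue", "")).strip().strip("[]").strip().lower()
            return new == "false"
    return False


def signin_blocks(records):
    """Map each blocked UPN to the times its account was disabled."""
    blocks = defaultdict(list)
    for r in map(_load, records):
        if _is_signin_block(r):
            blocks[r["ObjectId"].lower()].append(_when(r))
    return blocks


def classify_removals(records):
    """Label every Teams MemberRemoved record as teams-sync, follows-signin-block or owner-action."""
    recs = sorted(map(_load, records), key=_when)
    blocks = signin_blocks(recs)
    out = []
    for r in recs:
        if r.get("Workload") != "MicrosoftTeams" or r.get("Operation") != "MemberRemoved":
            continue
        when, actor = _when(r), r.get("UserId", "")
        for m in r.get("Members", []):
            upn = m["UPN"].lower()
            if actor == SYNC_ACTOR:
                verdict = "teams-sync"                # system actor named outright
            elif any(timedelta(0) <= when - t <= BLOCK_WINDOW for t in blocks.get(upn, [])):
                verdict = "follows-signin-block"      # owner named, but block preceded it
            else:
                verdict = "owner-action"              # nothing links it to a block
            out.append({"when": when.isoformat(), "team": r.get("TeamName"),
                        "member": upn, "actor": actor, "verdict": verdict})
    return out


def summarize_by_actor(results):
    """Per-actor verdict counts, so an owner's 'hundreds of removals' can be explained."""
    summary = defaultdict(lambda: defaultdict(int))
    for row in results:
        summary[row["actor"]][row["verdict"]] += 1
    return {actor: dict(counts) for actor, counts in summary.items()}


if __name__ == "__main__":
    rows = classify_removals(SAMPLE_RECORDS)
    for row in rows:
        print(f'{row["when"]}  {row["team"]:<15} {row["member"]:<26} by {row["actor"]:<24} -> {row["verdict"]}')
    print(summarize_by_actor(rows))
```

To use it against a real export, pass the AuditData column of a Search-UnifiedAuditLog CSV (each cell is a JSON string, which `_load` accepts) covering both the AzureActiveDirectory and MicrosoftTeams workloads for the same window. A "follows-signin-block" verdict is circumstantial, not proof: it says the removal landed inside the window after a block of the same account, which is the pattern the thread describes, and an investigator should still confirm with the owner before clearing or accusing anyone.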
- That’s pretty much how it’s designed. Many people have complained about the status messages in Teams, but I don’t think you're going to be able to get that changed anytime soon. It’s definitely something that will need to be modified, as it’s the expected result currently.
- anneoday (Iron Contributor)
I don't suppose Microsoft is ever going to add a real field to AD/AzureAD that means "employee left company" are they? Continuing to build termination processes based off the "account disabled" event is a bit mind boggling. There are plenty of reasons to disable an account that have nothing to do with termination of employment, and some reasons to retain active enabled accounts after termination.
Automation can be awesome when the correct trigger starts it.
Well the messages are not the issue here, the fact that people get actually removed from the Team when the account is blocked is. It's a stupid design decision that needs to be finally addressed. And it's even more annoying because disabled users are still shown in some parts of Teams, you can search for them, etc.
- philmaynard_wap (Iron Contributor)
I'm inclined to agree with your thoughts on poor design. I think the inconsistency is also troubling. Why are they removed just from the Team experience but not the underlying group? The status messages are generally annoying but in this case it was extremely negative as team members thought someone had left the organisation - which was not the case at all. I struggle to believe this specific scenario is an intentional design. Either way, the verbose messaging in Teams significantly amplifies the issue.