Blocked accounts removed from Microsoft Teams even though they're still in the O365 Group!


We've recently spotted that when we block an account in Office 365, the account is removed from the Teams it's in with a 'XYZ has been removed from the team.' message. This is behaviour we did not expect to see! Sometimes we need to temporarily block an account. These are accounts that are still active, still have licenses, and accounts that we will sometime unblock after a period of time. However, within 24 hours of blocking the account, the member is removed from the Microsoft Teams teams they're part of. As sometimes the blocking of an account is for sensitive reasons, for it to be broadcast to other team members is not our expected or desired behaviour.

 

I'm raising a ticket with Microsoft Support but I'm posting here in case others have any insight to this. I'd be really interested to hear if you've experienced this or if you think this is expected behaviour that is acceptable and we should be changing our processes when temporarily blocking accounts.

 

To clarify a couple of things:

  • these accounts are not removed from the underlying Office 365 Group
  • the licenses are not revoked
  • we're experiencing this behaviour on multiple independent tenants
  • when unblocked, the member is returned to the Team - with another message in the general channel!

I'm expecting this to be related to Microsoft Teams eligibility criteria as the article on Org-wide teams talks about blocked accounts. However, this is not an org-wide team and I'd have not expected this behaviour for groups with manually managed membership.

 

For reference, the image below shows the message in the General channel of a test Team we used to recreate the issue, alongside the status within different admin portals from the same point in time. You'll see the blocked test account is still in the Group but is absent from the front-end Team.

 

Screen captures of missing account in Teams

22 Replies
That’s pretty much how it’s designed. Many people have complained about the status messages in Teams, but I don’t think you’re going to be able to get that changed anytime soon, but it’s def something that will need to be modified, as it’s the expected result currently.

Well the messages are not the issue here, the fact that people get actually removed from the Team when the account is blocked is. It's a stupid design decision that needs to be finally addressed. And it's even more annoying because disabled users are still shown in some parts of Teams, you can search for them, etc.

I'm inclined to agree with your thoughts on poor design. I think the inconsistency is also troubling. Why are they removed just from the Team experience but not the underlying group? The status messages are generally annoying but in this case it was extremely negative as team members thought someone had left the organisation - which was not the case at all. I struggle to believe this specific scenario is an intentional design. Either way, the verbose messaging in Teams significantly amplifies the issue.

Well I'll report it again, but doubt anything will change...

@Vasil Michev Did you get a response from opening a ticket please?

 

I was about to do the same but thought I'd ask you first :)

Nah, I tried to revive an old thread we had on this with the engineering folks. Crickets...

Thanks @Vasil Michev, let me ask our CSM and share back if he has any insights :)

@Vasil Michev My conversation with Microsoft Support has - unsurprisingly - come back with this being by design. However, they have raised it as an issue to their senior team. I'm not sure if this will get anywhere, so anything that you can do to raise this through your contacts as an MVP would be great. I've also created a Uservoice for it but realise this will probably get lost in the noise of other requests - https://microsoftteams.uservoice.com/forums/555103-public/suggestions/38783713-stop-teams-eligibilit...

Thanks for your thoughts and input here. Hopefully something will change either on this specific issue or around status notifications in general.

Yeah, it's on my "keep an eye on this" list. I cannot guarantee that anyone from MS will commit to anything of course :)

@Phil Maynard 

We experienced the same last week with a customer when a user was blocked from sign-in, and in the Audit log it looks like one of the owners of the team has removed and then later added the user to the team. We have spoken to these owners and they have not removed the user.

In the Audit log it should have stated that the user was removed by the system, and not one of the owners. Has anybody else seen the same issue with the Audit log?

 

@Phil Maynard 

This has created a bit of trouble for us as well. Per your post - "As sometimes the blocking of an account is for sensitive reasons, for it to be broadcast to other team members is not our expected or desired behaviour." We sometimes have to block for security reasons - for instance, a bad departure of a staff member, and we have to quickly block any ability to wreak havoc. This departure has not yet been communicated to staff or Teams, but this feature lets them know. We can't control the messaging. We have to use a lousy workaround whereas we do not block and instead change their password and then disable their MFA requirement (so they cannot change their password). And then reset the MFA requirement with IT email address and phone. Somewhat painful. Ugh. Maybe there's a better way, but that's how we're dealing with this...

@Phil Maynard We have this same issue and an open ticket with Microsoft as the users who are "blocked" and being removed from the Team are shown as being removed by an owner on the team. So, owners are reaching out - "Hey, I didn't remove Marylou, why are you removing her?"

 

I am the owner of multiple groups and we just had to furlough many employees due to C-19. 

So, the audit trail shows that I have removed hundreds of users, when in fact I did no such thing. What is to stop my security people from running an audit and assuming I have maliciously removed users?


 

Pretty sure there are other logs for the group or other actions that show the admin removing it.

@Chris Webb I am sure there are too - but Teams shouldn't divert admin actions to the "owners" of the Team. Thank you.

Jan - this is exactly what we are running into - could you let me know which audit report you are using?

We are facing this on two fronts. First of which is that the owners are getting upset at us as it's saying they removed the user when in fact the only thing that has happened to them is they were disabled in AD, AD Connect syncs that to Azure AD and is a normal part of leaving the company. They are most upset as this has a negative impact on morale with larger groups. But even if it's by design it can't say something that isn't true; the owner didn't remove them, that must be fixed. We opened a case and are working with support now on it.

Oh, the other front is that if you remove an owner via Azure AD they magically get added back into the team days later, again phantom style "by the owner" even though they didn't.

@Chris Webb 

 

I don't suppose Microsoft is ever going to add a real field to AD/AzureAD that means "employee left company", are they? Continuing to build termination processes based off the "account disabled" event is a bit mind-boggling. There are plenty of reasons to disable an account that have nothing to do with termination of employment, and some reasons to retain active enabled accounts after termination.

 

Automation can be awesome when the correct trigger starts it.

I opened a ticket with Microsoft and the answer was this:

When a user is blocked, either through Active Directory or directly in Office 365, the user is removed from teams in Microsoft Teams. This is the expected behavior for the tool (by design) and is linked to the policy evaluation service, which automatically searches Teams users, in order to prevent Teams users from violating any policies.

More details on the issue are available at the following link: https://docs.microsoft.com/en-us/MicrosoftTeams/information-barriers-in-teams#how-policy-changes-imp...
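
Added example (not from any poster in this thread or from Microsoft): one way for a security team to cross-check the owner attribution discussed above is to correlate each Teams `MemberRemoved` / `MemberAdded` record with a block or unblock of the same account in the preceding 24 hours. The records are constructed samples, and the field names and the `AccountBlocked` / `AccountUnblocked` labels are assumptions to map onto your own audit export.

```python
from datetime import datetime, timedelta

# The thread reports removals "within 24 hours" of the block.
WINDOW = timedelta(hours=24)

# Membership operation -> account state change that would explain it.
# AccountBlocked/AccountUnblocked are hypothetical labels for this sketch.
TRIGGER = {"MemberRemoved": "AccountBlocked", "MemberAdded": "AccountUnblocked"}

# Constructed sample records with simplified, assumed field names.
EVENTS = [
    {"time": "2020-04-01T09:00:00", "op": "AccountBlocked", "user": "marylou@example.com", "actor": "admin@example.com"},
    {"time": "2020-04-01T21:30:00", "op": "MemberRemoved", "user": "marylou@example.com", "actor": "owner@example.com"},
    {"time": "2020-04-02T10:00:00", "op": "MemberRemoved", "user": "sam@example.com", "actor": "owner@example.com"},
    {"time": "2020-04-05T08:00:00", "op": "AccountUnblocked", "user": "marylou@example.com", "actor": "admin@example.com"},
    {"time": "2020-04-05T15:00:00", "op": "MemberAdded", "user": "marylou@example.com", "actor": "owner@example.com"},
    {"time": "2020-04-10T11:00:00", "op": "MemberRemoved", "user": "marylou@example.com", "actor": "owner@example.com"},
]

def classify(events, window=WINDOW):
    """Label each membership change as explained by a block/unblock or not."""
    last_state = {}  # user -> (op, time) of the most recent block or unblock
    findings = []
    for e in sorted(events, key=lambda r: datetime.fromisoformat(r["time"])):
        ts = datetime.fromisoformat(e["time"])
        if e["op"] in TRIGGER.values():
            last_state[e["user"]] = (e["op"], ts)
            continue
        expected = TRIGGER.get(e["op"])
        if expected is None:
            continue  # not a membership change tracked here
        state = last_state.get(e["user"])
        # Explained only if the latest account change is the matching one
        # and it happened no more than `window` before the membership change.
        explained = (state is not None and state[0] == expected
                     and ts - state[1] <= window)
        findings.append({
            "time": e["time"], "op": e["op"], "user": e["user"],
            "logged_actor": e["actor"],
            "verdict": "follows block/unblock" if explained
                       else "no matching account change",
        })
    return findings

if __name__ == "__main__":
    for finding in classify(EVENTS):
        print(finding)
```

Records marked "follows block/unblock" are the ones where the logged actor is least likely to be the person who actually made the change, so they are the entries to confirm with the owner before drawing conclusions.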