Oct 04 2019 07:30 AM
We've recently spotted that when we block an account in Office 365, the account is removed from the Teams it's in with a 'XYZ has been removed from the team.' message. This is behaviour we did not expect to see! Sometimes we need to temporarily block an account. These are accounts that are still active, still have licenses, and accounts that we will sometime unblock after a period of time. However, within 24 hours of blocking the account, the member is removed from Microsoft Teams teams they're part of. As sometimes the blocking of an account is for sensitive reasons, for it to be broadcast to other team members is not our expected or desired behaviour.
I'm raising a ticket with Microsoft Support but I'm posting here in case others have any insight to this. I'd be really interested to hear if you've experienced this or if you think this is expected behaviour that is acceptable and we should be changing our processes when temporarily blocking accounts.
To clarify a couple of things:
I'm expecting this to be related to Microsoft Teams eligibility criteria as the article on Org-wide teams talks about blocked accounts. However, this is not an org-wide team and I'd have not expected this behaviour for groups with manually managed membership.
For reference, the image below shows the message in the General channel of a test Team we used to recreate the issue, alongside the status within different admin portals from the same point in time. You'll see the blocked test account is still in the Group but is absent from the front-end Team.
Oct 04 2019 09:35 AM
Oct 04 2019 10:17 AM
Well the messages are not the issue here, the fact that people get actually removed from the Team when the account is blocked is. It's a stupid design decision that needs to be finally addressed. And it's even more annoying because disabled users are still shown in some parts of Teams, you can search for them, etc.
Oct 04 2019 10:56 AM
Oct 05 2019 09:34 AM
Well I'll report it again, but doubt anything will change...
Oct 08 2019 02:27 AM
@Vasil Michev Did you get a response from opening a ticket please?
I was about to do the same but thought I'd ask you first :)
Oct 08 2019 08:20 AM
Nah, I tried to revive an old thread we had on this with the engineering folks. Crickets...
Oct 08 2019 09:42 AM
Thanks @Vasil Michev. Let me ask our CSM and share back if he has any insights :)
Oct 10 2019 03:35 AM
@Vasil Michev My conversation with Microsoft Support has - unsurprisingly - come back with this being by design. However, they have raised it as an issue to their senior team. I'm not sure if this will get anywhere so anything that you can do to raise this through your contacts as an MVP would be great. I've also created a Uservoice for it but realise this will probably get lost in the noise of other requests - https://microsoftteams.uservoice.com/forums/555103-public/suggestions/38783713-stop-teams-eligibilit...
Thanks for your thoughts and input here. Hopefully something will change either on this specific issue or around status notifications in general.
Oct 10 2019 09:53 AM
Yeah, it's on my "keep an eye on this" list. I cannot guarantee that anyone from MS will commit to anything of course :)
Dec 09 2019 02:30 AM
We experienced the same last week with a customer when a user was blocked from sign-in, and in the Audit log it looks like one of the owners of the team has removed and then later added the user to the team. We have spoken to these owners and they have not removed the user.
In the Audit log it should have stated that the user was removed by the system, and not one of the owners. Has anybody else seen the same issue with the Audit log?
Mar 04 2020 08:19 AM
This has created a bit of trouble for us as well. Per your post - "As sometimes the blocking of an account is for sensitive reasons, for it to be broadcast to other team members is not our expected or desired behaviour." We sometimes have to block for security reasons - for instance a bad departure of a staff member and we have to quickly block any ability to wreak havoc. This departure has not yet been communicated to staff or Teams but this feature lets them know. We can't control the messaging. We have to use a lousy workaround whereas we do not block and instead change their password and then disable their MFA requirement (so they cannot change their password). And then reset the MFA requirement with IT email address and phone. Somewhat painful. Ugh. Maybe there's a better way, but that's how we're dealing with this...
Apr 02 2020 12:12 PM
@Phil Maynard We have this same issue and an open ticket with Microsoft as the users who are "blocked" and being removed from the Team are shown as being removed by an owner on the team. So, owners are reaching out - "Hey, I didn't remove Marylou, why are you removing her?"
I am the owner of multiple groups and we just had to furlough many employees due to C-19.
So, the audit trail shows that I have removed hundreds of users, when in fact I did no such thing. What is to stop my security people from running an audit and assuming I have maliciously removed users?
Apr 02 2020 10:08 PM
Apr 03 2020 05:53 AM
@Chris Webb I am sure there are too - but Teams shouldn't divert admin actions to the "owners" of the Team. Thank you.
Apr 28 2020 01:52 PM
Apr 30 2020 07:06 AM
We are facing this on two fronts. First of which is that the owners are getting upset at us as it's saying they removed the user when in fact the only thing that has happened to them is they were disabled in AD, AD Connect syncs that to Azure AD and is a normal part of leaving the company. They are most upset as this has a negative impact on morale with larger groups. But even if it's by design it can't say something that isn't true, the owner didn't remove them, that must be fixed. We opened a case and are working with support now on it.
Apr 30 2020 07:07 AM
Oh, the other front is that if you remove an owner via Azure AD they magically get added back into the team days later, again phantom style "by the owner" even though they didn't.
May 07 2020 08:46 AM
I don't suppose Microsoft is ever going to add a real field to AD/AzureAD that means "employee left company" are they? Continuing to build termination processes based off the "account disabled" event is a bit mind boggling. There are plenty of reasons to disable an account that have nothing to do with termination of employment, and some reasons to retain active enabled accounts after termination.
Automation can be awesome when the correct trigger starts it.
May 19 2020 09:00 AM - edited May 19 2020 09:01 AM
I opened a ticket with Microsoft and the answer was this:
When a user is blocked, either through Active Directory or directly in Office 365, the user is removed from teams in Microsoft Teams. This is the expected behavior for the tool (by design) and is linked to the policy evaluation service, which automatically searches Teams users, in order to prevent Teams users from violating any policies.
More details on the issue are available at the following link: https://docs.microsoft.com/en-us/MicrosoftTeams/information-barriers-in-teams#how-policy-changes-imp...