Blocked accounts removed from Microsoft Teams even though they're still in the O365 Group!


We've recently spotted that when we block an account in Office 365, the account is removed from the Teams it's in with an 'XYZ has been removed from the team.' message. This is behaviour we did not expect to see! Sometimes we need to temporarily block an account. These are accounts that are still active, still have licenses, and accounts that we will unblock at some point after a period of time. However, within 24 hours of blocking the account, the member is removed from the Microsoft Teams teams they're part of. As the blocking of an account is sometimes for sensitive reasons, for it to be broadcast to other team members is not our expected or desired behaviour.
I'm raising a ticket with Microsoft Support but I'm posting here in case others have any insight to this. I'd be really interested to hear if you've experienced this or if you think this is expected behaviour that is acceptable and we should be changing our processes when temporarily blocking accounts.
To clarify a couple of things:

  • these accounts are not removed from the underlying Office 365 Group
  • the licenses are not revoked
  • we're experiencing this behaviour on multiple independent tenants
  • when unblocked, the member is returned to the Team - with another message in the general channel!

I'm expecting this to be related to the Microsoft Teams eligibility criteria, as the article on org-wide teams talks about blocked accounts. However, this is not an org-wide team and I would not have expected this behaviour for groups with manually managed membership.
For reference, the image below shows the message in the General channel of a test Team we used to recreate the issue, alongside the status within different admin portals from the same point in time. You'll see the blocked test account is still in the Group but is absent from the front-end Team.

[Image: Screen captures of missing account in Teams]

This continues to be a horrible situation. I have documented the issue and escalated it to the Teams engineering group as a formal bug. Hopefully they will do something:

Teams Processing Causes Problems for Disabled Azure AD User Accounts

Organizations often disable Azure AD accounts when users leave or for other reasons. What you might not know is that Teams then removes the account from membership of individual teams. A background process looks for disabled users and removes these accounts from team memberships. That doesn’t sound too bad, but what’s horrible is when you unblock an account. Teams takes a long time (at least 24 hours) to restore standard teams, it might not ever restore membership of org-wide teams, and private channel membership is removed too. It’s not a good situation.

https://practical365.com/disable-azure-ad-accounts-teams/

I am currently experiencing this situation after making a user account "cloud only" that was previously synced via AD Connect (done by removing the user account from synced OUs/groups, which deletes them in Azure AD, then restoring the account in AAD).

The user experiences very strange behaviour - from seeing two of his ~30 Teams, to seeing 15 of them later that day, back to seeing only 2 of them in the evening - even Teams that we removed him from and re-added him to manually during the day are gone again!

Audit Logs show a wild history of multiple "MemberAdded" and "MemberRemoved" - adding happens in the Team's owner's name, removing in "Microsoft Teams Sync"'s name.
Thanks a lot for your explanation post on this, @Tony Redmond - do you have any insights on when this behaviour normalizes itself? We are 24 hours in and I'm a bit scared because the customer cannot work like this - if Group Memberships that we re-added after restoring the user are removed again by Teams Sync, there's nothing we can do to prevent this...?!
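
To triage the add/remove churn described in this post from an audit-log export, here is an added example (not from the poster, Tony Redmond, or Microsoft) that groups constructed Unified Audit Log records by team and member and counts removals by the "Microsoft Teams Sync" actor that undid a manual MemberAdded; the sample records and the field names used (CreationTime, Operation, UserId, TeamName, Members[].UPN) are assumptions modelled on the AuditData payload, not verified against a tenant.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records shaped like Teams membership events in the
# Unified Audit Log. Field names are assumptions, not a verified schema.
SAMPLE_RECORDS = [
    {"CreationTime": "2020-05-04T08:02:11", "Operation": "MemberAdded",
     "UserId": "owner@contoso.example", "TeamName": "Finance",
     "Members": [{"UPN": "alice@contoso.example"}]},
    {"CreationTime": "2020-05-04T13:40:52", "Operation": "MemberRemoved",
     "UserId": "Microsoft Teams Sync", "TeamName": "Finance",
     "Members": [{"UPN": "alice@contoso.example"}]},
    {"CreationTime": "2020-05-04T14:05:00", "Operation": "MemberAdded",
     "UserId": "owner@contoso.example", "TeamName": "Finance",
     "Members": [{"UPN": "alice@contoso.example"}]},
    {"CreationTime": "2020-05-04T21:15:30", "Operation": "MemberRemoved",
     "UserId": "Microsoft Teams Sync", "TeamName": "Finance",
     "Members": [{"UPN": "alice@contoso.example"}]},
    {"CreationTime": "2020-05-04T09:00:00", "Operation": "MemberRemoved",
     "UserId": "owner@contoso.example", "TeamName": "Sales",
     "Members": [{"UPN": "bob@contoso.example"}]},
]

# Assumed actor name for the background sync process, as reported in the post.
SYNC_ACTOR = "Microsoft Teams Sync"


def find_sync_churn(records):
    """Return {(team, upn): n}, where n counts MemberRemoved events by the
    sync actor that followed a manual MemberAdded for the same member."""
    events = defaultdict(list)
    for rec in records:
        ts = datetime.fromisoformat(rec["CreationTime"])
        for member in rec["Members"]:
            events[(rec["TeamName"], member["UPN"])].append(
                (ts, rec["Operation"], rec["UserId"]))
    churn = {}
    for key, evs in events.items():
        evs.sort()  # chronological order per (team, member)
        last_manual_add = None
        count = 0
        for ts, op, actor in evs:
            if op == "MemberAdded" and actor != SYNC_ACTOR:
                last_manual_add = ts
            elif op == "MemberRemoved" and actor == SYNC_ACTOR and last_manual_add:
                count += 1
                last_manual_add = None  # only count once per manual re-add
        if count:
            churn[key] = count
    return churn
```

A non-empty result for a member whose account was recently restored is the pattern this thread describes; a removal by a human owner (the Sales record above) is deliberately not counted.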

Adding and removing users from Teams membership rosters sounds like a side-effect of turmoil in AAD. The Teams AAD Sync process is responsible for detecting change in AAD and replicating that to Teams, so if odd things are happening there, it's all to do with the underlying AAD. I think you need to have an AAD Connect expert check out the synchronization and what's happening to drive change in AAD (which then shows up in Teams).