SOLVED

Teams Aadsync adding and deleting users - known issue but no official documentation


Hi everyone,

this is happening a lot and there is still no official document about this.

What exactly does the Teams Aadsync do?

I have a team where it added 8 users then removed 2. All users were part of a security group. But afaik there is no "automatic group membership".

The team has no "dynamic group membership" defined.

So what triggers this behaviour?

StephanGee_0-1607942600763.png

I need to explain it to our users and the management.

Best regards

Stephan

4 Replies
Hi, Tony Redmond just posted this https://office365itpros.com/2020/12/14/membership-sync-azuread-teams/

Does that answer your question? (the underlying workflow).

@ChristianBergstrom 

Well. Not really. I already had a look into this.

We have AAD Connect - we get the Office 365 Group synced to our AD but this is a one way sync. So there is no adding to the Azure AD group. (Well users find ways... but normally we teach them to use Teams for this.)

The owners added a library to the underlying SharePoint page and then tried to add a security group to that library by breaking inheritance.

It must have something to do with that action. I am trying to reverse engineer with the audit log (would be easier if it could be scoped to a certain Team though).

best response confirmed by StephanGee (Frequent Contributor)
Solution

@StephanGee 

Found the action that triggers that information.

If you want to add the permission to a library but you go with this entry point:

StephanGee_0-1607954317376.png

Then you add some users as "members" - they seem to be added to the AAD group but not yet to Teams.

A short time later:

StephanGee_1-1607954424359.png

Mystery solved :) Thanks for your directions

Hi, great that you found out your trigger. But the article does mention it.

“Typically, the changes flowing through the pipeline are made to groups via admin centers, Exchange Online, SharePoint Online, or PowerShell modules.”

Before the Teams AadSync was introduced these changes were displayed as “random owner has removed/added bla bla”. You’ve probably noticed that.