Microsoft Teams and Office 365 Groups member mismatch and how to fix it

Office 365 Groups are at the core of next-generation Office 365 services such as Planner, Microsoft Teams and Modern SharePoint Teamsites. At the time of writing, I have discovered the following about Office 365 Groups and membership, especially in an active Microsoft Teams environment where you add new members directly in the Teams client.

The Short story

Microsoft Teams does not add new members to the Office 365 Group in Exchange, only to the corresponding Azure AD Group. The Azure AD Group is used to give access to SharePoint documents, so adding a new Teams member gives that member access to the SharePoint site. The result is a mismatch in member count between these two groups, which can be confusing for users when navigating the different Office 365 Groups interfaces.

The Long story

Creating Office 365 Groups

  • When creating an Office 365 Group, a corresponding Azure AD Group also gets created
    • The Azure AD Group is used for Group write back with Azure AD Connect and for permissions in SharePoint Teamsites
      • The Group write back option is only necessary if you have a hybrid Exchange environment and users hosted on-premises who need to be able to resolve the distribution email address and its members
      • It may also be necessary for Skype for Business hybrid environments in order to be able to add the Office 365 Group as a group in the Skype contact list
    • If you create the Office 365 Group in the GUI from Outlook, members get added to that Azure AD Group
    • If you create the Office 365 Group using PowerShell with New-UnifiedGroup and add members right away, members will not get added to the Azure AD Group and you get a mismatch in member count
      • Only the Office 365 Group Owner will get added to the Azure AD Group as a member, and this is an issue for the Group write back with AADC
      • A corresponding SharePoint Teamsite gets created when a member of the group with a SharePoint license logs on to either Office 365 Groups or creates a Microsoft Teams team
    • If you create the group in PowerShell with New-UnifiedGroup without adding members, and then add the members using Add-UnifiedGroupLinks, the members will get added to the corresponding Azure AD Group

Recommended method to create Office 365 Groups via PowerShell

Make sure you are logged in to Exchange Online PowerShell before you start creating the group.

$Owner = "[email protected]"
$Users = "[email protected]","[email protected]"
$alias = "MyNewOffice365Group"
#Create the group with only the owner; members are added in a separate step below
New-UnifiedGroup -DisplayName $alias -Alias $alias -EmailAddresses "[email protected]" -Owner $Owner -Verbose
#This is optional, but may be a good practice initially since Office 365 Groups may clutter your Global Address Book
Set-UnifiedGroup -Identity $alias -HiddenFromAddressListsEnabled $true
#Add the members to the group
Add-UnifiedGroupLinks $alias -LinkType member -Links $Users
#Validate that the members were added ok
Get-UnifiedGroupLinks $alias -LinkType member
#If you want to validate that the AD group is updated ok, run the detection script below, skipping its first line ($alias=$null)

Adding members to existing Office 365 Groups

  • Adding members using the Exchange Online cmdlet Add-UnifiedGroupLinks results in users getting added to both the Office 365 Group and the Azure AD Group; all is good
    • If this is also a Microsoft Teams enabled group, the members will get added to the team as well within 24 hours (or so)
  • Adding members using the web UI as a user results in users getting added to both the Office 365 Group and the Azure AD Group; all is good
  • Adding members from the SharePoint Teamsite UI results in users only getting added to the Azure AD Group, and you have a mismatch of user count between Azure AD and Office 365
  • Adding users from the Microsoft Teams client results in users only getting added to the Azure AD Group, which gives full write access to all the corresponding SharePoint Teamsite documents
    • This results in a mismatch between the Azure AD Group and the Office 365 Group, and if users expect to see the group under Groups in Outlook, they will not
    • You will also get a mismatch between the member lists in Microsoft Teams and Office 365 Groups on the web
      • If the user tries to access the Exchange components of the group they will get added to the member list, but not until they actively add the group or go via the SharePoint Teamsite to the group conversation button in the top right corner

Consequences

  • If you are not a member of the Office 365 Group, you are not a part of the distribution group and you will not see the Group in either Outlook or Outlook Web App
  • If you are not added to the Azure AD Group, you will not be part of the group that gets synced back to Active Directory, nor part of the on-premises distribution group for users hosted on Exchange Server
  • If you are not part of the Azure AD Group, you will not be visible in the Graph API, as there is no way to resolve members from an Office 365 Group via the API, only members from the corresponding Azure AD Group (at the time of writing, may change in the future)

Workarounds

  • Add the member in the web UI for Groups; it will then get added to both the Exchange part and the Azure AD part of the Office 365 Group
  • Detect and remedy the membership differences using PowerShell, adding the missing users to either the Office 365 Group or the Azure AD Group

How to detect mismatch in member-count in Office 365 Groups and Azure AD Group

Below is a simple example of how to list all the groups that have a member-count mismatch between Office 365 Groups and Azure AD Groups. It is always the Azure AD group that has the most and correct set of members, so that is why we add those members to the Exchange part of the Office 365 Group.

Before you run the example you need to install the latest MSOnline PowerShell V1 module and be logged in to the Exchange Online PowerShell module.

Find all groups with mismatch in member-count

$alias=$null
#Find groups that have a mismatching member count in Office 365 Groups and Azure AD groups
$Groups = @()
#Get all Office 365 Groups (or only the group named in $alias when it is set)
$UnifiedGroup = Get-UnifiedGroup $alias
#Fetch the Azure AD groups once instead of once per Office 365 Group
$AADGroups = Get-MsolGroup -GroupType DistributionList -All
ForEach ($Group in $UnifiedGroup){
    #Get the members of the group
    $UnifiedGroupLink = @(Get-UnifiedGroupLinks -Identity $Group.Name -LinkType member | Select-Object -ExpandProperty PrimarySmtpAddress)
    #If there are members in the group, check the corresponding Azure AD Group and find the members. Add the result to a custom PowerShell object
    if ($UnifiedGroupLink.Count -ne 0){
        $AADGroup = $AADGroups | Where-Object {$_.EmailAddress -eq $Group.PrimarySmtpAddress}
        #-All returns every member; without it Get-MsolGroupMember stops at its default result limit
        $AADMembers = @(Get-MsolGroupMember -GroupObjectId $AADGroup.ObjectId -All | Select-Object -ExpandProperty EmailAddress)
        $TempGroups = New-Object PSObject -Property @{
            Emailaddress    = $Group.PrimarySmtpAddress
            O365Members     = $UnifiedGroupLink
            O365membercount = $UnifiedGroupLink.Count
            AADGUID         = $AADGroup.ObjectId
            AADmembers      = $AADMembers
            AADmembercount  = $AADMembers.Count
        }
        #If there is a mismatch in the member count, add the group to the final output variable and write the group to the console
        if ($TempGroups.O365membercount -ne $TempGroups.AADmembercount){$Groups += $TempGroups; $TempGroups}
    }
}
#List all groups with a mismatch
$Groups
#Count the number of groups with a mismatch
Write-Host "Number of mismatching groups:" $Groups.Count

List all the members not present in the Office 365 Group

#Find all members that are present in the Azure AD group and need to be added to the Office 365 Group
foreach ($CurrentGroup in $Groups){
    Write-Host
    Write-Host "Checking Group" $CurrentGroup.Emailaddress
    #Items in $CurrentGroup.AADmembers that are missing from $CurrentGroup.O365Members
    $NewMembers = $CurrentGroup.AADmembers | Where-Object {$CurrentGroup.O365Members -NotContains $_}
    $NewMembers
}
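
The detection script above only flags a group when the two member counts differ, so a group where one user is missing on each side goes unnoticed, and the Azure AD side is the one that grants SharePoint access. The added example below (not part of the original post) compares the two member lists as case-insensitive sets; the helper names `ConvertTo-AddressSet` and `Compare-GroupMembership` and the sample addresses are assumptions made for illustration.

```powershell
# Added example. ConvertTo-AddressSet and Compare-GroupMembership are
# hypothetical helpers, not Exchange Online or MSOnline cmdlets.
function ConvertTo-AddressSet {
    param([object[]]$Address)
    # Case-insensitive set; skips empty entries (e.g. members without a mail address)
    $set = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($a in $Address) {
        if (-not [string]::IsNullOrWhiteSpace($a)) { [void]$set.Add(([string]$a).Trim()) }
    }
    return ,$set   # the comma stops PowerShell from unrolling the set
}

function Compare-GroupMembership {
    # Expects objects shaped like the ones the detection script builds:
    # Emailaddress, O365Members, AADmembers
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject]$Group)
    process {
        $o365 = ConvertTo-AddressSet $Group.O365Members
        $aad  = ConvertTo-AddressSet $Group.AADmembers
        $onlyAad  = @($aad  | Where-Object { -not $o365.Contains($_) } | Sort-Object)
        $onlyO365 = @($o365 | Where-Object { -not $aad.Contains($_) }  | Sort-Object)
        [pscustomobject]@{
            Emailaddress = $Group.Emailaddress
            OnlyInAAD    = $onlyAad     # has SharePoint access, not listed in the Exchange part
            OnlyInO365   = $onlyO365    # listed in Exchange, missing from the Azure AD Group
            CountsMatch  = ($o365.Count -eq $aad.Count)
            InSync       = ($onlyAad.Count -eq 0 -and $onlyO365.Count -eq 0)
        }
    }
}

# Constructed sample data, not taken from a real tenant
$sample = @(
    [pscustomobject]@{
        Emailaddress = 'project-a@example.com'
        O365Members  = @('owner@example.com')
        AADmembers   = @('Owner@example.com', 'teamsuser@example.com')
    },
    [pscustomobject]@{   # same count on both sides, different people
        Emailaddress = 'project-b@example.com'
        O365Members  = @('alice@example.com', 'bob@example.com')
        AADmembers   = @('alice@example.com', 'carol@example.com')
    }
)
$sample | Compare-GroupMembership | Where-Object { -not $_.InSync } | Format-List
```

To catch the equal-count case on real data, feed it an object for every group rather than only the entries in `$Groups`, and review both `OnlyInAAD` and `OnlyInO365` before changing any membership.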

Add the missing members to the Office 365 Group

#Add the users from the Azure AD group to the Office 365 group. The users added will not get a welcome mail.
foreach ($CurrentGroup in $Groups){
    Write-Host
    Write-Host "Checking Group" $CurrentGroup.Emailaddress
    #Items in $CurrentGroup.AADmembers that are missing from $CurrentGroup.O365Members
    $NewMembers = $CurrentGroup.AADmembers | Where-Object {$CurrentGroup.O365Members -NotContains $_}
    #Only call Add-UnifiedGroupLinks when there is someone to add
    if ($NewMembers) {
        Add-UnifiedGroupLinks $CurrentGroup.Emailaddress -LinkType member -Links $NewMembers -Verbose
    }
    Get-UnifiedGroupLinks $CurrentGroup.Emailaddress -LinkType member
}

Source: msunified.net
