Using Dynamic Office 365 Groups with Teams

Posted on by Tony Redmond

Teams and Dynamic Office 365 Groups

Update: From November 2018, support for dynamic groups is included in Teams. See this article for more information.

Despite having some dynamic teams working in my tenant, some people told me that Microsoft doesn’t support dynamic Office 365 Groups when used with Teams. The documentation covering Office 365 Groups and Teams doesn’t address the point, so there doesn’t seem to be a formal restriction. At least, there wasn’t until I tried to team-enable a new dynamic Office 365 group and ran into an error.

I asked the Teams development group whether dynamic teams are supported. They admitted that some people had got dynamic teams to work (like me) but as they hadn’t completed the work to validate that dynamic teams work properly in all scenarios, they had placed a block on the creation of new dynamic teams. Microsoft will enable the feature when they complete their development and test work, and hopefully this will happen soon. We have updated Office 365 for IT Pros (August 28) to reflect the current situation.

A Dynamic Team

Every team is represented by an Office 365 Group. The membership of the group represents the membership of the team. The group can be made up of static or dynamic membership. A dynamic group uses a query against Azure Active Directory to calculate its membership. You cannot create a team with dynamic membership using a Teams client or with the PowerShell New-Team cmdlet. Instead, you create the dynamic group through the Azure Active Directory portal and then team-enable the group.

Figure 1 shows an example. The top is an extract of properties for a dynamic group taken from the Azure Active Directory portal. We can see that the membership type is dynamic and that the group has five members. The bottom is the membership visible in Teams. Five members are shown, which is what we expect.

Pictures of the Marketing department - a team that uses a dynamic group
Figure 1: The Marketing Department – a team using a dynamic group

All of this is based on experience with dynamic teams created before Microsoft initiated the block. Things could change in the future!

Owners and Members

Each team should have at least one owner. The person who creates a new team automatically becomes an owner, unless they decide not to and nominate another user for the role. You can add other owners via the Azure Active Directory portal, PowerShell, or by updating the role of a member to become an owner.

Owners are always members of the team, but they are static in that their membership does not depend on the query executed against Azure Active Directory. In other words, a dynamic group has two membership lists – one is static (the owners), and one is dynamic (the members). The dynamic list is actually composed of the owners and the members computed by the query against Azure Active Directory. You don’t see two sets in the dynamic list because the user interfaces combine the two into one seamless set.

But if you use the Get-TeamUser cmdlet to examine members of a team, you see:

Get-TeamUser -GroupId a53141d5-54ef-4a6d-877d-63b0cbda409f | ft user, role

User                                Role
----                                ----
Tony.Redmond@office365itpros.com    owner
dxredmond@office365itpros.com       owner
Administrator@redmondassociates.org owner
Sanjay.Patel@office365itpros.com    owner
Kim.Akers@office365itpros.com       member
James.Abrahams@office365itpros.com  member
James.Ryan@office365itpros.com      member

While if you run the Get-AzureADGroupOwner and Get-AzureADGroupOwner cmdlets to examine the underlying group in Azure Active Directory, you see the two sets:

Get-AzureADGroupMember -ObjectId a53141d5-54ef-4a6d-877d-63b0cbda409f

ObjectId                             DisplayName     UserPrincipalName                  UserType
--------                             -----------     -----------------                  --------
eff4cd58-1bb8-4899-94de-795f656b4a18 Tony Redmond    Tony.Redmond@office365itpros.com
96155a51-6885-4c8f-a8b6-e1614af08675 Deirdre Redmond dxredmond@office365itpros.com
d36b323a-32c3-4ca5-a4a5-2f7b4fbef31c Kim Akers       Kim.Akers@office365itpros.com
d446f6d7-5728-44f8-9eac-71adb354fc89 James Abrahams  James.Abrahams@office365itpros.com Member
cad05ccf-a359-4ac7-89e0-1e33bf37579e James Ryan      James.Ryan@office365itpros.com     Member

Get-AzureADGroupOwner -ObjectId a53141d5-54ef-4a6d-877d-63b0cbda409f

ObjectId                             DisplayName                            UserPrincipalName                   UserType
--------                             -----------                            -----------------                   --------
eff4cd58-1bb8-4899-94de-795f656b4a18 Tony Redmond                           Tony.Redmond@office365itpros.com
96155a51-6885-4c8f-a8b6-e1614af08675 Deirdre Redmond                        dxredmond@office365itpros.com
53f08764-07d4-418c-8403-a737a8fac7b3 Administrator (Redmond and Associates) Administrator@redmondassociates.org Member
ab5dc939-bb3e-4b68-bf26-8e401f0b6f00 Sanjay Patel                           Sanjay.Patel@office365itpros.com    Member

Some members are marked with UserType = Member while others are not. There’s a slight inconsistency in how users are tagged that I can’t quite explain. But everything works.

Problems

Although dynamic teams do work (if you configured them before Microsoft blocked the feature), it’s fair to say that some gotchas exist. One example of an edge case is when you demote an owner to become a member. If the demoted user does not come within the scope of the query used to populate the team membership, they are removed from the membership.

Another problem is that no documentation exists, work that would flow from testing.

Some attention might be needed to improve the synchronization between Azure Active Directory and Teams to respect changes made in dynamic membership. Anyone who has made a change to Azure Active Directory knows that Teams is sometimes not fast when it comes to synchronization, which could be a problem when dynamic membership changes. When an administrator updates the query underlying a dynamic group, background jobs evaluate the query and compute the new membership. Any changes must then be synchronized from Azure Active Directory to Teams, and then replicated to the local cache in clients.

I’m sure that Microsoft knows of all these issues and is working to resolve them before the formal launch of dynamic teams.

Update: Teams now fully supports dynamic Microsoft 365 Groups.

For More Information

For more information about Dynamic Office 365 Groups, see Chapter 12 of Office 365 for IT Pros. For more information about Teams, see Chapter 13.

 

4 Replies to “Using Dynamic Office 365 Groups with Teams”

    1. It’s coming. I expect it to be quite soon as the functionality is being tested in beta now.

      Reply

  2. Hi Tony. Thanks for this article as I have been struggling with Dynamic Groups and as a result Dynamic Teams. Has there been any update on this?

    Reply

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.