Check Your Azure AD Accounts Before Adding Org-Wide Teams

Team Membership Might Not Be Quite So Org-Wide

Using new software can be both a joy and a pain. On the one hand, you get to play with new features; on the other, some of the new features might not work as well as you’d like. Such was the case with Org-Wide Teams.

Specifically, the problem was that some valid tenant accounts were never added to an org-wide team. Even more bizarrely, a tenant administrator who created an org-wide team was added as a team owner only to be removed from the membership soon afterwards.

A Missing Value in Azure AD

In both cases, the problem was that the Azure Active Directory accounts had no value in the UserType property. This is a relatively new property that should be populated with Member for tenant accounts and Guest for guest accounts. However, some older accounts might have null values. In my tenant, I found six accounts with null values, all created in 2014 (soon after the tenant was set up).

To find these accounts, connect to Azure Active Directory with PowerShell (use the V2 module), and run the command:

Get-AzureADUser -All $True | ? {$_.UserType -eq $Null} | Format-Table DisplayName, UserType, ObjectId

If nothing is returned, you don’t have a problem and org-wide team membership will be fine. Apart, that is, from the shared mailboxes, room mailboxes, and the like that are added and need to be removed afterwards – Microsoft is aware of the problem and is working to fix the Graph filters used to generate membership.

But if you find some tenant accounts with null values, you can fix them individually by running the command (the $GUID variable is populated with the object identifier for the account)

Set-AzureADUser -ObjectId $GUID -UserType Member

The GUID is the object identifier for the account listed in the command that returns a list of accounts with null UserType values.

Or, if (like me) you find that all the accounts with missing values are tenant accounts, you can fix them with:

Get-AzureADUser -All $True | ? {$_.UserType -eq $Null} | Set-AzureADUser -Usertype member

Checking the accounts afterwards, you should see that UserType is correctly populated.


All Fixed Up

Once the accounts are fixed, the background process that calculates org-wide team membership will detect the values and add the accounts to the org-wide team membership.

Microsoft knows about this issue, but checking and fixing all Azure Active Directory accounts for null values might not be high on their priority list, so if you want to use org-wide Teams you should fix these accounts yourself.

Need more information about managing Azure Active Directory accounts with PowerShell? The Office 365 for IT Pros eBook has many examples in different chapters (starting in Chapter 4) together with tons of other examples of using PowerShell to manage Office 365 Groups and Teams.

8 Replies to “Check Your Azure AD Accounts Before Adding Org-Wide Teams”

  1. Tony – I needed to modify the above with “Get-AzureADUser -All $true” to return all such objects from Azure AD

      1. Well in my own 10 user tenant 8 accounts needed set, on a client site where we actually created an Org Wide Team out of 500 odd accounts approx 120 were blank. There’s going to be a lot of confused admins out there

      2. Hopefully there will be fewer confused admins now… but your point is well taken. I do know that Microsoft is considering how best to solve this issue across Office 365… We’ll see what they do.

  2. I have the opposite problem. I get all my users in my Org-Wide team. But, I also get service accounts, healthmailbox accounts, and all kinds of other things that I don’t want. There’s doesn’t seem to be a way to tell this to only get actual Users which sucks. If I could set it to only pull in accounts that have an active O365 license, that’d be great. If I could tell it to only pull users with a certain field in AD set to a certain thing, that’d be great. Hopefully they enhance that feature or do something to make this easier. 🙂

    1. Unfortunately, the developers seem to have some problems nailing what the actual set of users that should be included in an org-wide team. The net is that you need to keep an eye on what’s happening, just in case some of the erroneous accounts sneak through.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.