Using new software can be both a joy and a pain. On the one hand, you get to play with new features; on the other, some of the new features might not work as well as you’d like. Such was the case with Org-Wide Teams.
Specifically, the problem was that some valid tenant accounts were never added to an org-wide team. Even more bizarrely, a tenant administrator who created an org-wide team was added as a team owner only to be removed from the membership soon afterwards.
A Missing Value in Azure AD
In both cases, the problem was that the Azure Active Directory accounts had no value in the UserType property. This is a relatively new property that should be populated with Member for tenant accounts and Guest for guest accounts. However, some older accounts might have null values. In my tenant, I found six accounts with null values, all created in 2014 (soon after the tenant was set up).
To find these accounts, connect to Azure Active Directory with PowerShell (use the V2 module), and run the command:
If nothing is returned, you don’t have a problem and org-wide team membership will be fine. Apart, that is, from the shared mailboxes, room mailboxes, and the like that are added and need to be removed afterwards – Microsoft is aware of the problem and is working to fix the Graph filters used to generate membership.
But if you find some tenant accounts with null values, you can fix them individually by running the command (the $GUID variable is populated with the object identifier for the account)
Set-AzureADUser -ObjectId $GUID -UserType Member
The GUID is the object identifier for the account listed in the command that returns a list of accounts with null UserType values.
Or, if (like me) you find that all the accounts with missing values are tenant accounts, you can fix them with:
Checking the accounts afterwards, you should see that UserType is correctly populated.
All Fixed Up
Once the accounts are fixed, the background process that calculates org-wide team membership will detect the values and add the accounts to the org-wide team membership.
Microsoft knows about this issue, but checking and fixing all Azure Active Directory accounts for null values might not be high on their priority list, so if you want to use org-wide Teams you should fix these accounts yourself.
Need more information about managing Azure Active Directory accounts with PowerShell? The Office 365 for IT Pros eBook has many examples in different chapters (starting in Chapter 4) together with tons of other examples of using PowerShell to manage Office 365 Groups and Teams.
Well in my own 10 user tenant 8 accounts needed set, on a client site where we actually created an Org Wide Team out of 500 odd accounts approx 120 were blank. There’s going to be a lot of confused admins out there
Loading...
Hopefully there will be fewer confused admins now… but your point is well taken. I do know that Microsoft is considering how best to solve this issue across Office 365… We’ll see what they do.
I have the opposite problem. I get all my users in my Org-Wide team. But, I also get service accounts, healthmailbox accounts, and all kinds of other things that I don’t want. There’s doesn’t seem to be a way to tell this to only get actual Users which sucks. If I could set it to only pull in accounts that have an active O365 license, that’d be great. If I could tell it to only pull users with a certain field in AD set to a certain thing, that’d be great. Hopefully they enhance that feature or do something to make this easier. 🙂
Unfortunately, the developers seem to have some problems nailing what the actual set of users that should be included in an org-wide team. The net is that you need to keep an eye on what’s happening, just in case some of the erroneous accounts sneak through.
{"id":null,"mode":"button","open_style":"in_modal","currency_code":"EUR","currency_symbol":"\u20ac","currency_type":"decimal","blank_flag_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/blank.gif","flag_sprite_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/flags.png","default_amount":100,"top_media_type":"featured_image","featured_image_url":"https:\/\/office365itpros.com\/wp-content\/uploads\/2022\/11\/cover-141x200.jpg","featured_embed":"","header_media":null,"file_download_attachment_data":null,"recurring_options_enabled":true,"recurring_options":{"never":{"selected":true,"after_output":"One time only"},"weekly":{"selected":false,"after_output":"Every week"},"monthly":{"selected":false,"after_output":"Every month"},"yearly":{"selected":false,"after_output":"Every year"}},"strings":{"current_user_email":"","current_user_name":"","link_text":"Virtual Tip Jar","complete_payment_button_error_text":"Check info and try again","payment_verb":"Pay","payment_request_label":"Office 365 for IT Pros","form_has_an_error":"Please check and fix the errors above","general_server_error":"Something isn't working right at the moment. Please try again.","form_title":"Office 365 for IT Pros","form_subtitle":null,"currency_search_text":"Country or Currency here","other_payment_option":"Other payment option","manage_payments_button_text":"Manage your payments","thank_you_message":"Thank you for supporting the work of Office 365 for IT Pros!","payment_confirmation_title":"Office 365 for IT Pros","receipt_title":"Your Receipt","print_receipt":"Print Receipt","email_receipt":"Email Receipt","email_receipt_sending":"Sending receipt...","email_receipt_success":"Email receipt successfully sent","email_receipt_failed":"Email receipt failed to send. Please try again.","receipt_payee":"Paid to","receipt_statement_descriptor":"This will show up on your statement as","receipt_date":"Date","receipt_transaction_id":"Transaction ID","receipt_transaction_amount":"Amount","refund_payer":"Refund from","login":"Log in to manage your payments","manage_payments":"Manage Payments","transactions_title":"Your Transactions","transaction_title":"Transaction Receipt","transaction_period":"Plan Period","arrangements_title":"Your Plans","arrangement_title":"Manage Plan","arrangement_details":"Plan Details","arrangement_id_title":"Plan ID","arrangement_payment_method_title":"Payment Method","arrangement_amount_title":"Plan Amount","arrangement_renewal_title":"Next renewal date","arrangement_action_cancel":"Cancel Plan","arrangement_action_cant_cancel":"Cancelling is currently not available.","arrangement_action_cancel_double":"Are you sure you'd like to cancel?","arrangement_cancelling":"Cancelling Plan...","arrangement_cancelled":"Plan Cancelled","arrangement_failed_to_cancel":"Failed to cancel plan","back_to_plans":"\u2190 Back to Plans","update_payment_method_verb":"Update","sca_auth_description":"Your have a pending renewal payment which requires authorization.","sca_auth_verb":"Authorize renewal payment","sca_authing_verb":"Authorizing payment","sca_authed_verb":"Payment successfully authorized!","sca_auth_failed":"Unable to authorize! Please try again.","login_button_text":"Log in","login_form_has_an_error":"Please check and fix the errors above","uppercase_search":"Search","lowercase_search":"search","uppercase_page":"Page","lowercase_page":"page","uppercase_items":"Items","lowercase_items":"items","uppercase_per":"Per","lowercase_per":"per","uppercase_of":"Of","lowercase_of":"of","back":"Back to plans","zip_code_placeholder":"Zip\/Postal Code","download_file_button_text":"Download File","input_field_instructions":{"tip_amount":{"placeholder_text":"How much would you like to tip?","initial":{"instruction_type":"normal","instruction_message":"How much would you like to tip? Choose any currency."},"empty":{"instruction_type":"error","instruction_message":"How much would you like to tip? Choose any currency."},"invalid_curency":{"instruction_type":"error","instruction_message":"Please choose a valid currency."}},"recurring":{"placeholder_text":"Recurring","initial":{"instruction_type":"normal","instruction_message":"How often would you like to give this?"},"success":{"instruction_type":"success","instruction_message":"How often would you like to give this?"},"empty":{"instruction_type":"error","instruction_message":"How often would you like to give this?"}},"name":{"placeholder_text":"Name on Credit Card","initial":{"instruction_type":"normal","instruction_message":"Enter the name on your card."},"success":{"instruction_type":"success","instruction_message":"Enter the name on your card."},"empty":{"instruction_type":"error","instruction_message":"Please enter the name on your card."}},"privacy_policy":{"terms_title":"Terms and conditions","terms_body":null,"terms_show_text":"View Terms","terms_hide_text":"Hide Terms","initial":{"instruction_type":"normal","instruction_message":"I agree to the terms."},"unchecked":{"instruction_type":"error","instruction_message":"Please agree to the terms."},"checked":{"instruction_type":"success","instruction_message":"I agree to the terms."}},"email":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email address"},"success":{"instruction_type":"success","instruction_message":"Enter your email address"},"blank":{"instruction_type":"error","instruction_message":"Enter your email address"},"not_an_email_address":{"instruction_type":"error","instruction_message":"Make sure you have entered a valid email address"}},"note_with_tip":{"placeholder_text":"Your note here...","initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"empty":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"not_empty_initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"saving":{"instruction_type":"normal","instruction_message":"Saving note..."},"success":{"instruction_type":"success","instruction_message":"Note successfully saved!"},"error":{"instruction_type":"error","instruction_message":"Unable to save note note at this time. Please try again."}},"email_for_login_code":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email to log in."},"success":{"instruction_type":"success","instruction_message":"Enter your email to log in."},"blank":{"instruction_type":"error","instruction_message":"Enter your email to log in."},"empty":{"instruction_type":"error","instruction_message":"Enter your email to log in."}},"login_code":{"initial":{"instruction_type":"normal","instruction_message":"Check your email and enter the login code."},"success":{"instruction_type":"success","instruction_message":"Check your email and enter the login code."},"blank":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."},"empty":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."}},"stripe_all_in_one":{"initial":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"empty":{"instruction_type":"error","instruction_message":"Enter your credit card details here."},"success":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"invalid_number":{"instruction_type":"error","instruction_message":"The card number is not a valid credit card number."},"invalid_expiry_month":{"instruction_type":"error","instruction_message":"The card's expiration month is invalid."},"invalid_expiry_year":{"instruction_type":"error","instruction_message":"The card's expiration year is invalid."},"invalid_cvc":{"instruction_type":"error","instruction_message":"The card's security code is invalid."},"incorrect_number":{"instruction_type":"error","instruction_message":"The card number is incorrect."},"incomplete_number":{"instruction_type":"error","instruction_message":"The card number is incomplete."},"incomplete_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incomplete."},"incomplete_expiry":{"instruction_type":"error","instruction_message":"The card's expiration date is incomplete."},"incomplete_zip":{"instruction_type":"error","instruction_message":"The card's zip code is incomplete."},"expired_card":{"instruction_type":"error","instruction_message":"The card has expired."},"incorrect_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incorrect."},"incorrect_zip":{"instruction_type":"error","instruction_message":"The card's zip code failed validation."},"invalid_expiry_year_past":{"instruction_type":"error","instruction_message":"The card's expiration year is in the past"},"card_declined":{"instruction_type":"error","instruction_message":"The card was declined."},"missing":{"instruction_type":"error","instruction_message":"There is no card on a customer that is being charged."},"processing_error":{"instruction_type":"error","instruction_message":"An error occurred while processing the card."},"invalid_request_error":{"instruction_type":"error","instruction_message":"Unable to process this payment, please try again or use alternative method."},"invalid_sofort_country":{"instruction_type":"error","instruction_message":"The billing country is not accepted by SOFORT. Please try another country."}}}},"fetched_oembed_html":false}
Tony – I needed to modify the above with “Get-AzureADUser -All $true” to return all such objects from Azure AD
Hmmm… I had that change in the post but it never was posted… It is now. The reason, of course, is that Get-AzureADUser https://docs.microsoft.com/en-us/powershell/module/azuread/get-azureaduser?view=azureadps-2.0 returns 100 records by default unless you tell it to return everything. How many duff records (if any) did you discover?
Well in my own 10 user tenant 8 accounts needed set, on a client site where we actually created an Org Wide Team out of 500 odd accounts approx 120 were blank. There’s going to be a lot of confused admins out there
Hopefully there will be fewer confused admins now… but your point is well taken. I do know that Microsoft is considering how best to solve this issue across Office 365… We’ll see what they do.
I have the opposite problem. I get all my users in my Org-Wide team. But, I also get service accounts, healthmailbox accounts, and all kinds of other things that I don’t want. There’s doesn’t seem to be a way to tell this to only get actual Users which sucks. If I could set it to only pull in accounts that have an active O365 license, that’d be great. If I could tell it to only pull users with a certain field in AD set to a certain thing, that’d be great. Hopefully they enhance that feature or do something to make this easier. 🙂
Unfortunately, the developers seem to have some problems nailing what the actual set of users that should be included in an org-wide team. The net is that you need to keep an eye on what’s happening, just in case some of the erroneous accounts sneak through.