
Check Your Azure AD Accounts Before Adding Org-Wide Teams


Team Membership Might Not Be Quite So Org-Wide

Using new software can be both a joy and a pain. On the one hand, you get to play with new features; on the other, some of the new features might not work as well as you’d like. Such was the case with Org-Wide Teams.

Specifically, the problem was that some valid tenant accounts were never added to an org-wide team. Even more bizarrely, a tenant administrator who created an org-wide team was added as a team owner only to be removed from the membership soon afterwards.

A Missing Value in Azure AD

In both cases, the problem was that the Azure Active Directory accounts had no value in the UserType property. This is a relatively new property that should be populated with Member for tenant accounts and Guest for guest accounts. However, some older accounts might have null values. In my tenant, I found six accounts with null values, all created in 2014 (soon after the tenant was set up).

To find these accounts, connect to Azure Active Directory with PowerShell (use the V2 module), and run the command:

Get-AzureADUser -All $True | ? {$_.UserType -eq $Null} | Format-Table DisplayName, UserType, ObjectId

If nothing is returned, you don’t have a problem and org-wide team membership will be fine. Apart, that is, from the shared mailboxes, room mailboxes, and the like that are added and need to be removed afterwards – Microsoft is aware of the problem and is working to fix the Graph filters used to generate membership.

But if you find some tenant accounts with null values, you can fix them individually by running this command, where the $GUID variable holds the object identifier (ObjectId) that the previous command listed for the account:

Set-AzureADUser -ObjectId $GUID -UserType Member

Or, if (like me) you find that all the accounts with missing values are tenant accounts, you can fix them with:

Get-AzureADUser -All $True | ? {$_.UserType -eq $Null} | Set-AzureADUser -UserType Member

Checking the accounts afterwards, you should see that UserType is correctly populated.
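The following script pulls the three steps above (find, fix, verify) together and adds the check a cautious administrator wants before bulk-setting anything: it separates probable guest accounts from tenant accounts before setting UserType to Member. This is an added example written for this article, not code from the original post or from Microsoft. It assumes the AzureAD (V2) module is loaded and Connect-AzureAD has already been run, and it uses the '#EXT#' marker in a B2B guest's UserPrincipalName as the heuristic for spotting guests; accounts that match are reported for manual review rather than changed.

```powershell
# Added example (not from the original post): audit accounts with a null UserType,
# separate probable guests from tenant accounts, repair only the tenant accounts,
# then re-read them to confirm the fix.
# Assumes the AzureAD (V2) module is loaded and Connect-AzureAD has already run.
# "$null -eq $_.UserType" is the usual PowerShell idiom; the post's
# "$_.UserType -eq $Null" form is equivalent for a scalar property.

$nullTypeAccounts = Get-AzureADUser -All $true | Where-Object { $null -eq $_.UserType }

if (-not $nullTypeAccounts) {
    Write-Host "No accounts with a null UserType found; org-wide team membership will not be affected."
    return
}

# Assumption: B2B guest accounts carry '#EXT#' in their UserPrincipalName. A null-UserType
# account that matches should become Guest, not Member, so it is reported, not bulk-fixed.
$probableGuests = $nullTypeAccounts | Where-Object { $_.UserPrincipalName -like '*#EXT#*' }
$tenantAccounts = $nullTypeAccounts | Where-Object { $_.UserPrincipalName -notlike '*#EXT#*' }

Write-Host "Accounts with null UserType:" $nullTypeAccounts.Count
$nullTypeAccounts | Format-Table DisplayName, UserPrincipalName, UserType, ObjectId -AutoSize

if ($probableGuests) {
    Write-Warning "Review these before changing anything; they look like guests and should be set to Guest:"
    $probableGuests | Format-Table DisplayName, UserPrincipalName, ObjectId -AutoSize
}

# Repair the tenant accounts one at a time so a single failure does not abort the run.
foreach ($account in $tenantAccounts) {
    try {
        Set-AzureADUser -ObjectId $account.ObjectId -UserType Member
        Write-Host "Set UserType=Member for" $account.UserPrincipalName
    }
    catch {
        Write-Warning "Failed to update $($account.UserPrincipalName): $($_.Exception.Message)"
    }
}

# Verify: re-read each repaired account and report any that still has no UserType.
$stillNull = foreach ($account in $tenantAccounts) {
    $refreshed = Get-AzureADUser -ObjectId $account.ObjectId
    if ($null -eq $refreshed.UserType) { $refreshed }
}

if ($stillNull) {
    Write-Warning "These accounts still have a null UserType:"
    $stillNull | Format-Table DisplayName, ObjectId -AutoSize
}
else {
    Write-Host "All repaired tenant accounts now report UserType = Member."
}
```

Run it once with the Set-AzureADUser line commented out to see the report, then again to apply the fix; anything listed under the guest warning should be set to Guest by hand after you confirm what the account is.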


All Fixed Up

Once the accounts are fixed, the background process that calculates org-wide team membership will detect the values and add the accounts to the org-wide team membership.

Microsoft knows about this issue, but checking and fixing all Azure Active Directory accounts for null values might not be high on their priority list, so if you want to use org-wide Teams you should fix these accounts yourself.

Need more information about managing Azure Active Directory accounts with PowerShell? The Office 365 for IT Pros eBook has many examples in different chapters (starting in Chapter 4) together with tons of other examples of using PowerShell to manage Office 365 Groups and Teams.
