Better Membership Synchronization Between Azure AD and Teams

New Graph API and Teams AadSync

To reduce clutter in the General channel, Microsoft moved system notifications to an information pane earlier this year. Among the system messages are those for updates to team membership. Because the information pane is only exposed when a user wants to see its contents, you might have missed a very important change to the Teams infrastructure.

Synchronizing Changes from Azure AD to Teams

Since its earliest days, Teams has relied upon a background synchronization process to make sure that changes made to the membership of Microsoft 365 groups in Azure AD were replicated to team rosters. The background process was triggered by user activity in the Teams client and meant that it could take up to 48 hours before membership changes were made. This is clearly an unacceptable situation, especially for such a high-profile application.

Recently, Microsoft made several changes to improve matters. First, the Teams Graph API has been upgraded to introduce a new membership API. The new interface supports the ability to write changes to Teams and Azure AD (for the Microsoft 365 group underpinning Teams membership). The new approach means that changes made through the API show up in Teams immediately, which is a big improvement over updating membership through the Groups API.

In effect, this is like the approach taken when Exchange Online issues two writes (to Azure AD and EXODS) when Outlook clients update group membership.

Microsoft Teams AadSync

Not every membership update will flow through the new API. To handle updates performed through other APIs, Teams uses a change notification for the Azure AD publishing pipeline to learn about changes to group membership. Typically, the changes flowing through the pipeline are made to groups via admin centers, Exchange Online, SharePoint Online, or PowerShell modules. When Teams detects a change in Azure AD, it updates the roster of the affected team. Notifications of these updates show up in the information pane as changes made by Microsoft Teams AadSync (Figure 1).

Figure 1: Notification that the Teams AadSync process added a user to a team membership roster

The net result is that the speed and reliability of group membership updates from Azure AD to Teams are much improved. Microsoft quotes a maximum SLA of 24 hours before membership changes made in Azure AD appear in Teams. This SLA reflects the need to accommodate times of high load on the service, but normal service is much better, and a membership change made to a group using OWA or by running the Add-UnifiedGroupLinks cmdlet typically shows up in Teams within minutes.
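Because a removal made in Azure AD can take time to reach the team roster, an administrator may want to check which accounts are still out of step. The following is an added example, not code from the original article or from Microsoft: it assumes the three lists were already fetched from the Graph group members, group owners, and team members endpoints, and the function name `roster_drift` and all sample IDs are hypothetical.

```python
"""Added example: report drift between an Azure AD group and a Teams roster."""

def roster_drift(group_members, group_owners, team_members):
    """Compare Graph-shaped member lists and return the differences.

    group_members / group_owners: directory objects, each with an "id".
    team_members: aadUserConversationMember objects with "userId" and "roles".
    """
    aad_members = {m["id"].lower() for m in group_members}
    aad_owners = {o["id"].lower() for o in group_owners}
    # Assumption: an owner counts as a member of the group for roster purposes.
    aad_all = aad_members | aad_owners

    team_all, team_owners = set(), set()
    for m in team_members:
        uid = m["userId"].lower()
        team_all.add(uid)
        if "owner" in m.get("roles", []):
            team_owners.add(uid)

    return {
        # In Azure AD but not yet on the roster: the addition is still pending.
        "pending_add": sorted(aad_all - team_all),
        # Gone from Azure AD but still on the roster: access lingers in Teams.
        "pending_remove": sorted(team_all - aad_all),
        # Present on both sides, but owner status differs.
        "owner_mismatch": sorted((aad_owners ^ team_owners) & aad_all & team_all),
    }

# Constructed sample data (IDs are placeholders, not real directory objects).
GROUP_MEMBERS = [{"id": "u-alice"}, {"id": "u-bob"}, {"id": "u-dana"}]
GROUP_OWNERS = [{"id": "u-alice"}]
TEAM_MEMBERS = [
    {"userId": "u-alice", "roles": []},   # owner in Azure AD, plain member in Teams
    {"userId": "u-bob", "roles": []},
    {"userId": "u-carol", "roles": []},   # already removed from the group
]

if __name__ == "__main__":
    drift = roster_drift(GROUP_MEMBERS, GROUP_OWNERS, TEAM_MEMBERS)
    for kind, ids in drift.items():
        print(f"{kind}: {ids}")
```

Entries under `pending_remove` are the ones to watch: those accounts keep access to the team until the synchronization completes.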

ISV Options

Microsoft recommends that ISVs and developers building Teams-based solutions use the new membership API if they need to add or remove members. Other solutions that focus on Microsoft 365 Groups rather than exclusively on Teams should continue to use the group API and rely on the Azure AD publishing pipeline to pass any membership updates to Teams.

