Avoiding the Problems Seen with Disabled User Accounts
Last April, I wrote about the problems caused in Teams when disabling a Microsoft 365 user account. In a nutshell, Teams removes disabled accounts from team rosters (the lists controlling team memberships) while leaving the accounts as members of the underlying Microsoft 365 groups. When the account is reenabled (or unblocked), Teams attempts to reverse the process and reintroduce the account into team rosters. That process is slow and doesn’t always work, and users lose access to any private channels they belong to. The net effect is confusion and frustration.
Teams works this way by design. The intention is to stop team members seeing blocked accounts whom they can’t collaborate with. For instance, if Jane is leaving the organization and an administrator blocks her account as part of the departing employee process, there’s no point in showing her as a team member.
In any case, I suspect that message center MC264095 (posted June 23) is linked to some moves Microsoft is making to improve the situation, and possibly also to prepare the way for the introduction of shared channels later this year (it wouldn’t be good if blocked users lose their membership of those channels either!).
MC264095 covers a change to the way that the Teams guest access setting works. This is an organization setting in the Microsoft 365 admin center (Figure 1).
As the name implies, when a tenant turns off guest access in Teams, external people who are guest members in teams in the tenant can no longer access those teams and team owners cannot add any further guest members. Up to now, if a tenant turned guest access off, Teams would remove guests from its team rosters (just like it does for disabled user accounts). The guests remain members of the underlying Microsoft 365 groups and can access resources available to those groups such as the SharePoint Online team site, Planner, and so on.
When you consider how much usage Teams currently gets, disabling guest access could impose a considerable processing load on Office 365 to track down and remove all the guest accounts from all teams in the tenant. Those resources could be better used for more productive purposes.
The change being introduced in late July will stop Teams removing guest accounts from team rosters. This is a sensible step. It avoids the problems that can occur when a tenant turns guest access back on. In the past, Teams would have to compare its rosters against the membership of the Microsoft 365 groups to find guest members and add those guests to the rosters. As we’ve seen with unblocked user accounts, sometimes this process doesn’t work and overall, it can take a long time. Now, guest access is a simple on-off switch which should be much less disruptive.
If you really want to remove guests from Teams, team owners or an administrator would need to check membership and remove the guest accounts. Turning off all guest access for a tenant is a dramatic step to take. A more nuanced approach is to implement an Azure AD B2B collaboration policy and whitelist the domains the organization wants to collaborate with. A PowerShell script can then look for and remove any guest account which doesn’t come from the approved domains.
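The following sketch shows one way to write such a script. It is an added example, not code from the original article. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Users module); the `$ApprovedDomains` list and the function names `Get-GuestDomain` and `Remove-UnapprovedGuest` are hypothetical.

```powershell
# Added example. $ApprovedDomains is a constructed sample; use your own allow list.
$ApprovedDomains = @('contoso.com', 'fabrikam.com')

function Get-GuestDomain {
    # Return the guest's home domain in lower case, or $null if it cannot be determined.
    param([string]$Mail, [string]$UserPrincipalName)
    if ($Mail -and $Mail.Contains('@')) {
        return $Mail.Split('@')[-1].ToLower()
    }
    # Guest UPNs normally look like jane_contoso.com#EXT#@tenant.onmicrosoft.com,
    # so the home domain follows the last underscore before #EXT#.
    if ($UserPrincipalName -match '^(?<local>.+)#EXT#@') {
        $local = $Matches['local']
        $i = $local.LastIndexOf('_')
        if ($i -ge 0) { return $local.Substring($i + 1).ToLower() }
    }
    return $null
}

function Remove-UnapprovedGuest {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string[]]$AllowedDomains)

    $props  = 'Id', 'DisplayName', 'Mail', 'UserPrincipalName'
    $guests = Get-MgUser -Filter "userType eq 'Guest'" -All -Property $props
    foreach ($g in $guests) {
        $domain = Get-GuestDomain -Mail $g.Mail -UserPrincipalName $g.UserPrincipalName
        if (-not $domain) {
            # Never delete an account whose origin is unknown; leave it for review.
            Write-Warning "Skipping $($g.UserPrincipalName): cannot determine domain"
            continue
        }
        if ($AllowedDomains -contains $domain) { continue }   # -contains ignores case
        if ($PSCmdlet.ShouldProcess($g.UserPrincipalName, "Remove guest from $domain")) {
            Remove-MgUser -UserId $g.Id
        }
        # Emit a record for every unapproved guest, whether removed or only reported.
        [pscustomobject]@{ Guest = $g.DisplayName; Domain = $domain; Id = $g.Id }
    }
}

Connect-MgGraph -Scopes 'User.ReadWrite.All'
# -WhatIf reports the guests that would be removed without deleting anything.
Remove-UnapprovedGuest -AllowedDomains $ApprovedDomains -WhatIf
```

Run it with `-WhatIf` first and review the output; dropping the switch makes the function prompt for confirmation before each removal.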
I don’t hear of many tenants disabling and reenabling guest access to Teams, but I’m sure that it happens. I hope that this change is a forerunner of a future change to the way Teams deals with disabled user accounts.