0
votes

Quick explanation:
We want to add new guests to a Microsoft Team in as streamlined a way as possible. Adding the guest to the M365 group through PowerShell seems to work and the guest appears in Team membership, but no URL sent to the guest will get them into the Team channels. They get either an empty Team dashboard (no channels) or "You'll need permissions to access this team or channel", depending on the URL. Deleting the guest from the team and re-adding them through the Team admin portal works fine.

Steps to recreate:

  1. Have a team already set up and working, e.g. "MSTeamTest".
  2. Create a CSV in c:\temp called invitations.csv, with the following rows (e.g.):
    Name,InvitedUserEmailAddress,TeamName  
    Test Person, [email protected], MSTeamTest
  3. Run these commands in PowerShell (gist):
    # Install AzureADPreview
    Install-Module AzureADPreview

    # Hit UI login for AAD global admin:
    Connect-AzureAD

    # Import CSV
    $invitations = Import-Csv c:\temp\invitations.csv

    # Add guest users to AzureAD
    $messageInfo = New-Object Microsoft.Open.MSGraph.Model.InvitedUserMessageInfo
    $messageInfo.customizedMessageBody = "Hey there! Check this out. I created an invitation through PowerShell"
    foreach ($email in $invitations) {
        New-AzureADMSInvitation -InvitedUserEmailAddress $email.InvitedUserEmailAddress `
            -InvitedUserDisplayName $email.Name `
            -InviteRedirectUrl "https://teams.microsoft.com/?tenantid={putIDHere}" `
            -InvitedUserMessageInfo $messageInfo -SendInvitationMessage $true
    }

    # Add same guest users to Microsoft 365 Group (same csv)
    # wait a few seconds so the new guest user objects are available to add to the group
    Start-Sleep -Seconds 30
    foreach ($email in $invitations) {
        # -All $true returns every object rather than only the default first page of results
        $user  = Get-AzureADUser -All $true | Where-Object { $_.Mail -eq $email.InvitedUserEmailAddress }
        $group = Get-AzureADGroup -All $true | Where-Object { $_.DisplayName -eq $email.TeamName }
        Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId
    }

At this point, assuming this was an entirely new guest, you have rights, licenses, etc., you now have the guest in AzureAD and the guest appears in the Team under: https://admin.teams.microsoft.com/teams/manage/{Teamid}

However, if the person tries to use the web version for https://teams.microsoft.com/?tenantid={putIDHere} they get an empty Teams dashboard (no teams listed).

If you send them a Team link from more>get link to team, and they try something like this: https://teams.microsoft.com/l/team/19%{teamID}%40thread.tacv2/conversations?groupId={groupID}&tenantId={tenantID} they get:

"You'll need permissions to access this team or channel. Try contacting the team owner or admin."

And the same behavior happens if they follow a link like this: https://myapps.microsoft.com/?tenantid={tenantID} - they see they are a member of the "MSTeamTest" group with no apps. Clicking the group lets them launch Teams, but they get the same "You'll need permissions" dialog.

And again - through the admin panel, the person looks to be part of membership. For an existing member they see the person listed as a guest on the Team. It's almost like I'm missing one PowerShell command.

Why am I doing this at all? The process is too cluttered if the end goal is to just get a guest up and running in Teams. Two emails with manual intervention in between is confusing to the guests (one for AAD, one for Teams).

AzureAD B2B lets you create a guest and make them a member of a group at the same time, but for bulk import in the UI with a CSV of new guest users, it does not let you add membership to a group (aka the Team in question), so I've turned to PowerShell.

I know folks say it takes a while for things to propagate: https://techcommunity.microsoft.com/t5/microsoft-teams/teams-membership-and-groups-membership/m-p/92982 however this does not seem to be the issue.

If you have any thoughts or a solution I'd be grateful! Thanks!

2
I just noticed that although the added guests appear within: admin.teams.microsoft.com/teams/manage{groupID} - they do not appear within teams.microsoft.com > manage team. I'm guessing I should be using this Team module instead or in tandem with the existing code: docs.microsoft.com/en-us/MicrosoftTeams/… - will keep digging - tb1
Hmm.. after running "Get-TeamUser" on the groupID from that module, the user seems to have been granted rights... very weird. Almost like it woke things up. Maybe it's all buggy. I'll try to delete the guests from AAD and recreate a few ways. If anyone else finds a stable order of operations, I'm all ears. - tb1

2 Answers

2
votes

FYI, please be aware that when you add users to an O365 group through PowerShell or Teams, it can take up to 24 hours to sync with the Teams backend and to fully provision the users. They are actually 2 separate datasets, where the O365 membership needs to be synced to the Teams data on the Microsoft backend. So there are chances where you will see inconsistencies up to 24 hours. It's not a real-time operation.

The issues have been made worse with the whole COVID work-from-home situation because Teams is seeing such a massive spike of users. But if you notice inconsistencies, that is usually the reason, especially if you added users through PowerShell or even more so through the Graph API.

0
votes

The order of operation that seems to work seems to be:

  1. Add the user to the AzureAD using: New-AzureADMSInvitation
  2. Wait (e.g.) 30 seconds: Start-Sleep -Second 30
  3. Add user to Microsoft 365 group using: Add-TeamUser

Notes:

Step #3 is part of Install-Module -Name MicrosoftTeams. Email for the Team seems to be sent ~10-15 minutes after the initial invite. The Microsoft Team email has a SharePoint link, and if you go into the documents there, you will eventually see a link to open the Team channel. So far this seems to be working, albeit with the delays mentioned.
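
The order of operations from this answer as one script, added here as an example and not code from either poster. It goes beyond the answer by polling for the new guest object instead of relying only on a fixed sleep, and by reading the roster back with Get-TeamUser; the tenant ID placeholder and the CSV path and columns (taken from the question) are assumptions.

```powershell
# Added example. Assumes the AzureADPreview and MicrosoftTeams modules are installed.
Connect-AzureAD
Connect-MicrosoftTeams

$tenantId    = '<tenant-id>'   # placeholder, substitute your own tenant ID
$invitations = Import-Csv 'c:\temp\invitations.csv'   # Name,InvitedUserEmailAddress,TeamName

foreach ($row in $invitations) {
    $mail     = $row.InvitedUserEmailAddress.Trim()
    $teamName = $row.TeamName.Trim()

    # Resolve the target team first and refuse a missing or ambiguous display name,
    # so a guest is never invited without a single, known team to land in.
    $teams = @(Get-Team -DisplayName $teamName | Where-Object { $_.DisplayName -eq $teamName })
    if ($teams.Count -ne 1) {
        Write-Warning "Skipping ${mail}: found $($teams.Count) teams named '$teamName'"
        continue
    }

    # Step 1: create the guest in Azure AD.
    $invite = New-AzureADMSInvitation -InvitedUserEmailAddress $mail `
        -InvitedUserDisplayName $row.Name.Trim() `
        -InviteRedirectUrl "https://teams.microsoft.com/?tenantid=$tenantId" `
        -SendInvitationMessage $true

    # Step 2: wait, but poll (12 x 5 s) for the new object instead of one fixed sleep.
    $guest = $null
    foreach ($attempt in 1..12) {
        try   { $guest = Get-AzureADUser -ObjectId $invite.InvitedUser.Id -ErrorAction Stop; break }
        catch { Start-Sleep -Seconds 5 }
    }
    if (-not $guest) { Write-Warning "Guest object for $mail not readable yet"; continue }

    # Step 3: add through the Teams module, not Add-AzureADGroupMember.
    Add-TeamUser -GroupId $teams[0].GroupId -User $guest.UserPrincipalName -Role Member

    # Read the roster back from Teams' side and report what was actually granted.
    $entry = Get-TeamUser -GroupId $teams[0].GroupId | Where-Object { $_.UserId -eq $guest.ObjectId }
    if ($entry) { "{0} is on '{1}' as {2}" -f $entry.User, $teamName, $entry.Role }
    else        { Write-Warning "$mail not yet listed by Get-TeamUser for '$teamName'" }
}
```

The read-back line doubles as a record of which external accounts were granted access to which team in each run.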