Teams Shared Channels and External Guests

In my tenant, a previous admin enabled shared channels in Teams, but failed to fully configure it. This means that when a user tries to invite external users to the Teams-connected SharePoint site, they get this error:

Your organization’s policies don’t allow you to share with these users. Go to External Sharing in the Office 365 admin center to enable it.

You can enable shared channels in the Teams admin center, but for them to work correctly you also need to configure the cross-tenant access settings in Entra (B2B direct connect), as described here: https://learn.microsoft.com/en-us/previous-versions/microsoft-365/solutions/collaborate-teams-direct-connect?view=o365-worldwide#configure-cross-tenant-access-settings-in-microsoft-entra-external-id

Lessons learned:
Regardless of the SharePoint site settings, you won’t be able to share files, folders, or content with external users until the Entra cross-tenant access settings are in place.
The site’s external file sharing settings do not override the Entra settings.
Adding the user to Entra as a guest beforehand does not help on its own.
Adding a guest to the content via PowerShell, Python, or the Microsoft Graph API does not work either.
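Before touching the SharePoint site at all, it is worth confirming what the tenant-wide cross-tenant access defaults actually say. The script below is an added example, not code from the original post; it assumes the Microsoft Graph PowerShell SDK (the Microsoft.Graph.Identity.SignIns module) and an account that can read Policy.Read.All. The cmdlet and property names follow the Graph crossTenantAccessPolicyConfigurationDefault resource as I understand it, so verify them against your module version.

```powershell
# Added example (not from the original post): read-only check of the default
# cross-tenant access settings that Teams shared channels (B2B direct connect) rely on.
# Assumes Microsoft Graph PowerShell SDK; cmdlet/property names are my understanding
# of the Graph crossTenantAccessPolicyConfigurationDefault resource.

Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

$defaults = Get-MgPolicyCrossTenantAccessPolicyDefault

# B2B direct connect is the mechanism behind shared channels. If a direction is
# 'blocked' at the default level and no partner-specific override exists, external
# users hit the "Your organization's policies don't allow you to share" error.
$checks = @(
    [pscustomobject]@{
        Setting    = 'B2B direct connect inbound (users/groups)'
        AccessType = $defaults.B2bDirectConnectInbound.UsersAndGroups.AccessType
    }
    [pscustomobject]@{
        Setting    = 'B2B direct connect inbound (applications)'
        AccessType = $defaults.B2bDirectConnectInbound.Applications.AccessType
    }
    [pscustomobject]@{
        Setting    = 'B2B direct connect outbound (users/groups)'
        AccessType = $defaults.B2bDirectConnectOutbound.UsersAndGroups.AccessType
    }
    [pscustomobject]@{
        Setting    = 'B2B direct connect outbound (applications)'
        AccessType = $defaults.B2bDirectConnectOutbound.Applications.AccessType
    }
)

$checks | Format-Table -AutoSize

# Partner-specific settings override the defaults, so list those as well; a partner
# tenant that is still 'blocked' here will fail even if the defaults look open.
Get-MgPolicyCrossTenantAccessPolicyPartner |
    Select-Object TenantId,
        @{ n = 'DirectConnectInbound';  e = { $_.B2bDirectConnectInbound.UsersAndGroups.AccessType } },
        @{ n = 'DirectConnectOutbound'; e = { $_.B2bDirectConnectOutbound.UsersAndGroups.AccessType } } |
    Format-Table -AutoSize
```

Run it once before enabling shared channels and once after changing the Entra settings; the second run should show the expected direction(s) as allowed rather than blocked, which is the state the SharePoint sharing settings depend on.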


Useful links:
https://learn.microsoft.com/en-us/MicrosoftTeams/shared-channels
https://learn.microsoft.com/en-us/previous-versions/microsoft-365/solutions/collaborate-teams-direct-connect?view=o365-worldwide

Users Being Removed from Teams

Recently, a user asked if I knew why a few user accounts were being removed from a Teams team. I cracked open Purview and fired off an audit search to see what I could find.

Example of the search inputs:
Keyword Search: the GUID of the Teams team. You can get this from the Teams admin center, or by selecting the three dots to the right of the team name and choosing Get link to team; the link contains a groupId= value, which is the GUID.
Activities – friendly names: Added members, Removed members
Start: ~90 days back
End: end of today
Search name: something that makes you happy

Start the search and come back after a coffee break. With the search results open, you can see what took place and which process removed the user from the team.
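The same search can be run from PowerShell, which is handy when you want to repeat it for several teams or keep the output. This is an added example, not code from the original post. It assumes Exchange Online PowerShell (Connect-ExchangeOnline) and Search-UnifiedAuditLog. The mapping of the Purview friendly names "Added members" / "Removed members" to the operation names MemberAdded / MemberRemoved, and the AuditData field names used below, are my assumptions about Teams audit records; confirm them against a raw record if a column comes back empty. The group ID is a placeholder.

```powershell
# Added example (not from the original post): the Purview audit search for team
# membership changes, run with Search-UnifiedAuditLog.
# Assumptions: friendly names "Added members"/"Removed members" map to the Teams
# operations MemberAdded/MemberRemoved; AuditData carries TeamName and a Members array.

Connect-ExchangeOnline

$teamGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: groupId= from "Get link to team"
$start       = (Get-Date).AddDays(-90)                   # ~90 days back
$end         = (Get-Date).Date.AddDays(1)                # end of today
$sessionId   = "TeamMembership-$teamGroupId"

# Page through with ReturnLargeSet so a 90-day window is not silently truncated.
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations MemberAdded, MemberRemoved `
        -FreeText $teamGroupId `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    $records += $page
} while ($page.Count -eq 5000)

# AuditData is JSON; pull out who acted (a user UPN, or an app/service principal
# such as a runbook identity) and which accounts were affected.
$records |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When      = $_.CreationDate
            Operation = $_.Operations
            Actor     = $d.UserId
            Team      = $d.TeamName
            Affected  = ($d.Members | ForEach-Object { $_.UPN }) -join ';'
        }
    } |
    Sort-Object When |
    Format-Table -AutoSize
```

Rows whose Actor is not a person are the ones to look at first: a service principal or automation identity showing up repeatedly on MemberRemoved is exactly the pattern that points to a cleanup job rather than a human.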

  1. This is the answer to the original question. It appears a Service Principal removed the account from an AD group. Clicking on the row reveals exactly what process performed the action. In my case, this is an Azure Runbook that cleans up Teams permissions.

  2. Microsoft Teams Sync is the workhorse that handles syncing membership to or from the Active Directory (Entra) group associated with the team.