One simple task that turns into a nightmare when you manage a medium to large Teams environment is managing security group membership and Teams team membership assignment.
A company with 24,000 users and many Teams created per department across the whole company asked us to automate Team membership.
First things first: what is the goal if you can't add more than 5,000 users to a Team? We checked with all departments whether that information was true, and:
- retrieved the membership list of all departmental Security Groups
- reported any group with more than 5,000 users (count the owner + 4,999 users for this math)
- got a Go / No Go from the client to try out dynamic Azure AD group membership for groups synced from on-premises AD (on-premises, all Security Groups are managed by an IM (Identity Management) tool)
- determined group membership based on user attributes such as Department, Security Group Name, etc.
Keep in mind that every Team creates an Office 365 Group, so you then need to go to Azure AD and, for each Office 365 Group, configure a dynamic membership rule in order to add users to that group dynamically.
- Create a new Team in Teams with no members. Name: Demo
- Double-check that you are the Owner and that there is no additional member in this group
- Open the Azure Active Directory admin center
- Select All services on the left blade and select Groups on the right blade
- Search for your Team name, "Demo"
- Check the Properties menu for this group; you should see Membership type: Assigned and Group type: Office 365
- Change the Membership type from Assigned to Dynamic User, then click the "Edit dynamic query" blue link under Dynamic user members
- Paste the following rule exactly as written (straight double quotes, no surrounding quotation marks) and click SAVE:

user.assignedPlans -any (assignedPlan.servicePlanId -eq "efb87545-963c-4e0d-99df-69c6916d9eb0" -and assignedPlan.capabilityStatus -eq "Enabled")

- On the next screen click SAVE again to confirm the changes and wait for the group to populate (it takes up to 15 min to finish)
- Click on Overview and check Membership processing status: you should see "Evaluating", and Membership last updated will be "in progress" with 0 members, 0 group(s) and 0 device(s)
- Wait for this process to finish and check whether the group membership has been updated
- Now you should see Membership processing status as "Update complete" and Membership last updated with a time stamp in the format 4/22/2020, 12:58:02 AM
- Click on Audit logs to check the processing status
- Click on the Members tab on the left and check the users
- All users who have the service plan id efb87545-963c-4e0d-99df-69c6916d9eb0, corresponding to "Exchange Online (Plan 2)", are now members of this Team in Microsoft Teams. See Microsoft's documentation on product names and service plan identifiers for licensing to map other plans to their ids.
- Go back to Teams admin center \ Teams \ Manage teams, click on the Demo team and check that the users now show as members of it.
- You can use Azure AD synced security groups to retrieve their members and then assign those users to a Teams team.
- You can use the members of cloud-only groups to apply the same rules to a Teams team.
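As an added example (not code from the original post, nor from Microsoft), the following Python simulates how the dynamic membership rule pasted above is evaluated per user, and applies the pre-check from the planning list (owner + 4,999 members, no Team over 5,000). It makes one point the steps above only imply: the rule keys on a license, so every user in the tenant whose Exchange Online (Plan 2) service plan is Enabled lands in the Team, regardless of department, while users whose plan is present but Suspended or Deleted do not. The user objects and group lists are constructed here; field names follow the assignedPlan attributes used in the rule.

```python
"""Added example, not code from the original post or from Microsoft.

Simulates the Azure AD dynamic membership rule the post pastes into the
portal, over constructed sample users, and applies the post's pre-check
(no Team may exceed 5,000 people, counted as owner + 4,999 members).
"""

# Service plan id quoted in the post: Exchange Online (Plan 2)
EXCHANGE_ONLINE_PLAN2 = "efb87545-963c-4e0d-99df-69c6916d9eb0"

# Team size limit the post works with (owner + 4,999 members)
TEAM_SIZE_LIMIT = 5000


def rule_matches(user, service_plan_id=EXCHANGE_ONLINE_PLAN2):
    """Evaluate the post's rule for one user:

        user.assignedPlans -any (assignedPlan.servicePlanId -eq "<id>"
                                 -and assignedPlan.capabilityStatus -eq "Enabled")

    -any is true when at least one element of the collection satisfies the
    whole parenthesised expression, so a user whose plan exists but is
    Suspended or Deleted is not a member. GUIDs are compared
    case-insensitively here (simulator assumption)."""
    for plan in user.get("assignedPlans", []):
        same_plan = plan.get("servicePlanId", "").lower() == service_plan_id.lower()
        enabled = plan.get("capabilityStatus") == "Enabled"
        if same_plan and enabled:
            return True
    return False


def evaluate_members(users, service_plan_id=EXCHANGE_ONLINE_PLAN2):
    """Return the sorted UPNs the dynamic group would contain."""
    return sorted(u["userPrincipalName"] for u in users if rule_matches(u, service_plan_id))


def oversized_groups(groups, owners_per_group=1):
    """Pre-check from the post: report groups whose members plus owner(s)
    would exceed the Team size limit. `groups` maps group name -> member UPNs."""
    return {
        name: len(members) + owners_per_group
        for name, members in groups.items()
        if len(members) + owners_per_group > TEAM_SIZE_LIMIT
    }


# Constructed sample users (not real tenant data)
SAMPLE_USERS = [
    {"userPrincipalName": "alice@contoso.example",  # plan enabled -> included
     "assignedPlans": [{"servicePlanId": EXCHANGE_ONLINE_PLAN2, "capabilityStatus": "Enabled"}]},
    {"userPrincipalName": "bob@contoso.example",    # plan present but suspended -> excluded
     "assignedPlans": [{"servicePlanId": EXCHANGE_ONLINE_PLAN2, "capabilityStatus": "Suspended"}]},
    {"userPrincipalName": "carol@contoso.example",  # different service plan -> excluded
     "assignedPlans": [{"servicePlanId": "00000000-0000-0000-0000-000000000000", "capabilityStatus": "Enabled"}]},
    {"userPrincipalName": "dave@contoso.example",   # several plans, one matching -> included
     "assignedPlans": [
         {"servicePlanId": "00000000-0000-0000-0000-000000000000", "capabilityStatus": "Enabled"},
         {"servicePlanId": EXCHANGE_ONLINE_PLAN2.upper(), "capabilityStatus": "Enabled"},
     ]},
    {"userPrincipalName": "erin@contoso.example", "assignedPlans": []},  # unlicensed -> excluded
]

# Constructed departmental security groups for the size pre-check
SAMPLE_GROUPS = {
    "SG-Finance": [f"fin{i}@contoso.example" for i in range(120)],
    "SG-AllEmployees": [f"emp{i}@contoso.example" for i in range(5200)],
}

if __name__ == "__main__":
    print("dynamic members:", evaluate_members(SAMPLE_USERS))
    print("groups too large for one Team:", oversized_groups(SAMPLE_GROUPS))
```

Running the block lists alice and dave as members and flags SG-AllEmployees (5,201 people including the owner) as too large for a single Team. Run the size check against the exported security group lists before switching a group to dynamic membership, because the portal will happily populate a group that the Team can no longer hold.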
OS name: Microsoft Windows 10 Enterprise
Version: 10.0.18363 Build 18363
AD DS: Windows Server 2016/2019; Azure AD (latest version) for AD sync