Missing Teams Memberships or Access

For IT admins who use SDS or any other methods to create Microsoft Class Teams via the APIs or PowerShell, some users may not appear correctly in their Class Teams, even if they do appear correctly in the corresponding Microsoft 365 group for the class. Microsoft Entra ID is the owner of the class roster within the tenant and it holds the list of all Classes (Microsoft 365 Groups), Educators (Group owners), and Students (Group members). Teams synchronizes and stores a cache of the Microsoft Entra ID for performance reasons. During provisioning, the APIs and SDS are correctly writing to Microsoft Entra ID, however the cache for Teams isn't always updating in a timely manner and sometimes it doesn't update at all. It's the missing data in the cache that is causing the users to appear missing in Teams. Microsoft is aware of these issues and is working on a fix for the pipeline that runs between Microsoft Entra ID and the Teams cache.

In the meantime, Microsoft has published two scripts to help anyone experiencing these issues. The scripts will update the Teams cache with the data stored in Microsoft Entra ID:

Add-GroupOwners-To-Teams.ps1

This script will check all owners of the Microsoft 365 group in Microsoft Entra ID and ensure they're also written to the Teams cache. This script can be run against a team owner, or it can be run against all Class Teams (created via SDS or the MSFT Graph Endpoint). Running this script will ensure team owners are reflected correctly in the Teams cache and all owners have access to their Class Teams. If you run the script against all classes, it can take a long time to complete.

Prepare to run the script

Before you can run the script, you must first download and install the MS Graph PowerShell module, download the script from GitHub, and set the location of the PowerShell client so the script can run. Follow the process below:

1. Download and save the script located in GitHub here.

   a. Select the green CODE button here and select Download as zip.

   b. In the zip file download, navigate to O365-EDUTools-master > Teams Scripts.

   c. Copy/Paste the scripts to your local c:\temp directory.

2. Launch PowerShell as an Administrator.

*Note - Does not work in PowerShell ISE

3. Run the command below:

   Set-Location c:\temp
   

4. Install the latest MS Graph Module, using the command below:

Install-Module -Name Microsoft.Graph.Authentication -MinimumVersion 0.9.1 -Force

Run the script against a single Educator

Once the setup is complete, you can run the script against a single educator. If prompted for credentials, enter your global administrator account.

1. Run the command below to run the script. Before running, update the EducatorUPN value with the UPN of the educator you want to run the script against:

.\Add-GroupOwners-To-Teams.ps1 -EducatorUPN john.smith@school.edu

2. If prompted, Confirm you want to run the script. Enter “R” for Run Once.

*Note - You will only have 120 seconds to complete the next 4 steps.

3. Copy the URL provided into a web browser (https://microsoft.com/devicelogin).

4. Enter the code provided to complete the authentication request.

5. Enter your Global Admin Credentials when prompted.

6. Confirm the session is connected.

7. Confirm the script completed successfully.

Run the script against all Educators and Class Owners

Once the setup is complete, you can run the script below against all Educators and Classes.

1. Run the command below to run the script:

.\Add-GroupOwners-To-Teams.ps1 

2. If prompted, Confirm you want to run the script. Enter “R” for Run Once.

*Note - You will only have 120 seconds to complete the next 4 steps.

3. Copy the URL provided into a web browser (https://microsoft.com/devicelogin).

4. Enter the code provided to complete the authentication request.

5. Enter your Global Admin Credentials when prompted.

6. Confirm the session is connected.

7. Confirm the script completed successfully.

Sync-GroupMembership-To-Team.ps1

This script will make sure that all owners and members (educators and students) of a Class Team are reflected correctly in the Team cache. If the team isn't activated, only the Educators will be updated in the Teams cache. If the Team is activated, all users (Educators and Students) will be checked and updated from Microsoft Entra ID to the Teams cache. This script runs on a single Team, which can be identified by SIS_ID, Email, GroupID, or Mail Nickname.

Prepare to run the script

Before you can run the script, you must first download and install the MS Graph PowerShell module, download the script from GitHub, and set the location of the PowerShell client so the script can run. Follow the process below:

1. Download and save the script located in GitHub here.

   a. Select the green CODE button here and select Download as zip.

   b. In the zip file download, navigate to O365-EDUTools-master > Teams Scripts

   c. Copy/Paste the scripts to your local c:\temp directory.

2. Launch PowerShell as an administrator

*Note - Does not work in PowerShell ISE

3. Run the command below:

Set-Location c:\temp

4. Install the latest MS Graph Module, using the command below:

Install-Module -Name Microsoft.Graph.Authentication -MinimumVersion 0.9.1 -Force

Run the script using the Class SIS ID

1. Run the command below to run the script. Before running, update the sisId value with the SIS ID of the Class you want to run the script against:

.\Sync-GroupMembership-To-Team.ps1 -sisId “008200123”

2. If prompted, confirm you want to run the script. Enter “R” for Run Once.

Note - You will only have 120 seconds to complete the next 4 steps.

3. Copy the URL provided into a web browser (https://microsoft.com/devicelogin).

4. Enter the code provided to complete the authentication request.

5. Enter your Global Admin Credentials when prompted.

6. Confirm the session is connected.

7. Confirm the script completed successfully.

Run the script using the Class Email Address

1. Run the command below to run the script. Before running, update the emailAddress value with the Email Address of the Class you want to run the script against:

.\Sync-GroupMembership-To-Team.ps1 -emailAddress Section_008200123@school.edu

2. If prompted, Confirm you want to run the script. Enter “R” for Run Once.

*Note - You will only have 120 seconds to complete the next 4 steps.

3. Copy the URL provided into a web browser (https://microsoft.com/devicelogin).

4. Enter the code provided to complete the authentication request.

5. Enter your Global Admin Credentials when prompted.

6. Confirm the session is connected.

7. Confirm the script completed successfully.

Run the script using the Class Group ID

1. Run the command below to run the script. Before running, update the groupId value with the Group ID of the Class you want to run the script against:

.\Sync-GroupMembership-To-Team.ps1 -groupId “e77144f7-a42c-4124-856e-bf6312a5ed2f”

2. If prompted, Confirm you want to run the script. Enter “R” for Run Once.

*Note - You will only have 120 seconds to complete the next 4 steps.

3. Copy the URL provided into a web browser (https://microsoft.com/devicelogin).

4. Enter the code provided to complete the authentication request.

5. Enter your Global Admin Credentials when prompted.

6. Confirm the session is connected.

7. Confirm the script completed successfully.

Run the script using the Class Mail Nickname

1. Run the command below to run the script. Before running, update the mailNickname value with the mailNickname of the Class you want to run the script against:

.\Sync-GroupMembership-To-Team.ps1 -mailNickname “Section_008200123”

2. If prompted, Confirm you want to run the script. Enter “R” for Run Once.

*Note - You will only have 120 seconds to complete the next 4 steps.

3. Copy the URL provided into a web browser (https://microsoft.com/devicelogin).

4. Enter the code provided to complete the authentication request.

5. Enter your Global Admin Credentials when prompted.

6. Confirm the session is connected.

7. Confirm the script completed successfully.

FAQ

Here are some frequently asked questions about the scripts and process described in this article.

1. If I run the script against a Class Team or Educator, will it correct both Teams that have been activated and Teams that haven't yet been activated?

   Yes, the script will correct owners of Teams in both states, either before or after Class Activation.

2. If I run the script prior to the activation of a Team, do I have to run the script again after activation?

   The scripts run independently of the activation on the Class Team. It will update the Team’s cache with the Microsoft Entra ID master values. The Activate Team unlocks the team and enables students (members) of a class to sync from Microsoft Entra ID to the Teams cache, so they can see and access their Class Teams. The scripts correct any divergences in owners and members between the directories, and can be run before, during, or after Team activation by the Educator. They can be run multiple times while the class is in various states as well, without any negative impact.

3. Will running the script activate the Class Team ahead of the educator?

   No, it will not.

4. Can the scripts be rerun against the same educator, class, or tenant?

   Yes, the scripts can be rerun as many times as needed to ensure updates to the Teams cache are correct and match the roster stored in Microsoft Entra ID.