TECHCOMMUNITY.MICROSOFT.COM



TSG: Cannot add external users to a teamProblem:When adding Guests a Team owner received an error “You’re not Authorized”Investigation:Collect teams web logs using Ctrl+alt+shift+1 and search for keywords like guest, Err. In this scenario logs has evident error“TeamMembershipService: [inviteGuest] Failed to invite guest. Error: Microsoft Teams Tenant settings is off for guests, so cannot invite new guest in this team”Root Cause:Guest/External Access is disabled either on Azure, Groups or TeamsResolution:Ensure guest/external access is enabled in following locationsAzureLogin to Click on Azure Active directory on the left paneClick on Users and Groups under manageClick on User SettingsEnsure following settings are turned on (They are enabled by default)?GroupsLogin to O3565 admin center Click on Settings and then Services & add-insSelect Office365 groupsEnsure “Let group owners add people outside the organization to groups” is enabledP.S: If this setting is turned off it will block Team owners to add new guests but can add guests accounts that already exist in AAD.TeamsLogin to O3565 admin center Click on Settings and then Services & add-insSelect Microsoft TeamsClick on drop down Settings by User/Licence type and select guestEnsure “Turn Microsoft Teams on or off for all users of this type” is enabledTSG: External users shows as member instead of guests in a team and they fail to redeem guest inviteProblem:Users are not detected as guests when added to a team and cannot switch tenantsRoot Cause:A user that is being added exist in the home tenant AAD already as mail user. Teams does a check on smtp address first in home tenant and this causes Teams to believe the user is a local user. Resolution: Disable the mail user in exchange on prem or exchange online and after AAD sync you can add the users as guest to a team. The guest account can then be made available in GAL for email delivery.TSG: Corp users are identified as guests while adding to a teamProblem:When adding users from internal domain to a team they are identified as guestsRoot Cause:Users are hosted on prem and not dir synced to AADResolution: Ensure on prem users are dir synced to AAD for them to be identified as members. Also ensure they have teams license to be able to leverage teamsTSG: Corp users are identified as guests while adding to a teamProblem:Guest Users unable to access Files or onenote in a teamRoot Cause:External access disabled on Sharepoint sitesResolution: Login to O3565 admin center Click on Settings and then Services & add-insSelect SitesEnsure “let users share sharepoint online and Ondrive for business content with people outside the organization” is enabledTSG: Guest users can’t sign in Problem:User SMTP address is added to a Microsoft Team and he has accepted invitation but when the user goes to switch tenants, sign in fails.Investigation:Confirm that invited user is from a valid O365 domain and if on-premises AD created, the user identity is synchronized to AAD.Check Guest AAD Object: Open PowerShellConnect-MsolServiceAuthenticate with your O365 admin credentialsRun Get-MsolUser -UserPrincipalName <smtp>#ext#@contoso. |flP.S: Replace @ with _ (underscore) in smtp field in above cmdlet and replace domain with home tenant domain name. for egGet-MsolUser -UserPrincipalName user1_#ext#@contoso. |flCheck the SMTP address and UPN attribute, ensure they are appropriate. Important attribute to look for is “AlternateSecurityIDs” which get populated after redemption of the invite. If the attribute is NULL, or CONTAINS a COMMA (,) then we had a problem stamping attribute when the user reedemed the Guest Invitation and the user won't be able to sign in. Eg of a valid/expected attribute value for “AlternateSecurityIDs” is belowRoot Cause:This may happen if the guest account existed in legacy sharepoint site previously or failure on auth while redeeming teams guest invite. It is not possible today to reset Alternativesecurityid attributeResolution: Delete the guest account from AAD using Remove-msoluser cmdlet and readd the guest in Teams.In future we will provide self help feature for users to reset the attribute.Bonus:Admins can leverage Azure AD Auditing to know how many guests has successfully redeemed invitations. Resources:Manage Guest Access Teams known Issues ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download