Provisioning a team with hundreds of guest users - azure-active-directory

I was wondering how would I go about provisioning a team that will have hundreds of guest users?
I looked at PowerShell and School Data Sync, but it's only possible to add members within the organization. Is there a way to add about 13.000 guests (in an organisation that has 250 employees), without having to add them individually?
It's an EDU tenant.
We would split the 13.000 users across multiple teams, so the 10k limit per team will not be reached.
Thanks

Well, there are two ways to do this. One which you already mentioned - PowerShell - you can add people outside your organization (guests). Adding guests is a two-step process: first you need to invite the user, second add them to the team. Check this documentation for how to add the guest and how to add bulk users using a PowerShell script.
And the second option is to use the API.

As per my knowledge, you have to add guest users in Azure Active Directory. If you need some special features like MFA, then for guest users you can add up to 5 guest users per license; otherwise there are no restrictions. In the past I created 132 guest users for my Azure account.

Yes, it is possible to add guest users in your Teams organization.
1. Add guest users as mail contacts in your Exchange organization.
2. Add the contacts into Teams.
You can find a short video tutorial prepared in my blog explaining this in the link shown below:
If you are looking for the solution which I explain in my blog, I can help out further in preparing a PowerShell script to add all users by PowerShell cmdlet.
Add External Contacts in Microsoft Teams
Thanks,
Manu

Related

Guest added to Microsoft 365 group through Azure Active Directory PowerShell for Graph module is not able to see Team site

Quick explanation:
We want to add new guests to a Microsoft Team as streamlined as possible. Adding the guest to the M365 group through PowerShell seems to work and the guest appears in the Team membership, but no URL sent to the guest will get them into the Team channels. They get either an empty Teams dashboard (no channels) or "You'll need permissions to access this team or channel", depending on the URL. Deleting the guest from the team and re-adding them through the Teams admin portal works fine.
Steps to recreate:
Have a team already set up and working, e.g. "MSTeamTest".
Create a CSV in c:\temp called invitations.csv, with the following rows (e.g.; no spaces after the commas, since Import-Csv keeps leading whitespace in the values):
Name,InvitedUserEmailAddress,TeamName
Test Person,testperson@gmail.com,MSTeamTest
Run these commands in PowerShell (gist):
# Install AzureADPreview
Install-Module AzureADPreview
# Interactive login as an AAD global admin:
Connect-AzureAD
# Import the CSV
$invitations = Import-Csv c:\temp\invitations.csv
# Add guest users to Azure AD
$messageInfo = New-Object Microsoft.Open.MSGraph.Model.InvitedUserMessageInfo
$messageInfo.customizedMessageBody = "Hey there! Check this out. I created an invitation through PowerShell"
foreach ($email in $invitations) {
    New-AzureADMSInvitation -InvitedUserEmailAddress $email.InvitedUserEmailAddress `
        -InvitedUserDisplayName $email.Name `
        -InviteRedirectUrl "https://teams.microsoft.com/?tenantid={putIDHere}" `
        -InvitedUserMessageInfo $messageInfo `
        -SendInvitationMessage $true
}
# Add the same guest users to the Microsoft 365 group (same CSV)
# Wait a few seconds so the new guest user objects are available to add to the group
Start-Sleep -Seconds 30
foreach ($email in $invitations) {
    # Filter server-side: without -Filter or -All, Get-AzureADUser/Get-AzureADGroup return only the first page of objects,
    # so piping everything into Where-Object silently misses users in a larger tenant
    $user  = Get-AzureADUser  -Filter "mail eq '$($email.InvitedUserEmailAddress)'"
    $group = Get-AzureADGroup -Filter "displayName eq '$($email.TeamName)'"
    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId
}
At this point, assuming this was an entirely new guest and you have the rights, licenses, etc., you now have the guest in Azure AD and the guest appears in the Team under: https://admin.teams.microsoft.com/teams/manage/{Teamid}
However, if the person tries to use the web version for https://teams.microsoft.com/?tenantid={putIDHere} they get an empty Teams dashboard (no teams listed).
If you send them a Team link from more>get link to team, and they try something like this: https://teams.microsoft.com/l/team/19%{teamID}%40thread.tacv2/conversations?groupId={groupID}&tenantId={tenantID} they get:
"You'll need permissions to access this team or channel. Try contacting the team owner or admin."
And the same behavior happens if they follow a link like this: https://myapps.microsoft.com/?tenantid={tenantID} - they see they are a member of the "MSTeamTest" group with no apps. Clicking the group lets them launch Teams, but they get the same "You'll need permissions" dialog.
And again - through the admin panel, the person looks to be part of the membership. An existing member sees the person listed as a guest on the Team. It's almost like I'm missing one PowerShell command.
Why am I doing this at all?
The process is too cluttered if the end goal is just to get a guest up and running in Teams. Two emails with manual intervention in between is confusing to the guests (one for AAD, one for Teams).
Azure AD B2B lets you create a guest and make them a member of a group at the same time, but for bulk import in the UI with a CSV of new guest users, it does not let you add membership to a group (aka the Team in question), so I've turned to PowerShell.
I know folks say it takes a while for things to propagate:
https://techcommunity.microsoft.com/t5/microsoft-teams/teams-membership-and-groups-membership/m-p/92982
however this does not seem to be the issue.
If you have any thoughts or a solution I'd be grateful! Thanks!
FYI, please be aware that when you add users to an O365 group through PowerShell or Teams, it can take up to 24 hours to sync with the Teams backend and to fully provision the users. They are actually 2 separate datasets, where the O365 membership needs to be synced to the Teams data on the Microsoft backend. So there are chances you will see inconsistencies for up to 24 hours; it's not a real-time operation.
The issues have been made worse with the whole COVID work-from-home situation because Teams is seeing such a massive spike of users.
But if you notice inconsistencies, that is usually the reason, especially if you added users through PowerShell or even more so through the Graph API.
The order of operations that seems to work is:
1. Add the user to Azure AD using: New-AzureADMSInvitation
2. Wait (e.g.) 30 seconds: Start-Sleep -Seconds 30
3. Add the user to the Microsoft 365 group using: Add-TeamUser
Notes:
Step #3 is part of Install-Module -Name MicrosoftTeams. The email for the Team seems to be sent ~10-15 minutes after the initial invite. The Microsoft Teams email has a SharePoint link, and if you go into the documents there, you will eventually see a link to open the Team channel. So far this seems to be working, albeit with the delays mentioned.
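The three-step order above (invite, wait, Add-TeamUser), put together as one bulk script for the "hundreds of guests per team, thousands overall" case from the first question. This is an added example, not code from any of the posts; it uses only the cmdlets the answers name (New-AzureADMSInvitation from the AzureAD module, Get-Team and Add-TeamUser from the MicrosoftTeams module) and assumes you are already signed in with Connect-AzureAD and Connect-MicrosoftTeams. The CSV layout is the one from the question; {putIDHere} remains a tenant-ID placeholder and the result file name is an assumption.

```powershell
# Added example: bulk guest onboarding in the invite -> wait -> Add-TeamUser order.
# Assumes an existing Connect-AzureAD and Connect-MicrosoftTeams session and a CSV with
# the columns Name,InvitedUserEmailAddress,TeamName. All paths and IDs are placeholders.
param(
    [string]$CsvPath       = 'C:\temp\invitations.csv',
    [string]$TenantId      = '{putIDHere}',
    [int]   $SettleSeconds = 30
)

$rows = Import-Csv -Path $CsvPath
$log  = [System.Collections.Generic.List[object]]::new()

# Step 1: invite. Validate each address first so a malformed CSV row cannot send an invitation
# to garbage, and skip guests that already exist so re-running the script is safe.
foreach ($row in $rows) {
    $address = $row.InvitedUserEmailAddress.Trim()
    try   { $null = [System.Net.Mail.MailAddress]::new($address) }
    catch { Write-Warning "Skipping malformed address '$address'"; continue }

    $entry = [pscustomobject]@{ Email = $address; Team = $row.TeamName.Trim(); Invite = ''; Added = '' }
    # Escape a single quote for the OData filter (e.g. o'brien@...) so the lookup cannot break.
    $existing = Get-AzureADUser -Filter "mail eq '$($address.Replace("'", "''"))'"
    if ($existing) {
        $entry.Invite = 'already-present'
    } else {
        New-AzureADMSInvitation -InvitedUserEmailAddress $address `
            -InvitedUserDisplayName $row.Name `
            -InviteRedirectUrl "https://teams.microsoft.com/?tenantid=$TenantId" `
            -SendInvitationMessage $true | Out-Null
        $entry.Invite = 'sent'
    }
    $log.Add($entry)
}

# Step 2: let the directory settle before touching membership.
Start-Sleep -Seconds $SettleSeconds

# Step 3: add members per team, resolving each team's GroupId once rather than once per row.
foreach ($team in ($rows | Group-Object { $_.TeamName.Trim() })) {
    $t = Get-Team -DisplayName $team.Name | Select-Object -First 1
    if (-not $t) { Write-Warning "Team '$($team.Name)' not found; skipping $($team.Count) rows"; continue }
    foreach ($row in $team.Group) {
        $address = $row.InvitedUserEmailAddress.Trim()
        $entry = $log | Where-Object { $_.Email -eq $address -and $_.Team -eq $team.Name } | Select-Object -First 1
        if (-not $entry) { continue }   # row was rejected as malformed in step 1
        try {
            Add-TeamUser -GroupId $t.GroupId -User $address -Role Member
            $entry.Added = 'ok'
        } catch {
            $entry.Added = "failed: $($_.Exception.Message)"
        }
    }
}

# Keep a record of the run: every invitation is an audit-relevant event in the tenant.
$log | Export-Csv -Path "$CsvPath.result.csv" -NoTypeInformation
$log | Format-Table -AutoSize
```

Two points worth knowing before running this at the 13.000-guest scale. Step 1 does not need a Global Admin session: the built-in Guest Inviter role is sufficient for New-AzureADMSInvitation, and adding members needs only team-owner or Teams-admin rights, so the account used here can be scoped much tighter than the "AAD global admin" login in the steps above. The result CSV is what you hand to whoever reviews who was let into the tenant; it also lets you re-run only the rows marked "failed" after the propagation delay the other answer describes.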

Extract users from two Active Directory groups

I have tried multiple times to get this to work, but I haven't figured it out yet, so I'm asking in here, hoping that someone will be able to help me out.
I am using Atlassian's Bitbucket, Jira and Bamboo and they're all synced with an AD. At the moment I am using my AD user to retrieve all the other users. It works, but it's not optimal, as the password expires every three months, and I have to change the LDAP user login info on all three applications. We have ordered a Service User, where the password doesn't expire, but the problem is that the Service User is in another group.
The picture below shows how the AD is set up. My Service User is in a group called Special Users. I would like to use this user as the login user in the settings. This way I would never have to think about changing password, when my AD password expires.
I would then like to retrieve all the users from the "Normal Users" group.
Let me know if more information is needed.
Thanks.
You could also add multiple user directories pointing to different parts of your Active Directory.
Jira has an internal Crowd out of the box.
You may let Jira connect to the user directory and let all other applications use Jira for authentication.
This would save time by only updating your LDAP password every 3 months on 1 application and having it reflected on all 3 applications.

Email alias with AAD and Intune

I'm new to managing a small company using Intune and Azure Active Directory. I need to create an email alias (info@, webmaster@, etc.) and have those emails go to a specific user. I created a group with the email alias I want to use, but this appears to be more of a shared mailbox that has to be logged into.
Can someone help me or point me to the correct MS docs to accomplish this?
I've tried googling for the answer to this question but maybe I'm not using the correct search terms.
You could add an email alias in the Microsoft 365 admin center.
Please refer to the detailed steps: Add email aliases to a user.
Note step 2:
On the Active Users page, select the user > Manage email aliases.
You won't see this option if the person doesn't have a license assigned to them.
So you need to make sure the user has an Exchange Online license.
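The same alias assignment done from Exchange Online PowerShell, which is more convenient than the admin center when several aliases go to one user. This is an added example, not part of the answer; it assumes the ExchangeOnlineManagement module is installed, and the user and alias addresses are constructed placeholders.

```powershell
# Added example: add secondary SMTP aliases to a licensed mailbox and read the result back.
# Assumes the ExchangeOnlineManagement module; user and aliases are placeholder values.
Connect-ExchangeOnline

$user    = 'someone@contoso.example'                                    # assumed licensed user
$aliases = @('info@contoso.example', 'webmaster@contoso.example')       # constructed aliases

# The admin-center option is hidden without a mailbox, and Set-Mailbox fails for the same reason,
# so check for the mailbox (i.e. the Exchange Online licence) before changing anything.
$mbx = Get-Mailbox -Identity $user -ErrorAction SilentlyContinue
if (-not $mbx) { throw "No mailbox found for $user (is an Exchange Online licence assigned?)" }

# Lowercase "smtp:" marks a secondary address; the uppercase "SMTP:" primary address is left untouched.
$current = @($mbx.EmailAddresses | ForEach-Object { "$_" })
$toAdd   = @($aliases | ForEach-Object { "smtp:$_" } | Where-Object { $current -notcontains $_ })

if ($toAdd.Count -gt 0) {
    # @{Add=...} appends to the existing list instead of replacing it.
    Set-Mailbox -Identity $user -EmailAddresses @{ Add = $toAdd }
} else {
    Write-Host "All requested aliases are already present on $user"
}

# Read back the full address list so the change can be verified.
(Get-Mailbox -Identity $user).EmailAddresses
```

Using `@{ Add = ... }` rather than assigning the whole list matters: passing a plain array to -EmailAddresses replaces every address on the mailbox, including the primary one.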

Unlicensed User without Office Plan with PowerBI license

I work for a company where we started to share the PowerBI license with users without the Office plan. They started asking us to give them access to Outlook to keep up with newsletters and other reports from PowerBI. Our organization is not allowing us to supply an Office license to PowerBI users.
I have a few questions:
Is there a chance to forward emails to their private mailboxes without converting them to a shared mailbox?
If I add a PowerBI license with an Office plan and convert it to shared, will PowerBI be disabled on that account? If not, is it possible to take it off, or do I need to convert it to a regular mailbox to take it off?
I know about mail flow rules; are they safe to use? They are global rules either way.
I am excluding a Contact user here for one reason: a PowerBI license cannot be added to a Contact user.
Thanks for any suggestions
Found an answer:
Create an AD account, sync it with O365, and move it to the correct OU.
Go to the user created earlier -> Attribute Editor -> Attribute: targetAddress, add: SMTP:youraddress@something.com
Wait for the sync and test. All emails should be redirected to the target address without having the license.
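The Attribute Editor step above, scripted with the ActiveDirectory module so it can be applied to a batch of accounts and verified before the next sync cycle. This is an added example, not the answer's own procedure; the account names and external addresses are constructed placeholders.

```powershell
# Added example: set targetAddress on on-prem AD accounts and read the result back.
# Assumes the RSAT ActiveDirectory module; account names and addresses are constructed.
Import-Module ActiveDirectory

# Constructed input: sAMAccountName -> external mailbox that should receive the mail
$forwards = @{
    'jdoe'   = 'jdoe@example.org'
    'asmith' = 'asmith@example.org'
}

foreach ($sam in $forwards.Keys) {
    $target = "SMTP:$($forwards[$sam])"
    # Exchange reads the uppercase "SMTP:" prefix as the routing address; refuse anything that is not one address.
    if ($target -notmatch '^SMTP:[^@\s]+@[^@\s]+\.[^@\s]+$') {
        Write-Warning "Skipping '$sam': '$target' is not a valid SMTP address"
        continue
    }
    if (-not (Get-ADUser -Filter "sAMAccountName -eq '$sam'")) {
        Write-Warning "Skipping '$sam': account not found"
        continue
    }
    # -Replace overwrites any existing targetAddress, so the read-back below shows exactly what will sync.
    Set-ADUser -Identity $sam -Replace @{ targetAddress = $target }
}

# Verify what Azure AD Connect will pick up on its next cycle: every account with a routing address set.
Get-ADUser -Filter 'targetAddress -like "SMTP:*"' -Properties targetAddress, mail |
    Select-Object SamAccountName, mail, targetAddress |
    Format-Table -AutoSize
```

Because targetAddress silently sends a user's mail to a mailbox outside the tenant, the final query is also worth running on a schedule: an unexpected account appearing in that list is the kind of change you want to notice, and with directory-service-changes auditing enabled the same modification shows up as event 5136 on the domain controller.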

New MS CRM contact already has an Active Directory account. How do I pull from AD?

I have some clients that I'd like to put into Microsoft CRM (3.0 Dynamics). These people are already in a small Active Directory group for access to a couple of internal applications.
Is there a way to add these people to CRM and pull/push the contact data from Active Directory, so I'm not creating a second repository of information that conflict?
Unfortunately there's no out-of-the-box way to do this. You'd have to write a custom app in order to query AD and pull in the data. Unless you're looking at over 100 customers, you probably won't make up the time it would take you to manually input this data.