User keeps getting removed from Team - need advice on how to track down cause
Posted by ZippyDan@reddit | sysadmin | 14 comments
I have a user that keeps getting removed from a specific Team.
I've checked the Audit logs and I found an initial removal of several Team Members by a Team Owner - most of them were deactivated accounts so this was a legitimate removal, but I think one current Team member was accidentally selected for removal.
I can see the specific Owner's username doing the original removal in the logs, followed by several removals of other Members done by a "ServicePrincipal" account associated with "Microsoft Teams Services" Enterprise App.
Since then, I add the user back to the Team every time, but the user is getting removed from the Team again and again. I don't see any specific username (of a real user, anyway) associated with these subsequent removals - only a "ServicePrincipal" again, but this time it's always by a different Enterprise App: "Microsoft Teams Templates Service".
- Has anyone experienced a situation like this before?
- Is there any way to track down why this user keeps getting removed by this Enterprise App?
It's almost like the Owner set a list of what Members should be on the Team, and Teams is automatically "purging" any Members that don't appear on their master list? But I don't know how this would be occurring. Is there such a function on Teams? I tried digging through the Microsoft Teams Admin Center for an "Allowed List" - and of course I checked the "Teams Templates" section - but I don't see any such relevant feature.
I know I can restrict access to a Team, but I'm able to add the user to the Team with no problem. The user is not blocked from accessing the Team - they are being removed from the Team at seemingly random intervals by a Teams process: sometimes it happens days later, sometimes a month later.
Sad-Offer-8747@reddit
Unified audit logs?
ZippyDan@reddit (OP)
I got my information from the Audit logs in Purview.
Is there somewhere else I should look?
Sad-Offer-8747@reddit
To be honest what I prefer to do is take a big chunk of logs, put em in a csv, run it thru ChatGPT and explain the issue I’m looking for, and ask it for a play by play of what happened
ZippyDan@reddit (OP)
I already found the relevant logs of the user's removal.
FixClassic4352@reddit
Hello, I am a consultant from a Microsoft 365 partner. I have the same problem with a company and a specific user.
I already tried to contact support, but Microsoft 365 support is a shame. I already found that the user is being kicked from an app@sharepoint, but I cannot find the RCA.
Do you have any update on this? If I find it, I will share it.
Sad-Offer-8747@reddit
Yeah, that’s the audit logs I was talking about
godspeedfx@reddit
It sounds like the team was created from a template (or another team) and they included the member list so whenever the sync happens, they get removed again. Either that or a dynamic security group is being used for the members list, but I'm assuming you would have seen that straight away.
You can use the compliance admin center to check audit logs for team creation events to see what the origin was, but I think there's only 180 days of history in there unless you have a premium plan.
That being said, it'd probably be a lot easier to just create a new team from the existing one and make sure you don't include the member list, add the users to it manually, and then delete the old one.
ZippyDan@reddit (OP)
And there is no way to check what Template is being used to manage the Team?
That seems like a huge oversight.
That means if I ever add new members to that Team, they will get removed and I have no way to modify that original setting?
But, new users are added to that Team all the time, and I don't have this problem with any other users.
That said, your comment about Dynamic Security Groups has me thinking you might be on to something:
All new users automatically get added to this Team. So there is some dynamic element to it - I'm not sure exactly how it was set up though.
What is this "package"? Is it a red herring? Is it even related to this issue?
ms6615@reddit
Sounds like an “access package”. I think that's a thing in Purview??? It’s another way to automate group memberships and permissions by bundling them together.
ZippyDan@reddit (OP)
I thought Purview is about data management (logs, investigations, analytics).
It doesn't make sense that it would be there, to me.
OpenOb@reddit
Check access packages and access reviews in Entra ID Governance.
LaxVolt@reddit
Possible AD group used for membership but user is not in group. ADSync runs every 30min but interval seems random because the time from user being manually added back to group is random and from 1-30min later a sync happens. Just my theory
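Added example, not part of the thread: one way to check the timing pattern discussed above is to pair every removal of the affected user with the re-add that preceded it, then compare the delays against the 30-minute sync interval and see which actor performed each removal. The records, addresses and field names below are constructed assumptions, not a real export format; map them from your own audit log export.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records, not real tenant data. The keys are assumptions;
# map them from the columns of your own audit log export.
RECORDS = [
    {"time": "2024-03-01T09:00:00", "op": "MemberRemoved", "member": "alice@example.com",
     "actor": "owner@example.com", "actor_type": "User"},
    {"time": "2024-03-01T09:01:00", "op": "MemberRemoved", "member": "bob@example.com",
     "actor": "Microsoft Teams Services", "actor_type": "ServicePrincipal"},
    {"time": "2024-03-01T10:00:00", "op": "MemberAdded", "member": "alice@example.com",
     "actor": "admin@example.com", "actor_type": "User"},
    {"time": "2024-03-04T02:15:00", "op": "MemberRemoved", "member": "alice@example.com",
     "actor": "Microsoft Teams Templates Service", "actor_type": "ServicePrincipal"},
    {"time": "2024-03-04T08:00:00", "op": "MemberAdded", "member": "alice@example.com",
     "actor": "admin@example.com", "actor_type": "User"},
    {"time": "2024-04-02T03:40:00", "op": "MemberRemoved", "member": "alice@example.com",
     "actor": "Microsoft Teams Templates Service", "actor_type": "ServicePrincipal"},
]

SYNC_WINDOW = timedelta(minutes=30)  # interval named in the sync theory


def removal_timeline(records, member):
    """Pair each removal of `member` with the add that preceded it."""
    timeline, last_add = [], None
    mine = (r for r in records if r["member"] == member)
    for rec in sorted(mine, key=lambda r: r["time"]):
        ts = datetime.fromisoformat(rec["time"])
        if rec["op"] == "MemberAdded":
            last_add = ts
        elif rec["op"] == "MemberRemoved":
            delay = ts - last_add if last_add else None  # None: no add in the export
            timeline.append({"time": ts, "actor": rec["actor"],
                             "actor_type": rec["actor_type"], "delay": delay})
            last_add = None  # a later removal needs its own preceding add
    return timeline


def summarize(timeline):
    """Count removals per actor and test the re-add delays against the sync window."""
    delays = [t["delay"] for t in timeline if t["delay"] is not None]
    return {
        "by_actor": Counter(t["actor"] for t in timeline),
        "fits_sync_window": bool(delays) and all(d <= SYNC_WINDOW for d in delays),
        "longest_delay": max(delays, default=None),
    }
```

Delays that cluster inside the window point toward a periodic sync; delays of days or weeks from a single service principal point toward a scheduled or policy-driven process instead.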
AlternativeSquare875@reddit
Is access review enabled?
https://learn.microsoft.com/en-us/entra/id-governance/create-access-review
ihaxr@reddit
Team template?
https://learn.microsoft.com/en-us/microsoftteams/get-started-with-teams-templates-in-the-admin-console