Hide Microsoft 365 Groups from Outlook Address Book

Microsoft 365 groups are used for many things across Microsoft 365 – Teams, Planner, SharePoint, Stream, etc.

In some cases, you want to hide these groups from the Outlook address book so that people don’t accidentally email the whole group (or the groups might be private in nature).  If you are an Exchange Online-Only organization, this can be easily accomplished using the following PowerShell:

Set-UnifiedGroup "<GroupName>" -HiddenFromAddressListsEnabled:$true

However, if you are in an Exchange Hybrid state, you are a bit out of luck for your on-prem mailbox users.  The reason is that ADConnect does not write back all group attributes to AD.  One of the attributes that is missing is the “msExchHideFromAddressLists” attribute, which is what Exchange Server on-prem will use to generate its GAL for the users that have mailboxes hosted on-prem. This results in the M365 group being hidden from the GAL for Exchange Online users, but it will show up for Exchange On-Prem users.

Want to see this feature get added natively?  Vote here:

https://office365.uservoice.com/forums/286611-microsoft-365-groups/suggestions/41910307-microsoft-365-group-writeback-include-msexchhide

Channel Posts Search in Teams Returns No Results

Issue

A user tries to search the posts of a Teams channel (CTRL-F), but no results are returned.  The UI displays “No matches found.”  The same experience happens in the desktop and web UI for Teams.

Resolution

Check to be sure that the user is in the Microsoft 365 group’s members list.  It is possible in some scenarios (AAD Portal and Teams Admin Center when teams are created) that a user would only be in the group’s owners list.

1. Browse to the AAD Portal in Azure (https://aad.portal.azure.com/)
2. Select Groups
3. Search for the Team name (the M365 group name), then click on the group
4. Click Members on the left navigation of the group blade
5. Check to see if the impacted user is listed.  If they are not, add.

You may need to wait a few hours before search starts working for the user.

Unable to Delete Azure AD Connect Sync’d Groups

Issue

You have Active Directory groups being sync’d to Azure AD via Azure AD Connect.  These sync’d groups are being used for assigning licenses in your tenant.  If you delete one of these groups from your Active Directory, AD Connect throws an error and you get an error alert email.

The error says:

The cause of the error is not clear. This operation will be retried during the next synchronization. If the issue persists, contact Technical Support.

If you open the Azure AD Connect Synchronization Service, you can also see the error there:

AAD Connect Error

If you try to delete the same group via PowerShell, you get the following error:

 

Remove-AzureADGroup : Error occurred while executing RemoveGroup.
Code: Request_BadRequest
Message: Group deletion is not allowed.

 

Cause

Azure AD blocks group deletion when the group is being used to assign licenses.  This is to help protect you from accidentally removing all of your users’ licenses with a single action.

Resolution

Remove the license assignment from the group and run the sync again.  You can kick off the sync from your AAD Connect Server by running:

Start-ADSyncSyncCycle -PolicyType:Delta

 

References:

Group Based Licensing: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-group-assignment-azure-portal

Microsoft Teams / SharePoint Online Integration Not Working

Issue

When creating Teams in Office 365, you may notice that the files and wiki features (items that depend on access to the back-end SharePoint site collection for the Office 365 group) do not work correctly.

Here is an example of the error In Teams UI

Error Message:
Hang tight, we’re busy making space for your Wiki. Wait a few minutes then try again.

Even after waiting 24 hours, the connection still does not work. Additionally, if you select the “Open in SharePoint” option from the channel menu:

You are given this error message:

We are setting up your file directory.

Lastly, and this is the cause of the issue, you see this error if you try to browse to the underlying SharePoint site collection from off-premises.

Due to organizational policies, you can’t access these resources from this network location.

Cause

Your organization has IP restrictions setup in the SharePoint Online tenant to restrict which source IP addresses are allowed to connect to your sites.

These restrictions can be configured in the SharePoint online Admin Portal:

1. Open the Office 365 Admin Portal
2. Browse to Admin Centers -> SharePoint
3. Click on Device Access on the left navigation
4. Check the Control access based on network location section for any IP restrictions. Your organization may have put their public IP ranges in this field to limit access to on-premises only.

Resolution

Microsoft teams requires that it (the teams infrastructure) can access your SharePoint tenant. Check with your organization about removing the IP restrictions from SharePoint Online device access policy.

PowerShell Fails to Connect to Office 365

Issue

You may experience an error when connecting to SharePoint Online (or other Office 365 services) via PowerShell. All you get back is a generic:

Connect-SPOService : Unexpected response from the server. The content type of the response is “text/html;
charset=UTF8”. The status code is “OK”.

Example Error

PS C:\Windows\system32] Connect-SPOService -Url https://tenant-admin.sharepoint.com
Connect-SPOService : Unexpected response from the server. The content type of the response is "text/html;
charset=UTF8". The status code is "OK".
At line:1 char:1
+ Connect-SPOService -Url https://tenant-admin.sharepoint.com
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Connect-SPOService], ClientRequestException
+ FullyQualifiedErrorId : Microsoft.SharePoint.Client.ClientRequestException,Microsoft.Online.SharePoint.PowerShel
l.ConnectSPOService

Cause

This can happen when your corporate web filter blocks the traffic to your admin URL, such as https://tenant-admin.sharepoint.com. Check the logs on the web filter / proxy to ensure the traffic is being allowed.