You have Active Directory groups being sync’d to Azure AD via Azure AD Connect. These sync’d groups are being used for assigning licenses in your tenant. If you delete one of these groups from your Active Directory, AD Connect throws an error and you get an error alert email.
The error says:
The cause of the error is not clear. This operation will be retried during the next synchronization. If the issue persists, contact Technical Support.
If you open the Azure AD Connect Synchronization Service, you can also see the error there:
AAD Connect Error
If you try to delete the same group via PowerShell, you get the following error:
Remove-AzureADGroup : Error occurred while executing RemoveGroup.
Message: Group deletion is not allowed.
Azure AD blocks group deletion when the group is being used to assign licenses. This is to help protect you from accidentally removing all of your users’ licenses with a single action.
Remove the license assignment from the group and run the sync again. You can kick off the sync from your AAD Connect Server by running:
Group Based Licensing: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-group-assignment-azure-portal
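The check and fix described above can be scripted. This is an added example, not code from the original post: it uses the Microsoft Graph PowerShell SDK rather than the AzureAD module shown in the error, and the group name `Licensing-E3-Users` and the function name are hypothetical.

```powershell
#Requires -Modules Microsoft.Graph.Groups
# Added example. Assumes the Microsoft Graph PowerShell SDK is installed and the
# signed-in admin can consent to Group.ReadWrite.All.

function Remove-GroupLicenseAssignment {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $DisplayName
    )

    # AssignedLicenses is only returned when it is explicitly selected.
    $escaped = $DisplayName -replace "'", "''"
    $props   = 'Id', 'DisplayName', 'AssignedLicenses', 'OnPremisesSyncEnabled'
    $groups  = @(Get-MgGroup -Filter "displayName eq '$escaped'" -Property $props)

    if ($groups.Count -ne 1) {
        throw "Expected exactly one group named '$DisplayName', found $($groups.Count)."
    }
    $group = $groups[0]

    # Collect the SKU ids assigned through this group (empty if none).
    $skuIds = @($group.AssignedLicenses | Where-Object SkuId | ForEach-Object SkuId)
    if ($skuIds.Count -eq 0) {
        Write-Output "'$DisplayName' assigns no licenses; licensing will not block its deletion."
        return
    }

    # Members lose these inherited licenses once the assignment is removed,
    # so report the blast radius before changing anything.
    $members = @(Get-MgGroupMember -GroupId $group.Id -All)
    Write-Warning "$($members.Count) member(s) inherit $($skuIds.Count) SKU(s) from '$DisplayName'."

    if ($PSCmdlet.ShouldProcess($DisplayName, "Remove $($skuIds.Count) license assignment(s)")) {
        $body = @{ addLicenses = @(); removeLicenses = $skuIds }
        Set-MgGroupLicense -GroupId $group.Id -BodyParameter $body | Out-Null
    }
}

Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Preview first; drop -WhatIf once the member count is what you expect.
Remove-GroupLicenseAssignment -DisplayName 'Licensing-E3-Users' -WhatIf

# Afterwards, on the AAD Connect server (ADSync module), a delta sync can be started with:
# Start-ADSyncSyncCycle -PolicyType Delta
```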
When creating Teams in Office 365, you may notice that the files and wiki features (items that depend on access to the back-end SharePoint site collection for the Office 365 group) do not work correctly.
Here is an example of the error in the Teams UI:
Hang tight, we’re busy making space for your Wiki. Wait a few minutes then try again.
Even after waiting 24 hours, the connection still does not work. Additionally, if you select the “Open in SharePoint” option from the channel menu:
You are given this error message:
We are setting up your file directory.
Lastly, and this is the cause of the issue, you see this error if you try to browse to the underlying SharePoint site collection from off-premises.
Due to organizational policies, you can’t access these resources from this network location.
Your organization has IP restrictions set up in the SharePoint Online tenant to restrict which source IP addresses are allowed to connect to your sites.
These restrictions can be configured in the SharePoint Online Admin Portal:
- Open the Office 365 Admin Portal
- Browse to Admin Centers -> SharePoint
- Click on Device Access on the left navigation
- Check the Control access based on network location section for any IP restrictions. Your organization may have put their public IP ranges in this field to limit access to on-premises only.
Microsoft Teams requires that the Teams infrastructure can access your SharePoint tenant. Check with your organization about removing the IP restrictions from the SharePoint Online device access policy.
You may experience an error when connecting to SharePoint Online (or other Office 365 services) via PowerShell. All you get back is a generic:
Connect-SPOService : Unexpected response from the server. The content type of the response is “text/html;
charset=UTF8”. The status code is “OK”.
PS C:\Windows\system32> Connect-SPOService -Url https://tenant-admin.sharepoint.com
Connect-SPOService : Unexpected response from the server. The content type of the response is "text/html;
charset=UTF8". The status code is "OK".
At line:1 char:1
+ Connect-SPOService -Url https://tenant-admin.sharepoint.com
+ CategoryInfo : NotSpecified: (:) [Connect-SPOService], ClientRequestException
+ FullyQualifiedErrorId : Microsoft.SharePoint.Client.ClientRequestException,Microsoft.Online.SharePoint.PowerShel
This can happen when your corporate web filter blocks the traffic to your admin URL, such as https://tenant-admin.sharepoint.com. Check the logs on the web filter / proxy to ensure the traffic is being allowed.