Managing Teams – Movers and Leavers

Whenever someone leaves an organisation or changes roles, the permissions of their user account should be checked to ensure that:

  1. No Teams are left without an owner (every Team should really have two owners)
  2. Their access to Teams they no longer need access to is revoked.

There are many ways to do this but most organisations will consider this when the need arises. I have published a PowerShell module that provides commandlets to carry out some essential actions to support the management of Teams permissions.

The Commandlets

All of the commandlets can be found at https://github.com/al-eardley/TeamsManagement

Check-TeamMembership

Creates a CSV file containing a list of all of the Teams that a user is a member or owner of.

$CSVFilePath = Check-TeamMembership `
	-UserUPN "alan.eardley@company.com"  `
	-CSVPath "C:\Scratch\" `
	-ShowDebug $false

The path and name of the output file are returned from the commandlet and take the form TeamMembership_alan_eardley_at_company_com.csv

Replace-TeamOwner

Reads a CSV file with a list of Teams. For each Team, adds the new owner and removes the old owner from the owner role.

The CSV requires the following column:

  • GroupId – contains the GroupID of the Teams where the owner will be replaced

Replace-TeamOwner `
	-OldOwnerUPN "user1@company.com"  `
	-NewOwnerUPN "user2@company.com"  `
	-CSVFilePath "C:\Scratch\TeamMembership_alan_eardley_at_company_com.csv" `
	-ShowDebug $false

Remove-TeamMember

Reads a CSV file with a list of Teams and removes a user from the membership of each Team.

The CSV requires the following column:

  • GroupId – contains the GroupID of the Teams from which the user will be removed

Remove-TeamMember `
	-UserUPN "alan.eardley@company.com"  `
	-CSVFilePath "C:\Scratch\TeamMembership_alan_eardley_at_company_com.csv" `
	-ShowDebug $false

Check-TeamsCompliance

Creates a CSV containing a list of all of the Teams in a tenant, with a count of owners, members and guests for each.

$CSVFilePath = Check-TeamsCompliance `
	-CSVPath "C:\Scratch\" `
	-ShowDebug $false

Add-TeamOwner

Reads a CSV file with a list of Teams and adds a user as an owner of each Team.

The CSV requires the following columns:

  • GroupId – contains the GroupID of the Teams where the owners will be added
  • NewOwnerUPN – The UPN of the user to add as an owner

Add-TeamOwner `
	-CSVFilePath "C:\Scratch\AddOwner.csv" `
	-ShowDebug $false

How to use the Commandlets

A user is changing role

Aim: Find all the Teams that a user is an Owner of, review them and replace the user with someone else

Steps:

$CSVFilePath = Check-TeamMembership `
	-UserUPN "alan.eardley@company.com"  `
	-CSVPath "C:\Scratch\" `
	-ShowDebug $false

Review the CSV file that is created and save a copy that contains only the Teams where the owner needs to be replaced.

Review the CSV file that is created and save a second copy that contains only the Teams where the user should no longer have access.

Replace-TeamOwner `
	-OldOwnerUPN "alan.eardley@company.com"  `
	-NewOwnerUPN "new.owner@company.com"  `
	-CSVFilePath "C:\Scratch\ReplaceOwner_alan_eardley_at_company_com.csv" `
	-ShowDebug $false

Remove-TeamMember `
	-UserUPN "alan.eardley@company.com"  `
	-CSVFilePath "C:\Scratch\RemoveMember_alan_eardley_at_company_com.csv" `
	-ShowDebug $false

Add owners to Teams with no owners

Aim: find all Teams with no owners and add an owner

Steps:

$CSVFilePath = Check-TeamsCompliance `
	-CSVPath "C:\Scratch\" `
	-ShowDebug $false

Review the CSV file and add a column called NewOwnerUPN containing the UPN of the user to be added to the Team as an owner.

Add-TeamOwner `
	-CSVFilePath "C:\Scratch\AddOwner.csv" `
	-ShowDebug $false
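
One way to script the review step above, as an added example that is not part of the TeamsManagement module: it filters a Check-TeamsCompliance report down to under-owned Teams and writes the GroupId and NewOwnerUPN columns that Add-TeamOwner requires. The function name New-AddOwnerCsv, the "Owners" column name and the sample rows are assumptions; check the header row of your own report before using it.

```powershell
# Added example: build the AddOwner.csv that Add-TeamOwner reads from a
# Check-TeamsCompliance report. The "Owners" column name is an ASSUMPTION;
# pass -OwnerColumn to match the header row of your report.
function New-AddOwnerCsv {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $CompliancePath,
        [Parameter(Mandatory)] [string] $NewOwnerUPN,
        [Parameter(Mandatory)] [string] $OutPath,
        [string] $OwnerColumn = 'Owners',   # assumed column name
        [int]    $MinOwners   = 1           # 1 = ownerless only, 2 = fewer than two owners
    )

    $rows = @(Import-Csv -Path $CompliancePath)
    if ($rows.Count -eq 0) { throw "No rows in $CompliancePath" }

    # Fail early if the report does not have the columns this filter relies on.
    $columns = $rows[0].PSObject.Properties.Name
    foreach ($c in 'GroupId', $OwnerColumn) {
        if ($columns -notcontains $c) { throw "Column '$c' not found in $CompliancePath" }
    }

    # Keep under-owned Teams only and emit exactly the two columns Add-TeamOwner needs.
    $selected = @($rows |
        Where-Object { [int]$_.$OwnerColumn -lt $MinOwners } |
        Select-Object GroupId, @{ Name = 'NewOwnerUPN'; Expression = { $NewOwnerUPN } })

    $selected | Export-Csv -Path $OutPath -NoTypeInformation -Encoding UTF8
    return $selected
}

# Constructed sample report (not real tenant data) so the function can be tried offline.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'TeamsCompliance_sample.csv'
@'
GroupId,DisplayName,Owners,Members,Guests
11111111-1111-1111-1111-111111111111,Finance,0,12,0
22222222-2222-2222-2222-222222222222,Projects,1,40,3
33333333-3333-3333-3333-333333333333,HR,2,8,0
'@ | Set-Content -Path $sample -Encoding UTF8

$out = Join-Path ([IO.Path]::GetTempPath()) 'AddOwner.csv'
New-AddOwnerCsv -CompliancePath $sample -NewOwnerUPN 'new.owner@company.com' -OutPath $out |
    Format-Table
```

Passing -MinOwners 2 also selects Teams with a single owner, in line with the recommendation that every Team should have two owners. Review the generated file before handing it to Add-TeamOwner.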

Summary

These are pretty simple commandlets that create and read CSV files, allowing these actions to be carried out in bulk, which can be very useful when there are a lot of Teams to review and update.

All of the commandlets can be found at https://github.com/al-eardley/TeamsManagement