Microsoft Teams doesn’t allow you to define a group for membership (dynamically).
When you add an Azure AD group to a Team, all users will be added once.
Once someone is added to that group, it won’t be added to the team automatically.
For this I created this script.
You define an Active Directory group and a Microsoft Team to manage.
All users that are in the AD group, but aren’t in the Team will be added (as a member).
All users that aren’t in the AD group, but are in the Team will be removed from the Team.
Offcourse except owners.
If an owner is in the Team, but isn’t in the AD Group it will generate a warning and continue.
You can find it on Technet Gallery:
Create an Service Account in your Active Directory domain.
This service account needs an UPN suffix with a verified Office 365 domain.
For example: It can be firstname.lastname@example.org, but cannot be email@example.com.
Where contoso.com is added as a verified domain in Office 365.
Sync your Active Directory domain with Azure AD (it normally does every 30 minutes automatically).
Also make sure the Service Account has read-rights in your Active Directory.
Go to Office 365 and add an Office 365 license to the Service Account (with the Teams subscription).
Go to teams.microsoft.com and add the service account as an owner of the Teams you want to manage from AD.
Add the users of the Teams you want to manage to the AD groups you want to sync.
Add AD Groupname and Team name you want to sync to Teams.csv (example csv is in the zip-file), with a comma as a delimiter.
Every line is an Active Directory group and Team that needs to be synced.
WARNING: MAKE SURE YOU ADD ALL MEMBER USERS THAT ARE CURRENTLY IN THE TEAM TO THE RESPECTIVE AD GROUP, ALL MEMBERS THAT ARE IN THE TEAM BUT AREN’T THE AD GROUP ARE REMOVED FROM THE TEAM.
WITH AN EXCEPTION OF OWNERS OFFCOURSE.
Run Powershell as the service user and browse to the location.
run Set-SecureTeamUserInfo.ps1 and type in the credentials of the service account (UserPrincipalName, not SamAccountName).
Credentials are now securely saved in the folder so the script can sign in to Office 365.