Missing “UserType” attribute in Azure AD

Over the years, I’ve created multiple labs, so that I can test different scenarios. One of my first “cloud only” Azure AD labs was created back in 2012. Two weeks ago, I wanted to use this lab to test a new Conditional Access scenario that one of my customers needed.

A long time ago, I also created an “All Users” group based on direct membership, so I thought it was a good idea to replace that group with a new and “shiny” dynamic group based on the “UserType” attribute.

So, I created the following group, and started to redeploy all my policies to the new group.

But the policy didn’t get applied. At least not to my test user.

I checked the group, and for some reason my test user hadn’t been added as a member of the new dynamic group. By checking the properties of the user, I learned that the Source was “Unknown” and the User Type was blank.

I then pulled a list of all the users in my test lab (Get-AzureADUser), and two user accounts didn’t have a “UserType” specified. All other users were ok.

I fixed the users by setting the “UserType” to “Member” by running the following PowerShell command:

Set-MsolUser -UserPrincipalName username@contoso.onmicrosoft.com -UserType Member

This fixed both the missing “UserType” and the “Source”.

I finally found this article that says “UserType” (Guest/Member) was first introduced on August 31st 2014.

https://cloudblogs.microsoft.com/enterprisemobility/2014/08/15/prepping-for-new-management-features/

So basically, this means that all your Azure AD user accounts that were created before this date might be affected by this issue. You can identify the creation date by running the following PowerShell command:

Get-MSOLUser -All | Select DisplayName, UserPrincipalName, WhenCreated

As we would expect, the two users with the missing “UserType” property were both created before August 31st, 2014.
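As an added example (my own script, not one from the original post), here are the three checks above combined into one pass: list every user with a blank “UserType”, show the creation date against the August 31st, 2014 cutoff, and set the pre-cutoff accounts to Member once $commit is flipped to $true. It assumes the MSOnline module is installed and that Connect-MsolService has already been run.

```powershell
# Added example, not part of the original post.
# Assumes: MSOnline module installed and an existing Connect-MsolService session.
$cutoff = Get-Date '2014-08-31'   # date UserType was introduced, per the post
$commit = $false                  # set to $true to actually write the fix

# Pull all users once and keep only those with no UserType at all.
# Guests have UserType 'Guest', so they are never selected here.
$affected = Get-MsolUser -All |
    Where-Object { [string]::IsNullOrEmpty($_.UserType) } |
    Select-Object DisplayName, UserPrincipalName, WhenCreated,
        @{ Name = 'CreatedBeforeCutoff'; Expression = { $_.WhenCreated -lt $cutoff } }

if (-not $affected) {
    Write-Host 'No users with a blank UserType found.'
    return
}

# Report first so the list can be reviewed before anything is written back.
$affected | Format-Table -AutoSize

foreach ($user in $affected) {
    if (-not $user.CreatedBeforeCutoff) {
        # A blank UserType on a newer account is unexpected; review it by hand.
        Write-Warning "Skipping $($user.UserPrincipalName): created after cutoff"
        continue
    }
    if ($commit) {
        # The fix from the post: mark the account as a Member.
        Set-MsolUser -UserPrincipalName $user.UserPrincipalName -UserType Member
        Write-Host "Fixed $($user.UserPrincipalName)"
    }
    else {
        Write-Host "Would fix $($user.UserPrincipalName) (set `$commit = `$true to apply)"
    }
}
```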

Conclusion:

As you can guess, this will most likely be an issue for many customers, so I contacted Microsoft Support, who said they will escalate this to find a solution that will help other customers fix it.

Meanwhile… If you have an Azure AD tenant that was created before August 2014 and want to use this attribute, you might want to check the state of the user settings and fix it yourself (the fix documented here is fully supported).

/Enjoy.

About Author

My name is Ronni Pedersen and I'm currently working as a Cloud Solution Architect at EG A/S in Denmark. My primary focus is Enterprise Client Management solutions, based on technologies like AzureAD, Intune, EMS and System Center Configuration Manager. I'm also a Microsoft Certified Trainer and Microsoft MVP in Enterprise Mobility.
