The root cause of SharePoint permission sync issues in Teams Private channels explained

For the past three months, I’ve been working with Microsoft Support on my SharePoint permission issue with private channels in Teams.

Read: Members of Teams private channels have no access to the SharePoint site

In my previous post and via LinkedIn, I asked readers to reach out if they were experiencing the same issue, and some organizations did. Thank you for your collaboration and for providing me with some valuable insights related to that issue.

Two weeks ago, a colleague reported a strange issue involving a guest in SharePoint. The guest received an error stating he didn’t have a SharePoint license to access a shared site. I was able to reproduce this with other guest accounts.

Guest received an error stating he didn’t have a SharePoint license

This is unusual, as guest accounts typically don’t require a SharePoint license. I immediately suspected the situation was related to my private channel issue. Both cases show similar behavior patterns.

  • It works for internal users.
  • Guest accounts encounter a ‘missing SharePoint license’ error in a specific scenario.
  • I can’t reproduce it in my personal tenants.

As documented in the SharePoint service description:

Rights of guests: If you purchase a plan and create a site that uses enterprise features, guests you invite are granted rights to use and/or view the enterprise features within the site. While you can invite guests to perform a full range of actions on a site, they won’t have the same capabilities as a licensed user within your organization. For example, if your plan includes desktop versions of Office applications, guests can’t install them on their own computers unless you assign them a license.

I asked my contacts from the previous case one specific question:
Please verify whether SharePoint license enforcement is enabled in your tenant.

The test is simple:
Use any internal account without a SharePoint license and try to open a site shared with “Everyone.” SharePoint will display a message about the missing license if license enforcement is enabled.

The answer was consistent: All organizations that responded currently have license enforcement enabled.
This also explains why the issue only affects specific tenants, and when it does, it affects all private channels in that tenant. The problem isn’t with the guest accounts themselves, but with the underlying license requirement.

About SharePoint Online license enforcement
License enforcement in SharePoint is disabled by default. Microsoft documented this behavior back in 2018. I couldn’t find a current reference.
Previously, Microsoft explained that license enforcement is disabled by default, allowing customers to migrate data to SharePoint without requiring a full license. Once the migration is complete, organizations should request Microsoft Support to enable license enforcement. Once enabled, it cannot be turned off again.

With Microsoft’s input, the case finally makes sense. The private channel fails to sync guest permissions because the system responds with a 404 Not Found error. The system can’t find the guest account, as no valid SharePoint license is assigned.

The browser log below shows what happens when you add an unlicensed user to a private channel while license enforcement is enabled, affecting both internal and guest accounts.

  1. Teams calls an API to add a new member using the Entra ID object ID.
Adding a new member to a Teams private channel
  2. Teams receives a “404 Not Found” error for the user object.
404 Not Found error for the user object if the user has no SharePoint license

This is the same behavior you get when trying to add an unlicensed internal account to a SharePoint site.
Here’s an example comparing an unlicensed and a licensed user using PnP PowerShell.

  • The unlicensed user can’t be added — SharePoint can’t find the account.
  • No issue with the licensed user.
Unlicensed users could not be added to a SharePoint site

Normally, this doesn’t affect guest accounts, except for private channel site collections.
Similarly, unlicensed internal accounts don’t appear in the People Picker when license enforcement is enabled, and SharePoint will return an error if you try to share content with them.

Unable to share content with unlicensed internal users

What did I do to confirm the root cause?
  • Internal account without a SharePoint service plan

I prepared an internal test account with the SharePoint service plan disabled. After adding it to my private channel, the permission wasn’t synced to the SharePoint site; the same behavior as with guest accounts. The screenshots showing the “404 Not Found” errors above are from this test user.

  • Guest account with a SharePoint service plan

I then assigned a SharePoint Kiosk service plan to my guest account (all other service plans disabled).

SharePoint service plan is assigned to a guest account

After re-adding this guest to the private channel, the permission synced successfully to the SharePoint site. A test confirms it: the guest now has access to the Files tab in the Teams private channel and the SharePoint site.

The licensed guest account is synced from a Teams private channel
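
The check behind both tests above, as an added example (not the author's code): given license details shaped like the output of Microsoft Graph PowerShell's Get-MgUserLicenseDetail, it flags private channel members with no enabled SharePoint service plan. The function names, the sample accounts, and the list of plan names are assumptions, and the sample data is constructed.

```powershell
# Assumed, non-exhaustive list of SharePoint Online service plan names
# (Plan 2, Plan 1, Kiosk). Extend it for the SKUs used in your tenant.
$SharePointPlans = 'SHAREPOINTENTERPRISE', 'SHAREPOINTSTANDARD', 'SHAREPOINTDESKLESS'

function Test-SharePointPlan {
    # $LicenseDetail: objects shaped like Get-MgUserLicenseDetail output, each
    # with a ServicePlans collection (ServicePlanName, ProvisioningStatus).
    param([object[]]$LicenseDetail)
    $enabled = @($LicenseDetail | ForEach-Object { $_.ServicePlans } | Where-Object {
        $_.ServicePlanName -in $SharePointPlans -and $_.ProvisioningStatus -eq 'Success'
    })
    return $enabled.Count -gt 0
}

function Get-MemberWithoutSharePointPlan {
    # Returns the members that have no enabled SharePoint service plan.
    param([object[]]$Member)
    $Member | Where-Object { -not (Test-SharePointPlan -LicenseDetail $_.LicenseDetail) }
}

# Helper for the constructed sample data below (hypothetical).
function New-Plan($Name, $Status) {
    [pscustomobject]@{ ServicePlanName = $Name; ProvisioningStatus = $Status }
}

# Constructed sample members. With live data, fill LicenseDetail with
# @(Get-MgUserLicenseDetail -UserId <Entra ID object ID>) for each member.
$members = @(
    [pscustomobject]@{ Upn = 'licensed@contoso.example'; LicenseDetail = @(
        [pscustomobject]@{ ServicePlans = @(
            (New-Plan 'SHAREPOINTENTERPRISE' 'Success'), (New-Plan 'TEAMS1' 'Success')) }) }
    # Internal account with the SharePoint service plan switched off.
    [pscustomobject]@{ Upn = 'plan-disabled@contoso.example'; LicenseDetail = @(
        [pscustomobject]@{ ServicePlans = @(
            (New-Plan 'SHAREPOINTENTERPRISE' 'Disabled'), (New-Plan 'TEAMS1' 'Success')) }) }
    # Typical guest: no license assigned at all.
    [pscustomobject]@{ Upn = 'guest_partner.example#EXT#@contoso.example'; LicenseDetail = @() }
    # Guest with only the Kiosk plan enabled, as in the second test.
    [pscustomobject]@{ Upn = 'guest2_partner.example#EXT#@contoso.example'; LicenseDetail = @(
        [pscustomobject]@{ ServicePlans = @(
            (New-Plan 'SHAREPOINTDESKLESS' 'Success'), (New-Plan 'TEAMS1' 'Disabled')) }) }
)

# Lists the plan-disabled internal account and the unlicensed guest.
Get-MemberWithoutSharePointPlan -Member $members | Select-Object -ExpandProperty Upn
```

The result only predicts a sync failure in tenants where license enforcement is enabled.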

I shared my findings with Microsoft on Monday. They implemented a tenant-specific solution related to license enforcement, and private channels now work correctly for users without a SharePoint license.
I ran some additional tests. The tenant-specific solution: License enforcement was disabled. Microsoft is currently investigating a permanent solution.

The positive note: I was able to identify/confirm a second issue related to license enforcement.


Tobias Asböck

Tobias is a Senior System Engineer with more than 10 years of professional experience with Microsoft 365 products such as SharePoint Online, SharePoint Premium, OneDrive for Business, Teams Collaboration, Entra ID, Information Protection, Universal Print, and Microsoft 365 Licensing. He also has 15+ years of experience planning, administering, and operating SharePoint Server environments. Tobias is a PowerShell Scripter with certifications for Microsoft 365 products. In his spare time, Tobias is busy with updates in the Microsoft 365 world or on the road with his road bike and other sports activities. If you have additional questions, please contact me via LinkedIn or [email protected].
