1. The M365 Group (The Connective Tissue)

  • The Blast Radius: M365 Groups are the underlying identity and access framework for modern collaboration. Creating a Group automatically provisions an Exchange Mailbox/Calendar, a SharePoint Team Site, a OneNote notebook, and a Planner plan. Adding Teams is an optional overlay.
  • Deletion & Recovery: Deleting a Team or a Group-connected SharePoint site deletes the entire M365 Group and all associated data across every workload.
    • Soft-deleted groups can be restored within 30 days via the Entra ID portal or Exchange Admin Center.
  • Naming & Expiration Policies: Administered centrally in Entra ID, these policies cascade down. If an M365 Group expires and is not renewed by the owner, all connected services (Teams, SharePoint, Exchange) are deleted.

2. Data Sync & Propagation Delays (The “Wait 24 Hours” Rule)

  • Identity Sync (Entra ID to M365): Changes to user attributes (UPN, Name, Title) or Group memberships in Entra ID often take time to reflect across the ecosystem.
    • Exchange Online and SharePoint usually update within 15–60 minutes.
    • The Microsoft Teams client relies heavily on local caching and can take up to 24–48 hours to fully reflect profile changes or new group access.
  • Search Indexing: Newly uploaded files in SharePoint/OneDrive or newly created Teams channels are not instantly searchable. Microsoft Search relies on continuous background crawling. If an entire site is missing from search, you can request a re-index via SharePoint Site Settings, but execution time is governed by Microsoft’s backend load.
  • Offline Address Book (OAB): For users running Outlook in Cached Exchange Mode, new hires or deleted users will not show up in the Global Address List immediately. Force an OAB download via the Outlook Send/Receive tab to isolate sync issues.

3. Microsoft Search & Information Architecture

  • Security Trimming: Microsoft Search (across Bing for Business, SharePoint, and Teams) is strictly security-trimmed. Users will only see results for files and sites they have explicit permission to access. If a user complains they can’t find a document, it is almost always a permissions issue, not a search engine failure.
  • Oversharing Risks: Because Search aggregates data across the tenant, poorly permissioned SharePoint sites or over-permissioned Teams channels (e.g., using “Everyone except external users”) will surface sensitive documents in routine employee searches.
  • Bookmarks & Q&A: Managed via the M365 Admin Center (Search & Intelligence). Use these to promote official company resources (e.g., HR portals, IT Helpdesk) to the top of search results.

4. Licensing & Service Plans

  • License Composition: Enterprise licenses (E3/E5) are not monolithic; they are bundles of individual “Service Plans” (e.g., Exchange Online Plan 2, SharePoint Plan 2, Sway, Planner, Viva Insights).
  • Granular Troubleshooting: If a user has an E3 license but cannot access Planner or Stream, check their specific license assignment in Entra ID or the M365 Admin Center. Individual service plans can be toggled off by administrators or group-based licensing policies.
  • Group-Based Licensing: In an enterprise environment, licenses should never be assigned manually. They must be managed via Entra ID Security Groups. Troubleshooting missing licenses requires checking the user’s group membership and the licensing group’s assignment logs.

5. Essential PowerShell Cmdlets (Microsoft Graph)

The MSOnline and AzureAD modules are deprecated. Microsoft Graph PowerShell is the required standard for cross-platform use and identity management.

  • Connection: Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"
  • Group Management:
    • Get-MgGroup -Filter "displayName eq 'Project Alpha'"
    • Get-MgGroupMember -GroupId <ObjectID>
  • License Troubleshooting:
    • Get-MgUserLicenseDetail -UserId user@domain.com
  • Directory Sync (If On-Premises AD is present):
    • (Run from the Entra ID Connect server): Start-ADSyncSyncCycle -PolicyType Delta
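
One way to carry out the license checks from sections 4 and 5, as an added example that is not part of the original page: the hypothetical helper Get-LicensePlanReport joins Get-MgUserLicenseDetail output with the user's licenseAssignmentStates to show which service plans are off and whether each SKU arrived directly or through a licensing group. The sample objects and their GUIDs are constructed so the function runs without a tenant.

```powershell
# Added example, not from the original page. Live input needs only a read scope:
#   Connect-MgGraph -Scopes "User.Read.All"
#   $detail = Get-MgUserLicenseDetail -UserId user@domain.com
#   $state  = (Get-MgUser -UserId user@domain.com -Property licenseAssignmentStates).LicenseAssignmentStates
function Get-LicensePlanReport {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $LicenseDetail,
        [Parameter(Mandatory)] [object[]] $AssignmentState
    )
    # Label an assignment path: the licensing group's object ID, or DIRECT for a manual assignment.
    $label = { param($p) if ($p.AssignedByGroup) { "group:$($p.AssignedByGroup)" } else { 'DIRECT' } }
    foreach ($sku in $LicenseDetail) {
        # One SKU can reach a user by several paths (direct and/or multiple groups).
        $paths = @($AssignmentState | Where-Object { $_.SkuId -eq $sku.SkuId })
        foreach ($plan in $sku.ServicePlans) {
            $off = @($paths | Where-Object { $_.DisabledPlans -contains $plan.ServicePlanId })
            [pscustomobject]@{
                Sku         = $sku.SkuPartNumber
                ServicePlan = $plan.ServicePlanName
                Status      = $plan.ProvisioningStatus
                AssignedVia = @($paths | ForEach-Object { & $label $_ }) -join ', '
                DisabledIn  = @($off | ForEach-Object { & $label $_ }) -join ', '
                PathErrors  = @($paths | Where-Object { $_.Error -and $_.Error -ne 'None' } |
                                ForEach-Object { $_.Error }) -join ', '
            }
        }
    }
}

# Constructed sample data shaped like the Graph objects; every GUID is a placeholder.
$detail = @([pscustomobject]@{
    SkuId = '00000000-0000-0000-0000-0000000000e3'; SkuPartNumber = 'ENTERPRISEPACK'
    ServicePlans = @(
        [pscustomobject]@{ ServicePlanId = '00000000-0000-0000-0000-00000000aaaa'; ServicePlanName = 'EXCHANGE_S_ENTERPRISE'; ProvisioningStatus = 'Success' }
        [pscustomobject]@{ ServicePlanId = '00000000-0000-0000-0000-00000000bbbb'; ServicePlanName = 'PROJECTWORKMANAGEMENT'; ProvisioningStatus = 'Disabled' }
    )
})
$state = @([pscustomobject]@{
    SkuId = '00000000-0000-0000-0000-0000000000e3'; AssignedByGroup = '00000000-0000-0000-0000-00000000cccc'
    DisabledPlans = @('00000000-0000-0000-0000-00000000bbbb'); State = 'Active'; Error = 'None'
})

# Show only plans that are not provisioned, with the path that disabled them.
Get-LicensePlanReport -LicenseDetail $detail -AssignmentState $state |
    Where-Object { $_.Status -ne 'Success' } | Format-List
```

A DIRECT entry in AssignedVia marks a manually assigned license, and a non-empty PathErrors value points to a group-based licensing failure on that assignment path.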