Warning: PIM disconnects users from Teams Mobile
I have been working with Microsoft Support on this issue for three months. Hopefully I can save others the trouble.
Sometime around April 2024, I and my colleagues started seeing regular alerts on our mobile devices saying “Open Teams to continue receiving notifications for <email address>”, or “<email address> needs to sign in to see notifications”. Just as promised, after this message appears, we do not get notified about messages and Teams calls do not ring on our mobile devices until we open Teams. We eventually determined that these alerts coincided with activating or deactivating PIM roles.
Apparently, a change was made to Privileged Identity Management in Microsoft Entra ID around that time whereby users’ tokens are invalidated when a role is activated or deactivated. Quoting the Microsoft Support rep:
“When a user’s role changes (either due to activation or expiration), Skype AAD will revoke existing tokens of that user. Skype AAD will also notify PNH about that token revocation. This is expected behavior and is working as designed. These changes were rolled out in Skype AAD in April/May 2024 which is since when you are facing the issue as well.”
(I’ve never heard of Skype AAD or PNH, but who am I to question the expert?)
Anyway, as far as I can tell, this change was not announced or documented anywhere, so hopefully this message will show up in the search results of my fellow admins who are dealing with this. It’s not a bug, it’s “expected behavior and working as designed”.