Forum Discussion
Lotusmail1
Dec 22, 2022
Copper Contributor
Different identity issuer assigned to guest account
Hello there, I have been noticing that a few of the guest accounts I created have a different identity issuer assigned. Some say "Mail" and some say "ExternalAzureAD" or sometimes "XXX.onmicrosoft.com". I ca...
- Dec 22, 2022
It's used by the new "one-time passcode" invite type, where identity verification happens over email, kinda.
Read here: https://learn.microsoft.com/en-us/azure/active-directory/external-identities/one-time-passcode
Lotusmail1
Dec 22, 2022
Copper Contributor
Hello Vasil,
Thank you for your quick response. The authentication type assigned for this particular domain/organization was Azure AD per connected org, not EOTP (email one-time passcode), and in fact another account from the same domain/organization was assigned ExternalAzureAD for its identity issuer. I don't understand why, despite coming from the same domain/organization, they have different Identity Issuers. Any thoughts about this? Let me know please. Thanks! Your input is greatly appreciated.
MikeCrowley
Feb 08, 2024
Iron Contributor
Perhaps those users were created prior to this change?
To improve external sharing, in October 2021, Microsoft plans to turn on https://docs.microsoft.com/en-us/azure/active-directory/external-identities/one-time-passcode by default for all tenants. Like the current ad-hoc sharing, the new mechanism features one-time passcodes. The big difference is that successful authentication results in the automatic creation of Azure AD guest accounts for external users.
https://office365itpros.com/2021/08/17/sharepoint-online-embraces-azure-b2b-collaboration-external-sharing
I realize this is an old post, but I kept circling back to it in a search, so I figured I'd add detail for others.
Or perhaps the allowExternalIdToUseEmailOtp value was toggled (from Vasil's article).
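
An added example, not part of any post in this thread: one way to check the "created prior to this change" idea is to export guest users and list, per email domain, which identity issuers appear and when those accounts were created. It assumes JSON shaped like a Microsoft Graph `/users` response for guests with `mail`, `createdDateTime` and `identities` selected; the sample data and the function names are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample, shaped like a Graph /users export of guest accounts
# (mail, createdDateTime, identities). Not real tenant data.
SAMPLE = json.loads("""
{"value": [
 {"mail": "ana@partner.example", "createdDateTime": "2021-11-03T10:00:00Z",
  "identities": [{"issuer": "mail", "issuerAssignedId": null}]},
 {"mail": "bo@partner.example", "createdDateTime": "2022-12-01T08:30:00Z",
  "identities": [{"issuer": "ExternalAzureAD", "issuerAssignedId": null}]},
 {"mail": "cy@Partner.example", "createdDateTime": "2022-12-15T14:00:00Z",
  "identities": [{"issuer": "ExternalAzureAD", "issuerAssignedId": null}]},
 {"mail": "dee@other.example", "createdDateTime": "2022-05-05T12:00:00Z",
  "identities": [{"issuer": "ExternalAzureAD", "issuerAssignedId": null}]}
]}
""")

def issuers_by_domain(users):
    """Map email domain -> issuer -> list of creation timestamps."""
    table = defaultdict(lambda: defaultdict(list))
    for user in users:
        mail = user.get("mail") or ""
        # Domains are case-insensitive; accounts without a mail value are grouped apart.
        domain = mail.rpartition("@")[2].lower() if "@" in mail else "(no mail)"
        for identity in user.get("identities") or []:
            issuer = identity.get("issuer") or "(none)"
            table[domain][issuer].append(user.get("createdDateTime", ""))
    return table

def mixed_issuer_domains(users):
    """Domains whose guests carry more than one issuer, with the
    (earliest, latest) creation time seen for each issuer."""
    report = {}
    for domain, issuers in issuers_by_domain(users).items():
        if len(issuers) > 1:
            # Same-format ISO 8601 UTC timestamps sort correctly as strings.
            report[domain] = {iss: (min(ts), max(ts)) for iss, ts in issuers.items()}
    return report

if __name__ == "__main__":
    for domain, issuers in mixed_issuer_domains(SAMPLE["value"]).items():
        print(domain)
        for issuer, (first, last) in sorted(issuers.items(), key=lambda kv: kv[1][0]):
            print(f"  {issuer:<18} created {first} .. {last}")
```

If the creation windows of the two issuers do not overlap, that is consistent with a setting having changed between the invitations; overlapping windows point elsewhere.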