Forum Discussion
External Access - Microsoft Account Creation
What you could do for these external users is to create guest users in your tenant for them... this is something possible and you could even create a secondary Azure AD for those purposes.
Why would I have so many external users with work email addresses in my admin portal? They weren't all created more than 2 years ago. It's totally unsustainable to create external IDs for each external user. IT would be a huge bottleneck. Maybe it has been like this all along as I don't have another work address to test with. I typically send to some test Gmail accounts I have. I just don't even know what the workflow would be to give an external user access to an Office 365 group now if they aren't on Office 365.
- Anonymous Feb 08, 2018
Because your guest user that gets set up in AAD goes by the address that you specify, and the actual Microsoft account used gets tied to that AAD account when they log in the first time using a Microsoft account accessing a shared resource in your tenant.
So you send a SharePoint invite out to external user@hiscompany.com. He gets the e-mail and tries to access. He logs in with his user@outlook.com Microsoft account. That account gets added into your tenant as user@hiscompany.com even though he logged in with the outlook.com account. But it now knows to associate that account with that user when they log in to that account to access your tenant resources.
- Luke Hoffman Feb 12, 2018
Iron Contributor
Great explanation. Thank you.
- StephenRice Feb 12, 2018
Microsoft
Lots of good feedback in this thread. When it comes to external sharing, there are two "buckets" of sharing that users can use today. First, you can share a site, add a user to an O365 group or directly add the user to the directory. All of these use AAD B2B as the underlying method of "invitation" and result in the targeted user having an account created in your directory. If you share a file or folder in ODB/SPO, you'll get the new flow that Salvatore mentioned. This does not require the user to create an account in your directory and relies on using a one-time passcode to verify that the user owns the e-mail address that you shared to. And, as always, there are more improvements coming here in the future. Let me know if you have any other questions!
Stephen Rice
OneDrive Program Manager II