Forum Discussion
External user error message - I think it's on their end?
Before they onboarded onto Office 365, were they using the same email address for a Microsoft account (EASI ID)? If so, here is what is likely happening...
1) You previously invited Stephen@contoso.com to your tenant.
2) I accepted using Stephen@contoso.com (MSA).
3) Contoso onboards onto Office 365 and I begin using Exchange with Stephen@contoso.com (AAD).
4) I click on the shared document.
5) As I am not authenticated, I get redirected to AAD for auth.
6) AAD says I'm signed in with Stephen@contoso.com (AAD) and sends me back to SPO with that identity.
7) SPO throws the above error message because Stephen@contoso.com (AAD) does not have access to that document; Stephen@contoso.com (MSA) does.
If you ask your users to sign out of their AAD account, then, when they log back in after clicking on the shared document, they will be asked which identity they want to use. If they pick the "personal" (MSA) option, it should work.
Hope that helps!!!
Stephen Rice
OneDrive Program Manager II
Stephen,
I believe you are correct - they had previously been using an MSA to log into SharePoint prior to adopting O365.
Is there a specific address I can point them to when asking them to log out of their AAD account? They do not have a SharePoint site, so would portal.office.com work for them?
Michael
- Salvatore Biscari, Jun 26, 2017, Silver Contributor
I have seen a lot of authentication problems for people having the same username (i.e. email address) for the MSA and the Office 365 (commercial) account.
My advice is to get rid of the MSA username ASAP. It is actually very easy and, by changing the username, they will lose neither their MSA identity nor any of the subscriptions and services associated with it.
Have a look at this article: https://www.howtogeek.com/277170/how-to-change-the-primary-email-address-for-your-microsoft-account/
- Michael Baird, Jun 26, 2017, Brass Contributor
Thanks Salvatore.
One question, though, about an issue for which I don't know how to offer these users a resolution. We are a business running projects, using SharePoint to distribute documents and send alerts. Previously these external users were signed in with the MSA tied to their work email account. Alerts and notifications would go to their work inbox.
If they change the primary email on the MSA, alerts being sent out for a project they are working on for their company are now going to someone's personal, potentially unmonitored inbox.
This seems like a very weak link in the business process.
What is it in their AAD setup that is preventing them from logging into our SharePoint site with their Office 365 / AAD account???
Michael
- Salvatore Biscari, Jun 26, 2017, Silver Contributor
In my understanding, the problem is that those users are instantiated in your AAD as MSAs. Hence, if they are logged in to their AAD and try to log in to your AAD, Office 365 will automatically try to use their AAD identity for authentication and will fail (even if the username, i.e. the email address, is the same...).
One way to solve the problem, as Stephen advised, is to sign out of their AAD every time they want to access your resources, so they will have the possibility to choose to log in to your AAD with their MSA.
AFAIK, though, to solve the problem once and for all, they should get rid of their MSA primary email address and you should remove their MSA from your directory and reshare the resources with them using their AAD identity. StephenRice: am I correct?