Microsoft Tech Community

Azure AD B2B Inviting


Hi,

There's been a lot of changes with Azure AD B2B and I wanted to see if anyone had already implemented a method to let internal users invite external accounts themselves?

There's both PowerShell and API methods here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-api but they're more of a framework.

There's some code samples here on triggering the invite too: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-code-samples

Has anyone implemented an end user system to let staff do the invites themselves, and give appropriate permissions?

Also, is there a nice way to clean up externally invited accounts that haven't been used for a certain period?

Finally, is there any security risk in having an external user invited, but with no extra settings configured?

Thanks

Adam

3 Replies

I've been testing some of this in PowerShell using the Azure AD Preview module.

Inviting a user is easy enough:

# Send a B2B invitation email; the guest is redirected to My Apps after redeeming it
New-AzureADMSInvitation -InvitedUserEmailAddress someexternaluser@externaldomain.com -SendInvitationMessage $True -InviteRedirectUrl "http://myapps.microsoft.com"

But adding that user to a group for them to access something I'm finding much trickier to automate.

First you'd have to find the group and then get the Object ID. But you also need the Object ID of the user you just invited.

Getting the Object ID of the user is tricky because the invite itself generates an ID in the ID field, but that's not the Object ID. That's hidden in the InvitedUser field, which contains other data too.

Getting the user via email address doesn't work, so this was the quickest way I could work it out:

# Find the cloud-only group (DirSyncEnabled is $null for groups that are not synced from on-premises AD)
$group = Get-AzureADGroup -SearchString "Sharepoint Online Testsite" | Where-Object { $_.DirSyncEnabled -eq $null }

# Send the invitation; the object returned describes the invitation, not the user
$newuser = New-AzureADMSInvitation -InvitedUserEmailAddress testy@contoso.com -InvitedUserDisplayName "Full Name" -SendInvitationMessage $true -InviteRedirectUrl "http://myapps.microsoft.com"

# Look the new guest up again by the invited address to get a user object with an ObjectId
$newuser2 = Get-AzureADUser -SearchString $newuser.InvitedUserEmailAddress

# Add the guest to the group
Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $newuser2.ObjectId

I've now found out that script won't work for inviting people who are using a public email account such as gmail or hotmail, as it parses the email address differently.

Thankfully I can cut out a step and just use an object from inside an object inside an object :)

# Find the cloud-only group as before
$group = Get-AzureADGroup -SearchString "Sharepoint Online Testsite" | Where-Object { $_.DirSyncEnabled -eq $null }

# Send the invitation
$newuser = New-AzureADMSInvitation -InvitedUserEmailAddress testy@contoso.com -InvitedUserDisplayName "Full Name" -SendInvitationMessage $true -InviteRedirectUrl "http://myapps.microsoft.com"

# The invitation's InvitedUser property already carries the guest's ObjectId, so no second lookup is needed
Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $newuser.InvitedUser.Id

Thank you very much for this post, was extremely helpful in my work.

I do have a question though. How can I get the objectID of an invited user outside the scope of this script?

For example, if I had already invited a user but then I want to create a separate script which calls for an objectID of a given invited user and then, let's say, add them to a group.
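As an added example (not posted by anyone in this thread), the script below shows one way to look up an already-invited guest outside the invitation script, add them to a cloud-only group, and list invitations that were never redeemed, which is the part of the original "clean up unused accounts" question the AzureAD module can answer on its own. It assumes the AzureAD module is loaded and Connect-AzureAD has been run; the email address, group name and 90-day threshold are placeholders.

```powershell
# Added example, not from the thread. Assumes the AzureAD module is installed and
# Connect-AzureAD has already been run. Email, group name and threshold are placeholders.

# 1) Resolve an already-invited guest by the address that was invited.
#    Guests get a UPN like user_domain.com#EXT#@tenant.onmicrosoft.com, so filter on
#    the Mail attribute and restrict to userType Guest so a member account with the
#    same mail address can never be matched by mistake.
function Get-GuestByMail {
    param([Parameter(Mandatory)][string]$Mail)
    $escaped = $Mail -replace "'", "''"   # OData single-quote escaping
    Get-AzureADUser -Filter "userType eq 'Guest' and mail eq '$escaped'"
}

# 2) Add that guest to a cloud-only group, skipping the add if already a member.
function Add-GuestToGroup {
    param(
        [Parameter(Mandatory)][string]$Mail,
        [Parameter(Mandatory)][string]$GroupName
    )
    $guest = Get-GuestByMail -Mail $Mail
    if (-not $guest) { throw "No guest account found for $Mail" }
    $group = Get-AzureADGroup -SearchString $GroupName |
             Where-Object { $_.DirSyncEnabled -eq $null } |
             Select-Object -First 1
    if (-not $group) { throw "No cloud-only group named '$GroupName'" }
    $members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true
    if ($members.ObjectId -contains $guest.ObjectId) {
        Write-Host "$Mail is already a member of $($group.DisplayName)"
        return
    }
    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $guest.ObjectId
}

# 3) Report guests whose invitation was never redeemed within the threshold.
#    UserState stays 'PendingAcceptance' until the guest redeems the invite. The
#    last sign-in time is not on this object (it needs Microsoft Graph
#    signInActivity), so accepted-but-idle guests are out of scope here.
function Get-StalePendingGuests {
    param([int]$Days = 90)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-AzureADUser -Filter "userType eq 'Guest'" -All $true |
        Where-Object { $_.UserState -eq 'PendingAcceptance' -and
                       [datetime]$_.UserStateChangedOn -lt $cutoff } |
        Select-Object DisplayName, Mail, UserStateChangedOn
}

Add-GuestToGroup -Mail 'testy@contoso.com' -GroupName 'Sharepoint Online Testsite'
Get-StalePendingGuests -Days 90
```

The pending-invitation report is a review list only; removing those accounts (for example with Remove-AzureADUser) is a separate, deliberate step once the owner of the invite has confirmed it is no longer needed.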