Azure AD B2B Inviting

Adam Fowler
MVP

Hi,

There have been a lot of changes with Azure AD B2B and I wanted to see if anyone had already implemented a method to let internal users invite external accounts themselves?

 

There are both PowerShell and API methods here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-api but they're more of a framework.

 

There are some code samples here on triggering the invite too: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-code-samples

 

Has anyone implemented an end user system to let staff do the invites themselves, and give appropriate permissions?

 

Also, is there a nice way to clean up externally invited accounts that haven't been used for a certain period?

 

Finally, is there any security risk in having an external user invited, but with no extra settings configured?

 

Thanks

Adam

2 Replies

I've been testing some of this in PowerShell using the Azure AD Preview module.

 

Inviting a user is easy enough:

 

New-AzureADMSInvitation -InvitedUserEmailAddress someexternaluser@externaldomain.com -SendInvitationMessage $True -InviteRedirectUrl "http://myapps.microsoft.com"

But adding that user to a group for them to access something I'm finding much trickier to automate.

 

First you'd have to find the group and then get the Object ID. But you also need the Object ID of the user you just invited.

 

Getting the Object ID of the user is tricky because the invite itself generates an ID in the ID field, but that's not the Object ID. That's hidden in the InvitedUser field, which contains other data too.

 

Getting the user via email address doesn't work, so this was the quickest way I could work it out:

 

$group = get-azureadgroup -SearchString "Sharepoint Online Testsite" | where {$_.dirsyncenabled -eq $null}

$newuser = New-AzureADMSInvitation -InvitedUserEmailAddress testy@contoso.com -InvitedUserDisplayName "Full Name" -sendinvitationmessage $true -InviteRedirectUrl "http://myapps.microsoft.com"

$newuser2 = get-azureaduser -SearchString $newuser.InvitedUserEmailAddress

Add-AzureADGroupMember -objectid $group.objectid -RefObjectId $newuser2.objectid

I've now found out that script won't work for inviting people who are using a public email account such as gmail or hotmail, as it parses the email address differently.

 

Thankfully I can cut out a step and just use an object from inside an object inside an object :)

 

$group = get-azureadgroup -SearchString "Sharepoint Online Testsite" | where {$_.dirsyncenabled -eq $null}

$newuser = New-AzureADMSInvitation -InvitedUserEmailAddress testy@contoso.com -InvitedUserDisplayName "Full Name" -sendinvitationmessage $true -InviteRedirectUrl "http://myapps.microsoft.com"

Add-AzureADGroupMember -objectid $group.objectid -RefObjectId $newuser.InvitedUser.Id
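Pulling the two replies together, here is an added example (my code, not Adam's and not Microsoft's sample) that wraps the invite-then-add-to-group sequence in a function using $invite.InvitedUser.Id, and a second function for the clean-up question that lists guests whose invitation was never redeemed. It assumes the AzureAD or AzureADPreview module is loaded, Connect-AzureAD has been run, and that the module exposes createdDateTime through ExtensionProperty (it does in the versions I have used; last sign-in is not available from this module at all, only from Graph).

```powershell
# Added example, not from the thread. Assumes Connect-AzureAD has already been run.
function Add-B2BGuestToGroup {
    param(
        [Parameter(Mandatory)][string]$EmailAddress,
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$GroupName,
        [string]$RedirectUrl = "https://myapps.microsoft.com"
    )
    # Only cloud-mastered groups accept members here; synced groups are managed on-prem.
    # Fail if the search is ambiguous instead of adding the guest to the wrong group.
    $group = @(Get-AzureADGroup -SearchString $GroupName |
        Where-Object { $_.DirSyncEnabled -ne $true })
    if ($group.Count -ne 1) {
        throw "Expected one cloud-only group matching '$GroupName', found $($group.Count)"
    }
    $group = $group[0]

    # Explicit Guest type so a typo never produces a Member-type external account.
    $invite = New-AzureADMSInvitation -InvitedUserEmailAddress $EmailAddress `
        -InvitedUserDisplayName $DisplayName -InvitedUserType "Guest" `
        -SendInvitationMessage $true -InviteRedirectUrl $RedirectUrl

    # $invite.Id is the invitation id; the directory object id is under InvitedUser.
    $guestId = $invite.InvitedUser.Id

    # Skip the add if the guest is already a member (Add-AzureADGroupMember errors on duplicates).
    $memberIds = (Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true).ObjectId
    if ($memberIds -notcontains $guestId) {
        Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $guestId
    }
    return $invite
}

# Lists guests invited more than $OlderThanDays ago who never redeemed the invitation.
# Review the output before removing anything; this only reports, it does not delete.
function Get-UnredeemedGuest {
    param([int]$OlderThanDays = 30)
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    Get-AzureADUser -Filter "userType eq 'Guest'" -All $true |
        Where-Object { $_.UserState -eq 'PendingAcceptance' } |
        Where-Object {
            # createdDateTime is surfaced in ExtensionProperty by the AzureAD module (assumed).
            $created = $_.ExtensionProperty['createdDateTime']
            $created -and ([datetime]$created) -lt $cutoff
        } |
        Select-Object DisplayName, Mail, UserPrincipalName, UserState, ObjectId
}

# Usage:
# Add-B2BGuestToGroup -EmailAddress testy@contoso.com -DisplayName "Full Name" -GroupName "Sharepoint Online Testsite"
# Get-UnredeemedGuest -OlderThanDays 60
```

Guests who did redeem but have since gone idle need sign-in data, which means querying signInActivity through Microsoft Graph rather than this module.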
