cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Home

Guest invite limitation?

%3CLINGO-SUB%20id%3D%22lingo-sub-298916%22%20slang%3D%22en-US%22%3EGuest%20invite%20limitation%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-298916%22%20slang%3D%22en-US%22%3E%3CP%3EJust%20want%20to%20make%20sure!%26nbsp%3B%20Company%20with%20DomainX%20use%20office%20365%20for%20some%20users!%20If%20i%20add%20a%20user%20with%20user.domainX.com%20to%20my%20team%26nbsp%3Band%20that%20user%20have%20a%20license%20in%20their%20tenant%20it%20works!%20If%20I%20invite%20someone%20on%20domainX%20not%20using%20office%20365%20%2C%20they%20get%20an%20error%20using%20the%20invite%20link%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESomething%20like%20this%3A%26nbsp%3B%20%3CSPAN%3EAADB2B_0001%20Can't%20create%20an%20Azure%20AD%20account%20with%20self-service%20due%20to%20the%26nbsp%3Bcatalog%20is%20federated%E2%80%A6.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EAdam%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-298916%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EGuest%20Access%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Teams%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-299725%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20invite%20limitation%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-299725%22%20slang%3D%22en-US%22%3E%3CP%3EHave%20experienced%20a%20few%20scenarios%20like%20this%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.)%20Like%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F869%22%20target%3D%22_blank%22%3E%40Chris%20Webb%3C%2FA%3E%20where%20the%20other%20tenant%20has%20365%20but%20Teams%20is%20completely%20off%20and%20the%20org%20didn't%20want%20Teams%2C%20I%20have%20invited%20them%20as%20a%20guest%20on%20their%20MSA%20account%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E2.)%20In%20the%20same%20scenario%20when%20the%20other%20tenant%20has%20365%20but%20Teams%20is%20completely%20off%20I%20managed%20to%20convince%20the%20org%20to%20set%20up%20Teams%20for%20the%20user%20and%20invited%20them%20as%20a%20guest%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E3.)%20I%20have%20also%20experienced%20this%20when%20adding%20a%20guest%20to%20our%20tenant%20for%20an%20org%20who%20hasn't%20used%20Office%20365%20at%20all%20and%20someone%20has%20gone%20and%20created%20a%20free%20Power%20BI%20subscription.%20Had%20to%20go%20remove%20the%20domain%20and%20blow%20it%20away%20before%20the%20user%20could%20be%20added%20as%20a%20guest.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20would%20agree%20with%20everything%20others%20have%20said.%20If%20the%20domain%2Fsubdomain%20is%20in%20AAD%20then%20the%20invite%20will%20look%20for%20the%20user%20there.%20If%20there%20was%20a%20scenario%2C%20let's%20say%2C%20where%20the%20domain%20is%20in%20AAD%20and%20the%20org%20is%20only%20using%20SharePoint%20with%20AADC%20(not%20teams)%20and%20the%20user%20wasn't%20part%20of%20their%20SharePoint%20site%2C%20then%20the%20org%20would%20need%20to%20sync%20the%20user%20on%20AADC%20for%20the%20user%20to%20exist%20in%20Azure%20AD%20and%26nbsp%3Ban%20Office%20365%20licence%20with%20Teams%20(I.e.%20like%20Business%20Essentials)%20would%20be%20the%20optimal%20add.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHope%20that%20helps.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBest%2C%20Chris%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-299704%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20invite%20limitation%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-299704%22%20slang%3D%22en-US%22%3EI%20haven%E2%80%99t%20tried%20in%20awhile%20so%20I%20do%20t%20know%20if%20it%20changed%20but%20you%E2%80%99ll%20know%20cause%20you%E2%80%99ll%20authenticate%20then%20get%20the%20whole%20teams%20must%20be%20enabled%20for%20your%20organization%20message%20when%20trying%20to%20use%20the%20client.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-299700%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20invite%20limitation%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-299700%22%20slang%3D%22en-US%22%3E%3CP%3Eyeah%2C%20i've%20heard%20those%20scenarios.%20But%20in%20this%20case%20I%20guess%20the%20user%20won't%20have%20to%20be%20licenced.%20isn't%20that%20basically%20the%20same%20thing%20as%20having%20a%20365%20license%2C%20with%20teams%20disabled%20in%20this%20case%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-299697%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20invite%20limitation%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-299697%22%20slang%3D%22en-US%22%3EThey%20still%20have%20to%20go%20back%20to%20their%20tenant%20to%20authenticate.%20Also%20I%20used%20to%20have%20the%20issue%20with%20teams%20guest%20access%20back%20then%20if%20the%20user%20had%20365%20but%20didn%E2%80%99t%20have%20teams%20on%20they%20can%E2%80%99t%20join%20as%20a%20guest%20anywhere%20else.%20I%20always%20had%20them%20just%20setup%20or%20use%20MsA%20accounts%20for%20guest%20in%20those%20cases%20that%20they%20didn%E2%80%99t%20use%20teams.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-299692%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20invite%20limitation%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-299692%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F869%22%20target%3D%22_blank%22%3E%40Chris%20Webb%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F178440%22%20target%3D%22_blank%22%3E%40Steven%20Collier%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F169605%22%20target%3D%22_blank%22%3E%40Christopher%20Hoard%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F60%22%20target%3D%22_blank%22%3E%40Juan%20Carlos%20Gonz%C3%A1lez%20Mart%C3%ADn%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20thoughts%20or%20experiences%20regarding%20this%20thread%20and%20the%20%3CSPAN%3EAllowEmailVerifiedUsers%20setting%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EI'm%20awaiting%20the%20guest%20user%20to%20accept%20the%20invite%20after%20their%20admin%20syncing%20the%20user%20to%20AAD%2C%20but%20the%20users%20invite%20url%20is%20now%20directing%20to%20their%20tenant%20%3A)%3C%2Fimg%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3ECurious%20about%20the%26nbsp%3BAllowEmailVerifiedUsers%20though!%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EAdam%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-299255%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20invite%20limitation%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-299255%22%20slang%3D%22en-US%22%3EFound%20this%20in%20MS%20doc%3A%3CBR%20%2F%3E%3CBR%20%2F%3EYou%20administer%20a%20directory%20with%20a%20verified%20domain%20such%20as%20contoso.com%3CBR%20%2F%3EYou%20use%20B2B%20collaboration%20from%20a%20different%20directory%20to%20invite%20a%20user%20that%20does%20not%20already%20exist%20(userdoesnotexist%40contoso.com)%20in%20the%20home%20directory%20of%20constoso.com%3CBR%20%2F%3EThe%20home%20directory%20has%20the%20AllowEmailVerifiedUsers%20turned%20on%3CBR%20%2F%3EIf%20the%20preceding%20conditions%20are%20true%2C%20then%20a%20member%20user%20is%20created%20in%20the%20home%20directory%2C%20and%20a%20B2B%20guest%20user%20is%20created%20in%20the%20inviting%20directory.%3CBR%20%2F%3E%3CBR%20%2F%3EFrom%3A%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen%2Fazure%2Factive-directory%2Fusers-groups-roles%2Fdirectory-self-service-signup%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen%2Fazure%2Factive-directory%2Fusers-groups-roles%2Fdirectory-self-service-signup%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EFrom%20what%20I%20understand%20from%20this%20is%20the%20following!%3CBR%20%2F%3EIn%20my%20scenario%20when%20an%20invited%20user%20don%E2%80%99t%20have%20any%20account%20in%20their%20organizations%20AAD%2C%20the%20invite%20process%20tries%20to%20create%20one%20based%20on%20the%20email%20address!%20Without%20the%20cmdlet%20above%2C%20this%20is%20not%20possible%2C%20but%20should%20be%20possible%20if%20it%20was%20set%20to%20true%3CBR%20%2F%3EAlthough%20if%20it%E2%80%99s%20a%20domain%20synced%20with%20ad%2C%20I%20guess%20it%E2%80%99s%20still%20not%20possible!%3CBR%20%2F%3EGeez....%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-299247%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20invite%20limitation%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-299247%22%20slang%3D%22en-US%22%3EYes!%20Thanks!%20I%E2%80%99ve%20read%20up%20on%20that%20now!%20There%E2%80%99s%20also%20way%20to%20take%20management%20of%20this%20tenant%20apparently%20%3A)%3C%2Fimg%3E%3CBR%20%2F%3EAlthough%20my%20issue%20is%20another%20but%20I%20seem%20to%20have%20figured%20it%20out%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-299228%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20invite%20limitation%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-299228%22%20slang%3D%22en-US%22%3E%3CP%3EIf%20there%20is%20already%20a%20managed%20AzureAD%20then%20accounts%20can%20only%20be%20created%20there%20by%20that%20company%2C%20it's%20admins%20etc.%3C%2FP%3E%0A%3CP%3EIf%20the%20company%20has%20never%20used%20AzureAD%20then%20accounts%20get%20automatically%20provisioned%20in%20a%20virally%20provisioned%20AzureAD%20tenant%20for%20the%20company.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-299220%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20invite%20limitation%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-299220%22%20slang%3D%22en-US%22%3EHi!%20Didn%E2%80%99t%20quite%20catch%20the%20last%20paragraph!%20Can%20you%20please%20explain%20a%20little%20further%3F%3CBR%20%2F%3EAlso%20you%20mean%20a%20tenant%20gets%20created%20if%20there%E2%80%99s%20no%20azure%20ad%20connected%20to%20the%20guest%20mails%20domain%3F%3CBR%20%2F%3EIn%20this%20case%20there%20is%20already%20though%20but%20the%20user%20don%E2%80%99t%20exist%20in%20that%20AAD%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-299209%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20invite%20limitation%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-299209%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F72542%22%20target%3D%22_blank%22%3E%40adam%20deltinger%3C%2FA%3E%20if%20the%20company%20your%20are%20connecting%20to%20does%20not%20use%20any%20services%20based%20on%20AzureAD%20then%20a%20tenant%20gets%20provisioned%20and%20your%20guests%20are%20created%20within%20it.%3C%2FP%3E%0A%3CP%3EIf%20the%20company%20already%20has%20AzureAD%20for%20something%20then%20it's%20managed%20by%20the%20global%20admins%20of%20that%20tenant.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EInterestingly%20if%20you%20have%20one%20of%20these%20virally%20provisioned%20tenants%2C%20then%20but%20something%20with%20AzureAD%20you%20adopt%20the%20tenant%2C%20and%20can%20then%20manage%20the%20accounts%20created%20there.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-299099%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20invite%20limitation%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-299099%22%20slang%3D%22en-US%22%3E%3CP%3EI%20was%20looking%20at%20the%26nbsp%3B%3CSPAN%3ESet-Msol%3C%2FSPAN%3E%3CSPAN%3ECompany%3C%2FSPAN%3E%3CSPAN%3ESettings%3C%2FSPAN%3E%20%3CSPAN%3E-AllowEmailVerifiedUsers%20setting%20which%20joins%20by%20email%20validation%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EDon't%20know%20exactly%20%3CSPAN%3Ewhat's%20happening%20here%20but%20according%20to%20this%20blogpost%2C%20it%20would%20be%20possible%20if%20the%20mail%20address%20matches%20the%20tenant%20name%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CFONT%3E%3CA%20href%3D%22https%3A%2F%2Fwww.xtseminars.co.uk%2Fblog%2Fazure-ad-b2b-invitations-and-email-verified-users%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.xtseminars.co.uk%2Fblog%2Fazure-ad-b2b-invitations-and-email-verified-users%3C%2FA%3E%3C%2FFONT%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CFONT%3EFound%20this%20MS%20documentation%20link%20about%20the%20cmdlet%20as%20well!%20Don't%20say%20much%20though%3C%2FFONT%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CFONT%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpowershell%2Fmodule%2Fmsonline%2Fset-msolcompanysettings%3Fview%3Dazureadps-1.0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpowershell%2Fmodule%2Fmsonline%2Fset-msolcompanysettings%3Fview%3Dazureadps-1.0%3C%2FA%3E%3C%2FFONT%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CFONT%3E%2F%20Adam%3C%2FFONT%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-299065%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20invite%20limitation%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-299065%22%20slang%3D%22en-US%22%3E%3CP%3EThere%20is%20no%20such%20thing%20as%20self-service%20account%20provisioning%2C%20an%20admin%20in%20the%20organization%20needs%20to%20provision%20the%20account.%20If%20the%20account%20doesn't%20exist%2C%20the%20entry%20will%20simply%20remain%20in%20your%20directory%20as%20%22orphaned%22%20object.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-299000%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20invite%20limitation%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-299000%22%20slang%3D%22en-US%22%3EYeah%20if%20they%20have%20a%20domain%20but%20no%20user%20account%20sync'd%20you're%20going%20to%20have%20problems%20because%20basically%20the%20account%20doesn't%20exist.%20If%20the%20account%20sync's%20from%20on-prem%2C%20but%20not%20licensed%20it%20should%20work%20in%20that%20case%2C%20but%20the%20account%20needs%20to%20exist%20in%20the%20365%20domain.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-298987%22%20slang%3D%22en-US%22%3ERe%3A%20Guest%20invite%20limitation%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-298987%22%20slang%3D%22en-US%22%3ECorrect%20me%20if%20I%E2%80%99m%20wrong!%20A%20guest%20user%20from%20a%20domain%20in%20office365%20uses%20their%20AAD%20to%20authenticate!%20If%20the%20user%20is%20not%20present%20(%20not%20created%20or%20synced%20)%20aka%20not%20using%20office%20365%20%2C%20the%20invite%20procedure%20tries%20to%20create%20the%20user%20in%20their%20AAD.%20This%20will%20probably%20fail%20due%20to%20several%20reasons!%3CBR%20%2F%3ESo%20to%20correct%20this%20their%20admin%20has%20to%20either%20make%20a%20setting%20via%20powershell%20to%20enable%20self%20creation%20or%20sync%2Fcreate%20the%20user%20in%20their%20AAD%3C%2FLINGO-BODY%3E
adam deltinger
adam deltinger
MVP

‎12-11-2018 06:17 AM

‎12-11-2018 06:17 AM

Guest invite limitation?

Just want to make sure!  Company with DomainX use office 365 for some users! If i add a user with user.domainX.com to my team and that user have a license in their tenant it works! If I invite someone on domainX not using office 365 , they get an error using the invite link

 

Something like this:  AADB2B_0001 Can't create an Azure AD account with self-service due to the catalog is federated….

 

 

Adam

731 Views
0 Likes
14 Replies
Reply
14 Replies
Highlighted
adam deltinger

‎12-11-2018 07:49 AM

‎12-11-2018 07:49 AM

Re: Guest invite limitation?

Correct me if I’m wrong! A guest user from a domain in office365 uses their AAD to authenticate! If the user is not present ( not created or synced ) aka not using office 365 , the invite procedure tries to create the user in their AAD. This will probably fail due to several reasons!
So to correct this their admin has to either make a setting via powershell to enable self creation or sync/create the user in their AAD
0 Likes
Reply
Chris Webb

‎12-11-2018 08:11 AM

‎12-11-2018 08:11 AM

Re: Guest invite limitation?

Yeah if they have a domain but no user account sync'd you're going to have problems because basically the account doesn't exist. If the account sync's from on-prem, but not licensed it should work in that case, but the account needs to exist in the 365 domain.
0 Likes
Reply
Vasil Michev

‎12-11-2018 10:00 AM

‎12-11-2018 10:00 AM

Re: Guest invite limitation?

There is no such thing as self-service account provisioning, an admin in the organization needs to provision the account. If the account doesn't exist, the entry will simply remain in your directory as "orphaned" object.

0 Likes
Reply
adam deltinger

‎12-11-2018 10:56 AM

‎12-11-2018 10:56 AM

Re: Guest invite limitation?

I was looking at the Set-MsolCompanySettings -AllowEmailVerifiedUsers setting which joins by email validation

 

Don't know exactly what's happening here but according to this blogpost, it would be possible if the mail address matches the tenant name

 

https://www.xtseminars.co.uk/blog/azure-ad-b2b-invitations-and-email-verified-users

 

Found this MS documentation link about the cmdlet as well! Don't say much though

 

https://docs.microsoft.com/en-us/powershell/module/msonline/set-msolcompanysettings?view=azureadps-1...

 

/ Adam

 

 

 

 

0 Likes
Reply
Steven Collier

‎12-11-2018 12:55 PM

‎12-11-2018 12:55 PM

Re: Guest invite limitation?

@adam deltinger if the company your are connecting to does not use any services based on AzureAD then a tenant gets provisioned and your guests are created within it.

If the company already has AzureAD for something then it's managed by the global admins of that tenant.

 

Interestingly if you have one of these virally provisioned tenants, then but something with AzureAD you adopt the tenant, and can then manage the accounts created there.

0 Likes
Reply
adam deltinger

‎12-11-2018 01:03 PM

‎12-11-2018 01:03 PM

Re: Guest invite limitation?

Hi! Didn’t quite catch the last paragraph! Can you please explain a little further?
Also you mean a tenant gets created if there’s no azure ad connected to the guest mails domain?
In this case there is already though but the user don’t exist in that AAD
0 Likes
Reply
Steven Collier

‎12-11-2018 01:09 PM

‎12-11-2018 01:09 PM

Re: Guest invite limitation?

If there is already a managed AzureAD then accounts can only be created there by that company, it's admins etc.

If the company has never used AzureAD then accounts get automatically provisioned in a virally provisioned AzureAD tenant for the company.

0 Likes
Reply
adam deltinger

‎12-11-2018 01:33 PM

‎12-11-2018 01:33 PM

Re: Guest invite limitation?

Yes! Thanks! I’ve read up on that now! There’s also way to take management of this tenant apparently :)
Although my issue is another but I seem to have figured it out
0 Likes
Reply
adam deltinger

‎12-11-2018 01:42 PM

‎12-11-2018 01:42 PM

Re: Guest invite limitation?

Found this in MS doc:

You administer a directory with a verified domain such as contoso.com
You use B2B collaboration from a different directory to invite a user that does not already exist (userdoesnotexist@contoso.com) in the home directory of constoso.com
The home directory has the AllowEmailVerifiedUsers turned on
If the preceding conditions are true, then a member user is created in the home directory, and a B2B guest user is created in the inviting directory.

From:
https://docs.microsoft.com/en/azure/active-directory/users-groups-roles/directory-self-service-signu...

From what I understand from this is the following!
In my scenario when an invited user don’t have any account in their organizations AAD, the invite process tries to create one based on the email address! Without the cmdlet above, this is not possible, but should be possible if it was set to true
Although if it’s a domain synced with ad, I guess it’s still not possible!
Geez....
1 Like
Reply
adam deltinger

‎12-12-2018 06:16 AM

‎12-12-2018 06:16 AM

Re: Guest invite limitation?

@Vasil Michev @Chris Webb @Steven Collier @Christopher Hoard @Juan Carlos González Martín

 

Any thoughts or experiences regarding this thread and the AllowEmailVerifiedUsers setting?

I'm awaiting the guest user to accept the invite after their admin syncing the user to AAD, but the users invite url is now directing to their tenant :)

Curious about the AllowEmailVerifiedUsers though!

 

Adam

0 Likes
Reply
Chris Webb

‎12-12-2018 06:20 AM

‎12-12-2018 06:20 AM

Re: Guest invite limitation?

They still have to go back to their tenant to authenticate. Also I used to have the issue with teams guest access back then if the user had 365 but didn’t have teams on they can’t join as a guest anywhere else. I always had them just setup or use MsA accounts for guest in those cases that they didn’t use teams.
1 Like
Reply
adam deltinger

‎12-12-2018 06:27 AM

‎12-12-2018 06:27 AM

Re: Guest invite limitation?

yeah, i've heard those scenarios. But in this case I guess the user won't have to be licenced. isn't that basically the same thing as having a 365 license, with teams disabled in this case?

0 Likes
Reply
Chris Webb

‎12-12-2018 06:29 AM

‎12-12-2018 06:29 AM

Re: Guest invite limitation?

I haven’t tried in awhile so I do t know if it changed but you’ll know cause you’ll authenticate then get the whole teams must be enabled for your organization message when trying to use the client.
0 Likes
Reply
Christopher Hoard

‎12-12-2018 06:59 AM

‎12-12-2018 06:59 AM

Re: Guest invite limitation?

Have experienced a few scenarios like this

 

1.) Like @Chris Webb where the other tenant has 365 but Teams is completely off and the org didn't want Teams, I have invited them as a guest on their MSA account

 

2.) In the same scenario when the other tenant has 365 but Teams is completely off I managed to convince the org to set up Teams for the user and invited them as a guest

 

3.) I have also experienced this when adding a guest to our tenant for an org who hasn't used Office 365 at all and someone has gone and created a free Power BI subscription. Had to go remove the domain and blow it away before the user could be added as a guest.

 

I would agree with everything others have said. If the domain/subdomain is in AAD then the invite will look for the user there. If there was a scenario, let's say, where the domain is in AAD and the org is only using SharePoint with AADC (not teams) and the user wasn't part of their SharePoint site, then the org would need to sync the user on AADC for the user to exist in Azure AD and an Office 365 licence with Teams (I.e. like Business Essentials) would be the optimal add. 

 

Hope that helps.

 

Best, Chris

0 Likes
Reply
Related Conversations
Tabs and Dark Mode
 cjc2112 in Discussions on 09-18-2019
46 Replies
Extentions Synchronization
 Deleted in Discussions on 11-13-2019
3 Replies
Stable version of Edge insider browser
 HotCakeX in Discussions on 10-12-2019
35 Replies
How to Prevent Teams from Auto-Launch
 chenrylee in Microsoft Teams on 06-27-2019
30 Replies
flashing a white screen while open new tab
 Deleted in Discussions on 10-05-2019
14 Replies
Security Community Webinars
 Valon_Kolica in Security, Privacy & Compliance on 10-22-2019
13 Replies