Guest invite limitation?

adam deltinger
MVP

Just want to make sure! A company with DomainX uses Office 365 for some users! If I add a user with user.domainX.com to my team and that user has a license in their tenant, it works! If I invite someone on domainX not using Office 365, they get an error using the invite link

Something like this: AADB2B_0001 Can't create an Azure AD account with self-service due to the catalog is federated….

Adam

14 Replies
Correct me if I’m wrong! A guest user from a domain in Office 365 uses their AAD to authenticate! If the user is not present (not created or synced), aka not using Office 365, the invite procedure tries to create the user in their AAD. This will probably fail due to several reasons!
So to correct this their admin has to either make a setting via PowerShell to enable self creation or sync/create the user in their AAD

Yeah if they have a domain but no user account synced you're going to have problems because basically the account doesn't exist. If the account syncs from on-prem, but is not licensed, it should work in that case, but the account needs to exist in the 365 domain.

There is no such thing as self-service account provisioning; an admin in the organization needs to provision the account. If the account doesn't exist, the entry will simply remain in your directory as an "orphaned" object.

I was looking at the Set-MsolCompanySettings -AllowEmailVerifiedUsers setting which joins by email validation

Don't know exactly what's happening here but according to this blog post, it would be possible if the mail address matches the tenant name

https://www.xtseminars.co.uk/blog/azure-ad-b2b-invitations-and-email-verified-users

Found this MS documentation link about the cmdlet as well! Doesn't say much though

https://docs.microsoft.com/en-us/powershell/module/msonline/set-msolcompanysettings?view=azureadps-1...

/ Adam

@adam deltinger if the company you are connecting to does not use any services based on AzureAD then a tenant gets provisioned and your guests are created within it.

If the company already has AzureAD for something then it's managed by the global admins of that tenant.

Interestingly if you have one of these virally provisioned tenants, then buy something with AzureAD, you adopt the tenant, and can then manage the accounts created there.

Hi! Didn’t quite catch the last paragraph! Can you please explain a little further?
Also you mean a tenant gets created if there’s no Azure AD connected to the guest’s mail domain?
In this case there is one already, though, but the user doesn’t exist in that AAD

If there is already a managed AzureAD then accounts can only be created there by that company, its admins etc.

If the company has never used AzureAD then accounts get automatically provisioned in a virally provisioned AzureAD tenant for the company.

Yes! Thanks! I’ve read up on that now! There’s also a way to take management of this tenant apparently :)
Although my issue is another but I seem to have figured it out

Found this in MS doc:

You administer a directory with a verified domain such as contoso.com
You use B2B collaboration from a different directory to invite a user that does not already exist (userdoesnotexist@contoso.com) in the home directory of contoso.com
The home directory has the AllowEmailVerifiedUsers turned on
If the preceding conditions are true, then a member user is created in the home directory, and a B2B guest user is created in the inviting directory.

From:
https://docs.microsoft.com/en/azure/active-directory/users-groups-roles/directory-self-service-signu...

What I understand from this is the following!
In my scenario when an invited user doesn’t have any account in their organization’s AAD, the invite process tries to create one based on the email address! Without the cmdlet above, this is not possible, but should be possible if it was set to true
Although if it’s a domain synced with AD, I guess it’s still not possible!
Geez....

@Vasil Michev @Chris Webb @Steven Collier @Christopher Hoard @Juan Carlos González Martín

Any thoughts or experiences regarding this thread and the AllowEmailVerifiedUsers setting?

I'm awaiting the guest user to accept the invite after their admin syncing the user to AAD, but the user's invite URL is now directing to their tenant :)

Curious about the AllowEmailVerifiedUsers though!

Adam

They still have to go back to their tenant to authenticate. Also I used to have the issue with Teams guest access back then: if the user had 365 but didn’t have Teams on, they can’t join as a guest anywhere else. I always had them just set up or use MSA accounts for guest in those cases that they didn’t use Teams.

Yeah, I've heard those scenarios. But in this case I guess the user won't have to be licenced. Isn't that basically the same thing as having a 365 license, with Teams disabled in this case?

I haven’t tried in a while so I don’t know if it changed, but you’ll know 'cause you’ll authenticate then get the whole "Teams must be enabled for your organization" message when trying to use the client.

Have experienced a few scenarios like this

1.) Like @Chris Webb where the other tenant has 365 but Teams is completely off and the org didn't want Teams, I have invited them as a guest on their MSA account

2.) In the same scenario when the other tenant has 365 but Teams is completely off I managed to convince the org to set up Teams for the user and invited them as a guest

3.) I have also experienced this when adding a guest to our tenant for an org who hasn't used Office 365 at all and someone has gone and created a free Power BI subscription. Had to go remove the domain and blow it away before the user could be added as a guest.

I would agree with everything others have said. If the domain/subdomain is in AAD then the invite will look for the user there. If there was a scenario, let's say, where the domain is in AAD and the org is only using SharePoint with AADC (not Teams) and the user wasn't part of their SharePoint site, then the org would need to sync the user on AADC for the user to exist in Azure AD and an Office 365 licence with Teams (i.e. like Business Essentials) would be the optimal add.

Hope that helps.

Best, Chris
