Teams Guest user and UPN/SMTP blocks AADSync

Mika Baljaskin
Senior Member

Hello all,

I have an issue with Teams Guest users and their UPN (more likely secondary SMTP). As my client organization invites a user to our Teams, the invited user receives an identity (firstname.surname_userdomain#EXT#@tenant.onmicrosoft.com). This is OK, but the issue is in the email address used in the invitation. This email address is saved in the user's identity as an SMTP address, which causes a rather annoying issue with AADSync.

I work in government. Usually these invited users are from organizations under our government which are not yet added to the government tenant. And when this is done (= the organization is added to the government tenant), these former guest users are blocked from Azure AD. AADSync checks if a user's UPN or SMTP is already in use.

So I ask you experts: is there any way to force AADSync to override these "duplicate" identities, or is there a setting that prevents using the guest user's mail address as an SMTP address in the guest identity?

Oh yes, it would be easy to run PowerShell commands like "$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection" and continue searching via the Exchange Online PS add-on, but our security is so tight that WinRM sessions are blocked. This throws me to the deep end of the pool?

2 Replies

Hi! I don't think converting a guest user to a tenant user is possible at this time!

I guess deleting the guest account and syncing the user via ADConnect afterwards is the way to do it for now.

Keep in mind you lose all the permissions.

/ Adam

You can actually "convert" a guest user to a "regular" user object in Azure AD, but that is not really a supported operation. Meaning it works, but Microsoft has not documented this or mentioned that it's supposed to work. Once you "convert" the object, you can do with it as you please, just like with any other object. But again, probably not supported. So use at your own risk; there are some examples of what you can do here: https://www.michev.info/Blog/Post/2256/some-new-interesting-experiences-with-guest-users-in-office-3...

Outside of that method, there is a limited set of operations that you can perform on guest users in the O365 admin portal or via PowerShell. Changing the Primary SMTP address can be done, but you cannot remove aliases, thus it will not solve your problem. So you might as well just recreate the Guest user.
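
An added example, not part of the thread and not written by any of the posters: a pre-sync audit that lists guest objects whose mail or proxy addresses fall in a domain about to be onboarded, so the accounts AADSync would flag as duplicates are known in advance. The function name, the sample accounts and the domain `agency.example` are constructed; the commented live query assumes the Microsoft Graph PowerShell SDK, which talks to Graph over HTTPS rather than WinRM.

```powershell
# Added example: report guest objects whose mail or proxy addresses sit in a
# domain that is about to be synced, so the duplicates are known beforehand.
function Find-GuestAddressCollision {
    param(
        [Parameter(Mandatory)] [object[]] $User,   # needs UserType, UserPrincipalName, Mail, ProxyAddresses
        [Parameter(Mandatory)] [string]   $Domain  # domain being onboarded
    )
    $suffix = '@' + $Domain.ToLowerInvariant()
    foreach ($u in $User) {
        if ($u.UserType -ne 'Guest') { continue }
        # Mail plus every proxy address, with the smtp:/SMTP: prefix removed.
        $addresses = (@($u.Mail) + @($u.ProxyAddresses)) |
            Where-Object { $_ } |
            ForEach-Object { ($_ -replace '^smtp:', '').ToLowerInvariant() } |
            Sort-Object -Unique
        # Exact domain match only: user@sub.agency.example does not count.
        $hits = @($addresses | Where-Object { $_.EndsWith($suffix) })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                UserPrincipalName  = $u.UserPrincipalName
                CollidingAddresses = $hits -join ';'
            }
        }
    }
}

# Constructed sample objects (not real accounts).
$sample = @(
    [pscustomobject]@{ UserType = 'Guest'
                       UserPrincipalName = 'anna.virtanen_agency.example#EXT#@tenant.onmicrosoft.com'
                       Mail = 'anna.virtanen@agency.example'
                       ProxyAddresses = @('SMTP:anna.virtanen@agency.example') }
    [pscustomobject]@{ UserType = 'Guest'
                       UserPrincipalName = 'bo.lind_other.example#EXT#@tenant.onmicrosoft.com'
                       Mail = 'bo.lind@other.example'
                       ProxyAddresses = @('SMTP:bo.lind@other.example') }
    [pscustomobject]@{ UserType = 'Member'
                       UserPrincipalName = 'admin@tenant.onmicrosoft.com'
                       Mail = $null
                       ProxyAddresses = @() }
)
Find-GuestAddressCollision -User $sample -Domain 'agency.example'

# Live data instead of the sample (assumption: Microsoft.Graph module installed):
# Connect-MgGraph -Scopes 'User.Read.All'
# $guests = Get-MgUser -All -Filter "userType eq 'Guest'" -Property UserType,UserPrincipalName,Mail,ProxyAddresses
# Find-GuestAddressCollision -User $guests -Domain 'agency.example'
```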