
Silently adding Guest users to Azure AD

Ronnie Saini
Senior Member

Here is a use case:

We are planning to migrate our on-premises SharePoint 2013 (client-facing portal) to Office 365 and leverage Azure AD B2B (Guest Users).

 

Migration Requirements:

- The external user accounts need to be available at the destination to successfully map the content from the source

 

Challenge:

- If we create an external/guest user account in Azure AD, an invitation email goes out for account activation/acceptance of the terms/enrollment in MFA - this may confuse users as migration hasn't started yet and they won't have access to any sites in Office 365 at this point

 

Objective:

- I would like to create external user accounts silently (about 3,000), do the migration/map the content to the newly created accounts - send out an email to external clients about their account activation

- I would like to enable MFA for all the accounts for external users when they first login/activate the account

 

Is this possible?

 

 

3 Replies
Not tested, but you can programmatically create guest users using the Invitation API and save the redemption URL generated against each guest user name, probably in a CSV file. Later on you can send an email to each guest user with the redemption link. In Azure AD, you can configure conditional access (MFA) from the start for usertype = guest. When the guest user receives your invitation email and tries to redeem the invitation, MFA setup will automatically trigger for the user.

@Ronnie Saini As per the answer from @Prashant Gupta, you can create the users via PowerShell script, capture the redemption URL and then distribute the redemption URL to the users via another method.

 

We did exactly that. A few lessons we learned:

  1. A process needs to be put in place to "clean up" or "remind" users to complete their registration. Not all users will be available / able to complete the process when you dictate.
    1. Be aware that the PowerShell script will create the object, this is needed in order to assign it to a group / SharePoint site.
    2. This means that if users do not redeem the invitation, you will have artefacts that you need to be aware of / maintain for a period of time.
    3. Users are "funny" creatures. A guest will ignore the redemption email and a few months from now attempt to access your environment. If you did not "clean up" the environment, you need to re-send the invitation. I'm not sure that the redemption URL can be re-created without deleting the object and re-creating the object.
  2. A process needs to be put in place to assist users with resetting their MFA device (in case of loss or theft) or MFA phone number (as you cannot control which MFA option the guest will opt for)
    1. We recommended our guests install the Microsoft Authenticator application on a mobile device as it only uses data for initial download and registration, thereafter you do not require a data connection (in our experience).

Hope this helps. Know that this is not a simple "fire and forget" activity, it requires a lot of reporting, follow-up and monitoring to ensure your users are not significantly impacted.

 

Another point - remember to set the password restrictions for the guest accounts to be the same as for your internal users, else you have two levels to maintain.

 

J
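
The approach described in the two replies above (create the guest objects without an invitation email, keep each redemption URL, and track who has not yet redeemed) could look like this. It is an added example, not the script any poster used; it assumes the Microsoft Graph PowerShell SDK, and `guests.csv`, its column names, the output path and the redirect URL are placeholders.

```powershell
# Added example. Assumes the Microsoft.Graph PowerShell SDK and an account
# allowed to invite guests. File names, columns and the URL are placeholders.
Connect-MgGraph -Scopes 'User.Invite.All'

$redirectUrl = 'https://contoso.sharepoint.com/sites/clientportal'   # placeholder
$guests      = Import-Csv -Path .\guests.csv                          # columns: Email, DisplayName

$results = foreach ($g in $guests) {
    $params = @{
        InvitedUserEmailAddress = $g.Email
        InvitedUserDisplayName  = $g.DisplayName
        InviteRedirectUrl       = $redirectUrl
        SendInvitationMessage   = $false   # create the guest object, send no email
        ErrorAction             = 'Stop'
    }
    try {
        $inv = New-MgInvitation @params
        [pscustomobject]@{
            Email     = $g.Email
            ObjectId  = $inv.InvitedUser.Id     # use this to map content / add to groups
            Status    = $inv.Status             # e.g. PendingAcceptance until redeemed
            RedeemUrl = $inv.InviteRedeemUrl    # distribute later by your own channel
            Error     = $null
        }
    }
    catch {
        # Record the failure so the follow-up report shows which guests were not created.
        [pscustomobject]@{
            Email     = $g.Email
            ObjectId  = $null
            Status    = 'Failed'
            RedeemUrl = $null
            Error     = $_.Exception.Message
        }
    }
}

# The CSV contains live redemption links: store it where only the migration
# team can read it and delete it once the links have been distributed.
$results | Export-Csv -Path .\guest-invitations.csv -NoTypeInformation

# Summary for the reminder / clean-up process mentioned in the reply above.
$results | Group-Object Status | Select-Object Name, Count
```

The `ObjectId` column gives the clean-up process a fixed list of objects to review if invitations stay unredeemed.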

Per my understanding, you will always send an email to users. If this is the case, you can invite using PowerShell (bulk invitation) with an email template created by you. I have attached the script. Remember: the user needs to accept and consent to the invitation. There's no workaround for this ;)