SOLVED

AAD B2B account creation failure - "An unexpected error occurred. Please try again"

Copper Contributor

Hi,

 

We're using AAD and B2B account to allow our partners to access our applications.

One of our customers, to whom we've sent an AAD B2B invite, got the error message "An unexpected error occurred. Please try again." after entering the verification code that was sent.

 

From the image below, I presume a new AAD Tenant was created, as described in the B2B scenarios for accounts that don't have an AAD tenant created yet.

 

What can be the problem, and how can we help our customer to move forward and gain access to our applications?

 

Any suggestion is welcome.

 

Thanks!

 



I would open a support ticket through the Azure Portal

Hi Dean,

 

That's what I did :), and I'm still working with MS Support to find out the problem.

 

Thanks,

Nelson

Had this issue as well; the workaround I found is to set the country to "United States" (at the page where you pick a password).

Hi Simon,

 

Thanks for the info.

That would be a very weird solution; for now I'm working with MS support to see if we can identify and fix the problem. For the moment we're waiting for our customer to provide us some Fiddler traces to help MS diagnose the situation.

I'll post an update here as soon as I have the problem solved.

 

Thanks!

From what I could tell for the situation I had, it had issues creating the Azure AD just-in-time tenant for the invited user's domain when using Australia as the country (it creates the JIT tenant when the first person for each domain signs up). Once one person was signed up using US as the country it worked fine for the rest of them on that domain (and no longer asked for a country to be set).

Thank you Simon,

 

I'll point MS support to this thread to see if our problem is related to the solution you describe.

 

Thanks!

Hi,

 

I got an answer from Microsoft support.

Apparently the domain name reservation was present in a worker, and this was the reason the problem was occurring.

MS removed that reservation from the worker and we're now waiting for our customer to try the registration process after new accounts and invites were sent.

I'll update this post as soon as I get confirmation that this actually solved the problem.

 

Nelson Morais

Thanks Nelson

Does this mean that this will fix all for everyone if it works?

 

We'll re-send the invitation to clients too, to test this,

 

will keep this updated,

Thanks

Chao

best response confirmed by Nelson Morais (Copper Contributor)
Solution

Hi Chao,

 

No, it means it "unblocked" the Domain reservation of my customer and now he was able to accept the invite. You will need to check with MS support if your situation is the same.

 

MS also suggested:

- to delete the accounts in my tenant for that Domain and resend the invites.

- to always accept the invites in an InPrivate/Incognito browser session.

 

My conclusion:

If this error occurs again, create a support ticket with MS so that the domain can be "unblocked" and allow the registration process to succeed. This fix is done per Domain and is not a fix that "unblocks" any other scenarios having the same or a similar issue.

 

I hope this helps others.

 

Nelson Morais

Thanks Nelson

I think I should keep this thread posted...

After a few conversations with our MS AD support, I reached the following conclusion:

1. Last September, MS stopped users with an Organisation/school account from registering the same email for a MS account. (I actually like this; it is messy and confusing to have an organisation and a personal account sitting there for you to choose from...)

 

2. For a company that is "clean" with MS, once a first user purchases a subscription from MS (in my case PowerBI, for example), MS creates a viral tenant for the company domain, say firstperson@mockdomain.com.au, and adds this first user to the AAD of that tenant.

 

3. From there, the entire domain @mockdomain has become verified and reserved (as Organisation/school account? need to confirm with my support).

 

3. The viral tenant has no administrator, so no one can actively add other users of the same company to the AAD (I'll circle back to this point shortly).

 

4. If we send a B2B invitation to the very first user firstperson@mockdomain.com.au who purchased the subscription (who has been added to AAD behind the scenes), he/she can redeem our invitation successfully because their tenant AAD recognises this person.

 

5. If we send a B2B invitation to other users of the same domain, say fifth@mockdomain.com.au, he/she will be redirected to their own AAD for authentication first, but as this email does not exist in their AAD, it can't be recognised and they will be requested to register a MS account, which conflicts with point 1, and this is why the user can't pass the verification code step.

 

Our MS tech support suggests as a solution that one of the clients claim the admin permission of their tenant and add users accordingly; this is difficult in many situations, especially when the clients have no IT support.

 

Now, circling back to point 3: I asked the support if the first purchaser invites all other users within their organisation to the product (PowerBI in my case), will this add their emails to their AAD (I assumed), and will this further enable them to redeem our B2B emails.... The support said 'probably'..., we haven't had any chance to test this...

 

I will keep this updated, and would like to hear some feedback or even answers...

thanks


I am experiencing the same issue. It is causing a lot of headaches as we attempt to collaborate with other organizations. They want to move our files to DropBox or Google Drive because adding external users is so much easier. This is a serious flaw in the Azure B2B system. I don't have time to interface with the IT department of every company I need to collaborate with so that they can take control of their viral tenant and add users, especially if they were just checking O365 out and are not planning on migrating any time soon. Sorry for the complaining, but sometimes I get the impression the MS engineers don't know how weird issues like this affect our direct adoption of these systems. 

Recommended solution is just send the invite email even if you don't see the user in the domain's Azure AD, what is the harm? If they don't exist it bounces, if they do the problem is fixed. Same thing with creating the account, create the account only in the inviting AD. If someone is redeeming an invite token, it means the email account exists somewhere, right?

Your findings are very interesting Chao, did you get any clarity to it?

We are investigating using B2B but are really concerned about how these "viral" or just-in-time AAD tenants are just spun off and then no one is managing them after they are created. Our clients are usually small companies who don't use AAD or don't even have know-how about it. I don't want our IT to become the contact point for their users and their sign-in problems.

No quick solution yet, we were advised to contact the partner company to have their tenant 'admined'.

 

Since you may adopt B2B, I'll share another case with you: one of our clients logs in to Office 365 with, say, EmployeID007@abccompany.com; but this 'email address' can't receive email, it is just an account to log in with; they have another real email address which is, say, employeerealemail@abc.com.

 

In this case, we have to send the invitation to EmployeID007@abccompany.com and put employeerealemail@abc.com in the alternate email field in Azure AAD so that they can receive the invitation; they still need to authenticate with EmployeID007@abccompany.com.

 

My overall experience using B2B is that it is not so smooth; hopefully this will be improved in the near future.

 

thanks

@Nelson Morais - Do you know how they removed the worker? We have the same problem.

Hi @vabby547, check my reply marked as answer. The problem was solved via Microsoft support.