Jul 10 2017 - last edited on Jul 27 2020
We're using AAD and B2B account to allow our partners to access our applications.
One of our customers, to which we've sent an AAD B2B invite got the error message "An unexpected error occurred. Please try again.", after entering the verification code that was sent.
From the image below, I presume a new AAD Tenant was created, as described in the B2B scenarios for accounts that don't have an AAD tenant created yet.
What can be the problem, and how can we help our customer to move forward and gain access to our applications?
Any suggestion is welcome.
Jul 13 2017 02:11 AM
I would open a support ticket through the Azure Portal
Jul 13 2017 09:17 AM
That's what I did :), and still working with MS Support to find out the problem.
Jul 16 2017 11:36 PM
Had this issue as well, workaround I found is to set the country to "United States" (at the page where you pick a password)
Jul 17 2017 04:48 AM
Thanks for the info.
That would be a very weird solution; for now I'm working with MS support to see if we can identify and fix the problem. For the moment we're waiting for our customer to provide us some Fiddler traces to help MS diagnose the situation.
I'll post an update here as soon as I have the problem solved.
Jul 17 2017 06:07 PM
From what I could tell for the situation I had, it had issues creating the Azure AD just-in-time tenant for the invited user's domain when using Australia as the country (it creates the JIT tenant when the first person for each domain signs up). Once one person was signed up using US as the country it worked fine for the rest of them on that domain (and no longer asked for a country to be set).
Jul 18 2017 01:52 AM - edited Jul 18 2017 01:56 AM
Thank you Simon,
I'll point this thread to MS support to see if our problem is related to the solution you describe.
Jul 20 2017 05:27 AM
I got an answer from Microsoft support.
Apparently the domain name reservation was present in a worker and this situation was the reason why the problem was occurring.
MS removed that reservation from the worker and we're now waiting for our customer to try the registration process after new accounts and invites were sent.
I'll update this post as soon as I get a confirmation that this actually solved the problem.
Jul 20 2017 03:59 PM
Does this mean that this will fix all for everyone if it works?
We'll re-send the invitation to clients too, to test this.
Will keep this updated.
Jul 21 2017 02:06 AM - Solution
No, it means it "unblocked" the Domain reservation of my customer and now he was able to accept the invite. You will need to check with MS support if your situation is the same.
MS also suggested:
- to delete the accounts in my tenant for that Domain and resend the invites.
- to always accept the invites in an InPrivate/Incognito browser session.
If this error occurs again, create a support ticket with MS so that the domain can be "unblocked" and allow the registration process to succeed. This fix is done per Domain and is not a fix that "unblocks" any other scenarios having the same or a similar issue.
I hope this helps others.
Aug 02 2017 07:03 PM - edited Aug 02 2017 07:08 PM
I think I should keep this thread posted...
After a few conversations with our MS AD support, I reached the following conclusion:
1. Last September, MS stopped users with an Organisation/school account from registering the same email for a MS account. (I actually like this; it's messy and confusing to have an organisation and a personal account sitting there for you to choose from...)
2. For a company who's clean with MS, once a first user purchases a subscription from MS (in my case PowerBI, for example), MS creates a viral tenant for the company domain, say email@example.com, and adds this first user to the AAD of that tenant.
3. From there the entire domain @mockdomain has become verified and reserved (as Organisation/school account? need to confirm with my support).
4. The viral tenant has no administrator, so no one can actively add other users of the same company to the AAD (I'll circle back to this point shortly).
5. If we send a B2B invitation to the very first user firstname.lastname@example.org who purchased the subscription (who has been added to AAD behind the scenes), he/she can redeem our invitation successfully because their tenant AAD recognises this person.
6. If we send a B2B invitation to other users of the same domain, say email@example.com, he/she will be redirected to their own AAD for authentication first, but as this email does not exist in their AAD, it couldn't be recognised and they will be requested to register a MS account, which conflicts with point 1, and this is why the user can't pass the verification code step.
Our MS tech support suggests that one of the clients claims the admin permission of their tenant and adds users accordingly as a solution; this is difficult in many situations, especially when the clients have no IT support.
Now, circling back to point 4: I asked the support if the first purchaser invites all other users within their organisation to the product (PowerBI in my case), will this add their emails to their AAD (I assumed), and will this further enable them to redeem our B2B emails.... The support said 'probably'... We haven't had any chance to test this...
I will keep this updated, and would like to hear some feedback or even answers...
Sep 06 2017 07:24 AM
I am experiencing the same issue. It is causing a lot of headaches as we attempt to collaborate with other organizations. They want to move our files to DropBox or Google Drive because adding external users is so much easier. This is a serious flaw in the Azure B2B system. I don't have time to interface with the IT department of every company I need to collaborate with so that they can take control of their viral tenant and add users, especially if they were just checking O365 out and are not planning on migrating any time soon. Sorry for the complaining, but sometimes I get the impression the MS engineers don't know how weird issues like this affect our direct adoption of these systems.
Recommended solution is just send the invite email even if you don't see the user in the domain's Azure AD, what is the harm? If they don't exist it bounces, if they do the problem is fixed. Same thing with creating the account, create the account only in the inviting AD. If someone is redeeming an invite token, it means the email account exists somewhere, right?
Sep 20 2017 03:08 AM
Sep 20 2017 04:56 PM
No quick solution yet, we were advised to contact the partner company to have their tenant 'admined'.
Since you may adopt B2B, I'll share another case with you: one of our clients logs in to Office 365 with, say, EmployeID007@abccompany.com; but this 'email address' can't receive email, it is just an account to log in with. They have another real email address which is, say, firstname.lastname@example.org.
In this case, we have to send the invitation to EmployeID007@abccompany.com and put email@example.com in the alternate email field in Azure AAD so that they can receive the invitation; they still need to authenticate with EmployeID007@abccompany.com.
My overall experience using B2B is that it is not so smooth; hopefully this will be improved in the near future.