Guest users are getting mailbox for MSA, which can be used to send email with anonymous id.

Contributor

Hello @microsoft

Team, I found something which might be obvious as per the product design, but for some reason I am unable to understand the purpose of getting a mailbox provisioned for guest users in the live database.

Step 1) - A guest user is invited (from any platform: Gmail, Yahoo, etc.).

Step 2) - The user will accept the invitation.

   - In the process of the user accepting the invitation:

   - The user will be redirected to the invitation portal, referencing the tenant id:

https://invitations.microsoft.com/msa/index?tenant=#####-2165-4f23-9162#######fedbac&user=d0bc87c5-9...

If the live database is already aware of this account, the request gets completed with the consent prompt → Expected behaviour.

Now let's consider I am not using an Outlook, Hotmail or Live account.

For testing purposes I used a Gmail account: test****@gmail.com.

The moment I clicked on Get started I was redirected to https://signup.live.com

And below is the prompt that I received → obvious, as we need an identity.

[image: Untitled.png]

Once I clicked on Yes, it asks me to create a password → which is also obvious, since there is a new account getting created in the live database.

Now, since the account is created, a consent prompt will appear from the invitations portal to access the information from the live database.

Everything is working as expected.

Now the concern is: if I am using a Gmail account with a UPN of test####@gmail.com,
with the same UPN an account is created in the live database, and if I go to outlook.com, I can sign in with my new account that was created and send emails.

I am not sure if this should be a part of the invitation process.
But I want to verify whether an MSA mailbox getting associated with a Gmail id that exists in the live database is required or not.

[image: Untitled.png]

If it is required, what is the purpose of this mailbox?

Instead, there should be a prompt which the user should approve or deny before a mailbox is provisioned.

If we think from a security perspective, there should be no mailbox provisioned for the user in the live database if he/she is using a Gmail, Yahoo or any other service provider.

Regards,
Rishabh

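As an added example (not from the post, and not Microsoft's code), here is a Python check an admin could run over the Microsoft Graph listing of guest users to find exactly the situation described above: a guest whose non-Microsoft address is backed by a Microsoft account, and therefore by an outlook.com mailbox, rather than by Google federation. The Graph response shape and the issuer strings are assumptions to verify against your own tenant, and the sample data is constructed.

```python
import json

# Constructed sample of what Graph returns for
#   GET /users?$filter=userType eq 'Guest'&$select=mail,identities
# Issuer strings follow the documented 'identities' property values
# (MicrosoftAccount, google.com, ExternalAzureAD); verify against your tenant.
SAMPLE_GRAPH_RESPONSE = json.dumps({"value": [
    {"mail": "test1234@gmail.com", "identities": [
        {"signInType": "federated", "issuer": "MicrosoftAccount",
         "issuerAssignedId": "test1234@gmail.com"}]},
    {"mail": "alice@gmail.com", "identities": [
        {"signInType": "federated", "issuer": "google.com",
         "issuerAssignedId": "alice@gmail.com"}]},
    {"mail": "bob@fabrikam.com", "identities": [
        {"signInType": "federated", "issuer": "ExternalAzureAD",
         "issuerAssignedId": "bob@fabrikam.com"}]},
    {"mail": "carol@outlook.com", "identities": [
        {"signInType": "federated", "issuer": "MicrosoftAccount",
         "issuerAssignedId": "carol@outlook.com"}]},
]})

# Domains where an MSA is the user's actual identity rather than a shadow one.
MICROSOFT_CONSUMER_DOMAINS = {"outlook.com", "hotmail.com", "live.com", "msn.com"}

def classify_guest(user):
    """Classify how a guest's identity is backed.

    'msa-shadow': non-Microsoft address whose issuer is MicrosoftAccount, i.e.
                  a gmail.com invitee who got an MSA (and an outlook.com
                  mailbox) through signup.live.com instead of Google federation.
    'msa': MSA on a Microsoft consumer domain.  'google': Google-federated.
    'azuread': guest from another Azure AD tenant.  'other': anything else.
    """
    domain = (user.get("mail") or "").rpartition("@")[2].lower()
    issuers = {i.get("issuer") for i in user.get("identities", [])}
    if "MicrosoftAccount" in issuers:
        return "msa" if domain in MICROSOFT_CONSUMER_DOMAINS else "msa-shadow"
    if "google.com" in issuers:
        return "google"
    if "ExternalAzureAD" in issuers:
        return "azuread"
    return "other"

def find_shadow_msa_guests(graph_json):
    """Sorted mail addresses of guests that should be reviewed or re-invited."""
    users = json.loads(graph_json).get("value", [])
    return sorted(u["mail"] for u in users if classify_guest(u) == "msa-shadow")

if __name__ == "__main__":
    for addr in find_shadow_msa_guests(SAMPLE_GRAPH_RESPONSE):
        print("guest backed by an unexpected MSA:", addr)
```
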
1 Reply

Re: Guest users are getting mailbox for MSA, which can be used to send email with anonymous id.

The answer to my question was recently added to Azure AD.

https://docs.microsoft.com/en-us/azure/active-directory/b2b/google-federation