Aug 17 2020 12:01 PM - edited Aug 17 2020 12:24 PM
I am the global admin of an Office 365 domain for a small nonprofit. Of the people who need access to our SharePoint and Teams channels, only a handful need a foo@mydomain.com identity; most will want "guest" access tied to their existing personal or work email instead.
In cases where the guest email has no connection to Microsoft, this seems to work smoothly.
However, when I try to add my personal MS Account as a guest, the invite link prompts me to create a new password. This seems wrong, as this email address has been an MS Account (formerly "Passport") since 1998, used daily for logging into my Windows 10 machines, licensing MS 365 Home, accessing OneDrive, etc. What am I missing?
Many of my "guests" will have existing Microsoft accounts via their employer, their Xbox, etc. I need to be certain we don't disrupt that access by creating duplicate accounts tied to the same email.
Sep 13 2020 12:45 PM - edited Sep 13 2020 12:47 PM
First off, this probably doesn't answer your question, but hopefully it provides some insight that someone else can build upon. Also, I don't work for Microsoft.
There seem to be two categories of accounts in the Microsoft authentication world (based on my personal experience and the UI of their web and mobile apps):
Some services only allow login with one type (PowerApps = "Work and school") while others allow both (e.g. Outlook, Excel, MS Edge profile sync).
Example scenario:
Let's say I am the administrator of a new tenant called ContosoCharity.org:
Now, all of these folks volunteer for my charity, and Bob is on the board of directors. I share a SharePoint site with Bob and his family members - they each receive an e-mail invitation.
Issues:
User confusion: people using "personal" Microsoft accounts to access "Work or school"-type resources / tenants / domains
SharePoint. Anything based upon SharePoint seems to hate these external users. In the web UI, the user panel at the top-right of the screen shows the 'ugly' AAD version of their username (e.g. mary_contosohi.co.jp#EXT#@contosocharity.onmicrosoft.com), and it is currently impossible for these users to log in using certain mobile apps (e.g. PowerApps with a data connection to a SharePoint list) even though those same users can access the exact same resources perfectly fine using the web apps. This appears to be at least partly because the mobile apps (at least on iOS, such as Authenticator) don't accept the # character as a valid part of a username.
Conclusion:
Your guests with Microsoft accounts through their employers should probably be fine.
Apologies for not being able to help further; I'm still struggling to understand this all and get it implemented myself. Best of luck to you!
- Jim
(If anyone has any further insight, please add to this discussion or cross-post/link as necessary. - Thanks!)
Apr 14 2021 02:57 AM
Hi @JimGrisham,
thanks for this very detailed explanation. We are facing an issue with your setup of "Johnny" (who already has a "Live" or "Home" account); maybe MSFT has changed something here?
All other scenarios (guest has MSFT org / tenant account / guest has no MSFT account at all) are working fine.
Do you have any experience on this?
Apr 19 2021 10:48 AM
Apr 19 2021 11:56 PM