Inviting guest who already has a Microsoft account


I am the global admin of an Office 365 domain for a small nonprofit. Of the people who need access to our SharePoint and Teams channels, only a handful need a foo@mydomain.com identity; most will want "guest" access tied to their existing personal or work email instead.

In cases where the guest email has no connection to Microsoft, this seems to work smoothly.

However, when I try to add my personal MS Account as a guest, the invite link prompts me to create a new password. This seems wrong, as this email address has been an MS Account (formerly "Passport") since 1998, used daily for logging into my Windows 10 machines, licensing MS 365 Home, accessing OneDrive, etc. What am I missing?

[Screenshot attached: RichardBergCNY_0-1597690325540.png]

Many of my "guests" will have existing Microsoft accounts via their employer, their Xbox, etc. I need to be certain we don't disrupt that access by creating duplicate accounts tied to the same email.

4 Replies

@RichardBergCNY

First off, this probably doesn't answer your question, but hopefully it provides some insight that someone else can build upon. Also, I don't work for Microsoft.

There seem to be two categories of accounts in the Microsoft authentication world (based on my personal experience and the UI of their web and mobile apps):

  1. "Personal" accounts (e.g. 'Passport', @live.com, @outlook.com, etc.)
  2. "Work and school" accounts, which are backed by tenant-based Azure Active Directory instances

Some services only allow login with one type (PowerApps = "Work and school") while others allow both (e.g. Outlook, Excel, MS Edge profile sync).

Example scenario:

Let's say I am the administrator of a new tenant called ContosoCharity.org:

  • I set up a new user, Bob, at bob@contosocharity.org
  • Bob's wife, Mary, is COO at Contoso Heavy Industries, and has an existing account on their tenant as mary@contosohi.co.jp.
  • Bob's daughter, Karen, has a Gmail account she uses for school and YouTube, at FictionalKaren@gmail.com.
  • Bob's son, Johnny, has a "personal" Microsoft account that he uses mostly for Xbox and GitHub at FictionalJohnny@live.com.
  • Also, I have set up federation in Azure Active Directory to allow Gmail users to authenticate directly with Google.

Now, all of these folks volunteer for my charity, and Bob is on the board of directors. I share a SharePoint site with Bob and his family members - they each receive an e-mail invitation.

  1. Bob clicks on the invitation,
    1. is prompted for his existing bob@contosocharity.org credentials,
    2. and receives access to the SharePoint site.
    3. His account already existed in AAD so nothing changed there.
  2. Mary clicks on the invitation,
    1. is prompted for her existing mary@contosohi.co.jp credentials,
    2. receives access to the SharePoint site,
    3. and is added to the contosocharity.org AAD as either (depending on tenant settings?)
      1. mary_contosohi.co.jp#EXT#@contosocharity.org, or ...
      2. mary_contosohi.co.jp#EXT#@contosocharity.onmicrosoft.com
    4. Because her account can be authorized through another AAD tenant, she was not prompted for a _new_ password. The ContosoHI.co.jp AAD remains her authentication provider.
  3. Karen clicks on the invitation,
    1. is redirected to a Google sign-in screen where she logs in with the Google password for her FictionalKaren@gmail.com account
    2. is redirected back to Microsoft and receives access to the SharePoint site,
    3. and is added to the contosocharity.org AAD as either
      1. fictionalkaren_gmail.com#EXT#@contosocharity.org, or ...
      2. fictionalkaren_gmail.com#EXT#@contosocharity.onmicrosoft.com
    4. Because her account was able to be authorized through the Google connection I previously enabled in AAD, she was not prompted for a _new_ password either. Google remains her authentication provider. 
  4. Johnny clicks on the invitation,
    1. is welcomed to Microsoft and asked to set up a new password (the situation of the original thread poster above).
    2. Once complete and verified, he receives access to the SharePoint site,
    3. and is added to the contosocharity.org AAD as either
      1. fictionaljohnny_live.com#EXT#@contosocharity.org, or ...
      2. fictionaljohnny_live.com#EXT#@contosocharity.onmicrosoft.com
    4. Since Microsoft keeps "Personal" accounts separate, Johnny will have to remember and maintain a separate password for contosocharity.org
  5. If one of the external users needs a license to access shared resources, I can purchase one and assign it to them through either the Microsoft Admin Center or the AAD blade on the Azure Portal.
    1. Mary shouldn't need a license at ContosoCharity.org for most things, since she has an Office 365 E5 license at ContosoHI.co.jp already.

Issues:

User confusion: people using "personal" Microsoft accounts to access "Work or school"-type resources / tenants / domains.

SharePoint. Anything based upon SharePoint seems to hate these external users. In the web UI, the user panel on the top-right of the screen shows the 'ugly' AAD version of their username (e.g. mary_contosohi.co.jp#EXT#@contosocharity.onmicrosoft.com), and it is currently impossible for these users to log in using certain mobile apps (e.g. PowerApps with a data connection to a SharePoint list) even though those same users can access the exact same resources perfectly fine using the web apps. This appears to be at least partly because the mobile apps (at least on iOS, such as Authenticator) don't accept the # character as a valid part of a username.

Conclusion:

Your guests with Microsoft accounts through their employers should probably be fine.

Apologies for not being able to help further; I'm still struggling to understand this all and get it implemented myself. Best of luck to you!

 - Jim

(If anyone has any further insight, please add to this discussion or cross-post/link as necessary. - Thanks!)

Hi @JimGrisham

Thanks for this very detailed explanation. We are facing an issue with your "Johnny" setup (the guest already having a "Live" or "Home" account); maybe MSFT has changed something here?

All other scenarios (guest has an MSFT org / tenant account, or guest has no MSFT account at all) are working fine.

  • We are inviting this guest through GraphAPI
  • GraphAPI creates an AAD guest account:
    guest_something.tld#EXT#@#EXT#@tenant.onmicrosoft.com
  • User receives an invitation mail
  • User clicks on the invitation mail link and receives a message that an account with that email already exists and that the user should select another address

Do you have any experience on this?

Not directly. I did have an issue once, though, where a user (beth@contosocharity.org) had guest access to the SharePoint site of a third party. ContosoCharity.org was switched to a new tenant, but Beth (even though her e-mail address remained unchanged) could not access that 3rd-party SharePoint site, even if their admins removed her access and re-invited her. It took someone from MSFT support deleting some cached settings on their SharePoint site before this would work.

Have you tried creating an _entirely new_ e-mail account (e.g. at Gmail), and then inviting that to your service? That won’t help the user you’re trying to onboard, but it might help identify the scope of the problem.

Otherwise, I recommend just escalating this to MSFT support.

P.S. it may just be a typo in your message, but the account name you mentioned contains the string “#EXT#” _twice_.

From your description, it also looks like the account creation attempt may be happening twice (in steps 2 and 4 of your list). Can you leave out step 2 (where the AAD guest account is created) and just send the invitation? Alternatively, for troubleshooting purposes, if you manually reset the password of the guest account above, can this user now log on without using the invitation link?
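To make the two points above concrete (the `#EXT#` guest naming Jim walks through in his scenario, and the doubled `#EXT#` he spots in the Graph-created account), here is an added example that is not part of this thread or of Microsoft's own tooling. It derives the guest UPN an invited address should map to, flags malformed UPNs such as the doubled `#EXT#`, and builds the request body for the Microsoft Graph `POST /invitations` call without sending it. The UPN shape (`local_domain#EXT#@<tenant-domain>`, lowercased as in Jim's examples) and the Graph property names are assumptions taken from the thread and the Graph invitation resource; all addresses below are constructed samples.

```python
"""Guest (B2B) UPN derivation and sanity checks: an added example, not code from
the thread. Assumes the '<local>_<domain>#EXT#@<tenant>' naming shown in the
thread and the Graph 'invitations' request body. Nothing is sent over the network."""
import json
import re

GRAPH_INVITATIONS_URL = "https://graph.microsoft.com/v1.0/invitations"  # real endpoint
TENANT_DOMAIN = "contosocharity.onmicrosoft.com"  # constructed sample tenant

# Well-formed guest UPN: one '_' joining local part and source domain,
# exactly one '#EXT#@', then the inviting tenant's domain.
_GUEST_UPN_RE = re.compile(r"^[^@#]+_[^@#]+#EXT#@[^@#]+$")


def expected_guest_upn(email, tenant_domain=TENANT_DOMAIN):
    """Derive the UPN a B2B guest gets in the inviting tenant: the '@' in the
    invited address becomes '_', then '#EXT#@' and the tenant domain are appended
    (e.g. mary@contosohi.co.jp -> mary_contosohi.co.jp#EXT#@contosocharity.onmicrosoft.com).
    Lowercasing follows the examples in the thread (assumption)."""
    local, sep, domain = email.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    return f"{local}_{domain}#EXT#@{tenant_domain.lower()}"


def check_guest_upn(upn):
    """Return a list of problems found in a guest UPN (empty list = looks well-formed).
    Catches the doubled '#EXT#' reported above, which is the kind of malformed
    object worth looking for before blaming the invitation flow itself."""
    problems = []
    if upn.count("#EXT#") > 1:
        problems.append("'#EXT#' appears more than once")
    if upn.count("@") != 1:
        problems.append(f"expected exactly one '@', found {upn.count('@')}")
    if not _GUEST_UPN_RE.match(upn):
        problems.append("does not match <local>_<domain>#EXT#@<tenant> shape")
    return problems


def build_invitation(email, redirect_url, display_name=None, send_mail=True):
    """Build the JSON body for Graph POST /invitations. Graph creates the guest
    user object as part of this call, so no separate user-creation step is needed
    beforehand (the double creation Jim suspects in the list above)."""
    body = {
        "invitedUserEmailAddress": email,
        "inviteRedirectUrl": redirect_url,
        "sendInvitationMessage": send_mail,
    }
    if display_name:
        body["invitedUserDisplayName"] = display_name
    return body


if __name__ == "__main__":
    # Constructed samples matching the thread's fictional people.
    for addr in ("mary@contosohi.co.jp", "FictionalJohnny@live.com"):
        upn = expected_guest_upn(addr)
        print(addr, "->", upn, check_guest_upn(upn) or "OK")
    # The malformed UPN from the Graph-created account above.
    print(check_guest_upn("guest_something.tld#EXT#@#EXT#@tenant.onmicrosoft.com"))
    print(json.dumps(build_invitation("FictionalJohnny@live.com",
                                      "https://contosocharity.sharepoint.com/sites/volunteers"),
                     indent=2))
```

Running `check_guest_upn` over the guest objects Graph returns (the `userPrincipalName` property) is a cheap way to separate "the directory object is malformed" from "this particular personal account is broken", which is where this thread ended up.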

Thanks a lot, it turned out that it seems it really is an issue with that particular Live/Microsoft account (very strange orphan tenant in the background...).

We tried it out with a new fresh outlook.com address and there it worked.