Inviting guest who already has a Microsoft account

I am the global admin of an Office 365 domain for a small nonprofit.  Of the people who need access to our SharePoint and Teams channels, only a handful need a foo@mydomain.com identity; most will want "guest" access tied to their existing personal or work email instead.
In cases where the guest email has no connection to Microsoft, this seems to work smoothly.
However, when I try to add my personal MS Account as a guest, the invite link prompts me to create a new password.  This seems wrong, as this email address has been an MS Account (formerly "Passport") since 1998, used daily for logging into my Windows 10 machines, licensing MS 365 Home, accessing OneDrive, etc.  What am I missing?

Many of my "guests" will have existing Microsoft accounts via their employer, their Xbox, etc.  I need to be certain we don't disrupt that access by creating duplicate accounts tied to the same email.

1 Reply

@RichardBergCNY 
First off, this probably doesn't answer your question, but hopefully it provides some insight that someone else can build upon. Also, I don't work for Microsoft.
There seem to be two categories of accounts in the Microsoft authentication world (based on my personal experience and the UI of their web and mobile apps):

  1. "Personal" accounts (e.g. 'Passport', @live.com, @outlook.com, etc.)
  2. "Work and school" accounts, which are backed by tenant-based Azure Active Directory instances

Some services only allow login with one type (PowerApps = "Work and school") while others allow both (e.g. Outlook, Excel, MS Edge profile sync).
Example scenario:

Let's say I am the administrator of a new tenant called ContosoCharity.org:

  • I set up a new user, Bob, at bob@contosocharity.org
  • Bob's wife, Mary, is COO at Contoso Heavy Industries, and has an existing account on their tenant as mary@contosohi.co.jp.
  • Bob's daughter, Karen, has a Gmail account she uses for school and YouTube, at FictionalKaren@gmail.com.
  • Bob's son, Johnny, has a "personal" Microsoft account that he uses mostly for Xbox and GitHub at FictionalJohnny@live.com.
  • Also, I have set up federation in Azure Active Directory to allow Gmail users to authenticate directly with Google.

Now, all of these folks volunteer for my charity, and Bob is on the board of directors. I share a SharePoint site with Bob and his family members - they each receive an e-mail invitation.

  1. Bob clicks on the invitation,
    1. is prompted for his existing bob@contosocharity.org credentials,
    2. and receives access to the SharePoint site.
    3. His account already existed in AAD so nothing changed there.
  2. Mary clicks on the invitation, 
    1. is prompted for her existing mary@contosohi.co.jp credentials,
    2. receives access to the SharePoint site,
    3. and is added to the contosocharity.org AAD as either (depending on tenant settings?)
      1. mary_contosohi.co.jp#EXT#@contosocharity.org, or ...
      2. mary_contosohi.co.jp#EXT#@contosocharity.onmicrosoft.com
    4. Because her account can be authorized through another AAD tenant, she was not prompted for a _new_ password. The ContosoHI.co.jp AAD remains her authentication provider.
  3. Karen clicks on the invitation,
    1. is redirected to a Google sign-in screen where she logs in with the Google password for her FictionalKaren@gmail.com account
    2. is redirected back to Microsoft and receives access to the SharePoint site,
    3. and is added to the contosocharity.org AAD as either
      1. fictionalkaren_gmail.com#EXT#@contosocharity.org, or ...
      2. fictionalkaren_gmail.com#EXT#@contosocharity.onmicrosoft.com
    4. Because her account was able to be authorized through the Google connection I previously enabled in AAD, she was not prompted for a _new_ password either. Google remains her authentication provider. 
  4. Johnny clicks on the invitation,
    1. is welcomed to Microsoft and asked to set up a new password (the situation of the original thread poster above).
    2. Once complete and verified, he receives access to the SharePoint site,
    3. and is added to the contosocharity.org AAD as either
      1. fictionaljohnny_live.com#EXT#@contosocharity.org, or ...
      2. fictionaljohnny_live.com#EXT#@contosocharity.onmicrosoft.com
    4. Since Microsoft keeps "Personal" accounts separate, Johnny will have to remember and maintain a separate password for contosocharity.org.
  5. If one of the external users needs a license to access shared resources, I can purchase one and assign it to them through either the Microsoft Admin Center or the AAD blade on the Azure Portal.
    1. Mary shouldn't need a license at ContosoCharity.org for most things, since she has an Office 365 E5 license at ContosoHI.co.jp already.

Issues:
User confusion: people using "personal" Microsoft accounts to access "Work or school"-type resources / tenants / domains
SharePoint. Anything based upon SharePoint seems to hate these external users. In the web UI, the user panel on the top-right screen shows the 'ugly' AAD version of their username (e.g. mary_contosohi.co.jp#EXT#@contosocharity.onmicrosoft.com), and it is currently impossible for these users to log in using certain mobile apps (e.g. PowerApps with a data connection to a SharePoint list) even though those same users can access the exact same resources perfectly fine using the web apps. This appears to be at least partly because the mobile apps (at least on iOS, such as Authenticator) don't accept the # character as a valid part of a username.
Conclusion:
Your guests with Microsoft accounts through their employers should probably be fine.
Apologies for not being able to help further; I'm still struggling to understand this all and get it implemented myself. Best of luck to you!
 - Jim
(If anyone has any further insight, please add to this discussion or cross-post/link as necessary. - Thanks!)
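Added example, not part of either post above: a Microsoft Graph PowerShell script that does the check the original poster asked for (make sure an invite does not create a duplicate guest for an address that is already in the directory) and makes the distinction in Jim's reply visible, by reading which issuer authenticates each existing guest (another Azure AD tenant, a personal Microsoft account, Google federation, or email one-time passcode). It assumes the Microsoft Graph PowerShell SDK is installed, that the tenant's initial domain is contosocharity.onmicrosoft.com as in the reply's scenario, and that the SharePoint site URL is a placeholder; the function names are mine.

```powershell
# Added example (not from the thread). Requires the Microsoft Graph PowerShell SDK
# (Install-Module Microsoft.Graph) and an admin who can read users and send invitations.
Connect-MgGraph -Scopes "User.Read.All", "User.Invite.All" -NoWelcome

$TenantInitialDomain = "contosocharity.onmicrosoft.com"                        # assumption, from the reply's scenario
$SiteUrl             = "https://contosocharity.sharepoint.com/sites/Volunteers" # placeholder redirect target

# B2B guests get a UPN of the form <local>_<domain>#EXT#@<tenant initial domain>;
# this is the 'ugly' name the reply describes seeing in the SharePoint user panel.
function Get-ExpectedGuestUpn {
    param([Parameter(Mandatory)][string]$Email)
    $local, $domain = $Email -split '@', 2
    return "{0}_{1}#EXT#@{2}" -f $local, $domain, $TenantInitialDomain
}

# Look for an existing object carrying the invited address. Guests created by an
# invitation carry the address in mail/otherMails, so this also catches a guest whose
# UPN contains '#' without putting that character into the OData filter.
function Find-ExistingUser {
    param([Parameter(Mandatory)][string]$Email)
    $e = $Email.Replace("'", "''")   # escape single quotes for the OData filter
    $filter = "mail eq '$e' or otherMails/any(c:c eq '$e')"
    Get-MgUser -Filter $filter `
        -Property Id, DisplayName, UserPrincipalName, Mail, UserType, ExternalUserState, Identities `
        -ConsistencyLevel eventual -CountVariable hits
}

# identities[].issuer records who actually authenticates this guest:
#   ExternalAzureAD  -> another Azure AD tenant (Mary's case)
#   MicrosoftAccount -> personal Microsoft account (Johnny's case)
#   google.com       -> Google federation (Karen's case)
#   mail             -> email one-time passcode, no Microsoft identity involved
function Show-UserIdentities {
    param([Parameter(Mandatory)]$User)
    foreach ($id in $User.Identities) {
        "{0,-55} {1,-7} {2,-18} {3}" -f $User.UserPrincipalName, $User.UserType, $id.Issuer, $id.IssuerAssignedId
    }
}

# Invite only when nothing in the directory already matches the address.
function Invite-GuestIfNew {
    param([Parameter(Mandatory)][string]$Email)
    $existing = @(Find-ExistingUser -Email $Email)
    if ($existing.Count -gt 0) {
        Write-Host "Not inviting $Email; $($existing.Count) matching object(s) already present:"
        $existing | ForEach-Object { Show-UserIdentities -User $_ }
        $expected = Get-ExpectedGuestUpn -Email $Email
        $existing | Where-Object { $_.UserPrincipalName -ieq $expected } |
            ForEach-Object { Write-Host "  (already redeemed as $($_.UserPrincipalName), state: $($_.ExternalUserState))" }
        return
    }
    # Redeeming this invitation creates exactly one guest object in this tenant and
    # nothing in the guest's home account, so existing MSA/Xbox/employer access is untouched.
    New-MgInvitation -InvitedUserEmailAddress $Email -InviteRedirectUrl $SiteUrl -SendInvitationMessage:$true
}

# Dry run: the UPNs the reply's example guests will show up with
"mary@contosohi.co.jp", "FictionalKaren@gmail.com", "FictionalJohnny@live.com" |
    ForEach-Object { Get-ExpectedGuestUpn -Email $_ }

Invite-GuestIfNew -Email "FictionalJohnny@live.com"
```

Run it once with only the dry-run lines to confirm the derived UPNs look right for your tenant before letting Invite-GuestIfNew send anything; if the lookup returns a Member rather than a Guest for an address, that is a sign the address already has a full account in the tenant and should not be invited as a guest at all.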