SPO - Guests inviting Guests - No AAD guest account created


Hi All,

This lies across two products, Azure B2B and SPO.

I'm looking to test the "Allow Guests to Share items they don't own" global SPO control.

I've noted with New and Existing Guests on a SPO site, that a folder or file can be shared to a guest. During the sharing process, the guest account is created in Azure AD and all is working well with the Azure B2B integration configured.

I've then set the allow guests to invite guests - the invitation is sent as expected from one guest to another. However, it looks like the guest inviting another guest doesn't trigger the guest account creation in Azure AD. SPO shows the secondary guest with access to the file; they just can't log in, receiving the "does not exist in tenant" error due to no guest account being created. I am sure it would work if I create a guest account for the user in AAD; however, I was hoping it would be the same as a member sharing to a guest, to remove additional overhead.

I haven't found any information on this looking through all the docs.microsoft.com articles. Is this by design, or does this operate on a really long synchronisation schedule between SPO and AAD?

Thanks!


Hi @Miike,

What are the emails from those guest accounts (domains)? Users who do not have Microsoft accounts usually have to enter a passcode to view the document.

Check it out here: One-time passcode authentication for B2B guest users - Azure AD | Microsoft Docs

Hi Adin_Calkic,

No issues when testing with guest users and happy generally with Azure B2B integration into SPO/OD4B sharing. Upon tenant members sharing content with external guest users, their AAD account is created via the integration in an invitation pending state until the recipient logs in and completes the workflow to access the required item.

So it looks like this currently:
Tenant User ----> Guest User (Gmail) ----> Document
(Account is created at sharing time in Azure AD awaiting Invitation acceptance)

Then that Guest User is trying to share a document they don't own, given the global external sharing settings this is allowed. They can send an invitation to another guest user.

External User (Gmail) ---> Share File ---> External User (Microsoft Account) ---> Login error (Post Auth to 365).

It's the standard error with an account missing from AAD: "User account from identity provider does not exist in tenant and cannot access the application." I expected the behind-the-scenes provisioning to work when initiated by guests, but this could be by design to prevent abuse of sharing to guests who don't already have a tenant account. Just checked AAD ~10 hours later: the guest account hasn't been provisioned, so I don't think it's a sync delay.

It's likely a niche scenario!
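A way to spot the situation described in this thread from the admin side is to reconcile the external sharees SPO reports against the guest objects that actually exist in Azure AD. The script below is an added example, not code from the thread's participants or from Microsoft; the Graph user fields it reads (`userType`, `mail`, `userPrincipalName`, `externalUserState`) are real, but the sample Graph response and sharee list are constructed inline so it runs offline, and the `#EXT#` UPN decoding relies on the usual B2B naming convention.

```python
"""Reconcile SPO external sharees against Azure AD guest objects (offline sample)."""
from typing import Dict, Iterable, Optional


def external_email_from_guest_upn(upn: str) -> Optional[str]:
    """Recover the invited address from a B2B guest UPN.

    'jane_gmail.com#EXT#@contoso.onmicrosoft.com' -> 'jane@gmail.com'
    The last underscore before '#EXT#' stands in for the original '@'.
    """
    marker = "#EXT#@"
    if marker not in upn:
        return None
    local = upn.split(marker, 1)[0]
    head, sep, domain = local.rpartition("_")
    return f"{head}@{domain}".lower() if sep else None


def index_guests(graph_users: Iterable[dict]) -> Dict[str, str]:
    """Map each guest's external e-mail to its externalUserState."""
    index: Dict[str, str] = {}
    for user in graph_users:
        if user.get("userType") != "Guest":
            continue  # members never represent an external sharee
        # 'mail' can be null on invited-but-unaccepted guests; fall back to the UPN
        email = (user.get("mail") or "").lower() or \
            external_email_from_guest_upn(user.get("userPrincipalName", ""))
        if email:
            index[email] = user.get("externalUserState") or "Unknown"
    return index


def reconcile(sharees: Iterable[str], graph_users: Iterable[dict]) -> Dict[str, str]:
    """For every SPO sharee, report the AAD state or 'MissingInAAD'."""
    guests = index_guests(graph_users)
    return {s.lower(): guests.get(s.lower(), "MissingInAAD") for s in sharees}


# Constructed sample data (not real tenant output): what GET /users?$select=... might return
SAMPLE_GRAPH_USERS = [
    {"userType": "Member", "mail": "owner@contoso.com",
     "userPrincipalName": "owner@contoso.com", "externalUserState": None},
    {"userType": "Guest", "mail": None,  # invited by a tenant member, not yet accepted
     "userPrincipalName": "guest1_gmail.com#EXT#@contoso.onmicrosoft.com",
     "externalUserState": "PendingAcceptance"},
]
# Constructed: sharees SPO lists on the document, including the guest-invited one
SAMPLE_SPO_SHAREES = ["guest1@gmail.com", "Guest2@outlook.com"]

if __name__ == "__main__":
    for sharee, state in reconcile(SAMPLE_SPO_SHAREES, SAMPLE_GRAPH_USERS).items():
        print(f"{sharee}: {state}")
```

Feed `reconcile` the real `/users` page and the sharee list from SPO; any "MissingInAAD" entry is a grant that will fail at sign-in exactly as described above.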