SOLVED

Manual creation of external users

%3CLINGO-SUB%20id%3D%22lingo-sub-40615%22%20slang%3D%22en-US%22%3EManual%20creation%20of%20external%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-40615%22%20slang%3D%22en-US%22%3E%3CP%3EAs%20we%20know%2C%20%22Allow%20sharing%20only%20with%20the%20external%20users%20that%20already%20exist%20in%20your%20organization's%20directory%22%20is%20the%20default%20for%20Groups.%3C%2FP%3E%3CP%3EGiven%20that%26nbsp%3Ba%20customer%20of%20mine%20doesn't%20want%20to%20change%20such%20default%20(and%20in%20general%20doesn't%20want%20to%20use%20PowerShell)%2C%20which%20is%20the%20best%20practice%20for%20them%20to%20create%20in%20advance%20external%20users%20in%20their%20organization's%20directory%20before%20sharing%20items%20with%20such%20external%20users%3F%3C%2FP%3E%3CP%3EI%20guess%20that%20they%20must%20in%20any%20case%20use%20the%20AAD%20portal%2C%20but%20while%26nbsp%3Bthey%20could%20directly%20create%20external%20users%26nbsp%3Bhaving%26nbsp%3BMS%20accounts%2C%20they%20should%20use%20instead%26nbsp%3BB2B%20in%20order%20to%20create%20external%20users%20having%20O365%20accounts.%20Am%20I%20correct%3F%3C%2FP%3E%3CP%3Ecc%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F60%22%20target%3D%22_blank%22%3E%40Juan%20Carlos%20Gonz%C3%A1lez%20Mart%C3%ADn%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-40615%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EOffice%20365%20Groups%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-43783%22%20slang%3D%22en-US%22%3ERe%3A%20Manual%20creation%20of%20external%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-43783%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20s%20for%20the%20info.%20I'm%20guessing%20that%20my%20invite%20code%20works.%20%3B)I'll%20write%20up%20a%20blog%20post.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-43762%22%20slang%3D%22en-US%22%3ERe%3A%20Manual%20creation%20of%20external%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-43762%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Paul.%3C%2FP%3E%3CP%3EYou%20are%20correct%2C%20external%20users%20can%20see%20only%20SPO%20resources%20and%20not%20EXO%20resources.%3C%2FP%3E%3CP%3EThis%20is%20due%20to%20the%20strict%20licensing%20enforcement%20for%20EXO%3A%20external%20users%20by%20definition%26nbsp%3Bhave%20no%20EXO%20licenses%20and%20therefore%20they%20cannot%20access%20EXO%20resources%20in%20the%20tenant.%3C%2FP%3E%3CP%3EOn%20the%20other%20side%2C%20external%20users%20can%20access%20SPO%20resources%20in%20the%20tenant%26nbsp%3Balso%20if%20they%20have%20not%20SPO%20licenses%3A%20in%20other%20words%2C%20SPO%20licensing%26nbsp%3Bis%20substantially%20not%20enforced.%3C%2FP%3E%3CP%3EAll%20this%20said%2C%20for%20external%20users%20that%20are%20mere%20%22sharing%20targets%22%20of%20SPO%20items%20this%20behaviour%26nbsp%3Bshould%20be%20obvious%3A%20they%20can%20access%20only%20the%20SPO%20items%20that%20have%20been%20shared%20with%20them.%3C%2FP%3E%3CP%3EUnfortunately%2C%20though%2C%26nbsp%3Balso%20external%20members%20of%20Office%20365%20Groups%20(which%20can%20indeed%20acces%20%3CSTRONG%3Eall%3C%2FSTRONG%3Ethe%20SPO%20resources%20of%20the%20Group)%20cannot%20access%20the%20EXO%20resources%20of%20the%20Group%20(they%20can%20only%20receive%20email%20notifications%20for%20every%20message%20posted%20to%20the%20Group%20conversation%20area%2C%20to%20which%20they%20can%20also%20post%20by%20email).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E(BTW%2C%20there%20are%20great%20news%20about%20B2B%20in%20AAD.%20Please%20see%20the%20following%20thread%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FAzure-Active-Directory-B2B%2FAzure-AD-B2B-New-updates-make-cross-business-collab-easy%2Fm-p%2F43639%23M10%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FAzure-Active-Directory-B2B%2FAzure-AD-B2B-New-updates-make-cross-business-collab-easy%2Fm-p%2F43639%23M10%3C%2FA%3E)%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-43658%22%20slang%3D%22en-US%22%3ERe%3A%20Manual%20creation%20of%20external%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-43658%22%20slang%3D%22en-US%22%3E%3CP%3EI%20coded%20up%20a%20quick%20UI%20in%20my%20%3CA%20href%3D%22https%3A%2F%2Foffice365groupsexplorer.azurewebsites.net%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Edeveloper-oriented%20playground%20app%3C%2FA%3E.%20It%20does%20add%20the%20users%20in%20AAD%2C%20but%20I%20have%20to%20admit%20that%20the%20sharing%20experience%20is%20sub-optimal.%20Seems%20the%20external%20user%20can%20only%20see%20site%20%26amp%3B%20files.%20Can't%20see%20conversations%20or%20calendar.%20Am%20I%20doing%20it%20wrong%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-42010%22%20slang%3D%22en-US%22%3ERe%3A%20Manual%20creation%20of%20external%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-42010%22%20slang%3D%22en-US%22%3E%3CP%3EGood%20to%20know.%3C%2FP%3E%3CP%3ENevertheless%2C%20I%20would%20rather%20like%20to%20have%20a%20UI%20for%20manually%20creating%20O365%20external%20users%2C%20one%20by%20one%2C%20like%20it%20is%20already%20possible%20(and%20mandatory)%26nbsp%3Bto%20do%20today%26nbsp%3Bfor%20MSA%20external%20users.%3C%2FP%3E%3CP%3EThis%20would%20be%20a%20boon%20for%20small%20organizations%20that%20need%20to%20create%20only%20a%20handful%20of%20external%20users%20and%20don't%20even%20know%20what%20a%20CSV%20is%20(let%20alone%20an%20API...).%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-41982%22%20slang%3D%22en-US%22%3ERe%3A%20Manual%20creation%20of%20external%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-41982%22%20slang%3D%22en-US%22%3E%3CP%3EWell%20this%20is%20changing%20for%20B2B.%3C%2FP%3E%3CP%3EThe%20CSV%20option%20is%20being%20replaced%20with%20an%20API%20which%20is%20part%20of%20the%20Office%20Graph.%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fgraph.microsoft.io%2Fen-us%2Fdocs%2Fapi-reference%2Fbeta%2Fresources%2Finvitation%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgraph.microsoft.io%2Fen-us%2Fdocs%2Fapi-reference%2Fbeta%2Fresources%2Finvitation%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20was%20announced%20at%20Ignite%20and%20still%20in%20beta%20but%20good%20to%20know%20it%20is%20there%20for%20testing%20and%20a%20way%20forward%20with%20B2B.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fchannel9.msdn.com%2Fevents%2FIgnite%2F2016%2FBRK3108%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fchannel9.msdn.com%2Fevents%2FIgnite%2F2016%2FBRK3108%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-40770%22%20slang%3D%22en-US%22%3ERe%3A%20Manual%20creation%20of%20external%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-40770%22%20slang%3D%22en-US%22%3EEy%20Salvatore%2C%3CBR%20%2F%3ESorry%2C%20I%20missunderstood%20your%20question%20%3A-(...you%20are%20right%2C%20it's%20not%20possible%20to%20manually%20add%20users%20from%20other%20Office%20365%20tenant%20in%20Azure%20AD.%20You%20need%20to%20use%20the%20B2B%20approach%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-40762%22%20slang%3D%22en-US%22%3ERe%3A%20Manual%20creation%20of%20external%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-40762%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Juan.%20The%20problem%20is%20not%20with%20hotmail.com%20(and%20similar%20MSA)%26nbsp%3Busers%2C%20the%20problem%20is%20with%20O365%20accounts.%3C%2FP%3E%3CP%3EHow%20do%20I%20manually%20add%20to%20AAD%20an%20O365%20account%20(from%20another%20tenant)%20as%20external%20user%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-40661%22%20slang%3D%22en-US%22%3ERe%3A%20Manual%20creation%20of%20external%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-40661%22%20slang%3D%22en-US%22%3EHello%20Salvatore%2C%3CBR%20%2F%3EThat%20sounds%20very%20strange...I%20have%20just%20added%20a%20hotmail.com%20user%20in%20the%20Azure%20AD%20portal%20with%20no%20problems%20using%20the%20manual%20approach%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-40658%22%20slang%3D%22en-US%22%3ERe%3A%20Manual%20creation%20of%20external%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-40658%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20Juan.%3C%2FP%3E%3CP%3EUnfortunately%2C%26nbsp%3Bwhen%20they%20add%20users%20manually%20(using%20Azure%20AD%20Portal)%20it%20appears%20that%20while%20they%20can%20add%20directly%20individual%20MS%20accounts%2C%20they%20are%20instead%20forced%20to%20use%20the%20B2B%20procedure%20(i.e.%20the%20CSV)%20even%20to%20add%20a%20single%20O365%20(external)%20account.%3C%2FP%3E%3CP%3EIn%20other%20words%2C%26nbsp%3Bthey%20have%20not%20found%20a%20way%20in%20the%20AAD%20portal%20to%20add%20manually%20just%20one%20(f.e.)%20O365%20external%20account%20without%20having%20to%20create%20a%20CSV%20for%20the%20B2B%20procedure.%3C%2FP%3E%3CP%3ECan%20you%20confirm%3F%3C%2FP%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-40642%22%20slang%3D%22en-US%22%3ERe%3A%20Manual%20creation%20of%20external%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-40642%22%20slang%3D%22en-US%22%3EEy%20Salvatore%2C%20IMHO%20you%20are%20correct%20...only%20downside%20of%20Azure%20B2B%20is%20that%20it's%20limited%20to%20professional%20accounts...of%20course%2C%20customer%20can%20manually%20add%20the%20users%20using%20Azure%20AD%20Portal%3C%2FLINGO-BODY%3E
Highlighted
Trusted Contributor

As we know, "Allow sharing only with the external users that already exist in your organization's directory" is the default for Groups.

Given that a customer of mine doesn't want to change such default (and in general doesn't want to use PowerShell), which is the best practice for them to create in advance external users in their organization's directory before sharing items with such external users?

I guess that they must in any case use the AAD portal, but while they could directly create external users having MS accounts, they should use instead B2B in order to create external users having O365 accounts. Am I correct?

cc @Juan Carlos González Martín

10 Replies
Highlighted
Ey Salvatore, IMHO you are correct ...only downside of Azure B2B is that it's limited to professional accounts...of course, customer can manually add the users using Azure AD Portal
Highlighted

Thanks Juan.

Unfortunately, when they add users manually (using Azure AD Portal) it appears that while they can add directly individual MS accounts, they are instead forced to use the B2B procedure (i.e. the CSV) even to add a single O365 (external) account.

In other words, they have not found a way in the AAD portal to add manually just one (f.e.) O365 external account without having to create a CSV for the B2B procedure.

Can you confirm?

 
Highlighted
Hello Salvatore,
That sounds very strange...I have just added a hotmail.com user in the Azure AD portal with no problems using the manual approach
Highlighted

Hi Juan. The problem is not with hotmail.com (and similar MSA) users, the problem is with O365 accounts.

How do I manually add to AAD an O365 account (from another tenant) as external user?

Highlighted
Best Response confirmed by Salvatore Biscari (Trusted Contributor)
Solution
Ey Salvatore,
Sorry, I missunderstood your question :-(...you are right, it's not possible to manually add users from other Office 365 tenant in Azure AD. You need to use the B2B approach
Highlighted

Well this is changing for B2B.

The CSV option is being replaced with an API which is part of the Office Graph.

https://graph.microsoft.io/en-us/docs/api-reference/beta/resources/invitation

 

It was announced at Ignite and still in beta but good to know it is there for testing and a way forward with B2B.

 

https://channel9.msdn.com/events/Ignite/2016/BRK3108

 

Highlighted

Good to know.

Nevertheless, I would rather like to have a UI for manually creating O365 external users, one by one, like it is already possible (and mandatory) to do today for MSA external users.

This would be a boon for small organizations that need to create only a handful of external users and don't even know what a CSV is (let alone an API...).

Highlighted

I coded up a quick UI in my developer-oriented playground app. It does add the users in AAD, but I have to admit that the sharing experience is sub-optimal. Seems the external user can only see site & files. Can't see conversations or calendar. Am I doing it wrong?

Highlighted

Hi Paul.

You are correct, external users can see only SPO resources and not EXO resources.

This is due to the strict licensing enforcement for EXO: external users by definition have no EXO licenses and therefore they cannot access EXO resources in the tenant.

On the other side, external users can access SPO resources in the tenant also if they have not SPO licenses: in other words, SPO licensing is substantially not enforced.

All this said, for external users that are mere "sharing targets" of SPO items this behaviour should be obvious: they can access only the SPO items that have been shared with them.

Unfortunately, though, also external members of Office 365 Groups (which can indeed acces all the SPO resources of the Group) cannot access the EXO resources of the Group (they can only receive email notifications for every message posted to the Group conversation area, to which they can also post by email).

 

(BTW, there are great news about B2B in AAD. Please see the following thread: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-B2B/Azure-AD-B2B-New-updates-make-cros...)

Highlighted

Thank s for the info. I'm guessing that my invite code works. ;) I'll write up a blog post.