cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Silently adding Guest users to Azure AD

Ronnie Saini
Copper Contributor

‎Apr 30 2019 08:39 AM - last edited on ‎Jan 14 2022 04:46 PM by

‎Apr 30 2019 08:39 AM - last edited on ‎Jan 14 2022 04:46 PM by

Silently adding Guest users to Azure AD

Here is a use case:

We are planning to migrate our on-premises SharePoint 2013 (Client facing portal) to Office 365 and leverage Azure AD B2B (Guest Users) 

 

Migration Requirements:

- The external user accounts need to be available at the destination to successfully map the content from the source

 

Challenge:

- If we create an external/guest user account in Azure AD, an invitation email goes out for account activation/acceptance of the terms/enrollment in MFA - this may confuse users as migration hasn't started yet and they won't have access to any sites in Office 365 at this point

 

Objective:

- I would like to create external user accounts silently (about 3,000), do the migration/map the content to the newly created accounts - send out an email to external clients about their account activation

- I would like to enable MFA for all the accounts for external users when they first login/activate the account

 

is this possible?

 

 

Labels:
8,769 Views
0 Likes
4 Replies
Reply
4 Replies
Prashant Gupta

‎May 03 2019 10:25 AM

‎May 03 2019 10:25 AM

Re: Silently adding Guest users to Azure AD

Not tested but You can programmatically create guest users using Invitation API and save the the redemption url generated against each guest user name probably in a csv file. Later on you can send email to each guest user with redemption link. In Azure AD, you can configure conditional access (MFA) since start for usertype = guest. When guest user will receive your invitation email and try to redeem the invitation, MFA setup will automatically trigger for the user.
0 Likes
Reply

‎May 06 2019 08:58 AM

‎May 06 2019 08:58 AM

Re: Silently adding Guest users to Azure AD

@Ronnie Saini As per the answer from @Prashant Gupta, you can create the users via PowerShell script, capture the redemption URL and then distribute the redemption URL to the users via another method.

 

We did exactly that. A few lessons we learned:

  1. A process needs to be put in place to "clean up" or "remind" users to complete their registration. Not all users will be available / able to complete the process when you dictate.
    1. Be aware that the PowerShell script will create the object, this is needed in order to assign it to a group / SharePoint site.
    2. This means that if users do not redeem the invitation, you will have artefacts that you need to be aware of / maintain for a period of time.
    3. Users are "funny" creatures. A guest will ignore the redemption email and a few months from now attempt to access your environment. If you did not "clean up" the environment, you need to re-send the invitation. I'm not sure that the redemption URL can be re-created without deleting the object and re-creating the object.
  2. A process needs to be put in place to assist users with resetting their MFA device (in case of loss or theft) or MFA phone number (as you cannot control which MFA option the guest will opt for)
    1. We recommended our guests install the Microsoft Authenticator application on a mobile device as it only uses data for initial download and registration, thereafter you do not require a data connection (in our experience).

Hope this helps. Know that this is not a simple "fire and forget" activity, it requires a lot of reporting, follow-up and monitoring to ensure your users are not significantly impacted.

 

Another point - remember to set the password restrictions for the guest accounts to be the same as for your internal users, else you have two levels to maintain.

 

J

0 Likes
Reply
Corsino

‎Jul 18 2019 09:49 AM - edited ‎Jul 25 2019 06:09 AM

‎Jul 18 2019 09:49 AM - edited ‎Jul 25 2019 06:09 AM

Re: Silently adding Guest users to Azure AD

Per my understanding, you will always send an email to users. If this is the case, you can invite using PowerShell (bulk invitation) with an email template created by you. I have attached the script. Remember: the user needs to accept and consent the invitation. There's no workaround for this ;)
Preview file
12 KB
0 Likes
Reply
Andrea PALAZZI

‎Feb 10 2021 01:41 PM

‎Feb 10 2021 01:41 PM

Re: Silently adding Guest users to Azure AD

@Corsino 

 

Does exist a script that will allow the creation of the  guest user account having an excel file as a source (file1.csv), not sending the invite and create an excel file with inside "DisplayName, email address, reddem link into a target (file2.csv).

 

So we can use outlook later on with the outlook mail merge to send the email we would like to send with nice text picture and so on?

 

Kind regards

 

Andrea

0 Likes
Reply