Dec 11 2018 06:17 AM
Dec 11 2018 06:17 AM
Just want to make sure! Company with DomainX use office 365 for some users! If i add a user with user.domainX.com to my team and that user have a license in their tenant it works! If I invite someone on domainX not using office 365 , they get an error using the invite link
Something like this: AADB2B_0001 Can't create an Azure AD account with self-service due to the catalog is federated….
Dec 11 2018 07:49 AM
Dec 11 2018 08:11 AM
Dec 11 2018 10:00 AM
There is no such thing as self-service account provisioning, an admin in the organization needs to provision the account. If the account doesn't exist, the entry will simply remain in your directory as "orphaned" object.
Dec 11 2018 10:56 AM
I was looking at the Set-MsolCompanySettings -AllowEmailVerifiedUsers setting which joins by email validation
Don't know exactly what's happening here but according to this blogpost, it would be possible if the mail address matches the tenant name
Found this MS documentation link about the cmdlet as well! Don't say much though
Dec 11 2018 12:55 PM
@adam deltinger if the company your are connecting to does not use any services based on AzureAD then a tenant gets provisioned and your guests are created within it.
If the company already has AzureAD for something then it's managed by the global admins of that tenant.
Interestingly if you have one of these virally provisioned tenants, then but something with AzureAD you adopt the tenant, and can then manage the accounts created there.
Dec 11 2018 01:03 PM
Dec 11 2018 01:09 PM
If there is already a managed AzureAD then accounts can only be created there by that company, it's admins etc.
If the company has never used AzureAD then accounts get automatically provisioned in a virally provisioned AzureAD tenant for the company.
Dec 11 2018 01:33 PM
Dec 11 2018 01:42 PM
Dec 12 2018 06:16 AM
Any thoughts or experiences regarding this thread and the AllowEmailVerifiedUsers setting?
I'm awaiting the guest user to accept the invite after their admin syncing the user to AAD, but the users invite url is now directing to their tenant :)
Curious about the AllowEmailVerifiedUsers though!
Dec 12 2018 06:20 AM
Dec 12 2018 06:27 AM
yeah, i've heard those scenarios. But in this case I guess the user won't have to be licenced. isn't that basically the same thing as having a 365 license, with teams disabled in this case?
Dec 12 2018 06:29 AM
Dec 12 2018 06:59 AM
Have experienced a few scenarios like this
1.) Like @Chris Webb where the other tenant has 365 but Teams is completely off and the org didn't want Teams, I have invited them as a guest on their MSA account
2.) In the same scenario when the other tenant has 365 but Teams is completely off I managed to convince the org to set up Teams for the user and invited them as a guest
3.) I have also experienced this when adding a guest to our tenant for an org who hasn't used Office 365 at all and someone has gone and created a free Power BI subscription. Had to go remove the domain and blow it away before the user could be added as a guest.
I would agree with everything others have said. If the domain/subdomain is in AAD then the invite will look for the user there. If there was a scenario, let's say, where the domain is in AAD and the org is only using SharePoint with AADC (not teams) and the user wasn't part of their SharePoint site, then the org would need to sync the user on AADC for the user to exist in Azure AD and an Office 365 licence with Teams (I.e. like Business Essentials) would be the optimal add.
Hope that helps.