SOLVED

Different identity issuer assigned to guest account

Hello there,

I have been noticing that a few of the guest accounts I created have different identity issuers assigned. Some say "Mail" and some say "ExternalAzureAD" or sometimes "XXX.onmicrosoft.com". I cannot find any information about the "Mail" identity issuer, though. Is this somehow connected with MSA (Microsoft) as the IdP service and not Azure AD? I read an article about the different types of external identity issuer in the Microsoft documentation, but the Mail identity issuer was not mentioned once. Any help, guidance or information is greatly appreciated. Thanks and have a great day!

3 Replies
best response confirmed by ChristianJBergstrom (MVP)
Solution
It's used by the new "one-time passcode" invite type, where identity verification happens over email, kinda.

Read here: https://learn.microsoft.com/en-us/azure/active-directory/external-identities/one-time-passcode
Hello Vasil,
Thank you for your quick response. The authentication type assigned for this particular domain/organization was Azure AD per the connected org, not EOTP (email one-time passcode), and in fact another account from the same domain/organization was assigned ExternalAzureAD as its identity issuer. I don't understand why, despite coming from the same domain/organization, they have different identity issuers. Any thoughts about this? Let me know please. Thanks! Your input is greatly appreciated.

@Lotusmail1 

Perhaps those users were created prior to this change?

To improve external sharing, in October 2021, Microsoft plans to turn on Email one-time passcode authentication for Azure AD by default for all tenants. Like the current ad-hoc sharing, the new mechanism features one-time passcodes. The big difference is that successful authentication results in the automatic creation of Azure AD guest accounts for external users.

https://office365itpros.com/2021/08/17/sharepoint-online-embraces-azure-b2b-collaboration-external-s...

I realize this is an old post, but I kept circling back to it in a search, so I figured I'd add detail for others.

Or perhaps the allowExternalIdToUseEmailOtp value was toggled (from Vasil's article).
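The issuer values discussed in this thread ("mail", "ExternalAzureAD", the tenant's own "xxx.onmicrosoft.com") are what Microsoft Graph exposes on each guest's `identities` collection. The script below is an added example, not code from the thread or from Microsoft: it assumes the Graph `user` object shape (`identities` entries with `signInType`, `issuer`, `issuerAssignedId`), runs over a constructed sample instead of a live `GET /users` call, and takes an assumed mapping of connected-org email domains to the issuer you expect for them, so that a guest from an Azure AD-federated domain who nevertheless carries the "mail" (EOTP) issuer is flagged for review.

```python
"""Audit Azure AD / Entra ID guest accounts by identity issuer.

Added example for this thread, not Microsoft's code. Assumes the shape of
Microsoft Graph `user` objects and works on constructed sample records, so it
runs offline.
"""
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample of what
#   GET /v1.0/users?$filter=userType eq 'Guest'
#       &$select=userPrincipalName,mail,userType,creationType,identities
# could return. Issuer strings are the ones discussed in the thread.
SAMPLE_GUESTS: List[Dict] = [
    {   # B2B guest from a connected org that federates with Azure AD
        "userPrincipalName": "alice_fabrikam.com#EXT#@contoso.onmicrosoft.com",
        "mail": "alice@fabrikam.com",
        "userType": "Guest",
        "creationType": "Invitation",
        "identities": [
            {"signInType": "userPrincipalName",
             "issuer": "contoso.onmicrosoft.com",
             "issuerAssignedId": "alice_fabrikam.com#EXT#@contoso.onmicrosoft.com"},
            {"signInType": "federated", "issuer": "ExternalAzureAD",
             "issuerAssignedId": "alice@fabrikam.com"},
        ],
    },
    {   # same domain, but the invitation was redeemed via email one-time passcode
        "userPrincipalName": "bob_fabrikam.com#EXT#@contoso.onmicrosoft.com",
        "mail": "bob@fabrikam.com",
        "userType": "Guest",
        "creationType": "Invitation",
        "identities": [
            {"signInType": "userPrincipalName",
             "issuer": "contoso.onmicrosoft.com",
             "issuerAssignedId": "bob_fabrikam.com#EXT#@contoso.onmicrosoft.com"},
            {"signInType": "federated", "issuer": "mail",
             "issuerAssignedId": "bob@fabrikam.com"},
        ],
    },
    {   # guest with no federated identity recorded: only the home tenant issuer
        "userPrincipalName": "dana_example.org#EXT#@contoso.onmicrosoft.com",
        "mail": "dana@example.org",
        "userType": "Guest",
        "creationType": "Invitation",
        "identities": [
            {"signInType": "userPrincipalName",
             "issuer": "contoso.onmicrosoft.com",
             "issuerAssignedId": "dana_example.org#EXT#@contoso.onmicrosoft.com"},
        ],
    },
]

# Meaning of the issuer values seen in the thread.
ISSUER_MEANING = {
    "ExternalAzureAD": "federated B2B guest from another Azure AD tenant",
    "mail": "guest redeemed through email one-time passcode (EOTP)",
}


def issuer_of(user: Dict) -> str:
    """Return the value the portal shows as "Identity issuer".

    A redeemed guest carries a `federated` identity naming the external IdP;
    without one, fall back to the `userPrincipalName` identity's issuer,
    which is the home tenant's own domain.
    """
    identities = user.get("identities", [])
    for ident in identities:
        if ident.get("signInType") == "federated":
            return ident.get("issuer", "")
    for ident in identities:
        if ident.get("signInType") == "userPrincipalName":
            return ident.get("issuer", "")
    return ""


def describe_issuer(issuer: str) -> str:
    """Map an issuer string to a short explanation."""
    if issuer in ISSUER_MEANING:
        return ISSUER_MEANING[issuer]
    if issuer.endswith(".onmicrosoft.com"):
        return "home tenant issuer (no external identity recorded)"
    return "unrecognised issuer; review manually"


def audit(users: Iterable[Dict], expected: Dict[str, str]) -> Dict:
    """Count guests per issuer and flag those whose issuer differs from the
    one expected for their email domain (an assumed domain->issuer mapping)."""
    by_issuer: Counter = Counter()
    mismatches: List[Dict] = []
    for user in users:
        if user.get("userType") != "Guest":
            continue
        issuer = issuer_of(user)
        by_issuer[issuer] += 1
        domain = (user.get("mail") or "").rpartition("@")[2].lower()
        want = expected.get(domain)
        if want and issuer != want:
            mismatches.append({"userPrincipalName": user["userPrincipalName"],
                               "domain": domain, "issuer": issuer,
                               "expected": want})
    return {"by_issuer": by_issuer, "mismatches": mismatches}


if __name__ == "__main__":
    report = audit(SAMPLE_GUESTS, {"fabrikam.com": "ExternalAzureAD"})
    for issuer, n in report["by_issuer"].items():
        print(f"{n:3d}  {issuer:26s} {describe_issuer(issuer)}")
    for m in report["mismatches"]:
        print("MISMATCH:", m)
```

Against real tenant data, the `expected` mapping would come from your connected-organization configuration; the point of the check is that the same email domain can yield both "ExternalAzureAD" and "mail" guests depending on how each invitation was redeemed, which is exactly the situation described in the thread.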
