SOLVED

Anonymous Access - User not in the directory


 

Hi Everyone,

 

Our company uses SharePoint/OneDrive to allow our customers the ability to share documents with their clients, also allowing clients to upload documents that sync back into our product. 

 

In the last 3-4 weeks, we have had an upsurge in their clients having issues accessing their shared folders - largely receiving the error "User not in the directory" 

 

Very few of the customers use guest access in SharePoint, which will create a guest account in Azure AD - Therefore the majority are using anonymous access to allow customers to open the link provided to them, enter their email address and then the code they receive.

 

This has worked for quite some time without issue. Lately, however, when they first open the link it asks for an email and password, then displays the "User not in the directory" error. During testing, my Gmail account receives a slightly different error - That Microsoft account doesn't exist. Enter a different account or get a new one. In comparison, my Hotmail account receives the user not in directory error as well. 

 

Oddly though, if I close the browser and open the link again and then enter the same email address, it asks for a code... once I enter the code, I can access the shared folders. It appears that something isn't happening the first time, and that failure prompts something to happen so access is given on the second attempt. 

 

If I look at the access permissions on the shared folders, the recipient is there. For whatever reason, they just can't access it... instead they are asked to enter their credentials and receive the error, which is obviously frustrating for them and not ideal for us.

 

I have tried different browsers, incognito modes and different test clients with different emails... It's very inconsistent, sometimes the code will be requested on the first attempt, and others the email and password are requested. 

 

The hyperlinks in the emails are renamed, however it occurs even if the full URL is pasted into the email. 

 

The audit log scripts for SharePoint that I have come across don't provide anything that points to what happens that first time, or anything of use for that matter. 

 

When the issue started to be reported on a more frequent basis, this article was very much fresh off the press which may or may not be coincidental - https://docs.microsoft.com/en-us/sharepoint/troubleshoot/sharing-and-permissions/error-when-external.... We can see who the link is shared with and it's that account receiving the error. Having to re-invite each time is simply not a solution to the problem, not that I see external users show in the SharePoint shell anyway. 

 

In short - Why are anonymous users being asked for a password when they should be asked for a code? Has something changed recently that interferes with anonymous access?

 

If any of you could provide some guidance on where I can look or what may be the cause, it would be very much appreciated.

3 Replies
best response confirmed by marc_4621 (New Contributor)
Solution

@marc_4621 Hello, external SharePoint sharing and OTP have been adjusted from time to time and the behavior will look different in tenants depending on the configured settings. To make the whole sharing process as smooth as possible I would 1) verify that the EOTP (Email one-time passcode) feature in Azure AD is toggled to "Enabled", and 2) enable the Azure AD B2B OneDrive and SharePoint integration.

You can read more about these two features here.

 

One-time passcode authentication for B2B guest users - Azure AD | Microsoft Docs

 

Azure AD B2B integration for SharePoint & OneDrive - SharePoint in Microsoft 365 | Microsoft Docs
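
The two settings named in the answer above can be read back from the tenant rather than checked by hand in the portal. This is an added example, not part of the thread; it assumes the Microsoft.Online.SharePoint.PowerShell and Microsoft.Graph.Authentication modules are installed, and the admin URL is a placeholder.

```powershell
# Added example: read-only audit of the two settings the answer asks to verify.
# Assumption: $AdminUrl is a placeholder; replace it with your own tenant admin URL.
$AdminUrl = 'https://contoso-admin.sharepoint.com'

Connect-SPOService -Url $AdminUrl
Connect-MgGraph -Scopes 'Policy.Read.All'

# 1) Email one-time passcode for external users (Azure AD authentication methods policy).
#    allowExternalIdToUseEmailOtp is 'default', 'enabled' or 'disabled'.
$otp = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/email'

# 2) Azure AD B2B integration for SharePoint and OneDrive (tenant-level setting).
$spo = Get-SPOTenant

[pscustomobject]@{
    EmailOtpForExternalUsers    = $otp.allowExternalIdToUseEmailOtp
    EnableAzureADB2BIntegration = $spo.EnableAzureADB2BIntegration
    SharingCapability           = $spo.SharingCapability
} | Format-List

if ($otp.allowExternalIdToUseEmailOtp -eq 'disabled') {
    Write-Warning 'Email one-time passcode is disabled for external users.'
}
if (-not $spo.EnableAzureADB2BIntegration) {
    # Shown as guidance only; the script itself changes nothing.
    Write-Warning 'B2B integration is off. To enable: Set-SPOTenant -EnableAzureADB2BIntegration $true'
}
```

With the integration enabled, recipients of specific-people links are created as Azure AD B2B guest accounts, so guest-facing policies such as Conditional Access apply to them and the accounts should be included in guest access reviews.
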

Hi Christian, thanks for the response.
I actually spoke to Microsoft support about this and they provided the same guidance as what you have done here.
The one-time code was already enabled, however we disabled the B2B in our environment when we first started to test the reported issues... safe to say that customers will just need to enable that at this point I believe.
They also asked that we clear out people and groups in OneDrive due to the test accounts already being in there, so for accounts that were earlier provided access they may need to be removed and re-added.
Once done, the accounts worked. Hotmail account didn't need a code (Microsoft account), Gmail account needed to enter the code.
Seems happier now, will see how things go.
Thanks again,
Marc

Thanks for the update! Try this on an already added user, if you have any left at this point :)

https://docs.microsoft.com/en-us/azure/active-directory/external-identities/reset-redemption-status