Jun 19 2017 01:56 PM
I have a couple external users from the same company who are receiving identical error messages when trying to accept SharePoint invites.
Details:
Error message seems generic: Sorry, but we're having trouble signing you in. We received a bad request.... AADSTS70001: Application is disabled.
They previously had access to our SharePoint site.
They tell me they have recently purchased Office 365, but not SharePoint.
They have an Exchange email plan only.
The error message they are receiving makes me believe something is not completely setup in their environment. AAD perhaps? It's a bit out of my area of expertise.
Error page attached. Please send prayers my way, along with any guidance I can give them to help them get into our site...
Jun 25 2017 07:42 AM
Jun 26 2017 05:52 AM
Stephen,
I believe you are correct - they had previously been using an MSA to log into sharepoint prior to adopting O365.
Is there a specific address I can point them to when asking them to log out of their AAD account? They do not have a sharepoint site, so would portal.office.com work for them?
Michael
Jun 26 2017 06:28 AM
I have seen a lot of authentication problems for people having the same username (i.e. email address) for the MSA and the Office 365 (commercial) account.
My advice is to get rid of the MSA username asap. It is actually very easy and, by changing the username, they will lose neither their MSA identity nor any of the subscriptions and services associated with it.
Take a look at this article: https://www.howtogeek.com/277170/how-to-change-the-primary-email-address-for-your-microsoft-account/
Jun 26 2017 06:58 AM
Thanks Salvatore.
One question, though, about an issue I don't know how to offer these users a resolution to. We are a business running projects, using SharePoint to distribute documents and send alerts. Previously these external users were signed in with the MSA tied to their work email account. Alerts and notifications would go to their work inbox.
If they change the primary email on the MSA, alerts being sent out for a project they are working on for their company are now going to someone's personal, potentially unmonitored inbox.
This seems like a very weak link in the business process.
What is it in their AAD setup that is preventing them from logging into our SharePoint site with their Office 365 / AAD account?
Michael
Jun 26 2017 07:14 AM
In my understanding, the problem is that those users are instantiated in your AAD as MSAs. Hence, if they are logged in to their AAD and try to log in to your AAD, Office 365 will automatically try to use their AAD identity for authentication and will fail (even if the username, i.e. the email address, is the same...).
One way to solve the problem, as Stephen advised, is to sign out of their AAD every time they want to access your resources, so they will have the possibility to choose to log in to your AAD with their MSA.
AFAIK, though, to solve the problem once and for all, they should get rid of their MSA primary email address and you should remove their MSA from your directory and reshare the resources with them using their AAD identity. @Stephen Rice: am I correct?
Jun 26 2017 11:27 AM
If you want the users to sign out, you can have them go to portal.office.com to sign out, or they can sign out from inside Exchange. That is the easiest short-term solution to unblock your partners.
Salvatore is correct for the long-term approach though. Purge the MSA guest accounts from your directory (can be done in the AAD directory or in the O365 portal) and then reinvite them to all resources they need access to.
Hope that helps!
Stephen Rice
OneDrive Program Manager II
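The purge-and-reinvite step from the answer above, written out as an added PowerShell example (this is not code from the thread or from Microsoft). It assumes the AzureAD PowerShell module and an admin session in the inviting tenant; the partner mail domain, the SharePoint site URL and the `-Apply` switch are assumptions chosen for the example. By default it only reports the guest objects it would touch, so an admin can confirm the list matches the affected partner users before anything is deleted.

```powershell
# Added example, not from the thread: re-provision a partner's B2B guest accounts after
# the partner moved from MSA sign-in to Azure AD sign-in (the AADSTS70001 scenario above).
# Requires the AzureAD module (Install-Module AzureAD) and a User/Global Administrator session.
param(
    [string]$PartnerDomain = "partner.example",                              # assumed partner mail domain
    [string]$ShareUrl      = "https://contoso.sharepoint.com/sites/project",  # assumed site to land on
    [switch]$Apply                                                           # without -Apply: report only
)

Connect-AzureAD | Out-Null

# 1. Enumerate guest objects in our directory whose mail address belongs to the partner domain.
$guests = Get-AzureADUser -All $true -Filter "userType eq 'Guest'" |
    Where-Object { $_.Mail -and $_.Mail.ToLower().EndsWith("@$($PartnerDomain.ToLower())") }

if (-not $guests) {
    Write-Host "No guest accounts found for $PartnerDomain"
    return
}

# 2. Report before touching anything. The guest UPN (user_partner.example#EXT#@tenant.onmicrosoft.com)
#    is the directory object the old invitation created; UserState shows whether it was ever redeemed.
$guests |
    Select-Object DisplayName, Mail, UserPrincipalName, UserState, CreationType |
    Format-Table -AutoSize

if (-not $Apply) {
    Write-Host "Dry run only. Re-run with -Apply to delete these guests and send fresh invitations."
    return
}

foreach ($g in $guests) {
    # 3. Remove the stale guest object. Azure AD keeps deleted users recoverable for 30 days,
    #    so a mistaken removal can be undone from the portal's deleted-users view.
    Remove-AzureADUser -ObjectId $g.ObjectId
    Write-Host "Removed guest $($g.Mail)"

    # 4. Send a new B2B invitation to the same work address. When the partner redeems it while
    #    signed in with their Azure AD account, the new guest object is bound to that identity
    #    instead of the MSA that caused the sign-in failure.
    $inv = New-AzureADMSInvitation -InvitedUserEmailAddress $g.Mail `
                                   -InviteRedirectUrl $ShareUrl `
                                   -SendInvitationMessage $true
    Write-Host "Re-invited $($g.Mail): $($inv.Status)"
}
```

Run it once without `-Apply` and compare the table against the partner's user list; only then run it with `-Apply`. Re-creating the directory object does not restore SharePoint permissions, so the site or library still has to be shared again with the new guest, as the answer says.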
Oct 05 2018 08:05 PM
Are there any plans to simplify the registration process for external users? The big issue seems to be that most non-technical people have no idea if their account is MSA or AAD. It would be better for SharePoint Online registration if there were just one option which checked both databases and flagged up if there was more than one account linked to the email address.
Oct 08 2018 06:42 PM
Hi @Chris Mullan,
This is something we absolutely want to make as easy and simple as possible. We're continuing to work with the Azure Active Directory team to solve these types of issues as they come up. Thanks!
Stephen Rice
OneDrive Program Manager II