Stephen,

I believe you are correct - they had previously been using an MSA to log into sharepoint prior to adopting O365.

Is there a specific address I can point them to when asking them to log out of their AAD account?  They do not have a sharepoint site, so would portal.office.com work for them?

Michael

I have seen a lot of authentication problems for people having the same username (i.e. email address) for the MSA and the Office 365 (commercial) account.

My advice is to get rid asap from the MSA username. It is actually very easy and, changing the username, they will loose neither their MSA identity, nor all the subscription and services associated with it.

Give a look to this article: https://www.howtogeek.com/277170/how-to-change-the-primary-email-address-for-your-microsoft-account/

Thanks Salvatore.

One question though about an issue that I don't know how to offer a resolution to these users.  We are a business running projects, using sharepoint to distribute documents and send alerts.  Previously these external users were signed in with the MSA tied to their work email account.  Alerts and notifications wouild go to their work inbox.

If they change the primary email on the MSA, alerts being sent out for a project they are working on for their company are now going to someone's personal, potentially unmonitored inbox.

This seems like a very weak link in the business process.

What is it in their AAD setup that is preventing them from logging into our sharepoint site with their Office 365 / AAD account???

Michael

In my understanding, the problem is that those users are instantiated in your AAD as MSAs. Hence, if they are logged in to their AAD and try to login to your AAD, Office 365 will automatically try to use their AAD identity for authentication and will fail (also if the username, i.e. the email address, is the same...).

One way to solve the problem, as Stephen adviced, is to sign out their AAD every time they want to access your resources, so they will have the possibility to choose to login to your AAD with their MSA.

AFAIK, though, to solve once for all the problem, they should get rid of their MSA primary email address and you should remove their MSA from your directory and reshare the resources with them using their AAD identity. @Stephen Rice: am I correct?

If you want the users to sign out, you can have them go to portal.office.com to sign-out or they can signout from inside Exchange. That is the easiest short term solution to unblock your partners.

Salvatore is correct for the long term approach though. Purge the MSA guest accounts from your directory (can be done in AAD directory or in O365 portal) and then reinvite them to all resources they need access to. 

Hope that helps!

Stephen Rice

OneDrive Program Manager II

Are there any plans to simplify the registration process for external users? - the big issues seems to be that most non technical people have no idea if their account is MSA or AAD. it would be better for a sharpoint online registration if there was just one option which checked both databases and flagged up if there was more than one account linked to the email address

Hi @Chris Mullan,

This is something we absolutely want to make as easy and simple as possible. We're continuing to work with the Azure Active Directory team to solve these types of issues as they come up. Thanks!

Stephen Rice

OneDrive Program Manager II