Azure AD B2B
How to set up external user account expiration for Azure AD?
Right now, we are collaborating with external users using B2B functionalities. These external users are automatically added to our Azure AD directory when they accept and register through MFA. Now we want to set up expiration on these external users (guest user lifecycle) that automatically removes these guest users from our Azure AD directory after X days. Otherwise the list of external users will continue to grow with time. Any help appreciated!

Azure B2B guest users licensing question
Hello, I am working on Azure B2B in order to add guest users in my Azure AD tenant. I am wondering how to find out the following information. https://docs.microsoft.com/en-us/azure/active-directory/b2b/licensing-guidance The document explains: "B2B guest user licensing is automatically calculated and reported based on the 1:5 ratio. Additionally, guest users can use free Azure AD features with no additional licensing requirements. Guest users have access to free Azure AD features even if you don't have any paid Azure AD licenses." As reported here: https://azure.microsoft.com/en-us/pricing/details/active-directory/ my guest users use only free Azure AD features, such as:
- User provisioning
- User and group management (add/update/delete)
So my question is: is the 1:5 ratio also applied for free Azure AD features? Am I subject to this ratio even if guest users use free AAD features? Can I see somewhere on the portal if I exceed this limit? Thank you. Nicolas

MS Teams in Cross-Tenant synchronization
Hello! I am using Cross-Tenant synchronization (preview) to synchronize two tenants (A and B). I have created a configuration to send the users from Tenant A to Tenant B. In the "Provision Azure Active Directory Users" mapping, the "Usertype" attribute is set to Member and the "showInAddressList" attribute is set to True. After these settings, in Outlook the migrated users appear in the GAL/search bar and work perfectly, showing data, status and sending e-mails normally. In Microsoft Teams, the migrated users appear in the GAL with all their data, but no status, and the messages do not arrive at their destination. Is this normal for the tool? If yes, is there any way to hide these migrated users only in MS Teams? I am worried about the end user sending messages to these migrated users and not being able to contact them. Regards,

External Guest User licensing demystified
Hi, looking at https://docs.microsoft.com/bs-latn-ba/azure/active-directory/b2b/licensing-guidance could I confirm the following please:
1) The fact my guest users each have an Azure P1 license on their source tenant is irrelevant.
2) On the target tenant they can be freely invited and not need additional licenses.
3) Again, if we rely on the MFA setup on their target tenant we still don't need additional licences.
4) If we want each external user to be a member of a dynamic AD group on the target tenant, then an additional Azure AD P1 license is required on the target tenant, for every 5 guest users.
5) Again as with point 4) if we wanted to enable MFA on our target tenant for all guest users .

Invitation redemption failed
We have started getting the "Invitation redemption failed An error has occurred. Please retry again shortly." error for newly invited gmail users. This was working perfectly fine last week. We have raised a ticket with Microsoft, however they are still investigating. Can someone please assist here? Thanks, Manoj

Allowing an external org to access my application (registered in Azure AD) with their credentials?
Hi all, I have created a single tenant application that works well for my organisation, however I need to add another organisation (external) to be able to use my application. The organisation that I want to add has an Azure AD. Hence my goal is to enable people from the 2nd organisation to sign into my app without needing to register. How am I supposed to go about this? I've looked into the "app registrations" page but have not seen such ability, and I've looked online to find a solution to this problem to no avail. I'm aware I will need to change the application to "multi-tenant" and also change the URLs from tenant specific to /common. However, I have no idea how to go about enabling a specific organisation to be able to access my application (while not allowing other orgs) and use my app after signing on using their Microsoft org credentials without registration. I'm looking for suggestions on how I should go about this, or a resource I can use to do this, as I'm a bit lost on how to do this - still a bit of a noobie with Azure AD. Appreciate any help! Thanks,

Lost access to B2B organization after tenant migration
Hi. We recently migrated to a new tenant. Several users, including myself, have lost access to other organizations' Team(s) they were invited to. Our tenant name changed (and of course our onmicrosoft.com email addresses), but not our company email addresses. Using the original redemption email link does not work. I am assuming now that these are connected to the tenant and not just the email. How can we gain access to our external partners? (We are not all accessing the same company.) I also assume the organization will have to reinvite people. But how would they go about doing that? Looking at our own Azure AD and external profiles, I do not see a way to resend an invitation. TIA (Edited to update title)

Cross-tenant synchronization unable to provision group
Hello, I'm trying to sync some groups from a tenant to another, but the log returns this error:
    Result: Skipped
    Description: Group '31d81b35-5725-40f5-9242-02a100363959' will be skipped. EntityTypeNotSupported
    SkipReason: EntityTypeNotSupported
    ReportableIdentifier: 31d81b35-5725-40f5-9242-02a100363959
This issue occurs with any kind of group, M365 or security. Users seem to work. What could I do to address this issue?

Guest MFA - require register phone as well as authenticator app
Hi all, so I am aware of cross-tenant MFA settings and we are testing this feature, but it does not help in all scenarios, e.g. the guest has AAD but doesn't have MFA enforced in their home tenant. So guests are forced to register for MFA in our tenant using a conditional access policy. This uses the authenticator app by default, unless they click the text 'I want to set up a different method' at the bottom (which no one notices). Now using the app for guests is problematic. Frequently they change phones and forget to move their authenticator app over, resulting in loss of access. When that happens, they have no way of getting back in since the app is their only authentication method. They don't have the number of our helpdesk since they are external, so they don't know how to call support and get their authentication methods reset. So they basically get locked out forever and just give up trying to access content shared with them. So I would like to do one of the following:
- Force them to add a phone number upon first registration
- Change phone number to default, before app registration
- Or better still, use email as a fallback, since we already have their external email address; they could just be sent a one-time code.
I think the last option is the best, since SMS is not exactly secure. There is an option 'email one-time passcode for guests', however this only applies to guests who don't have an AAD or MS account. It would be great if this option also applied to AAD guests who lost their app. Does anyone know a way around this situation? We can't ask guests to go in via myapps, switch tenants, and add a method; that's just not going to happen. Thanks, Hal

Cross Tenant Synchronization User deletion issue
Hi, I have configured the tenant synchronization setup and everything is working fine, except when I delete a user from the source tenant, it doesn't get deleted from the target tenant. Are there any settings that I am missing? Thanks, Usman