Forum Discussion
Guest users are getting a mailbox for MSA, which can be used to send email with an anonymous id.
Hello Nikita,
Team, I found something which might be obvious as per the product design, but for some reason I am unable to understand the purpose of getting a mailbox provisioned for guest users in the live database.
Step 1) A guest user is invited (from any platform: Gmail, Yahoo, etc.).
Step 2) The user accepts the invitation.
- In the process of accepting the invitation, the user is redirected to the invitation portal, with a reference to the tenant id:
https://invitations.microsoft.com/msa/index?tenant=#####-2165-4f23-9162#######fedbac&user=d0bc87c5-9b50-4b8f-a039-5173e277c148&ticket=JpdpZwOuKXpSvxYew0ee4W0N0mpscCq7WiYGqwXrnLY%3D&ver=2.0&consentAccepted=False
If the live database is already aware of this account, the request gets completed with the consent prompt -> expected behaviour.
Now let's consider that I am not using an Outlook, Hotmail, or Live account.
For testing purposes I used a Gmail account: test****@gmail.com.
The moment I clicked on "Get started" I was redirected to https://signup.live.com
And below is the prompt that I received -> obvious, as we need an identity.
Once I clicked on "Yes", it asked me to create a password -> which is also obvious, since a new account is getting created in the live database.
Now, since the account is created, a consent prompt appears from the invitations portal to access the information from the live database.
Everything is working as expected.
Now the concern is: if I am using a Gmail account with a UPN of test####@gmail.com,
an account with the same UPN is created in the live database, and if I go to outlook.com, I can sign in with the newly created account and send emails.
I am not sure if this should be a part of the invitation process.
But I want to verify whether an MSA mailbox getting associated with a Gmail id that exists in the live database is required or not.
If it is required, what is the purpose of this mailbox?
Instead, there should be a prompt which the user should approve or deny before a mailbox is provisioned.
If we think from a security perspective, there should be no mailbox provisioned for the user in the live database if he/she is using Gmail, Yahoo or any other service provider.
Regards,
Rishabh
1 Reply
- Rishabh Srivastava (Iron Contributor)
The answer to my question was recently added to Azure AD.
https://docs.microsoft.com/en-us/azure/active-directory/b2b/google-federation
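The security point of the thread is that a guest invited with a Gmail address may end up backed by a consumer Microsoft account (with its own outlook.com mailbox) rather than by Google federation. A tenant admin can check which provider actually backs each existing guest by reading the `identities` collection of the Microsoft Graph `user` object. The script below is an added example written for this thread, not code from the original post or from Microsoft. It assumes the documented `objectIdentity` properties `signInType`, `issuer` and `issuerAssignedId`, and it assumes issuer strings such as `MicrosoftAccount`, `google.com`, `ExternalAzureAD` and `mail`; treat those strings as assumptions and confirm them against real Graph output for the tenant before relying on them. The Graph response is a constructed sample embedded inline so the script runs offline; in practice the JSON would come from `GET /users?$filter=userType eq 'Guest'&$select=id,userPrincipalName,userType,identities`.

```python
"""
Classify B2B guest users by the identity provider behind them, using the
shape of the Microsoft Graph `user.identities` collection.

Added example for this forum thread; not the post's or Microsoft's code.
Assumptions (label: ASSUMED): the issuer strings below and the Graph field
names. The sample response is constructed inline so the script runs offline.
"""
import json
from collections import Counter
from typing import Dict, List, Optional

# ASSUMED issuer values; verify against live Graph output for your tenant.
ISSUER_LABELS = {
    "MicrosoftAccount": "msa",          # consumer Microsoft account (the case in the post)
    "google.com": "google-federation",  # Google federation, per the linked docs
    "ExternalAzureAD": "external-entra",
    "mail": "email-otp",
}

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

# CONSTRUCTED sample in the shape of a Graph /users response (no real tenant data).
SAMPLE_GRAPH_RESPONSE = json.dumps({
    "value": [
        {"id": "u1", "userPrincipalName": "test_gmail.com#EXT#@contoso.onmicrosoft.com",
         "userType": "Guest",
         "identities": [{"signInType": "federated", "issuer": "MicrosoftAccount",
                         "issuerAssignedId": "test@gmail.com"}]},
        {"id": "u2", "userPrincipalName": "alice_gmail.com#EXT#@contoso.onmicrosoft.com",
         "userType": "Guest",
         "identities": [{"signInType": "federated", "issuer": "google.com",
                         "issuerAssignedId": "alice@gmail.com"}]},
        {"id": "u3", "userPrincipalName": "bob_fabrikam.com#EXT#@contoso.onmicrosoft.com",
         "userType": "Guest",
         "identities": [{"signInType": "federated", "issuer": "ExternalAzureAD",
                         "issuerAssignedId": "bob@fabrikam.com"}]},
        {"id": "u4", "userPrincipalName": "carol@contoso.onmicrosoft.com",
         "userType": "Member",
         "identities": [{"signInType": "userPrincipalName",
                         "issuer": "contoso.onmicrosoft.com",
                         "issuerAssignedId": "carol@contoso.onmicrosoft.com"}]},
    ]
})


def _federated_identity(user: dict) -> Optional[dict]:
    """Return the first federated identity entry of a user, if any."""
    for ident in user.get("identities", []):
        if ident.get("signInType") == "federated":
            return ident
    return None


def classify_guest(user: dict) -> str:
    """Label the provider backing a guest ('msa', 'google-federation', ...) or 'unknown'."""
    ident = _federated_identity(user)
    if ident is None:
        return "unknown"
    return ISSUER_LABELS.get(ident.get("issuer", ""), "unknown")


def find_msa_backed_gmail_guests(graph_json: str) -> List[str]:
    """Guests whose external address is a Gmail address but whose identity is an MSA.

    These are the accounts the post describes: the invitation created a consumer
    Microsoft account for a Gmail address, which Google federation would avoid.
    """
    users = json.loads(graph_json)["value"]
    hits = []
    for u in users:
        if u.get("userType") != "Guest":
            continue
        ident = _federated_identity(u) or {}
        email = ident.get("issuerAssignedId", "")
        domain = email.rsplit("@", 1)[-1].lower() if "@" in email else ""
        if domain in GMAIL_DOMAINS and classify_guest(u) == "msa":
            hits.append(u["userPrincipalName"])
    return hits


def provider_summary(graph_json: str) -> Dict[str, int]:
    """Count guests per backing provider, for a quick tenant inventory."""
    users = json.loads(graph_json)["value"]
    return dict(Counter(classify_guest(u) for u in users if u.get("userType") == "Guest"))


if __name__ == "__main__":
    print("guests by provider:", provider_summary(SAMPLE_GRAPH_RESPONSE))
    print("MSA-backed Gmail guests:", find_msa_backed_gmail_guests(SAMPLE_GRAPH_RESPONSE))
```

Once Google federation is enabled (the docs linked in the reply), newly invited Gmail guests should show up under `google-federation`; any remaining `msa` entries for Gmail addresses are the pre-federation guests the post worries about, and are the ones worth reviewing or re-inviting.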