Password not synced to Azure AD DS for guest user accounts.

    Question

  • Hello.

    I've set up a RemoteApp environment in Azure using Server 2012R2. I'm using Azure AD DS for authentication. The client also uses Office 365.

    Everything works as normal for company users (normal accounts that use the company's email such as abc@domain.com). They can log into Azure AD/ Office 365 and Azure AD DS (RDWeb) as normal.

    However, I have issues with guest accounts. When I create a user with an external email address, it is created as a guest account. For example:

    I create a Guest account in Azure: xyz@gmail.com. xyz@gmail.com receives an email from Azure with a link. I click the link and then create a Microsoft account: xyz@gmail.com

    Using the Guest account, I can log into portal.azure.com and change the password.

    When I try to log in to the RDWeb page using the guest account (domain\xyz or domain\xyz@gmail.com), the account is denied access due to incorrect username or password.

    If I log into the company's Azure portal as an admin, there is no reset password option for the guest account (this is normal).

    If I try to reset the guest account's password in Azure AD DS (by using RSAT tools on a server), I get the message access denied (which I believe is normal).

    I can, however, go into the Office 365 Admin portal and reset the guest account's password manually. Once I do this, the guest account can log into the RDWeb site using domain\xyz or domain\xyz@gmail.com and access remoteapps. However, the guest account now has two different passwords: one for Azure AD DS (domain account) and one for Azure (Microsoft Account).

    My questions are as follows:

    - Can a Microsoft account password (when used with Azure) sync to Azure AD DS? It doesn't seem to be happening in the case of the guest account xyz@gmail.com

    - Has anyone ever seen the behaviour I have mentioned above, or is it a bug or perhaps I am doing something wrong?

    Thanks very much,

    HA20

    Wednesday, March 22, 2017 4:13 PM

Answers

  • Hi,

    That's nearly right.

    That shadow/unmanaged tenant has its own domain / id; it's more like you invite a user from a company which already has a tenant. But to be able to also invite users to your organizational tenant, a tenant is created behind the scenes if the invited user does not belong to a tenant.

    In your tenant you only have a linked object which points to the object in the foreign tenant, so if a user tries to connect to your services, they will be redirected to their "home" tenant for auth, and then return back to your tenant with an auth token.

    And yes, since you don't have the password in your organizational tenant, it cannot be synchronized to AAD DS.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    • Marked as answer by ha20 Thursday, March 23, 2017 2:22 PM
    Thursday, March 23, 2017 12:09 PM
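To make the distinction Peter describes visible in a tenant, here is an added example (not code from the thread or from Microsoft): it classifies user objects by whether their credential is held in the organizational tenant (member, cloud account) or in a foreign home tenant (B2B guest, recognisable by `UserType = Guest` and the `#EXT#` marker in the UPN), which is what decides whether AAD DS can ever receive a password hash. The function name `Get-AadDsCredentialScope` is my own; the sample objects are constructed so it runs offline, and the commented last line assumes the AzureAD module's `Get-AzureADUser`.

```powershell
# Added example, not from the thread. Classifies directory users by where their
# password lives, which is what decides whether AAD DS (RDWeb logon) can work.

function Get-AadDsCredentialScope {
    param([Parameter(ValueFromPipeline = $true)] $User)
    process {
        $upn = $User.UserPrincipalName
        # B2B guests have UserType 'Guest' and a '#EXT#' marker in the UPN; the
        # object here is only a link, the credential sits in the home tenant.
        $isGuest = ($User.UserType -eq 'Guest') -or ($upn -like '*#EXT#@*')
        if ($isGuest) {
            $note = 'External identity: authenticates via home tenant; no password hash available to AAD DS'
        } else {
            $note = 'Organizational account: password hash can sync to AAD DS (cloud-only users must change their password once after AAD DS is enabled)'
        }
        [pscustomobject]@{
            UserPrincipalName  = $upn
            UserType           = $User.UserType
            CreationType       = $User.CreationType   # 'Invitation' for B2B guests
            PasswordInTenant   = -not $isGuest
            AadDsLogonExpected = -not $isGuest
            Note               = $note
        }
    }
}

# Constructed sample objects mirroring the two cases in the thread.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'abc@domain.com'; UserType = 'Member'; CreationType = $null }
    [pscustomobject]@{ UserPrincipalName = 'xyz_gmail.com#EXT#@domain.onmicrosoft.com'; UserType = 'Guest'; CreationType = 'Invitation' }
)
$sample | Get-AadDsCredentialScope | Format-Table -AutoSize

# Against a real tenant (after Connect-AzureAD), list every account that will
# be refused by AAD DS / RDWeb because its password is not in this tenant:
# Get-AzureADUser -All $true | Get-AadDsCredentialScope | Where-Object { -not $_.AadDsLogonExpected }
```

Guests flagged here are the accounts for which a separate AAD DS password (the Office 365 admin reset described above) would be needed, and that second password is never kept in step with the home-tenant credential.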

All replies

  • Hi,

    the issue you are facing is normal behavior.

    First, when you invite someone to your tenant, no Microsoft account is created; instead, for the first user of that domain a "shadow" tenant (unmanaged tenant) is created and the user with his password is stored there.

    So in fact it is an organizational account in a different tenant.

    Since you don't have the password, AAD DS cannot sync the password from Azure AD.

    I think there is no other solution currently beside the workaround you mentioned.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Wednesday, March 22, 2017 4:39 PM
  • Hi Peter,

    Thanks for responding. I checked the directory of both the main organization and the guest account in Azure. They are both the same (same domain and id) and the guest's account seems to be in the organization's directory.

    If I block sign-in for the guest user in the organization's Azure, they cannot log in to Azure at all (the Microsoft account page keeps trying to redirect to Azure until I get an error page).

    In summary, if I've understood you correctly, the guest user is created in a shadow tenant that is linked to the main (organization) tenant. The shadow tenant has the same domain and id as the main tenant but the password cannot be synced as a result of it being a different tenant?

    Thanks,

    HA20

    Thursday, March 23, 2017 11:52 AM
  • Hi Peter,

    Thanks very much.

    Kind Regards,

    HA20

    Thursday, March 23, 2017 2:23 PM