AAD can't authenticate external users unless they redeem the invitation?

    Question

  • Hi all

    This is a question regarding adding and authenticating external users:

    • Background:

    We use the OpenID Connect ASP.Net OWIN middleware to sign in external users who were invited via a .csv file (users from partner companies).

    Their login names (emails) were added to our AAD with a “..#EXT#....” extension in the middle immediately, but at this time they can't be authenticated by our AAD; the typical error message is:

    “We received a bad request”

    AADSTS50020: User account 'example@examplegroup.com' from identity provider 'https://sts.windows.net/000000-66ca-49f5-ab38-00000000000/' does not exist in tenant 'SampleApp' and cannot access the application '000000-673a-40a3-9091-000000000000' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

    Once they redeem the invitation following the email, their login names change to the same as their email (#EXT# goes away) and they are then able to get authenticated by our AAD.

    • Question:

    1. Do external users have to follow the redemption email before they can get past the AAD authentication?

    2. I was told that I can add external users directly to our AAD, and then I can authenticate them programmatically without asking them to follow the redemption emails. Is this true?

    3. If 2. is true, then I guess I can add external users to AAD without sending them invitation emails?

    Any help would be greatly appreciated,

    Thanks

    Wednesday, April 19, 2017 12:46 AM

All replies

  • Hi Chao,

      Thanks for reaching out to us. As you said, the sign-in is their email address, not #EXT# (not the UPN). Ideally the invited user has to go through the invitation flow before trying to access the resource. There are two scenarios in which the user doesn't need to go through the invitation flow.

    Scenario 1: If the user was already invited to that tenant and went through the invitation. If you invite him again for a different resource on the same tenant, the invited user doesn't need to go through the invitation flow.

    Scenario 2: If the user who is inviting is a member of the inviting user's tenant, then invite redemption automatically happens at invite time itself. So the invited user doesn't need to go through the redemption flow.

    Let me know if this answers your question.

    Thanks


    Sorry! No one (including me) owns any liability or responsibility for any of my postings.

    • Proposed as answer by DisplayMeAsCW Thursday, April 20, 2017 2:25 AM
    Wednesday, April 19, 2017 5:37 PM
  • Also, take a look at the FAQ link: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-faq and look for the FAQ "Is there a way to invite the user such that the invitation is automatically redeemed, and the user is just “ready to go”, or will the user always have to click through to the redemption URL?"

    Here is the general B2B document: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-what-is-azure-ad-b2b


    Sorry! No one (including me) owns any liability or responsibility for any of my postings.

    Wednesday, April 19, 2017 5:46 PM
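    The following Python snippet is an added example for readers of this thread; it is not code from the original poster, the replies, or Microsoft. It does three things that the question and the FAQ answer touch on: it parses the AADSTS50020 message quoted in the question into its fields (user, home tenant of the identity provider, target tenant, application id) so that sign-in failures can be logged and triaged, it flags guests that are still pending redemption from a Microsoft Graph user object, and it builds the request body for the Graph invitation endpoint with `sendInvitationMessage` set to false so that no invitation email is sent. Assumptions: the error text keeps the wording shown in the question, the Graph user object carries `userType`, `userPrincipalName` and `externalUserState` (values `PendingAcceptance` / `Accepted`), and the `POST /v1.0/invitations` body uses `invitedUserEmailAddress`, `inviteRedirectUrl` and `sendInvitationMessage`. The sample log lines and the second tenant id are constructed; the first message is the one quoted in the question. Nothing here sends a request; obtaining a Graph token and posting the body is left to the caller.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Pattern for the AADSTS50020 message as quoted in the question above.
# Assumption: Azure AD keeps this wording and field order.
AADSTS_RE = re.compile(
    r"AADSTS(?P<code>\d+): User account '(?P<user>[^']+)' from identity provider "
    r"'(?P<idp>[^']+)' does not exist in tenant '(?P<tenant>[^']+)' and cannot access "
    r"the application '(?P<app>[^']+)'"
)


@dataclass
class AadstsError:
    code: str          # numeric AADSTS code, e.g. "50020"
    user: str          # the account that tried to sign in
    idp_tenant: str    # tenant GUID of the identity provider (user's home tenant)
    tenant: str        # the tenant the app lives in
    app_id: str        # application (client) id that was requested


def parse_aadsts_error(message: str) -> Optional[AadstsError]:
    """Extract the structured fields from an AADSTS50020-style error message.
    Returns None when the message does not match the expected wording."""
    m = AADSTS_RE.search(message)
    if not m:
        return None
    # The IdP is given as an STS URL; keep only the trailing tenant GUID.
    idp_tenant = m.group("idp").rstrip("/").rsplit("/", 1)[-1]
    return AadstsError(m.group("code"), m.group("user"), idp_tenant,
                       m.group("tenant"), m.group("app"))


def unexpected_idp_failures(messages: List[str], allowed_idp_tenants: Set[str]) -> List[str]:
    """Detection helper: return the users whose AADSTS50020 failure came from a home
    tenant that is not one of the partner tenants we expect to invite guests from.
    Repeated hits here are worth a look: either a misrouted sign-in or a user we never
    invited, which is exactly the condition the error describes."""
    hits = []
    for line in messages:
        err = parse_aadsts_error(line)
        if err and err.code == "50020" and err.idp_tenant not in allowed_idp_tenants:
            hits.append(err.user)
    return hits


def is_pending_guest(user: Dict[str, str]) -> bool:
    """Given a Microsoft Graph user object (assumed fields: userType, userPrincipalName,
    externalUserState), report whether the guest has not yet redeemed the invitation.
    A pending guest still carries the #EXT# UPN the question describes."""
    upn = user.get("userPrincipalName", "")
    if user.get("userType") != "Guest" and "#EXT#" not in upn:
        return False
    return user.get("externalUserState") == "PendingAcceptance"


def build_invitation(email: str, redirect_url: str, send_message: bool = False) -> Dict[str, object]:
    """Body for POST https://graph.microsoft.com/v1.0/invitations (assumed field names).
    With sendInvitationMessage false no email is sent; the inviteRedeemUrl in the response
    still has to be redeemed by the user unless one of the FAQ's auto-redeem cases applies."""
    return {
        "invitedUserEmailAddress": email,
        "inviteRedirectUrl": redirect_url,
        "sendInvitationMessage": send_message,
    }


# Constructed sample input: first line is the message quoted in the question, the second
# uses a made-up tenant id standing in for a tenant we never partnered with.
SAMPLE_LOG = [
    "AADSTS50020: User account 'example@examplegroup.com' from identity provider "
    "'https://sts.windows.net/000000-66ca-49f5-ab38-00000000000/' does not exist in tenant "
    "'SampleApp' and cannot access the application '000000-673a-40a3-9091-000000000000' in that tenant.",
    "AADSTS50020: User account 'someone@unknown.example' from identity provider "
    "'https://sts.windows.net/11111111-1111-1111-1111-111111111111/' does not exist in tenant "
    "'SampleApp' and cannot access the application '000000-673a-40a3-9091-000000000000' in that tenant.",
]
PARTNER_TENANTS = {"000000-66ca-49f5-ab38-00000000000"}  # tenants we actually invite from

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_aadsts_error(line))
    print("from unexpected IdP:", unexpected_idp_failures(SAMPLE_LOG, PARTNER_TENANTS))
    print(build_invitation("example@examplegroup.com", "https://app.example/signin"))
```

    The `unexpected_idp_failures` check is the defensive angle on this thread: AADSTS50020 tells you which home tenant the user came from, so comparing that against the list of partner tenants you deliberately onboarded separates "invitation not redeemed yet" from "nobody invited this person at all".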
  • Thanks @RamaSubbu SK
    Thursday, April 20, 2017 2:25 AM