Internal Users show as ExternalAzureAD Federated

T.H. Kleintjens 6 Reputation points
2022-09-29T11:25:32.01+00:00

We've configured B2B collaboration with the tenant of another organisation affiliated with us; however, I'm noticing now that a few of our internal users have their Identity Provider set to ExternalAzureAD and the internal domain. They also have an additional X500 address added to their account that points to our domain and the OU External, however that OU does not exist in our AD. We are using Directory Sync and have a hybrid setup with Exchange towards Azure.

As a result we are unable to add these specific users (who are in different security groups) to a Teams Shared channel as somehow Teams thinks these users are external, yet B2B is restricted to the tenant of this other organisation.

  • Checking our locally hosted Exchange doesn't show this X500 value on the user objects. Nor am I able to remove them manually from Exchange online since we're in a hybrid situation.
  • When I try to reset their B2B invitation status, it also fails with an error: Failed to reset invitation status of x500:/o=<domain>/ou=external (fydibohf25spdlt)/cn=recipients/cn=<id>
  • Using PowerShell's New-MgInvitation generates an error about permissions, but I seem to be unable to add permissions to Graph for PowerShell.

Does anyone have tips on how to convert these users back to their original state?


1 answer

  1. T.H. Kleintjens 6 Reputation points
    2022-09-30T13:48:37.697+00:00

    Resolved this by using the Graph Invitation API, first adding an external address to their account then resetting the invite status with the following guideline.
    https://learn.microsoft.com/en-us/azure/active-directory/external-identities/reset-redemption-status

    1 person found this answer helpful.
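The procedure in the answer (inspect the affected account, give it an external address, then reset the invitation redemption status through the Graph Invitation API), written out as an added Microsoft Graph PowerShell example. This is not the poster's script and not part of the linked Microsoft guideline; the user principal name, the external address and the redirect URL are placeholders, and the use of `otherMails` to hold the external address is an assumption. The `Connect-MgGraph -Scopes` step is the permission grant the question was missing: `New-MgInvitation` needs the `User.Invite.All` delegated permission, and a tenant administrator has to consent to it.

```powershell
# Added example: inspect a mis-flagged account and reset its B2B redemption status
# with Microsoft Graph PowerShell (Microsoft.Graph module). Placeholders are marked.

# 1. Sign in with the delegated permissions the cmdlets below need.
#    User.Invite.All is the one New-MgInvitation requires; an admin must consent.
Connect-MgGraph -Scopes "User.Read.All", "User.ReadWrite.All", "User.Invite.All"

# Placeholder values (assumptions, replace with real ones).
$upn            = "user@contoso.example"        # affected internal (synced) user
$externalMail   = "user@partner.example"        # external address to attach
$redirectUrl    = "https://myapps.microsoft.com" # where the user lands after redemption

# 2. Look at the properties that decide how Entra ID and Teams treat the account.
#    identities.issuer / issuerAssignedId is where "ExternalAzureAD" shows up;
#    externalUserState tells you whether an invitation is pending or accepted.
$user = Get-MgUser -UserId $upn -Property `
    "id,userPrincipalName,userType,mail,otherMails,externalUserState,identities,onPremisesSyncEnabled,proxyAddresses"

Write-Host "UserType:            $($user.UserType)"
Write-Host "ExternalUserState:   $($user.ExternalUserState)"
Write-Host "OnPremisesSync:      $($user.OnPremisesSyncEnabled)"
$user.Identities | ForEach-Object {
    Write-Host ("Identity: issuer={0} signInType={1} id={2}" -f $_.Issuer, $_.SignInType, $_.IssuerAssignedId)
}
# Anything starting with X500: or x500: in proxyAddresses is the legacy address the
# question describes; on a synced account it is mastered on-premises, not in the cloud.
$user.ProxyAddresses | Where-Object { $_ -like "x500:*" -or $_ -like "X500:*" } |
    ForEach-Object { Write-Host "X500 address: $_" }

# 3. Give the account an external address (assumption: otherMails is used for this).
#    mail/proxyAddresses are synced attributes and cannot be edited cloud-side on a
#    hybrid account, which is why otherMails is the attribute chosen here.
Update-MgUser -UserId $user.Id -OtherMails @($externalMail)

# 4. Reset the redemption status. -ResetRedemption invalidates the previous
#    redemption and re-issues the invitation to the given address; the object passed
#    via -InvitedUser tells Graph which existing account the reset applies to.
$invitation = New-MgInvitation `
    -InvitedUserEmailAddress $externalMail `
    -InviteRedirectUrl $redirectUrl `
    -ResetRedemption `
    -SendInvitationMessage `
    -InvitedUser $user

Write-Host "Invitation status: $($invitation.Status)"
Write-Host "Redeem URL issued: $($invitation.InviteRedeemUrl)"

# 5. Re-read the account to confirm the state changed before touching Teams again.
$after = Get-MgUser -UserId $user.Id -Property "externalUserState,externalUserStateChangeDateTime"
Write-Host "ExternalUserState after reset: $($after.ExternalUserState) ($($after.ExternalUserStateChangeDateTime))"

Disconnect-MgGraph | Out-Null
```

Run the inspection step (1 and 2) on its own first: if `OnPremisesSyncEnabled` is true, the X500 entry and the `mail` value come from Active Directory through Directory Sync, so a cloud-side edit of those attributes is rejected and the clean-up belongs on-premises. The reset in step 4 only changes the B2B redemption state; it does not remove the synced X500 address.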