Resolved this by using the Graph Invitation API: first adding an external address to their account, then resetting the invite status following the guideline below.
https://learn.microsoft.com/en-us/azure/active-directory/external-identities/reset-redemption-status
Internal Users show as ExternalAzureAD Federated
We've configured B2B collaboration with the tenant of another organisation affiliated with us; however, I'm now noticing that a few of our internal users have their Identity Provider set to ExternalAzureAD and the internal domain. They also have an additional X500 address added to their account that points to our domain and the OU "External", but that OU does not exist in our AD. We are using DirectorySync and have a hybrid setup with Exchange towards Azure.
As a result, we are unable to add these specific users (who are in different security groups) to a Teams shared channel, as somehow Teams thinks these users are external, yet B2B is restricted to the tenant of this other organisation.
- Checking our locally hosted Exchange doesn't show this X500 value on the user objects. Nor am I able to remove them manually from Exchange Online, since we're in a hybrid situation.
- When I try to reset their B2B invitation status, it also fails with an error: Failed to reset invitation status of x500:/o=<domain>/ou=external (fydibohf25spdlt)/cn=recipients/cn=<id>
- Using PowerShell's New-MgInvitation generates an error about permissions, but I seem to be unable to add permissions to Graph for PowerShell.
Does anyone have tips on how to convert these users back to their original state?
1 answer
T.H. Kleintjens 6 Reputation points
2022-09-30T13:48:37.697+00:00
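The reset-redemption step that the answer refers to, as an added PowerShell example that is not code from the original post. It uses the Microsoft Graph PowerShell SDK cmdlets documented in the linked Microsoft Learn article (Connect-MgGraph, Get-MgUser, New-MgInvitation); the user principal name and redirect URL are placeholders, and it assumes an administrator can consent to the User.ReadWrite.All delegated scope, which is the usual cause of the permissions error mentioned in the question when the session was connected without it.

```powershell
# Added example (not from the original post): inspect an affected account and reset
# its B2B redemption status with the Graph invitation API via the Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed. The UPN below is a placeholder.

$userUpn = "jane.doe@contoso.example"   # placeholder: replace with the affected account

# Connect with the delegated scope the invitation API needs. Reconnecting with -Scopes
# triggers the consent prompt; a session opened without this scope fails with a
# permissions error on New-MgInvitation.
Connect-MgGraph -Scopes "User.ReadWrite.All"

# Pull the properties that show why the tenant treats the user as external:
# identities (issuer), userType, externalUserState and any X500 proxy address.
$user = Get-MgUser -UserId $userUpn -Property "id,userPrincipalName,mail,userType,externalUserState,identities,proxyAddresses"

$user | Select-Object Id, UserPrincipalName, Mail, UserType, ExternalUserState
$user.Identities | Format-Table Issuer, SignInType, IssuerAssignedId
$user.ProxyAddresses | Where-Object { $_ -like "X500:*" }

# Reset the redemption status. -ResetRedemption re-issues the invitation for the
# existing user object instead of creating a new guest; the user then redeems it again
# with the intended identity. The address must be the mail attribute the account is
# reachable at; if Mail is empty, fall back to the UPN.
$address = if ($user.Mail) { $user.Mail } else { $user.UserPrincipalName }

$invitation = New-MgInvitation `
    -InvitedUserEmailAddress $address `
    -InviteRedirectUrl "https://myapps.microsoft.com" `
    -ResetRedemption `
    -SendInvitationMessage `
    -InvitedUser $user

# Status and the redeem URL confirm the reset was accepted by the service.
$invitation | Select-Object Status, InvitedUserEmailAddress, InviteRedeemUrl
```

Run the inspection part first and keep its output: the identities issuer and the X500 proxy address are what you compare before and after the reset to confirm the account no longer shows as ExternalAzureAD. The reset alone does not remove a stray X500 address synced from on-premises; that still has to be corrected at the source of the directory sync.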