My app has B2B users that have transitioned from Azure Commercial Cloud to GCC High.
Both we and the remote tenant have configured the appropriate settings for cross-tenant access and cross-cloud access, and everything works perfectly well for new users.
However, old users that were previously on the commercial cloud are not able to log in. Resetting the user's invite redemption status does not work -- the user gets the error:
Access is blocked by your organization
Your tenant administrator has restricted which organizations can be accessed. Contact your IT department to request access to the undefined organization.
Message: AADST500212: The user's administrator has set an outbound access policy that does not allow access to the resource tenant.
On my sign-in logs, I do not see this sign-in attempt at all, even though the user is clicking on the invite I just sent them. The invite redemption status remains in status PendingAcceptance.
I believe that somehow the B2B user is being directed to login to their old directory, even though on my end I have reset the redemption status and all the properties that I can see indicate otherwise. The B2B user even tried it in an incognito window, with the same result.
Is there anything I (or my B2B client's admins) can do to resolve this?
My only workaround is to delete all the Azure AD users and recreate them, which works but isn't an ideal solution.
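For anyone debugging the same situation, here is an added PowerShell example (not part of the original post, and not the poster's own script) that uses the Microsoft Graph PowerShell SDK to do the two checks that matter here: dump the guest object's `identities` collection, which records the issuer the B2B identity is tied to (the property that could still point at the old home directory), and reset the redemption status through the documented `invitations` endpoint rather than only from the portal. The UPN, the redirect URL and the `-Environment` value are assumptions; pick the environment that matches the tenant you are signing into.

```powershell
# Added example: inspect a B2B guest's linked identity and reset its invite redemption
# via Microsoft Graph. Assumes the Microsoft.Graph PowerShell SDK is installed.

# ASSUMPTION: the guest's UPN in the resource (inviting) tenant; replace with a real value.
$guestUpn = 'jane.doe_contoso.us#EXT#@fabrikam.onmicrosoft.com'

# ASSUMPTION: where the user should land after redeeming the invite.
$redirectUrl = 'https://myapps.microsoft.com'

# ASSUMPTION: the cloud the inviting tenant lives in. Use 'USGov' for a GCC High
# tenant, 'Global' for commercial; the other Connect-MgGraph values are USGovDoD, China.
$environment = 'USGov'

Connect-MgGraph -Environment $environment -Scopes 'User.Read.All', 'User.Invite.All'

# Pull the properties that describe the guest's external identity and invite state.
$guest = Get-MgUser -UserId $guestUpn -Property 'id,userPrincipalName,mail,userType,externalUserState,externalUserStateChangeDateTime,identities'

Write-Host "User:          $($guest.UserPrincipalName)"
Write-Host "Type:          $($guest.UserType)"
Write-Host "Invite state:  $($guest.ExternalUserState) (changed $($guest.ExternalUserStateChangeDateTime))"

# Each identity entry has SignInType, Issuer and IssuerAssignedId. For a B2B guest the
# federated entry's Issuer shows which directory the account is linked to; compare it
# against the home tenant the user is expected to sign in from after the move.
foreach ($identity in $guest.Identities) {
    Write-Host ("Identity:      signInType={0} issuer={1} issuerAssignedId={2}" -f
        $identity.SignInType, $identity.Issuer, $identity.IssuerAssignedId)
}

# Reset redemption status and send a fresh invitation for the *existing* user object.
# resetRedemption=true on the invitation resource is the Graph equivalent of the
# portal's "Reset redemption status" action; invitedUser must reference the current
# user id, otherwise Graph creates a new guest instead of resetting this one.
$invitation = New-MgInvitation `
    -InvitedUserEmailAddress $guest.Mail `
    -InviteRedirectUrl $redirectUrl `
    -InvitedUser @{ id = $guest.Id } `
    -ResetRedemption `
    -SendInvitationMessage

Write-Host "Invite status: $($invitation.Status)"
Write-Host "Redeem URL:    $($invitation.InviteRedeemUrl)"
```

The useful comparison is the `Issuer` value printed for the federated identity against the tenant ID the user now signs in from. If the reset succeeds, `ExternalUserState` goes back to `PendingAcceptance` and the printed redeem URL is the link to send the user; if the identity still references the previous directory after the reset, that is evidence for the theory above that the sign-in is being routed to the old tenant, and the delete-and-recreate workaround is what clears it.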