Invitation of guest account via email OTP still works, even after "AllowEmailVerifiedUsers" is set to False

Dipro 20 Reputation points
2023-09-15T05:46:18.7933333+00:00

In my tenant I set "AllowEmailVerifiedUsers" to false. Now I have a Gmail account. There is no MS account associated with it. Also, "allow one-time passcode" is on. So I invited the Gmail account, then clicked on the Accept invitation link -> provided the OTP -> accepted the invite. This is an email-verified account. But according to the attribute "AllowEmailVerifiedAccount - False", this account should not be added, right? Am I missing something? According to the docs, AllowEmailVerifiedUsers controls whether users can join the tenant by email validation. Join means by him/herself (self-service sign-up) or by an admin invitation. Both should not work. Please help me here.

Azure Active Directory
Azure Active Directory External Identities

Accepted answer
  1. Vasil Michev 79,631 Reputation points MVP
    2023-09-15T07:05:58.9066667+00:00

    That's not how this setting works. It does not apply to Guest users at all. "Email verified" users means a user who has an email address associated with a domain verified in your tenant. I.e. if you have verified contoso.com, any user with email of user@contoso.com will be able to self-provision an account in your tenant, if this setting is on.

    In contrast, Guest users need to be invited, regardless of the setting value. They will have a "creation method" value of "invitation", whereas self-provisioned users have "EmailVerified".

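The distinction drawn in the accepted answer, as an added example that is not part of the original thread or of any Microsoft tooling: a small audit that separates self-provisioned accounts (the ones AllowEmailVerifiedUsers governs) from invited guests. The user records, the verified-domain list and the function names are constructed for illustration; the code assumes records shaped like Microsoft Graph user objects with the `creationType`, `userType` and `mail` properties.

```python
# Constructed sample records, shaped like Microsoft Graph user objects.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@contoso.com", "mail": "alice@contoso.com",
     "userType": "Member", "creationType": None},
    {"userPrincipalName": "bob@contoso.com", "mail": "bob@contoso.com",
     "userType": "Member", "creationType": "EmailVerified"},
    {"userPrincipalName": "carol_gmail.com#EXT#@contoso.onmicrosoft.com",
     "mail": "carol@gmail.com", "userType": "Guest",
     "creationType": "Invitation"},
    {"userPrincipalName": "dave@fabrikam.example", "mail": "dave@fabrikam.example",
     "userType": "Member", "creationType": "EmailVerified"},
]
VERIFIED_DOMAINS = {"contoso.com"}  # constructed: domains verified in the tenant

SELF_PROVISIONED = "self-provisioned (governed by AllowEmailVerifiedUsers)"
UNEXPECTED = "self-provisioned, but mail domain is not verified (review)"
INVITED = "invited (not affected by AllowEmailVerifiedUsers)"
OTHER = "other (admin-created or different sign-up path)"


def classify(user, verified_domains):
    """Map one user record to the onboarding path that created it."""
    ctype = user.get("creationType")
    # Domain part of the mail address, lower-cased; empty if mail is missing.
    domain = (user.get("mail") or "").rpartition("@")[2].lower()
    if ctype == "EmailVerified":
        # Self-service sign-up by email validation on a tenant-verified domain.
        return SELF_PROVISIONED if domain in verified_domains else UNEXPECTED
    if ctype == "Invitation":
        # Invited accounts exist because someone sent an invitation; the
        # redemption method (for example email OTP) does not change that.
        return INVITED
    return OTHER


def audit(users, verified_domains):
    """Return {userPrincipalName: classification} for every record."""
    return {u["userPrincipalName"]: classify(u, verified_domains) for u in users}


if __name__ == "__main__":
    for upn, verdict in audit(SAMPLE_USERS, VERIFIED_DOMAINS).items():
        print(f"{upn}: {verdict}")
```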
