Invitation of guest account via email OTP still works, even after "AllowEmailVerifiedUsers" is set to False

Dipro 20 Reputation points
2023-09-15T05:46:18.7933333+00:00

In my tenant I set "AllowEmailVerifiedUsers" to false. Now I have a Gmail account. There is no MS account associated with it. Also, allow one-time passcode is on. So I invited the Gmail account, then clicked on the Accept invitation link -> provided the OTP -> accepted the invite. This is an email-verified account. But according to the attribute "AllowEmailVerifiedAccount - False", this account should not be added, right? Am I missing something? According to the docs, AllowEmailVerifiedUsers controls whether users can join the tenant by email validation. Join means by him/herself (self-service sign-up) or by an admin invitation. Both should not work. Please help me here.

Microsoft Security | Microsoft Entra | Microsoft Entra External ID
Microsoft Security | Microsoft Entra | Microsoft Entra ID

Answer accepted by question author
  1. Vasil Michev 124.1K Reputation points MVP Volunteer Moderator
    2023-09-15T07:05:58.9066667+00:00

    That's not how this setting works. It does not apply to Guest users at all. "Email verified" users means a user who has an email address associated with a domain verified in your tenant. I.e. if you have verified contoso.com, any user with email of ******@contoso.com will be able to self-provision an account in your tenant, if this setting is on.

    In contrast, Guest users need to be invited, regardless of the setting value. They will have a "creation method" value of "invitation", whereas self-provisioned users have "EmailVerified".

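The distinction drawn in the accepted answer can be checked per account. The following is an added example, not code from the thread or from Microsoft: it classifies user records by creation method against the join setting. It assumes the Microsoft Graph property names `creationType` and `userType` on users and `allowEmailVerifiedUsersToJoinOrganization` on the authorization policy; the sample records are constructed.

```python
import json

# Constructed sample data shaped like Microsoft Graph responses; not real tenant output.
POLICY = json.loads('{"allowEmailVerifiedUsersToJoinOrganization": false}')
USERS = json.loads("""[
  {"userPrincipalName": "alice@contoso.com", "userType": "Member", "creationType": null},
  {"userPrincipalName": "bob@contoso.com", "userType": "Member", "creationType": "EmailVerified"},
  {"userPrincipalName": "someone_gmail.com#EXT#@contoso.onmicrosoft.com",
   "userType": "Guest", "creationType": "Invitation"}
]""")


def classify(user, self_join_allowed):
    """Relate one account's creationType to the email-verified join setting."""
    ctype = user.get("creationType")
    if ctype == "Invitation":
        # Invited guests (including e-mail OTP redemption) are outside the setting's scope.
        return "invited guest, setting does not apply"
    if ctype == "EmailVerified":
        if self_join_allowed:
            return "self-provisioned, permitted by setting"
        return "self-provisioned, setting now off: review"
    if ctype is None:
        return "regular directory account"
    return "other creation method: " + ctype


def audit(policy, users):
    """Return {userPrincipalName: finding} for every user record."""
    allowed = bool(policy.get("allowEmailVerifiedUsersToJoinOrganization"))
    return {u["userPrincipalName"]: classify(u, allowed) for u in users}


if __name__ == "__main__":
    for upn, finding in audit(POLICY, USERS).items():
        print(f"{upn}: {finding}")
```
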
