Create a guest user in my tenant automatically when user signs up via Microsoft SSO.

Stanislav Savchuk 0 Reputation points
2023-11-03T11:25:10.7566667+00:00

I've registered an app in the Microsoft Entra ID that supports account type Accounts in any identity provider or organizational directory (for authenticating users with user flows).

When I'm using URL https://login.microsoftonline.com/.../oauth2/authorize?client_id=…, I can only use the SSO for users that were previously invited as guest users to my tenant.

How do I properly set up Microsoft Entra ID so that any user can sign up via Microsoft SSO using the given Microsoft Entra ID app and OAuth2 link without being previously invited to the tenant as a guest user?


1 answer

Navya 19,950 Reputation points Microsoft External Staff Moderator
    2023-11-06T13:34:40.7966667+00:00

    Hi @Stanislav Savchuk

    Thank you for posting this in Microsoft Q&A.

    I understand you are trying to set up a guest user in your tenant automatically when a user signs up via Microsoft SSO. To do this, follow the steps below.

    First, you have to enable self-service sign-up:
    1. Log in to Microsoft Entra ID.
    2. In the left menu, click External Identities -> External collaboration settings.
    3. Toggle Yes to Enable guest self-service sign up via user flows.
    4. Click Save.


    Create a user flow for self-service sign-up:
    1. Click User flows in the left menu -> Select New user flow.
    2. Enter a Name for the user flow. The name is automatically prefixed with B2X_1_.
    3. Select Identity providers. Azure AD is the default identity provider, which means that users are able to sign up by default with an Azure AD account.
    4. Under User attributes, choose the attributes you want to collect from the user. For additional attributes, click Show more.
    5. Click Create.

    Select the layout of the attribute collection form:

    1. Browse to Identity > External Identities > User flows.
    2. Select the self-service sign-up user flow from the list.
    3. Under Customize, select Page layouts.
    4. The attributes you chose to collect are listed. To change the order of display, select an attribute, and then select Move up, move down, move to top, or move to bottom.
    5. Select Save.

    Add applications to the self-service sign-up user flow:

    1. Select the self-service sign-up user flow from the list.
    2. In the left menu, under Use -> select Applications.
    3. Select Add application -> Search for the application and click Select.

    You can simply provide the application URL to the guest user for them to sign up.
    When a user tries to log in with their own credentials, they will get the error 'This account does not exist in this organization'. This means that the user, who is part of a different Azure AD tenant, doesn't exist in the home tenant that the application is part of.

    The user clicks the Create new account button and enters their email address and password. Review the screen and click Accept for the permissions requested before moving on.
    After the user signs up via Microsoft SSO, that user is added as a guest user in your tenant automatically.

    For your reference: Add a self-service sign-up user flow to an app.

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
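Once guest self-service sign-up is enabled, any external account that reaches the user flow link becomes a guest in the tenant without an invitation, so the accounts it creates are worth reviewing regularly. The script below is an added example, not part of the answer above or of Microsoft's documentation. It assumes a Microsoft Graph access token with the User.Read.All permission is supplied in the GRAPH_TOKEN environment variable; the Graph `creationType` property distinguishes guests created by a user flow (`SelfServiceSignUp`) from invited guests (`Invitation`). The `SAMPLE_USERS` list is constructed data so that the summary logic can be exercised offline.

```python
"""Audit guests that entered the tenant through a self-service sign-up user flow.

Added example (not from the original Q&A). Assumes GRAPH_TOKEN holds a Graph
access token with User.Read.All; summarise_guests() is pure and runs offline
on the constructed SAMPLE_USERS data.
"""
import json
import os
import urllib.parse
import urllib.request
from collections import Counter
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0"

# creationType is 'SelfServiceSignUp' for guests created by a user flow,
# 'Invitation' for invited guests and null for regular work/school accounts.
SELECT = "id,userPrincipalName,userType,creationType,createdDateTime,identities"


def guest_query_url():
    """Build the Graph URL listing guests created by a self-service user flow."""
    flt = "userType eq 'Guest' and creationType eq 'SelfServiceSignUp'"
    return f"{GRAPH}/users?$filter={urllib.parse.quote(flt)}&$select={SELECT}&$count=true"


def fetch_all(url, token):
    """Follow @odata.nextLink paging and return every user object (network call)."""
    users = []
    while url:
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {token}",
            "ConsistencyLevel": "eventual",  # required when $count=true is used
        })
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        users.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return users


def _parse_ts(value):
    """Graph returns UTC timestamps with a trailing 'Z'; make them aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def summarise_guests(users, created_within_days=7, now=None):
    """Pure: count users by how they entered the tenant and list recent self-service guests.

    `now` is an ISO-8601 timestamp (defaults to the current time); the recent
    list covers self-service guests created within `created_within_days`.
    """
    now_dt = _parse_ts(now) if now else datetime.now(timezone.utc)
    cutoff = now_dt - timedelta(days=created_within_days)
    by_type = Counter(u.get("creationType") or "null" for u in users)
    recent, issuers = [], Counter()
    for u in users:
        if u.get("userType") != "Guest" or u.get("creationType") != "SelfServiceSignUp":
            continue
        for ident in u.get("identities", []):
            issuers[ident.get("issuer", "unknown")] += 1
        created = _parse_ts(u["createdDateTime"])
        if created >= cutoff:
            recent.append({"upn": u["userPrincipalName"], "created": created.isoformat()})
    return {"by_creation_type": dict(by_type),
            "recent_self_service": recent,
            "issuers": dict(issuers)}


# Constructed sample resembling Graph /users output (domains and issuers are made up).
SAMPLE_USERS = [
    {"userPrincipalName": "alice_contoso.example#EXT#@fabrikam.example", "userType": "Guest",
     "creationType": "SelfServiceSignUp", "createdDateTime": "2023-11-05T09:12:00Z",
     "identities": [{"signInType": "federated", "issuer": "ExternalAzureAD"}]},
    {"userPrincipalName": "bob_outlook.example#EXT#@fabrikam.example", "userType": "Guest",
     "creationType": "SelfServiceSignUp", "createdDateTime": "2023-09-01T15:00:00Z",
     "identities": [{"signInType": "federated", "issuer": "MicrosoftAccount"}]},
    {"userPrincipalName": "carol_partner.example#EXT#@fabrikam.example", "userType": "Guest",
     "creationType": "Invitation", "createdDateTime": "2023-11-04T08:00:00Z",
     "identities": [{"signInType": "federated", "issuer": "ExternalAzureAD"}]},
    {"userPrincipalName": "dave@fabrikam.example", "userType": "Member",
     "creationType": None, "createdDateTime": "2022-01-10T10:00:00Z",
     "identities": [{"signInType": "userPrincipalName", "issuer": "fabrikam.example"}]},
]


def audit_sample():
    """Run the summary over the constructed data with a fixed reference time."""
    return summarise_guests(SAMPLE_USERS, created_within_days=7, now="2023-11-06T00:00:00Z")


if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")
    users = fetch_all(guest_query_url(), token) if token else SAMPLE_USERS
    print(json.dumps(summarise_guests(users), indent=2))
```

Run it with GRAPH_TOKEN set to review real data, or without it to see the summary over the constructed sample. Guests in the `recent_self_service` list arrived without anyone in the tenant inviting them, so that list is the one to reconcile against the applications actually attached to the user flow.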

