More details about 'externalUserState' user property (Microsoft Graph API and Azure AD)

Joost van der Linden 126 Reputation points
2021-08-23T13:16:30.697+00:00

Hi all,

I hope this is the right place to ask my question.
This question is about the "externalUserState" property for users and why this property remains empty for some users.

We have a SharePoint Online site that is being shared with external users.
These users are invited straight from the SharePoint Online website using the Share feature.

I am looking into possibilities to generate a list of external users that contains information such as invitation status, last sign-in date, etc.
I found that the Microsoft Graph API contains a property named "externalUserState" which has the description: "this property represents the invited user's invitation status. For invited users, the state can be PendingAcceptance or Accepted, or null for all other users. " (what does this mean, other users?)
Link: user

When I run the query (https://graph.microsoft.com/v1.0/myorganization/users?$select=displayName,externalUserState,externalUserStateChangeDateTime,userType&$filter= userType eq 'Guest') through Graph Explorer I get the following output.

        {  
            "@odata.id": "https://graph.microsoft.com/v2/guid1/directoryObjects/guid2/Microsoft.DirectoryServices.User",  
            "displayName": "firstname.lastname1@example.com",  
            "externalUserState": null,  
            "externalUserStateChangeDateTime": null,  
            "userType": "Guest"  
        },  
        {  
            "@odata.id": "https://graph.microsoft.com/v2/guid1/directoryObjects/guid2/Microsoft.DirectoryServices.User",  
            "displayName": "FirstName LastName",  
            "externalUserState": "Accepted",  
            "externalUserStateChangeDateTime": "2019-09-16T08:46:16Z",  
            "userType": "Guest"  
        }  
            

It caught my eye that one guest user has an empty "externalUserState", and the other shows as "Accepted".
The first user has its email address as displayName, and the other user has its full name as displayName.
Why the difference? Especially in externalUserState. Why is "externalUserState" empty even though this is still an external user? Maybe a silly question: what other options are there for an external user to be created?

I noticed one more difference between these users. There is a user property named "Creation type" in the Azure AD website which "Indicates how the user account was created".
For the first user displayed above (where displayName equals the email address), the field "Creation type" is empty. But for the other user (where displayName equals the actual full name), it says "Invitation". Both are external users but somehow the creation process had been different?

Thanks a lot for all help provided.
Joost

Microsoft Security | Microsoft Graph

1 answer

  1. JosephXu-MSFT 531 Reputation points
    2021-08-24T08:54:37.027+00:00

    Hi @Joost van der Linden. In Azure AD, we can only invite an external user. So externalUserState and externalUserStateChangeDateTime can't be null. But I have reproduced your problem. We can create a user via the MS Graph APIs and specify the value of this attribute as guest.

    1. As shown below, I specified that the value of userType is Guest:
    2. We can see the Creation type is null.
    3. "externalUserState" is null and "externalUserStateChangeDateTime" is also null.
    4. But this user is not a real external user, because we can reset this user's password in Azure AD.
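
An added example, not part of the original thread and not Microsoft's code: one way to sort the output of the query in the question by invitation state, so that guests whose externalUserState is null (the case reproduced in the answer) stand out in an external-user review. The sample response is constructed to match the `$select` used in the question; the function name `classify_guests` and the `stale_days` threshold are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like the Graph Explorer output in the question.
# The first two entries mirror the question; the last two are added test cases.
SAMPLE = json.loads("""
{"value": [
  {"displayName": "firstname.lastname1@example.com", "externalUserState": null,
   "externalUserStateChangeDateTime": null, "userType": "Guest"},
  {"displayName": "FirstName LastName", "externalUserState": "Accepted",
   "externalUserStateChangeDateTime": "2019-09-16T08:46:16Z", "userType": "Guest"},
  {"displayName": "Pending Person", "externalUserState": "PendingAcceptance",
   "externalUserStateChangeDateTime": "2021-05-01T10:00:00Z", "userType": "Guest"},
  {"displayName": "Internal Member", "externalUserState": null,
   "externalUserStateChangeDateTime": null, "userType": "Member"}
]}
""")

def classify_guests(users, now, stale_days=90):
    """Group userType=Guest accounts by what their invitation state says."""
    report = {"accepted": [], "pending": [], "stale_pending": [],
              "no_invitation_state": [], "other": []}
    for user in users:
        if user.get("userType") != "Guest":
            continue  # only guest accounts are in scope
        name = user.get("displayName")
        state = user.get("externalUserState")
        if state is None:
            # Guest with no invitation record, e.g. created with userType=Guest
            report["no_invitation_state"].append(name)
        elif state == "Accepted":
            report["accepted"].append(name)
        elif state == "PendingAcceptance":
            changed = user.get("externalUserStateChangeDateTime")
            age_days = None
            if changed:
                stamp = datetime.strptime(changed, "%Y-%m-%dT%H:%M:%SZ")
                age_days = (now - stamp.replace(tzinfo=timezone.utc)).days
            stale = age_days is not None and age_days > stale_days
            report["stale_pending" if stale else "pending"].append(name)
        else:
            report["other"].append(name)  # unexpected value: keep it visible
    return report

if __name__ == "__main__":
    now = datetime(2021, 8, 24, tzinfo=timezone.utc)
    print(json.dumps(classify_guests(SAMPLE["value"], now), indent=2))
```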
