External Identies confusion

Question

External Identies confusion

KoNasl 21

I noticed some users in our Azure AD are lists as guest but have our domain and tenant information in the UPN.

user_ourdomain_com#EXT#@ourtenant.onmicrosoft.com

I understand that users can be B2B from other tenants or B2C from other sources like Facebook, Gmail, etc but I'm confused as to why these guest users seem to have our exact company info in their UPNs. Are these personal Microsoft accounts that are being registered as guests instead of work / school accounts?

Source for these accounts is also listed as Microsoft Account. Any help would be appreciated.

Accepted answer

0 additional answers

Your answer

Answer 1

Siva-kumar-selvaraj 15,721

Hello @KoNasl ,

Thanks for reaching out and apologies for delayed response.

Azure AD lets you invite external users as guests to your Azure AD tenant. When you invite an external user, Azure AD creates a guest user account in your tenant. These guest user accounts (UserType = Guest) differ from regular Azure AD user accounts (UserType = Member).

The user principal name (UPN) of the guest user account uses a prefix derived from the invitee's email address, combined with the tenant's initial domain—for example: prefix#EXT#@yourtenant.onmicrosoft.com.

Example: User bob@Company portal .com, from directory contoso, is added as an external user in directory fabrikam. This results as a user in fabrikam with UPN bob_contoso.com#EXT#@fabrikam.onmicrosoft.com, but you don't have to worry about that. When they sign in to an application that trusts https:/login.microsoftonline.com/fabrikam.onmicrosoft.com, they simply sign in as bob@Company portal .com and use their normal password from contoso.

Refer to the following links to learn more about:

Properties of an Azure Active Directory B2B collaboration user : https://learn.microsoft.com/en-us/azure/active-directory/external-identities/user-properties
What are the default user permissions in Azure Active Directory for Members and Guests : https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions

Hope this helps.

------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

KoNasl 21 Reputation points

2021-12-01T14:21:11.393+00:00

So does that mean that because our guest accounts have our domain in the prefix portion, this is most likely a personal account that is registered with Microsoft?
Siva-kumar-selvaraj 15,721 Reputation points

2021-12-01T17:30:22.963+00:00

Yes, guest user accounts always have an initial domain (yourtenant>.onmicrosoft.com) linked with the prefix portion of the UPN, and Azure AD natively supports guest users from partner Azure AD tenants as well as various consumers such as Microsoft Account ( MSA Hotmail), Gmail, Facebook, and so on.

To know list of Identity provider supported, refer Azure Active Directory (Azure AD) identity provider for External Identities.

Hope this helps.

---
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Ella Calais 1 Reputation point

2023-05-23T08:05:22.1866667+00:00

@Siva-kumar-selvaraj Thanks for great explanations! Do you have any idea how one should handle gmail email addresses? The "EXT#" part disappears in the UPN, but we get another prefix that is "live.com#", for gmail accounts. So name_gmail.com#EXT#@domain.onmicrosoft.com UPN becomes live.com#******@gmail.com...

Share via

External Identies confusion

0 additional answers

Your answer