Hi All, I need to know which Azure object I need to create to allow 1000+ users from .CSV file below: First Name, Last Name, Email, PhoneNumber These are my criteria: Login : using their own email address (not from my accepted email domains) Security : 2FA/MFA enforced (hence I assume a Minimum of M365 F1 license is required. Access Resource / URL : Share Point online that is managed and created by my internal team. I'm also using Hybrid OnPremise AD DS - Azure AD sync (PHS), using Azure AD Connect. So I wonder which object to create: Synchronized OnPremise AD Mail User New-AzureADUser (AzureAD) Azure AD MS Invite user New-AzureADMSInvitation (AzureAD) Azure Guest User: https://learn.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-invite-powershell Thank you in advance.

You need to create Guest users, which is what the last two methods address (well, they're the same method really). As for enforcing MFA, you will need to create a CA policy scoped to said users, or all Guest users.

Bulk Create Azure AD object to allow login with personal email address and secured with MFA/2FA?

Accepted answer

Vasil Michev 95,666 Reputation points MVP

2022-03-28T06:22:09.217+00:00

You need to create Guest users, which is what the last two methods address (well, they're the same method really). As for enforcing MFA, you will need to create a CA policy scoped to said users, or all Guest users.
Please sign in to rate this answer.

1 person found this answer helpful.
EnterpriseArchitect 4,761 Reputation points

2022-03-28T06:37:38.627+00:00

Hi Vasil,

I wanted the user FirstName.LastName@Stuff .com to log in using the email address FirstName.LastName@Stuff .com, enforced by the 2FA/MFA.
And all emails are sent to FirstName.LastName@Stuff .com mailbox.

But then I got this error:

Request was unsuccessful. Details: The domain portion of the userPrincipalName property is invalid. You must use one of the verified domain names in your organization.

Vasil Michev 95,666 Reputation points MVP

2022-03-28T08:54:50.733+00:00

Guests users are associated with other Azure AD organizations. For "consumer" accounts, such as Gmail, you will need the OTP flow: https://learn.microsoft.com/en-us/azure/active-directory/external-identities/one-time-passcode
For Google in particular, you can also setup external federation: https://learn.microsoft.com/en-us/azure/active-directory/external-identities/google-federation
But that's not possible for "consumer" accounts in general, just specific ones.

EnterpriseArchitect 4,761 Reputation points

2022-03-28T13:30:23.487+00:00

Thank you @Vasil Michev .

create a CA policy scoped to said users

How can I create or target the Conditional Access policy after the Guest user has been invited in Bulk using https://learn.microsoft.com/en-us/azure/active-directory/external-identities/tutorial-bulk-invite ?

Vasil Michev 95,666 Reputation points MVP

2022-03-28T14:49:07.827+00:00

Once you invite the user, there will be a matching Guest account object in your directory. You can then add all such users to a Group and scope a CA policy to said group. Or force it on all Guest users: https://learn.microsoft.com/en-us/azure/active-directory/external-identities/b2b-tutorial-require-mfa

EnterpriseArchitect 4,761 Reputation points

2022-03-28T22:57:10.037+00:00

Many thanks, Vasil for your assistance in this thread.
Sign in to comment

Bulk Create Azure AD object to allow login with personal email address and secured with MFA/2FA?

0 additional answers