Office 365: Customizing sign-in experience for external users
Microsoft offers a wide range of solutions for collaboration between users both internal and external to your organization.
Some of the options include Azure AD B2B and B2C, where external users can sign in to your resources with an identity they already have, for example a Facebook account. The article below describes a customization option for Office 365 guest users' invitations.
When creating a guest user account in Azure Active Directory, you have the option of sending a message welcoming the user to the organization. The standard invitation e-mail displays this message and includes some basic elements of your organization's branding.
Azure Active Directory Branding
You can further customize the invitation e-mail and the sign-in page by applying company branding in the Azure Portal.
Navigate to Azure Active Directory >> Company branding
On that page you can change the logo, the welcome message (sign-in page text) and the background image of the sign-in page:
The end effect may look like this:
Image Source: https://docs.microsoft.com/en-us/azure/active-directory/b2b/invitation-email-elements
You can find more information and detailed instructions in Microsoft's documentation.
Generating sign-in URL with Microsoft Graph
Your requirements may demand more than the out-of-the-box branding, and this is where Microsoft Graph comes in handy.
Microsoft Graph offers an API endpoint, https://graph.microsoft.com/beta/invitations (the same endpoint is also available under v1.0), which lets you create an invitation and obtain its inviteRedeemUrl without sending Microsoft's invitation e-mail to the user.
To see this in action, let's use the amazing tool that is Graph Explorer: https://developer.microsoft.com/en-us/graph/graph-explorer. Sign in on the left-hand side with an account from your organization.
One of the following permissions is required to execute the query:

| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | User.Invite.All, User.ReadWrite.All, Directory.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
| Application | User.Invite.All, User.ReadWrite.All, Directory.ReadWrite.All |

User.Invite.All is sufficient for this scenario; grant that to your app or script rather than one of the broader write permissions, which would also let it modify existing users or the directory.
Make sure you use the POST method with the https://graph.microsoft.com/beta/invitations endpoint. In the request body specify the *invitedUserEmailAddress* and *inviteRedirectUrl*. Since we want to customize the invitation message, add the optional parameter *sendInvitationMessage* and set it to false. The creation response contains the *inviteRedeemUrl* (and, under invitedUser, the object ID of the newly created guest account); your app can then use the redeem URL to craft your own invitation, through your communication mechanism of choice, to the invited user. Treat the redeem URL like any other one-time link: it carries the invitation ticket, so deliver it only to the invited address and keep it out of logs and transcripts.
Generating inviteRedeemUrl with PowerShell
You can also generate the inviteRedeemUrl with PowerShell, using the Azure Active Directory PowerShell for Graph module (note that Microsoft has since deprecated this AzureAD module; the Microsoft Graph PowerShell SDK's New-MgInvitation cmdlet offers the equivalent parameters). If you set SendInvitationMessage to $false, the user does not receive Microsoft's invitation e-mail, but the redeem URL is still generated and you can later reuse it in your custom e-mail:

```powershell
Connect-AzureAD
$invitation = New-AzureADMSInvitation -InvitedUserDisplayName "arleta via PS" -InvitedUserEmailAddress "arletastestMail@mail.com" -SendInvitationMessage $false -InviteRedirectUrl "https://testTenant432.sharepoint.com/sites/test"
$invitation.InviteRedeemUrl   # the link to embed in your custom invitation
```

From the returned object grab the InviteRedeemUrl and use it to create your own invitation.
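Both procedures above, the Graph request and the PowerShell cmdlet, stop at the same point: you hold a redeem URL that you still have to deliver. The following added example, which is not code from the original article, runs the whole flow with the Microsoft Graph PowerShell SDK: it posts the same request body you would paste into Graph Explorer, checks the redirect target against an allow-list, and mails the redeem URL from the signed-in mailbox with Send-MgUserMail. The tenant host names, addresses, module choice and message wording are placeholders; the allow-list is this example's own check, not something Graph performs.

```powershell
# Added example (not from the original article): create a guest invitation through
# Microsoft Graph without Microsoft's e-mail, then deliver the redeem URL in a
# custom message. Requires the Microsoft.Graph.Authentication and
# Microsoft.Graph.Users.Actions modules (Install-Module Microsoft.Graph).
# Hosts, addresses and wording below are placeholders.

# Least-privileged scopes: User.Invite.All to create the invitation, Mail.Send to
# send from the signed-in mailbox (a shared mailbox would need Mail.Send.Shared).
Connect-MgGraph -Scopes "User.Invite.All", "Mail.Send"

function New-CustomGuestInvitation {
    param(
        [Parameter(Mandatory)] [string] $EmailAddress,
        [Parameter(Mandatory)] [string] $RedirectUrl,
        [Parameter(Mandatory)] [string] $DisplayName
    )

    # Graph does not restrict inviteRedirectUrl. If the target can come from a form
    # or a ticket, pin it to resources you own; otherwise your branded invitation
    # becomes a trusted-looking link to an arbitrary site. (Placeholder hosts.)
    $allowedHosts = @("testTenant432.sharepoint.com", "myapps.microsoft.com")
    $target = [System.Uri] $RedirectUrl
    if ($target.Scheme -ne "https" -or $allowedHosts -notcontains $target.Host) {
        throw "Refusing to invite with redirect to unexpected target: $RedirectUrl"
    }

    # Same body as in Graph Explorer; sendInvitationMessage=false suppresses
    # Microsoft's e-mail but the response still contains inviteRedeemUrl.
    $body = @{
        invitedUserEmailAddress = $EmailAddress
        invitedUserDisplayName  = $DisplayName
        inviteRedirectUrl       = $RedirectUrl
        sendInvitationMessage   = $false
    }
    $response = Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/beta/invitations" `
        -Body $body -ContentType "application/json"

    if ($response.status -ne "PendingAcceptance") {
        throw "Unexpected invitation status: $($response.status)"
    }
    # Return only what the mail needs. The redeem URL carries the invitation
    # ticket, so it is never written to the console, a transcript or a log here.
    [pscustomobject] @{
        GuestObjectId = $response.invitedUser.id
        RedeemUrl     = $response.inviteRedeemUrl
    }
}

function Send-CustomInvitationMail {
    param(
        [Parameter(Mandatory)] [string] $To,
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $RedeemUrl
    )
    # Display names are caller-supplied; encode them so they cannot inject HTML.
    $safeName = [System.Net.WebUtility]::HtmlEncode($DisplayName)
    $html = @"
<p>Hello $safeName,</p>
<p>You have been given access to our project site. Use the link below to accept the invitation and sign in:</p>
<p><a href="$RedeemUrl">Accept the invitation</a></p>
<p>If you were not expecting this message, please ignore it.</p>
"@
    $mail = @{
        message = @{
            subject      = "You have been invited to collaborate with Test Tenant"
            body         = @{ contentType = "HTML"; content = $html }
            toRecipients = @(@{ emailAddress = @{ address = $To } })
        }
        saveToSentItems = $false   # no copy of the redeem URL left in Sent Items
    }
    # Sends as the account that ran Connect-MgGraph.
    Send-MgUserMail -UserId (Get-MgContext).Account -BodyParameter $mail
}

$invite = New-CustomGuestInvitation -EmailAddress "arletastestMail@mail.com" `
    -RedirectUrl "https://testTenant432.sharepoint.com/sites/test" `
    -DisplayName "arleta via Graph"
Send-CustomInvitationMail -To "arletastestMail@mail.com" -DisplayName "arleta via Graph" -RedeemUrl $invite.RedeemUrl
Write-Host "Invitation created for guest object $($invite.GuestObjectId); custom mail sent."
```

If you prefer a cmdlet over the raw request, New-MgInvitation from Microsoft.Graph.Identity.SignIns wraps the same POST and takes -InvitedUserEmailAddress, -InvitedUserDisplayName, -InviteRedirectUrl and -SendInvitationMessage:$false; the redirect allow-list and the HTML encoding of the display name apply unchanged.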