Azure AD B2B: How to bulk add guest users without invitation redemption.

Update: This does not work anymore as described, see my updated blog post on B2B redemption.


I think most of you are familiar with the concept of Azure AD Business-to-Business (B2B), where you can add users of other companies to your Azure AD tenant. This feature does not require the partner organization to already own or manage a tenant of its own; you can simply invite any user who has an email address.

If the invited user already exists in an Azure AD tenant, a guest user object is created in your tenant that is linked to the user object in the foreign (home) tenant.

If the invited user does not exist in any Azure AD tenant, a shadow/unmanaged tenant is created behind the scenes for that user, and additional users from the same domain are then created within this unmanaged tenant.

However, when you add a foreign user to your tenant an invitation mail is sent to that user, and the user has to redeem the invitation. By default users are created with user type Guest, which has heavily restricted permissions in your tenant (it cannot even read the directory). Nevertheless, you can assign permissions such as application permissions, Azure AD roles or Azure RBAC roles to such users.

There are 4 methods to invite a user as a B2B guest to your tenant:

More details on the concepts of Azure AD B2B are in the documentation.

Adding users manually, by you or your organization, is fine if there are only a small number of users to invite, but it becomes a lot of work once this grows to hundreds or "multiple" thousands. You might also want to skip the invitation redemption entirely, so that many users from your partner organization are added without any further interaction or even a notification.

Consider the following two scenarios, both of which I have already discussed with customers:

  • You already manage external users on-premises with your IDM solution (hopefully MIM), you want those users to be invited by a PowerShell connector, and you want to notify the users with your own email instead of the Azure AD invitation.


  • You have a trusted partnership with another company and want some people from that company to do the inviting into your tenant instead of you. You remain responsible for assigning permissions to those users afterwards.

So, here is how you can achieve this:

To be able to invite people without redemption you need an account with directory read permission in the partner's tenant (the foreign tenant).

This account also needs invite permissions in your tenant (the inviting tenant). By default only Global Admins can invite guest users; you can enable an option so that members (your employees) or even guests can invite other users. In addition, there is a dedicated Azure AD role called "Guest Inviter".

As you can see in the screenshot, there is also an option to lift the restrictions on guest users so that they behave like members (your normal employee accounts) and can, for example, read all directory objects. That is not something you want enabled for all your guests by default.

However, we need this permission for the inviting user (in this case a B2B user who will invite additional users) in order to be able to use the Azure AD admin portal (

Members of the "Guest Inviter" role do not need this permission if they only use PowerShell or the API to invite users. Having both permissions (directory read in the foreign tenant and Guest Inviter in yours) automatically suppresses the invitation redemption; the user is added directly to your tenant instead.

So what I did was to invite the first user of my partner company as a member into my tenant and assign that user to the "Guest Inviter" role. This user can then serve as the service account for my MIM PowerShell connector, or be used by one or more people in my partner's organization to invite additional guest users.

Inviting a B2B user with user type member can only be done via PowerShell or the Invitation API:


New-AzureADMSInvitation -InvitedUserDisplayName "Partner Inviter Account" -InvitedUserEmailAddress "" -SendInvitationMessage $true -InviteRedirectUrl "" -InvitedUserType member

That first user receives the default invitation mail sent by Azure AD:

Redeem that invitation by clicking the "Get Started" link, then assign the user to the "Guest Inviter" role in Azure AD.
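The whole bootstrap step (invite the partner account as a member, then put it into the "Guest Inviter" role) as one script. This is an example added to this post, not code from the original article. It assumes the AzureAD PowerShell module (Connect-AzureAD, New-AzureADMSInvitation, Enable-AzureADDirectoryRole, Add-AzureADDirectoryRoleMember); the email address and the redirect URL are placeholders, replace them with the partner account and the page you want the "Get Started" link to open.

```powershell
# Added example (not from the original post): bootstrap the partner "inviter" account.
# Assumes the AzureAD PowerShell module. Address and redirect URL below are placeholders.
Connect-AzureAD   # sign in as a Global Admin of the inviting tenant

$partnerInviter = "inviter@partner.example"       # placeholder: account in the partner tenant
$redirectUrl    = "https://myapps.microsoft.com"  # where the "Get Started" link should land

# 1. Invite the first partner user with user type "Member". This is only possible
#    through PowerShell or the Invitation API, not through the portal.
$invitation = New-AzureADMSInvitation `
    -InvitedUserDisplayName  "Partner Inviter Account" `
    -InvitedUserEmailAddress $partnerInviter `
    -InviteRedirectUrl       $redirectUrl `
    -SendInvitationMessage   $true `
    -InvitedUserType         "Member"

"Invitation status: $($invitation.Status)"   # PendingAcceptance until the mail is redeemed

# 2. Directory roles only exist after their template has been activated once, so
#    enable "Guest Inviter" if this tenant has never used it.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq "Guest Inviter" }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq "Guest Inviter" }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# 3. Add the invited user to the role. The user object exists right away, redeemed or not,
#    so the role assignment does not have to wait for the "Get Started" click.
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $invitation.InvitedUser.Id

# 4. Sanity check: user type must be Member, and the role should hold only the accounts you expect.
Get-AzureADUser -ObjectId $invitation.InvitedUser.Id |
    Select-Object UserPrincipalName, UserType, UserState, UserStateChangedOn
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Select-Object UserPrincipalName
```

The last two lines are worth keeping in any automation around this: "Guest Inviter" is a tenant-wide privilege, so the membership of that role should be reviewed as part of the same process that grants it.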


Now let's invite an additional user from the same partner company with the B2B account created above.

Go to the Azure AD admin portal and click "+ New guest user" in the "All Users" menu.

Invite a guest by simply entering their email address and, optionally, an invitation message:

This second invited user receives no invitation mail, because they were added by a user with read permissions in their home (foreign) tenant. Instead they receive a mail saying they were added to the tenant and that no further action is needed.

To suppress that "added" mail as well, invite the additional users via PowerShell with the parameter "SendInvitationMessage" set to $false. The Invitation API offers the same option.

With that in place you can bulk-import users via PowerShell or the Invitation API without any interaction by the guest users, and integrate the provisioning into your existing processes.
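The bulk step as a script, added here as an example (not code from the original post). It is meant to run as the partner inviter account set up above, invites every user in a small constructed sample list with no mail at all, records the outcome per user so one failure does not abort the batch, and finally lists the guests that are still waiting for redemption using the UserState attribute of the user object. The sample addresses and the redirect URL are placeholders; in practice the list would come from your IDM export (Import-Csv with the same two columns).

```powershell
# Added example (not from the original post): bulk-add partner users as guests
# without an invitation mail or an "added to tenant" mail.
# Run this as the partner inviter account (Guest Inviter role in your tenant).
# Assumes the AzureAD PowerShell module; the input below is constructed sample data.
Connect-AzureAD

# Constructed sample input. Replace with: Import-Csv -Path .\partner-users.csv
$partnerUsers = @"
DisplayName,Email
Partner User One,user1@partner.example
Partner User Two,user2@partner.example
"@ | ConvertFrom-Csv

$redirectUrl = "https://myapps.microsoft.com"   # landing page stored on the invitation

$results = foreach ($u in $partnerUsers) {
    try {
        # -SendInvitationMessage $false suppresses both the invitation mail and the "added" mail.
        $inv = New-AzureADMSInvitation `
            -InvitedUserDisplayName  $u.DisplayName `
            -InvitedUserEmailAddress $u.Email `
            -InviteRedirectUrl       $redirectUrl `
            -SendInvitationMessage   $false `
            -InvitedUserType         "Guest"

        [pscustomobject]@{
            Email    = $u.Email
            ObjectId = $inv.InvitedUser.Id
            Status   = $inv.Status   # "PendingAcceptance" means a redemption is still required
        }
    }
    catch {
        # Record the failure and continue with the next user instead of aborting the batch.
        [pscustomobject]@{
            Email    = $u.Email
            ObjectId = $null
            Status   = "Error: $($_.Exception.Message)"
        }
    }
}

$results | Format-Table -AutoSize

# Verification: UserState is "PendingAcceptance" until a guest redeems and "Accepted"
# afterwards. Guests that were added directly, as described in this post, should not appear here.
Get-AzureADUser -Filter "userType eq 'Guest'" -All $true |
    Where-Object { $_.UserState -eq "PendingAcceptance" } |
    Select-Object UserPrincipalName, Mail, UserState, UserStateChangedOn
```

Keep the $results output with your provisioning run: the Status column is the only place where a silently pending redemption shows up, since the guest gets no mail telling them to act.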

This should also work the other way around: add one of your users as the first user to the foreign partner tenant and assign directory read permission to that user there.

Author: Peter Stapf

Senior Consultant Identity and Access

19 thoughts on “Azure AD B2B: How to bulk add guest users without invitation redemption.”

  1. Hi Peter, thanks for this information. Is there a way to get information on which guest users have redeemed the invitation? I understood there is a view in the Classic portal, but I would be interested to know if PowerShell or the Graph API could give this information.

    1. Hello,

      I cannot say this for sure.
      You can see it on the user properties; there is one attribute for the source of the user.
      It can be directly in Azure AD, on-prem directory, guest account or an un-redeemed guest.
      There you can also resend the mail via a button.

      I guess that should also be accessible somewhere via Graph, but I could not find the endpoint.


  2. Hi,
    When I did as per your document, I found the second invited user is still in "invited user" status when using the invitation API, and this user cannot do anything. If I use the portal to add a guest user, the user still receives the mail which has "Get Started".
    Could you help me?
    The steps are:
    invite a user in as member.
    change this user to global admin
    use this user to invite another user in
    this user still needs to redeem.

    I also found someone who has the same issue.


    1. Hi,
      I just checked that again in my demo lab subscription and it still works like that.

      You are right, the steps are:
      – Invite the first user as user type member by PowerShell (API should work also)
      – I prefer to give the "Guest Inviter" role instead of "Global Admin"
      – Use this user to invite more users

      When I do this the user directly has the attribute source set to "External Azure Active Directory" instead of "Invited user"; there is also no resend invitation button under that attribute.

      The second invited user is also able to log in without redemption; of course you need to give them some permissions in order to do anything.

      The second invited user should also get this "You have nothing to do" mail.

      In that test I again used the portal to invite the second user, but I see no reason why that should not work with PowerShell or the API as well.


      1. Thanks Peter,

        I've tried it again, but it still does not work.
        I think maybe it is because the user that I want to add is in domain.
        It doesn't make sense that I can add all users to my directory without redeeming.

        Thank you very much again.


  3. Hi,
    yes, I think so too; that came to my mind after my post.
    Depending on whether the addresses are MSA accounts or not, they are either added directly or a "shadow/unmanaged" tenant is created behind the scenes.
    And since it is unmanaged you are not allowed to bulk add other users from that domain.


  4. I have managed to get the guest in through B2B, but I would like to get details such as the job title and job location from the partner Azure AD. Is that possible? Is there a way I can get these details, such as in the case of claims?

  5. I cannot use the guest account to run “New-AzureADMSInvitation” in the foreign tenant. Did you really run this command instead of using UI?

  6. The command needs to be run in your own tenant to invite the account from the foreign tenant that later on will invite additional people into your tenant.
    At least you need 1 account with read permission in the foreign tenant and the Guest Inviter role in your tenant.

  7. Hi, you said "you need an account with directory read permission of the partners tenant". My account is an existing Azure AD account, created as a member (not a guest in the resource domain). The steps for me are:
    – Invite the first user as user type member by PowerShell (API should work also)
    – I prefer to give the "Guest Inviter" role instead of "Global Admin"
    – Use this user to invite more users

    This does not work; I need to redeem. What about "you need an account with directory read permission of the partners tenant"? The user is a standard user in the partner tenant; what requirement do I need to make sure it has read permission?

    1. Just a comment, it seems that the "Directory Reader" role vanished from the roles that can be delegated to users in Azure AD, so how do I make a user a "Directory Reader"?

  8. In fact the steps I mentioned in my blog post are no longer necessary, since the update to the B2B experience and behavior from 14 May 2018:

    There is no need for the account to be a user with reader permissions in the tenant you want to invite people from. You just need to be a Guest Inviter in your tenant (the target tenant).

    There is no real bulk import any more, but something similar: just invite the user without sending a mail; the invited users can go directly to the application and have to consent to reading their profile, after which the redemption is done behind the scenes and the user has access to the application.

    1. How can I change the logo in the Azure Active Directory invitation email like yours, where you have your "cloud lab" logo shown above?

      1. Hi, the logo comes from the branding feature of your tenant.
        You can define a small logo beside the background picture there that appears in such mails as well as in the access panel, for example.
        But it may be that Microsoft has changed the mail templates in the meantime; I have not checked that.
