Azure AD B2B: How to bulk add guest users without invitation redemption.


I think most of you are familiar with the concept of Azure AD Business-to-Business (B2B), which lets you add users of other companies to your Azure AD tenant. The partner organization does not need to own or manage a tenant of its own; you can simply invite anyone who has an email address.

If the invited user already exists in an Azure AD tenant, a guest user object is created in your tenant that is linked to the user object in the foreign (home) tenant.

If the invited user does not exist in any Azure AD tenant, a shadow (unmanaged) tenant is created behind the scenes for that user; additional users from the same domain are then created within this unmanaged tenant.

However, when you add a foreign user to your tenant, an invitation mail is sent to that user and the user has to redeem the invitation. By default, invited users are created with the user type Guest, which has no permissions at all in your tenant (not even to read the directory). Nevertheless, you can assign permissions to such users, e.g. application permissions, Azure AD roles or Azure RBAC roles.

There are 4 methods to invite a user as a B2B guest to your tenant:

You can find more details and the underlying concepts of Azure B2B in the documentation.

Adding users manually, by you or your organization, is fine as long as there are only a small number of users to invite, but it becomes a lot of work once this grows to hundreds or "multiple" thousands. You might also want to skip the invitation redemption step, so that users from your partner organization are added without any further interaction or notification at all.

Consider the following scenarios, which are concepts I have already discussed with customers:

  • You already manage external users on-premises with your IDM solution (MIM, I hope) and want those users to be invited by a PowerShell connector, notifying them with your own email instead of the Azure AD invitation.

Or

  • You have a trusted partnership with another company and want some people of that company to do the invites to your tenant instead of you. You remain responsible for assigning permissions to those users afterwards.

So, here is how you can achieve this:

In order to invite people without redemption you need an account with directory read permission in the partner's tenant (the foreign tenant).

This account also needs invite permissions within your tenant (the inviting tenant). By default only Global Admins can invite guest users; you can enable an option so that members (your employees) or even guests can invite other users. In addition, there is a dedicated Azure AD role called "Guest Inviter".

As you can see in the screenshot, there is also an option to lift the restrictions on guest users so that they behave like members (your normal employee accounts) and can, for example, read all directory objects. That is not something you want enabled by default for all your guests.

However, we need this permission for the inviting user (in this case a B2B user that will invite additional users) in order to use the Azure AD admin portal (http://portal.azure.com).

This permission is not needed for members of the "Guest Inviter" role if they only use PowerShell or the API to invite users. Having both permissions (directory read in the foreign tenant and invite rights in the inviting tenant) automatically suppresses the invitation redemption; instead, the user is added directly to your tenant.

So what I did was to invite the first user of my partner company as a member into my tenant and assign him the "Guest Inviter" role. This user can then serve as the service account for my MIM PowerShell connector, or be used by one or more people at my partner's organization to invite additional guest users.

Inviting B2B users with the user type Member can only be done via PowerShell or the Invitation API:

# Sign in to the inviting tenant as a Global Admin (AzureAD PowerShell module)
Connect-AzureAD

# Invite the partner's first user with user type "member" instead of the default "guest".
# -SendInvitationMessage $true: this first user still has to redeem the invitation mail.
New-AzureADMSInvitation -InvitedUserDisplayName "Partner Inviter Account" -InvitedUserEmailAddress "user@partner.com" -SendInvitationMessage $true -InviteRedirectUrl "http://myapps.microsoft.com" -InvitedUserType member

That first user receives the default invitation mail sent by Azure AD:

Redeem that invitation by clicking the "Get Started" link and afterwards assign the user to the "Guest Inviter" role in Azure AD.


Now let's invite an additional user from the same partner company using the B2B account created before.

Go to the Azure AD admin portal and click “+ New guest user” from the “All Users” menu.

Invite a guest by simply entering the email address and, optionally, an invitation message:

This second invited user gets no invitation mail by default, since he was added by a user with read permissions in the foreign tenant. Instead he receives a mail saying that he was added to the tenant and that no further action is needed.

To suppress this "added user" message as well, invite the additional users by PowerShell and set the parameter "SendInvitationMessage" to $false. You can use the Invitation API for that as well.

With that in place you can bulk import users by PowerShell or the Invitation API without any further interaction by the guest user and integrate the provisioning into your existing processes.
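Putting the steps above together, here is an added PowerShell example (written for this page, not code from the original post) that assigns the "Guest Inviter" role to the partner inviter account, bulk-invites the remaining partner users from a CSV file with SendInvitationMessage set to $false, and then reads back what the directory actually recorded for each invitee. Assumptions: the AzureAD PowerShell module is installed; the role assignment function is run as a Global Admin of the inviting tenant and the bulk invite as the partner inviter account; the file name partner-users.csv, its columns Email and DisplayName, and the partner domain partner.com are hypothetical.

```powershell
# Added example, not from the original post. Requires the AzureAD module.
# Hypothetical inputs: partner-users.csv (columns Email,DisplayName), domain partner.com.
Import-Module AzureAD
Connect-AzureAD   # interactive sign-in to the inviting tenant

# Step 2 of the post (run once as Global Admin of the inviting tenant):
# give the partner inviter account the built-in "Guest Inviter" role.
function Grant-GuestInviterRole {
    param([Parameter(Mandatory)][string]$UserObjectId)  # ObjectId of the invited member

    # Built-in roles are listed by Get-AzureADDirectoryRole only after first activation.
    $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq 'Guest Inviter' }
    if (-not $role) {
        $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq 'Guest Inviter' }
        $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
    }
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $UserObjectId
}

# Step 3 (run as the partner inviter account): invite without sending any mail.
function Invoke-BulkGuestInvite {
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [Parameter(Mandatory)][string]$PartnerDomain,          # domain the inviter account can read
        [string]$RedirectUrl = 'https://myapps.microsoft.com'
    )
    foreach ($row in Import-Csv -Path $CsvPath) {
        # Redemption is only suppressed for users of the tenant the inviter account can
        # read; any other address would silently fall back to a normal invitation.
        if ($row.Email -notlike "*@$PartnerDomain") {
            Write-Warning "Skipping $($row.Email): not in $PartnerDomain"
            continue
        }
        try {
            $inv = New-AzureADMSInvitation -InvitedUserEmailAddress $row.Email `
                -InvitedUserDisplayName $row.DisplayName `
                -InviteRedirectUrl $RedirectUrl `
                -SendInvitationMessage $false        # no invitation and no "you were added" mail
            [pscustomobject]@{
                Email    = $row.Email
                ObjectId = $inv.InvitedUser.Id
                Status   = $inv.Status   # 'Completed' = added directly, 'PendingAcceptance' = must redeem
            }
        }
        catch {
            Write-Warning "Invite failed for $($row.Email): $($_.Exception.Message)"
        }
    }
}

# Check: what the directory stored for each invitee (also shows who has redeemed).
function Get-GuestRedemptionState {
    param([Parameter(Mandatory)][string[]]$ObjectIds)
    foreach ($id in $ObjectIds) {
        $u = Get-AzureADUser -ObjectId $id
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            UserType          = $u.UserType       # Guest unless invited with -InvitedUserType member
            CreationType      = $u.CreationType   # 'Invitation' for B2B users
            UserState         = $u.UserState      # 'Accepted' or 'PendingAcceptance'
        }
    }
}

# Usage
$invites = Invoke-BulkGuestInvite -CsvPath .\partner-users.csv -PartnerDomain 'partner.com'
$invites | Format-Table -AutoSize
$invites | Where-Object { $_.Status -ne 'Completed' } | ForEach-Object {
    Write-Warning "$($_.Email) still needs to redeem the invitation (Status=$($_.Status))"
}
if ($invites) {
    Get-GuestRedemptionState -ObjectIds $invites.ObjectId | Format-Table -AutoSize
}
```

The Status returned by New-AzureADMSInvitation and the UserState attribute on the user object are the two places to confirm that redemption was really suppressed: an invitee that comes back as PendingAcceptance was not added directly and still has to click a redemption link, so treat that as a failed bulk import rather than a success. The same request can be sent to the Microsoft Graph endpoint POST https://graph.microsoft.com/v1.0/invitations with the same field names (invitedUserEmailAddress, inviteRedirectUrl, sendInvitationMessage) if you prefer the Invitation API over the module.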

This should also work the other way around: add one of your users as the first user to the foreign partner tenant and assign directory read permission to this user there.


About Peter Stapf
Senior Consultant Identity and Access MVP (Enterprise Mobility)

6 Responses to Azure AD B2B: How to bulk add guest users without invitation redemption.

  1. Ganesh Nagaretnam says:

    Hi Peter, Thanks for this information. Is there a way to get the information on which guest users have redeemed the invitation. I understood there is a view in Classic portal but would be interested to know if Powershell or Graph API could give this information

    • Peter Stapf says:

      Hello,

      Cannot say this for sure.
      You can see it in portal.azure.com on the user properties, there is one attribute for the source of user.
      It can be directly in AzureAD, OnPrem Directory, Guest Account or an un-redeemed guest.
      There you can also resend the mail again by a button.

      I guess that also should be somewhere accessible by Graph but could not find the endpoint.

      /Peter

  2. Zhong says:

    Hi,
    When I did as in your document, I found the second invited user is still in "invited user" status when using the invitation API, and this user cannot do anything. If I use the portal to add a guest user, the user still receives the mail which has "Get Start".
    Could you help me?
    The steps are:
    Invite a user in outlook.com as member.
    Change this user to global admin.
    Use this user to invite another user in outlook.com.
    This user still needs to redeem.

    I also find someone has the same issue.
    https://stackoverflow.com/questions/42924715/auto-redeem-invites-in-azure-b2b

    Regards
    Zhong

    • Peter Stapf says:

      Hi,
      I just checked that again in my demo lab subscription and it still works like that.

      You are right, steps are:
      – Invite the first user as user type member by PowerShell (API should work also)
      – I prefer to give the "Guest Inviter" role instead of "Global Admin"
      – Use this user to invite more users

      When I do this, the user directly has the attribute source set to "External Azure Active Directory" instead of "Invited user"; there is also no resend invitation button under that attribute.

      The second invited user is also able to log in without redemption; of course you need to give him some permissions in order to do anything.

      The second invited user should also get this "You have nothing to do" mail.

      In that testing I again used the portal to invite the second user, but I see no reason why that should not work with PowerShell or the API as well.

      /Peter

      • Zhong says:

        Thanks Peter,

        I’ve tried it again, but it still does not work.
        I think maybe it is because the user that I want to add is in outlook.com domain.
        It doesn’t make sense that I can add all outlook.com users to my directory without redeem.

        Thank you very much again.

        Regards,
        Zhong

  3. Peter Stapf says:

    Hi,
    Yes, I think so also; that came to my mind after my post.
    Depending on whether the Outlook.com addresses are MSA accounts or not, they will be directly added or a "shadow/unmanaged" tenant is created behind the scenes.
    And since it is unmanaged you are not allowed to bulk add other users from that domain.

    /Peter
