Resetting the Sign-In Address for an Azure AD Guest Account

Posted on by Tony Redmond

Avoiding the Need to Remove and Recreate Guest Accounts

Microsoft 365 applications like Microsoft 365 Groups, Teams, SharePoint Online, and Planner use Azure B2B Collaboration to enable guest user access to their resources. The result is that many tenants have a proliferation of guest accounts to manage. I’ve written quite a few tools to help, including a report of guest accounts and their membership of Microsoft 365 Groups and a comprehensive report of tenant and guest members in Groups and Teams. Management can even be a challenge for guests who want to renounce their membership of a tenant.

In any case, the details of some guest accounts change over their lifetime. On March 2, Microsoft issued documentation for Reset redemption status for a guest user. This doesn’t sound very exciting, but it’s really very interesting because the feature allows tenant administrators to adjust how a guest account is signed into without using the previous technique of removing and recreating an account. The downside of that approach is that access is lost to all the resources available to the guest account like Teams, SharePoint sites, shares to individual documents, and so on. After recreating the account, access must then be regranted for each resource. This process is tedious, especially when the guest features in multiple groups.

Microsoft anticipates that the reset feature will be used in scenarios such as:

  • The user wants to sign in using a different email and identity provider. In other words, they now have a different account. For instance, the user might have moved companies and wishes to continue working with your company (a common scenario for professionals like IT consultants and lawyers).
  • The account for the user in their home tenant has been deleted and recreated. Azure AD won’t recognize the link between the guest account and the user’s new account.
  • The user’s responsibilities have been passed along to another user and they want to assign access to the resources which supported those responsibilities to that user.

Part of the change is performed using the Azure AD portal. The rest is done with PowerShell cmdlets from the Azure AD Preview module, which you can download from the PowerShell Gallery.

Change the Email (Sign-in) Address for a Guest Account

Unlike tenant accounts, guest users don’t use their user principal name to sign in. Instead, they use their email address. To work, the reset feature changes the sign-in name for the guest account and nothing else. The mail user object created in Exchange Online to allow guest users to receive email is also updated.

In this example, I have a guest account for Jacko Winters. The original email address for this account is Flayosc@outlook.com. The guest is a member of multiple teams and shares some SharePoint documents. I want to reassign access to all these resources to another account called Flayosc@yandex.com. It’s an example of the first scenario described above.

The first step is to update the Mail attribute (Email address) for the guest account with the email address you want to use. Do this through the Azure AD portal (Figure 1). The new email address cannot belong to any other mail-enabled object in the tenant, such as another guest account. If it does, Azure AD won’t allow you to update the account.

Updating the email address for a guest account
Figure 1: Updating the email address for a guest account

Moving to PowerShell, connect to Azure AD and get the Azure AD account identifier for the guest account you want to replace.

Connect-AzureAD
$ObjectId = (Get-AzureADUser -SearchString “Jacko Winters”).ObjectId
$ObjectId
558d8cbb-a5a2-4ea1-b950-0d0748ca5634

Now create a new User object and populate it with the object identifier for the account.

$OldUser = New-Object Microsoft.Open.MSGraph.Model.User -ArgumentList $ObjectId
$OldUser

Id                                   OdataType
--                                   ---------
558d8cbb-a5a2-4ea1-b950-0d0748ca5634

Issuing a New Invitation

The next thing to do is check that the values returned from the two commands match. If they do, use the New-AzureADMSInvitation cmdlet to reissue an invitation to the new email address. The identifier for the guest user account is passed in the InvitedUser parameter. The myapps.microsoft.com landing page is a default site showing apps available to a user. Here’s the command I ran:

New-AzureADMSInvitation -InvitedUserEmailAddress Flayosc@yandex.com -SendInvitationMessage $True -InviteRedirectUrl "http://myapps.microsoft.com" -InvitedUser $OldUser -ResetRedemption $True

Update: Given the deprecation of the Azure AD module in June 2023 (and the disappearance of the ResetRedemption parameter from the New-AzureADMSInvitation cmdlet), you should switch to the Microsoft Graph PowerShell SDK. This code is the equivalent using the Get-MgInvitation cmdlet:

$User = Get-MgUser -Filter "startsWith(mail, 'Flayosc@yandex.com')"
New-MgInvitation `
    -InvitedUserEmailAddress 'Flayosc@yandex.com' `
    -InviteRedirectUrl "http://myapps.microsoft.com" `
    -ResetRedemption `
    -SendInvitationMessage `
    -InvitedUser $User

See this documentation for more information.

Azure AD creates a new invitation to access the resources currently available to the guest account and sends it to the new email address. You’ll see a response like this:

Id                      : 129c1c12-da99-4879-b258-d14b34601d46
InvitedUserDisplayName  :
InvitedUserEmailAddress : Flayosc@yandex.com
SendInvitationMessage   : True
InviteRedeemUrl         : https://login.microsoftonline.com/redeem?rd=https%3a%2f%2finvitations.microsoft.com%2fredeem%
2f%3ftenant%3db662313f-14fc-43a2-9a7a-d2e27f4f3478%26user%3d129c1c12-da99-4879-b258-d14b34601
d46%26ticket%3dLStZd8uAONAIbLNIZyfaUZ91VsRczLbzqbFOeHsonSE%253d%26ver%3d2.0
InviteRedirectUrl       : http://myapps.microsoft.com/
InvitedUser             : class User {Id: 558d8cbb-a5a2-4ea1-b950-0d0748ca5634
OdataType: }

InvitedUserMessageInfo  : class InvitedUserMessageInfo {
                            CcRecipients: System.Collections.Generic.List`1[Microsoft.Open.MSGraph.Model.Recipient]
                            CustomizedMessageBody:
                            MessageLanguage:
                          }

InvitedUserType         : Guest
Status                  : PendingAcceptance
ResetRedemption         : True

Accepting the Reissued Invitation

The invitation arrives at the email address (Figure 2) and the user can accept the invitation to confirm their credentials (set a password) and create an OAuth consent to allow the tenant to read details of the user’s account (Figure 3).

The invitation from Azure B2B Collaboration arrives at the new email address
Figure 2: The invitation from Azure B2B Collaboration arrives at the new email address
Granting consent to access user information
Figure 3: Granting consent to access user information

Once the user consents to the permissions, the Azure AD account is updated to set the UserState property to Accepted and write the date of the redemption in UserStateChangedOn. We now have a fully functional guest account again. The important point is that the object identifier and user principal name for the account do not change. The only thing which changes is the mail address associated with the account.

The Azure AD audit log contains details of the issue (Figure 4) and redemption of the invitation. While the activity tab confirms the target address for the invitation, the target tab confirms the guest account.

Azure AD audit records for the reissued invitation
Figure 4: Azure AD audit records for the reissued invitation

Accessing Resources

In this instance, the guest account has access to several teams and some SharePoint documents. SharePoint access is immediate, including the sites used by Teams. Guest access to Planner also works properly.

After testing that access worked for SharePoint and Planner, I turned to Teams. I expected access to the Teams app to take longer because of the need to complete the process which synchronizes Azure AD with the membership roster used to control access to individual teams. Until this happens, the user is refused access to Teams (Figure 5) and the old email address assigned to the guest account remains visible in Teams (Figure 6). [Note that the display name of the guest account has reverted to Flayosc instead of Jacko Winters]

The guest user can't get into Teams with the new email address
Figure 5: The guest user can’t get into Teams with the new email address
Details of the old email address still present in the Teams membership roster
Figure 6: Details of the old email address still present in the Teams membership roster

Unsurprisingly, because the account information in Teams is now outdated, any attempt to add the guest account as a new member of a team also generates an error (Figure 7).

Error when adding the now-updated Azure AD guest account to a team's membership
Figure 7: Error when adding the now-updated Azure AD guest account to a team’s membership

To try to force synchronization, I updated the display name and several other attributes of the Azure AD account. This had no effect, so I added a couple of new users to the group using Teams to force Teams to refresh its membership roster. The updates flowed through to Azure AD, but nothing happened in Teams.

Get-AzureADGroupMember -ObjectId b647d5ff-3bda-4333-b768-7990084569b6

ObjectId                             DisplayName                   UserPrincipalName
--------                             -----------                   -----------------
cff4cd58-1bb8-4899-94de-795f656b4a18 Tony Redmond                  Tony.Redmond@office365itpros.com
b3eeaea5-409f-4b89-b039-1bb68276e97d Ben Owens (Business Director) Ben.Owens@office365itpros.com
a6bfb216-e88c-4f1f-86d7-04747e5fc686 Ben James                     Ben.James@Office365itpros.com
9ba20686-f869-46e8-85a2-00ec8a035e48 James Joyce                   James.Joyce@office365itpros.com
acb778e8-f587-45de-ae3a-e76007e043b2 Paul Howett                   Paul.Howett@office365itpros.com
98dda855-5dc3-4fdc-8458-cbc494a5a774 Sean Landy                    Sean.Landy@office365itpros.com
6b52fba5-349e-4624-88cd-d790883fe4c4 Ken Bowers                    Ken.Bowers@office365itpros.com
558d8cbb-a5a2-4ea1-b950-0d0748ca5634 Jacko Winters                 flayosc_outlook.com#EXT#@office365itpro

Get-AzureADuser -ObjectId 558d8cbb-a5a2-4ea1-b950-0d0748ca5634 | ft mail, displayname, objectid

Mail               DisplayName   ObjectId
----               -----------   --------
flayosc@yandex.com Jacko Winters 558d8cbb-a5a2-4ea1-b950-0d0748ca5634

The Original email address can’t be used to sign into Teams either. Eventually, after a couple of days, Teams synchronized with Azure AD and the updated account details became visible in Teams. However, the updated account could not sign into Teams.

Come Home to Teams

Working with the Azure AD development group, the problem was diagnosed to due to the way Teams tries its best to bring a user to their home tenant. In the case of guest users, Teams uses the sign in address to locate the tenant and headed off to the wrong place. When using an explicit redirect to the tenant identifier, like https://teams.microsoft.com/?tenantId=c662313f-14fc-43a2-9a7a-d2e27f4f3478, the user can connect.

Obviously, there’s some work for Teams to do to cope when administrators assign new email addresses to guest accounts, but at least the problem is known, and Microsoft will no doubt fix the issue soon.

All this work for a few lines in Chapter 13 of the Office 365 for IT Pros eBook. It just goes to prove how much work and effort the writing team puts in to keeping content accurate, refreshed, and updated. Subscribe now to receive monthly updates of goodness.

10 Replies to “Resetting the Sign-In Address for an Azure AD Guest Account”

  1. Have MS fixed the teams issue yet? We have a guest user who has been given a new domain and not losing teams access is essential

    Reply

  2. Hi,

    1. Are the permissions for B2B limited/locked to just these 3 pieces of information no matter what? Is it possible for a vendor or tenant to request more permission then the following? Also do you know if we can prevent the “photo” from being sent to the “External Tenant”? That seems like possible PII information.
    -Name
    -Email
    -Photo

    2. Do you know if it is possible to create an allow-list so that users can only become apart of Organizations as Guests that the home tenant defines? Trying to reduce the wild-west.

    Reply

    1. You don’t have any control over the tenants someone can join as a guest. Tenants can create a whitelist of the tenants they’ll accept guests from (Azure AD admin center – external identities) but not the other way round. And once someone is a guest, they can update their photo (or the host tenant can update their photo).

      Reply

  4. Interesting read here, thanks.
    Can you change the UPN for the Guest account to remove #EXT#@domainname or is that required for backend AAD purposes as i presume?

    Reply

  5. I encountered the following errors trying to use this method to change a guest account’s primary email address: New-AzureADMSInvitation : A parameter cannot be found that matches parameter name ‘ResetRedemption’.
    It appears that the ResetRedemption parameter has been removed from New-AzureADMSInvitation. If I remove this parameter, I get a different error:
    New-AzureADMSInvitation -InvitedUserEmailAddress -SendInvitationMessage $True -InviteRedirectUrl “http://myapps.microsoft.com” -InvitedUser $OldUser
    New-AzureADMSInvitation : Error occurred while executing NewAzureADMSInvitation
    Code: BadRequest
    Message: This user has already been invited to the directory using . If you want to generate a new
    invitation link for this user, please call invitation again without the user object.

    Reply

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.