One approach to working with externals from a business partner organization is to administer full accounts for them in your on-prem Active Directory. With the arrival of the Azure AD B2B capability, it is no longer required to maintain full accounts, including password management, for externals; they can now be invited as 'guest' via the concept of "bring your own identity". However, for organizations with a legacy of the earlier external collaboration approach (note: this does not necessarily have to be SharePoint based; it can also be, for instance, via SAP Portal, on-premises web applications, etc.), an account provisioning conflict may arise.
Situation sketch:
- Externals of the business partner are added as full accounts to your on-prem Active Directory
- Their own external company email is administered in AD as the primary email address, as that is the mailbox they will typically use and monitor
- AADConnect is used to sync the on-prem AD accounts to Office 365 / Azure AD
- Externals of the same business partner are invited as guests for Azure AD B2B, with their own external company email as the identifier
In general, Microsoft states that "duplicate identifying attributes are not allowed in a tenant with AAD Connect" (see Troubleshooting Errors during synchronization). The primary email address is one of these identifying attributes: "For the proxyAddresses attribute only the value with SMTP:, that is the primary email address, is used for the evaluation". (source) In the situation sketched above, the synced on-prem account and the B2B guest would both carry the external's company email as an identifying attribute, which is exactly the duplicate that is not allowed.
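As an added pre-flight check (example code, not from the original post), the script below takes an export of on-prem AD accounts, keeps only the upper-case `SMTP:` value of proxyAddresses (the one AADConnect evaluates), and reports which planned B2B guest invitations would collide with an already-synced primary address. The CSV export format, the `;`-joined proxyAddresses column and the invite list are constructed sample data.

```python
"""Pre-flight check: would a planned Azure AD B2B guest invitation duplicate
the primary SMTP address of an account that AADConnect already syncs?

Only the proxyAddresses value prefixed with upper-case "SMTP:" is the primary
address; lower-case "smtp:" entries are aliases and are deliberately ignored.
"""
import csv
import io
from typing import Dict, List, Optional

# Constructed sample export of on-prem AD accounts (not real data).
AD_EXPORT = """\
sAMAccountName,proxyAddresses
jdoe,SMTP:john.doe@partner.example;smtp:jdoe@corp.example
asmith,smtp:anna@corp.example;SMTP:Anna.Smith@partner.example
svc-sync,smtp:svc@corp.example
"""

# Constructed list of externals we plan to invite as B2B guests.
PLANNED_INVITES = [
    "john.doe@partner.example",
    "anna.smith@partner.example",
    "new.person@partner.example",
]


def primary_smtp(proxy_addresses: str) -> Optional[str]:
    """Return the primary SMTP address (lower-cased) from a ';'-joined
    proxyAddresses string, or None if the account has no 'SMTP:' entry."""
    for value in proxy_addresses.split(";"):
        if value.startswith("SMTP:"):
            return value[len("SMTP:"):].strip().lower()
    return None


def synced_primary_addresses(export_csv: str) -> Dict[str, str]:
    """Map primary SMTP address -> sAMAccountName for each synced account."""
    result: Dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        addr = primary_smtp(row["proxyAddresses"])
        if addr:
            result[addr] = row["sAMAccountName"]
    return result


def find_collisions(export_csv: str, invites: List[str]) -> Dict[str, str]:
    """Return {invite_email: sAMAccountName} for invites whose address is
    already the primary SMTP address of a synced on-prem account."""
    primaries = synced_primary_addresses(export_csv)
    return {e: primaries[e.lower()] for e in invites if e.lower() in primaries}


if __name__ == "__main__":
    for email, account in find_collisions(AD_EXPORT, PLANNED_INVITES).items():
        print(f"{email}: collides with synced account {account}")
```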