Friday, January 26, 2018

AADConnect can block Azure AD B2B invitation

One of the approaches to working with externals of a business partner organization is to administer full accounts for them in your on-prem Active Directory. With the arrival of the Azure AD B2B capability, it is no longer required to maintain full accounts, including password management, for externals; they can now be invited as 'guest' via the concept of "bring your own identity". However, for organizations that have a legacy of the earlier external collaboration approach (note: this does not necessarily have to be SharePoint based; it can also be, for instance, via SAP Portal, on-premises web applications, ...), an account provisioning conflict may arise.
Situation sketch:
  • Externals of a business partner are added as full accounts to your on-prem Active Directory
  • Their own external company email is administered in AD as the primary email address, as that is the mailbox they will typically use and monitor
  • AADConnect is utilized to sync the on-prem AD accounts to Office 365 / Azure AD
  • Externals of the same business partner are invited as guest via Azure AD B2B, with their own external company email as identifier...
The result of this situation is the error: BadRequest; The object is either sourced from an on prem directory or is undergoing migration
In general, Microsoft states that "duplicate identifying attributes are not allowed in a tenant with AAD Connect" (see Troubleshooting Errors during synchronization). The primary email address is one of these: "For the proxyAddresses attribute only the value with SMTP:, that is the primary email address, is used for the evaluation". (source)
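A pre-flight check for exactly this conflict, as an added example that is not part of the original post: before sending a B2B invitation, look for an on-prem AD account whose primary SMTP address (the capitalized "SMTP:" entry in proxyAddresses, or the mail attribute) equals the address you are about to invite, and for an Azure AD user that already carries that address and is synced from on-prem (DirSyncEnabled), which is the "sourced from an on prem directory" case in the error above. It assumes the ActiveDirectory and AzureAD PowerShell modules and an already established Connect-AzureAD session; the function name, parameter names and the sample address are my own.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory and
# AzureAD modules are loaded and Connect-AzureAD has already been run.
function Test-B2BInviteConflict {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$EmailAddress,   # addresses you intend to invite as guest
        [switch]$SkipAzureAD                              # on-prem check only
    )

    foreach ($mail in $EmailAddress) {
        # Only the capitalized "SMTP:" entry marks the primary address in proxyAddresses.
        $primary = "SMTP:$mail"
        $result  = [ordered]@{
            Email         = $mail
            OnPremAccount = $null
            AzureADUser   = $null
            DirSynced     = $false
        }

        # On-prem AD: the LDAP filter match is case-insensitive, so re-check with
        # -ccontains to keep only a true primary (SMTP:) entry, plus the mail attribute.
        $adUser = Get-ADUser -Filter "proxyAddresses -eq '$primary' -or mail -eq '$mail'" -Properties proxyAddresses, mail |
            Where-Object { ($_.proxyAddresses -ccontains $primary) -or ($_.mail -eq $mail) } |
            Select-Object -First 1
        if ($adUser) { $result.OnPremAccount = $adUser.SamAccountName }

        if (-not $SkipAzureAD) {
            # Azure AD: any existing user already holding the address. DirSyncEnabled
            # tells you whether that object came in via AADConnect.
            # Note: -All $true enumerates the whole tenant; fine for a small tenant,
            # narrow it down for a large one.
            $aadUser = Get-AzureADUser -All $true |
                Where-Object { ($_.ProxyAddresses -ccontains $primary) -or ($_.Mail -eq $mail) } |
                Select-Object -First 1
            if ($aadUser) {
                $result.AzureADUser = $aadUser.UserPrincipalName
                $result.DirSynced   = [bool]$aadUser.DirSyncEnabled
            }
        }

        [pscustomobject]$result
    }
}

# Usage (sample address is constructed): report conflicts, and only invite the
# addresses that are clean on both sides.
$check = Test-B2BInviteConflict -EmailAddress 'jane.doe@partner.example'
$check | Format-Table -AutoSize

$check |
    Where-Object { -not $_.OnPremAccount -and -not $_.AzureADUser } |
    ForEach-Object {
        New-AzureADMSInvitation -InvitedUserEmailAddress $_.Email `
                                -InviteRedirectUrl 'https://myapps.microsoft.com' `
                                -SendInvitationMessage $true
    }
```

Any row with OnPremAccount set is the situation sketched above: the external already exists as a full AD account with that primary SMTP address, so the invitation will be rejected until the on-prem account is removed, or its primary address changed, and the change has synced.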
