AbhishekSharma-7079 asked

Active Directory Guest User login

Hi,
I have an Azure Active Directory and an App registration (SPA) under it.

My issue is: when a guest user is invited to the Active Directory,
they are able to log in to the Active Directory (or the app) without even accepting the AD invitation.
Is this the desired behavior?

azure-active-directory

Hi @AbhishekSharma-7079 , does the user receive a "Review Permissions" page as mentioned here? Or any other prompt? Are you sending out an invitation email or a direct link? Different guest methods have different behaviors so I'm trying to see which one you used. Did you follow a document to set it up? Please let me know and I can assist you further.

Thank you,
James



Hi @JamesHamil-MSFT thanks for following up!

I am using the Microsoft Graph endpoint to send a guest user AD invite via email.

Graph Invite API
Doc followed: https://docs.microsoft.com/en-us/graph/api/invitation-post?view=graph-rest-1.0&tabs=http
URL: https://graph.microsoft.com/v1.0/invitations

This adds the guest user to my AAD.
(The invitation status is "pending acceptance" until the invited user opens their email and accepts the invite.)

I want to force my users to accept the invite only through email and not when they try to sign in directly to AAD or the SPA registered in my AAD.

I understand that when users try to log in directly (without visiting their email and accepting), they are prompted with an invite redemption to AAD popup during the sign-in flow itself.

P.S. Pardon me if my explanation is unclear or if I am missing something.

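The invitation request described in this comment, plus a check over the resulting guest objects, as an added example that is not part of the original post (Python; the invitation body fields and the user property externalUserState with values PendingAcceptance/Accepted are Graph v1.0 properties, the sample user records are constructed):

```python
# Added example (not the poster's code): helpers around the Graph invitation
# flow described above. Assumes the v1.0 invitation resource and the user
# resource's externalUserState property; sample records are constructed.
from datetime import datetime, timedelta

INVITATIONS_URL = "https://graph.microsoft.com/v1.0/invitations"


def build_invitation(email, redirect_url, display_name=""):
    """Request body for POST /v1.0/invitations. sendInvitationMessage=True
    has Graph mail the redemption link, which is the path the poster wants."""
    body = {"invitedUserEmailAddress": email,
            "inviteRedirectUrl": redirect_url,
            "sendInvitationMessage": True}
    if display_name:
        body["invitedUserDisplayName"] = display_name
    return body


def _parse(ts):
    # Graph returns ISO-8601 with a trailing Z; make it tz-aware for comparison.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def pending_guests(users, now_iso, max_age_days):
    """UPNs of guests still in externalUserState == 'PendingAcceptance' whose
    account is older than max_age_days. `users` is a list of Graph user
    objects, e.g. from GET /v1.0/users?$filter=userType eq 'Guest'
    &$select=userPrincipalName,userType,externalUserState,createdDateTime"""
    cutoff = _parse(now_iso) - timedelta(days=max_age_days)
    stale = []
    for u in users:
        if u.get("userType") != "Guest" or "createdDateTime" not in u:
            continue
        if u.get("externalUserState") != "PendingAcceptance":
            continue  # Accepted (redeemed) or a member account
        if _parse(u["createdDateTime"]) < cutoff:
            stale.append(u["userPrincipalName"])
    return stale


# Constructed sample records shaped like Graph user objects (not real data).
SAMPLE_USERS = [
    {"userPrincipalName": "alice_example.com#EXT#@contoso.onmicrosoft.com", "userType": "Guest",
     "externalUserState": "PendingAcceptance", "createdDateTime": "2023-01-01T00:00:00Z"},
    {"userPrincipalName": "bob_example.com#EXT#@contoso.onmicrosoft.com", "userType": "Guest",
     "externalUserState": "Accepted", "createdDateTime": "2023-01-01T00:00:00Z"},
    {"userPrincipalName": "carol_example.com#EXT#@contoso.onmicrosoft.com", "userType": "Guest",
     "externalUserState": "PendingAcceptance", "createdDateTime": "2023-03-01T00:00:00Z"},
]
```

Listing guests that never redeemed their invitation is the usual periodic cleanup for a tenant that invites via this API; a guest that shows "Accepted" redeemed the invite either from the mailed link or from the sign-in-time redemption prompt the comment describes.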

1 Answer

JamesHamil-MSFT answered

Hi @AbhishekSharma-7079 ,

Based on the statement from SO: "My problem - But if a user tries to SignIn directly to https://portal.azure.com or my SPA (without/before accepting the invitation sent to their Email) they are prompted "Review Permissions" page for getting added to AAD but after that they are not redirected to inviteRedirectUrl."

It may be that the SPA is a multi-tenant app, and when the user accesses it without having been added as a guest user, they only get the consent page directly while accessing the app; after providing consent, the app gets added to that user's home tenant.

Is the SPA a multi-tenant app? If so, please see if the above case is true. If not please let me know!

Thank you,
James
