We have users in AD who are technically external users but have been given internal user IDs so they can log into our terminal for a piece of proprietary software. No problems there, but recently we have been trying to invite them to groups in Teams as guests.
One of our employees is sending invites to users via their email. No problems until we invite these users that exist in our AD. We can't send them an invite because they are technically in our AD and it throws an error. (The email we'd use to invite them is also listed in the email field in AD.) When we add them as a member, they aren't able to see the group in Teams we've added them to. They also have SSO on their side, so they log in with their IDs, not the ones listed in our AD.
Add to that the fact that we've got Duo set up for our 365 tenant, so any access to any product will force 2FA. So I put the ID into the security group to be pulled into Duo, but then set them as bypass because it was trying to send a code to an email that doesn't exist.
The IDs in AD have been around forever to access our terminal, so we didn't add them recently. End users also don't want to use a second email just to be able to access our Teams groups.
Not sure how to approach this or if we've painted ourselves into a corner.