jvdlinden asked ChrisDymond-7196 commented

More details about 'externalUserState' user property (Microsoft Graph API and Azure AD)

Hi all,

I hope this is the right place to ask my question.
This question is about the "externalUserState" property for users and why this property remains empty for some users.

We have a SharePoint Online site that is being shared with external users.
These users are invited straight from the SharePoint Online website using the Share feature.

I am looking into possibilities to generate a list of external users that contains information such as invitation status, last sign-in date, etc.
I found that the Microsoft Graph API contains a property named "externalUserState" which has the description: "this property represents the invited user's invitation status. For invited users, the state can be PendingAcceptance or Accepted, or null for all other users." (what does this mean, other users?)
Link: user

When I run the query (https://graph.microsoft.com/v1.0/myorganization/users?$select=displayName,externalUserState,externalUserStateChangeDateTime,userType&$filter= userType eq 'Guest') through Graph Explorer I get the following output.

         {
             "@odata.id": "https://graph.microsoft.com/v2/guid1/directoryObjects/guid2/Microsoft.DirectoryServices.User",
             "displayName": "firstname.lastname1@example.com",
             "externalUserState": null,
             "externalUserStateChangeDateTime": null,
             "userType": "Guest"
         },
         {
             "@odata.id": "https://graph.microsoft.com/v2/guid1/directoryObjects/guid2/Microsoft.DirectoryServices.User",
             "displayName": "FirstName LastName",
             "externalUserState": "Accepted",
             "externalUserStateChangeDateTime": "2019-09-16T08:46:16Z",
             "userType": "Guest"
         }

It caught my eye that one guest user has an empty "externalUserState", and the other shows as "Accepted".
The first user has its email address as displayName, and the other user has its full name as displayName.
Why the difference? Especially in externalUserState. Why is "externalUserState" empty even though this is still an external user? Maybe a silly question: what other options are there for an external user to be created?

I noticed one more difference between these users. There is a user property named "Creation type" in the Azure AD website which "Indicates how the user account was created".
For the first user displayed above (where displayName equals the email address), the field "Creation type" is empty. But for the other user (where displayName equals the actual full name), it says "Invitation". Both are external users but somehow the creation process had been different?

Thanks a lot for all help provided.
Joost

microsoft-graph-users

Hi @jvdlinden I also found this type of Azure AD user in my tenant. I will respond to you about how to create this type of user ASAP. :)


1 Answer

JosephXu-MSFT answered ChrisDymond-7196 commented

Hi @jvdlinden In Azure AD, we can only invite an external user. So externalUserState and externalUserStateChangeDateTime can't be null. But I have reproduced your problem. We can create a user via MS Graph APIs and specify the value of this attribute as Guest.

  1. As shown below, I specified that the value of userType is Guest:
    126004-image.png

  2. We can see the Creation type is null.
    125906-image.png

  3. "externalUserState" is null and "externalUserStateChangeDateTime" is also null.
    125974-image.png

  4. But this user is not a real external user, because we can reset this user's password in Azure AD.
    125908-image.png





Hi @JosephXu-MSFT thanks for looking into this.

I can't seem to normally post a comment (maybe due to formatting conflicts, no error message shown), so I took a screenshot of my reply. Please find it below.

126032-image.png

Thanks for your help!



Update: by the way, I also noticed that the creationType property differs between those two users in Microsoft Graph. The value shows null for the first user, and "Invitation" for the second user. I have no clue how, given how users are invited.

I found this information on the creationType property: Indicates whether the user account was created as a regular school or work account (null), an external account (Invitation), a local account for an Azure Active Directory B2C tenant (LocalAccount) or self-service sign-up using email verification (EmailVerified). Read-only.


Yes, we can't reset the password of external users, including "Personal account" or "Work or school account", because they do not belong to our tenants. Generally, users invited through the portal will contain the creationType property. Is it possible that someone has accidentally modified the user’s information?


I'm 100% sure that no one modified the user information.
Quite a lot of users are coming up in my reports from Graph showing an empty value for externalUserState, and because of this it is not clear if these users have access to our system. Or, for example, if the invitation is still pending but it is simply not showing that it is pending.

So basically I still don't know why it is empty and what this means for my information protection reporting.

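An added example, not part of the thread above and not Microsoft's code: one way to bucket guest accounts for the kind of access report the asker describes, using only the externalUserState and creationType values quoted in the thread. The sample response is constructed, the bucket names are hypothetical, and it assumes creationType has been added to the query's $select list.

```python
import json

# Constructed sample shaped like the Graph Explorer output in the question,
# with creationType added to $select. These are not real users.
SAMPLE_RESPONSE = json.loads("""
{"value": [
  {"displayName": "firstname.lastname1@example.com", "userType": "Guest",
   "externalUserState": null, "externalUserStateChangeDateTime": null,
   "creationType": null},
  {"displayName": "FirstName LastName", "userType": "Guest",
   "externalUserState": "Accepted",
   "externalUserStateChangeDateTime": "2019-09-16T08:46:16Z",
   "creationType": "Invitation"},
  {"displayName": "Pending Person", "userType": "Guest",
   "externalUserState": "PendingAcceptance",
   "externalUserStateChangeDateTime": "2019-10-01T10:00:00Z",
   "creationType": "Invitation"},
  {"displayName": "Internal Member", "userType": "Member",
   "externalUserState": null, "externalUserStateChangeDateTime": null,
   "creationType": null}
]}
""")

def classify_guest(user):
    """Return a report bucket for one user object (bucket names are hypothetical)."""
    if user.get("userType") != "Guest":
        return "not-guest"
    state = user.get("externalUserState")
    if state == "Accepted":
        return "invited-accepted"
    if state == "PendingAcceptance":
        return "invited-pending"
    if state is None:
        # No invitation state: this says nothing about "pending", so keep these
        # accounts in a separate bucket for manual review instead of guessing.
        if user.get("creationType") is None:
            return "guest-no-invitation-record"
        return "guest-state-missing"
    return "unknown-state"

def build_report(response):
    """Group display names by bucket for every user in a Graph list response."""
    report = {}
    for user in response.get("value", []):
        report.setdefault(classify_guest(user), []).append(user["displayName"])
    return report

if __name__ == "__main__":
    for bucket, names in sorted(build_report(SAMPLE_RESPONSE).items()):
        print(f"{bucket}: {', '.join(names)}")
```

Accounts in the "guest-no-invitation-record" bucket match the pattern reproduced in the answer (userType Guest with both properties null), so they are the ones to check by hand before treating them as external.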