Azure Active Directory B2B collaboration invitation redemption
Redemption through the invitation email
When you add a guest user to your directory by using the Azure portal, an invitation email is sent to the guest in the process. You can also choose to send invitation emails when you’re using PowerShell to add guest users to your directory. Here’s a description of the guest’s experience when they redeem the link in the email.
- The guest receives an invitation email that's sent from Microsoft Invitations.
- The guest selects Get Started in the email.
- If the guest doesn't have an Azure AD account, a Microsoft Account (MSA), or an email account in a federated organization, they're prompted to create an MSA (unless the one-time passcode feature is enabled, which doesn’t require an MSA).
- The guest is guided through the consent experience described below.
Redemption through a direct link
As an alternative to the invitation email, you can give a guest a direct link to your app or portal. You first need to add the guest user to your directory via the Azure portal or PowerShell. Then you can use any of the customizable ways to deploy applications to users, including direct sign-on links. When a guest uses a direct link instead of the invitation email, they’ll still be guided through the first-time consent experience.
The direct link must be tenant-specific. In other words, it must include a tenant ID or verified domain so the guest can be authenticated in your tenant, where the shared app is located. A common URL like https://myapps.microsoft.com won’t work for a guest because it will redirect to their home tenant for authentication. Here are some examples of direct links with tenant context:
There are some cases where the invitation email is recommended over a direct link. If these special cases are important to your organization, we recommend that you invite users by using methods that still send the invitation email:
- The user doesn’t have an Azure AD account, an MSA, or an email account in a federated organization. Unless you're using the one-time passcode feature, the guest needs to redeem the invitation email to be guided through the steps for creating an MSA.
- Sometimes the invited user object may not have an email address because of a conflict with a contact object (for example, an Outlook contact object). In this case, the user must click the redemption URL in the invitation email.
- The user may sign in with an alias of the email address that was invited. (An alias is an additional email address associated with an email account.) In this case, the user must click the redemption URL in the invitation email.
Consent experience for the guest
When a guest signs in to access resources in a partner organization for the first time, they're guided through the following pages.
The guest reviews the Review permissions page, which describes the inviting organization's privacy statement. To continue, the user must select Accept to agree to the use of their information in accordance with the inviting organization's privacy policies.
For information about how you as a tenant administrator can link to your organization's privacy statement, see How-to: Add your organization's privacy info in Azure Active Directory.
Unless otherwise specified, the guest is redirected to the Apps access panel, which lists the applications the guest can access.
In your directory, the guest's Invitation accepted value changes to Yes. If an MSA was created, the guest’s Source shows Microsoft Account. For more information about guest user account properties, see Properties of an Azure AD B2B collaboration user.
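The following PowerShell is an added example, not code from this page or from Microsoft. It invites a guest with the AzureAD module while keeping the invitation email (so the MSA-creation, contact-conflict and alias cases above still work), points the redirect at a tenant-scoped URL rather than the bare myapps address, and later reads the guest object to confirm the redemption state. The tenant ID, guest address and display name are placeholders; the `?tenantid=` query form of the myapps URL is assumed here.

```powershell
# Added example (not from the original page). Requires the AzureAD module:
#   Install-Module AzureAD; Connect-AzureAD
# Placeholder values: replace with your own tenant ID and the guest's address.
$TenantId   = '00000000-0000-0000-0000-000000000000'   # placeholder tenant ID
$GuestEmail = 'guest@partner.example'                  # placeholder address

# Tenant-scoped landing page (assumed ?tenantid= form). The bare
# https://myapps.microsoft.com URL would send the guest to their home tenant.
$RedirectUrl = "https://myapps.microsoft.com/?tenantid=$TenantId"

# Keep SendInvitationMessage on: guests without an Azure AD account or MSA,
# guests whose user object has no email because of a contact conflict, and
# guests signing in with an alias all need the redemption URL in the email.
$invitation = New-AzureADMSInvitation `
    -InvitedUserEmailAddress $GuestEmail `
    -InvitedUserDisplayName  'Partner Guest' `
    -InviteRedirectUrl       $RedirectUrl `
    -SendInvitationMessage   $true

# Status is PendingAcceptance until the guest completes redemption.
Write-Host "Invitation status: $($invitation.Status)"

# InviteRedeemUrl is the same link the email carries; it grants access to the
# invitation, so log or share it only through a controlled channel.
# Write-Host $invitation.InviteRedeemUrl

# Check later: UserState moves from PendingAcceptance to Accepted, which is
# the "Invitation accepted: Yes" value shown in the portal.
$guest = Get-AzureADUser -ObjectId $invitation.InvitedUser.Id
$guest | Select-Object DisplayName, UserType, UserState, UserStateChangedOn
```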