Troubleshooting Azure Active Directory B2B collaboration

Here are some remedies for common problems with Azure Active Directory (Azure AD) B2B collaboration.

Important

  • Starting July 12, 2021, if Azure AD B2B customers set up new Google integrations for use with self-service sign-up for their custom or line-of-business applications, authentication with Google identities won’t work until authentications are moved to system web-views. Learn more.
  • Starting September 30, 2021, Google is deprecating embedded web-view sign-in support. If your apps authenticate users with an embedded web-view and you're using Google federation with Azure AD B2C or Azure AD B2B for external user invitations or self-service sign-up, Google Gmail users won't be able to authenticate. Learn more.
  • We've begun rolling out a change to turn on the email one-time passcode feature for all existing tenants and enable it by default for new tenants. We're enabling the email one-time passcode feature because it provides a seamless fallback authentication method for your guest users. However, if you don't want to allow this feature to turn on automatically, you can disable it. Soon, we'll stop creating new, unmanaged ("viral") Azure AD accounts and tenants during B2B collaboration invitation redemption.

Guest sign-in fails with error code AADSTS50020

When a guest user from an identity provider (IdP) can't sign in to a resource tenant in Azure AD and receives an error code AADSTS50020, there are several possible causes. See the troubleshooting article for error AADSTS50020.

B2B direct connect user is unable to access a shared channel (error AADSTS90071)

When a B2B direct connect user sees the following error message while trying to access another organization's Teams shared channel, the external organization hasn't configured its multi-factor authentication trust settings:

The organization you're trying to reach needs to update their settings to let you sign in.

AADSTS90071: An admin from <organization> must update their access settings to accept inbound multifactor authentication.

The organization hosting the Teams shared channel must enable the trust setting for multi-factor authentication to allow access to B2B direct connect users. Trust settings are configurable in an organization's cross-tenant access settings.

An error similar to "Failure to update policy due to object limit" appears while configuring cross-tenant access settings

As you configure cross-tenant access settings, if you receive an error that says "Failure to update policy due to object limit," you've reached the policy object limit of 25 KB. We're working toward increasing this limit. To calculate how close the current policy is to this limit, do the following:

  1. Open Microsoft Graph Explorer and run the following:

    GET https://graph.microsoft.com/beta/policies/crosstenantaccesspolicy

  2. Copy the entire JSON response and save it as a txt file, for example policyobject.txt.

  3. Open PowerShell and run the following script, substituting the file location in the first line with your text file:

$policy = Get-Content "C:\policyobject.txt" -Raw   # -Raw reads the file as one string so line breaks are counted too
$maxSize = 1024*25                                   # 25 KB policy object limit
$size = [System.Text.Encoding]::UTF8.GetByteCount($policy)
Write-Host "Remaining bytes available in policy object"
$maxSize - $size
Write-Host "Is current policy within limits?"
if ($size -le $maxSize) { "valid" } else { "invalid" }

Users can no longer read email encrypted with Microsoft Rights Management Service (OME)

As you configure cross-tenant access settings, if you block access to all apps by default, users will be unable to read emails encrypted with Microsoft Rights Management Service (also known as OME). To avoid this issue, we recommend configuring your outbound settings to allow your users to access this app ID: 00000012-0000-0000-c000-000000000000. If this is the only application you allow, access to all other apps will be blocked by default.

I’ve added an external user but don't see them in my Global Address Book or in the people picker

In cases where external users aren't populated in the list, the object might take a few minutes to replicate.

A B2B guest user isn't showing up in SharePoint Online/OneDrive people picker

The ability to search for existing guest users in the SharePoint Online (SPO) people picker is OFF by default to match legacy behavior.

You can enable this feature by using the setting 'ShowPeoplePickerSuggestionsForGuestUsers' at the tenant and site collection level. You can set the feature using the Set-SPOTenant and Set-SPOSite cmdlets, which allow members to search all existing guest users in the directory. Changes in the tenant scope don't affect already provisioned SPO sites.

My guest invite settings and domain restrictions aren't being respected by SharePoint Online/OneDrive

By default, SharePoint Online and OneDrive have their own set of external user options and don't use the settings from Azure AD. You need to enable SharePoint and OneDrive integration with Azure AD B2B to ensure the options are consistent among those applications.

Invitations have been disabled for directory

If you're notified that you don't have permissions to invite users, verify that your user account is authorized to invite external users under Azure Active Directory > User settings > External users > Manage external collaboration settings:

Screenshot showing the External Users settings.

If you've recently modified these settings or assigned the Guest Inviter role to a user, there might be a 15-60 minute delay before the changes take effect.

The user that I invited is receiving an error during redemption

Common errors include:

Invitee’s Admin has disallowed EmailVerified Users from being created in their tenant

This error occurs when you invite a user whose organization uses Azure Active Directory, but the specific user's account doesn't exist (for example, the user doesn't exist in the Azure AD tenant contoso.com). The administrator of contoso.com may have a policy in place preventing such users from being created. The user must check with their admin to determine if external users are allowed. The external user's admin may need to allow Email Verified users in their domain (see this article on allowing Email Verified Users).

Screenshot of the error stating the tenant doesn't allow email verified users.

External user doesn't exist already in a federated domain

If you're using federation authentication and the user doesn't already exist in Azure Active Directory, the user can't be invited.

To resolve this issue, the external user’s admin must synchronize the user’s account to Azure Active Directory.

External user has a proxyAddress that conflicts with a proxyAddress of an existing local user

When we check whether a user can be invited to your tenant, one of the checks is for a collision in proxyAddresses. This includes any proxyAddresses for the user in their home tenant and any proxyAddresses of local users in your tenant. For external users, we add the email to the proxyAddresses of the existing B2B user. For local users, you can ask them to sign in using the account they already have.

I can't invite an email address because of a conflict in proxyAddresses

This happens when another object in the directory has the same invited email address as one of its proxyAddresses. To fix this conflict, remove the email from the user object, and also delete the associated contact object before trying to invite this email again.

The guest user object doesn't have a proxyAddress

Sometimes, the external guest user you're inviting conflicts with an existing Contact object. When this occurs, the guest user is created without a proxyAddress. This means that the user won't be able to redeem this account using just-in-time redemption or email one-time passcode authentication.

How does ‘#’, which isn't normally a valid character, sync with Azure AD?

"#" is a reserved character in UPNs for Azure AD B2B collaboration or external users, because the invited account user@contoso.com becomes user_contoso.com#EXT#@fabrikam.onmicrosoft.com. Therefore, UPNs containing # that are synced from on-premises aren't allowed to sign in to the Azure portal.

I receive an error when adding external users to a synchronized group

External users can be added only to “assigned” or “Security” groups and not to groups that are mastered on-premises.

My external user didn't receive an email to redeem

The invitee should check with their ISP or spam filter to ensure that the following address is allowed: Invites@microsoft.com

Note

  • For the Azure service operated by 21Vianet in China, the sender address is Invites@oe.21vianet.com.
  • For the Azure AD Government cloud, the sender address is invites@azuread.us.

I notice that the custom message doesn't get included with invitation messages at times

To comply with privacy laws, our APIs don't include custom messages in the email invitation when:

  • The inviter doesn't have an email address in the inviting tenant
  • An application service principal sends the invitation

If this scenario is important to you, you can suppress our API invitation email, and send it through the email mechanism of your choice. Consult your organization’s legal counsel to make sure any email you send this way also complies with privacy laws.

You receive an “AADSTS65005” error when you try to sign in to an Azure resource

A user who has a guest account can't sign in, and is receiving the following error message:

    AADSTS65005: Using application 'AppName' is currently not supported for your organization contoso.com because it is in an unmanaged state. An administrator needs to claim ownership of the company by DNS validation of contoso.com before the application AppName can be provisioned.

The user has an Azure user account in a viral tenant that has been abandoned or is unmanaged. Additionally, there are no Global Administrators in the tenant.

To resolve this problem, you must take over the abandoned tenant. Refer to Take over an unmanaged directory as administrator in Azure Active Directory. You must also access the internet-facing DNS for the domain suffix in question in order to provide direct evidence that you are in control of the namespace. After the tenant is returned to a managed state, please discuss with the customer whether leaving the users and verified domain name is the best option for their organization.

A guest user with a just-in-time or "viral" tenant is unable to reset their password

If the identity tenant is a just-in-time (JIT) or viral tenant (meaning it's a separate, unmanaged Azure tenant), only the guest user can reset their password. Sometimes an organization will take over management of viral tenants that are created when employees use their work email addresses to sign up for services. After the organization takes over a viral tenant, only an administrator in that organization can reset the user's password or enable SSPR. If necessary, as the inviting organization, you can remove the guest user account from your directory and resend an invitation.

A guest user is unable to use the AzureAD PowerShell V1 module

As of November 18, 2019, guest users in your directory (defined as user accounts where the userType property equals Guest) are blocked from using the AzureAD PowerShell V1 module. Going forward, a user will need to either be a member user (where userType equals Member) or use the AzureAD PowerShell V2 module.

In an Azure US Government tenant, I can't invite a B2B collaboration guest user

Within the Azure US Government cloud, B2B collaboration is enabled between tenants that are both within Azure US Government cloud and that both support B2B collaboration. If you invite a user in a tenant that doesn't yet support B2B collaboration, you'll get an error. For details and limitations, see Azure Active Directory Premium P1 and P2 Variations.

If you need to collaborate with an Azure AD organization that's outside of the Azure US Government cloud, you can use Microsoft cloud settings (preview) to enable B2B collaboration.

Invitation is blocked due to cross-tenant access policies

When you try to invite a B2B collaboration user in another Microsoft Azure cloud, this error message will appear if B2B collaboration is supported between the two clouds but is blocked by cross-tenant access settings. The settings that are blocking collaboration could be either in the B2B collaboration user’s home tenant or in your tenant. Check your cross-tenant access settings to make sure you’ve added the B2B collaboration user’s home tenant to your Organizational settings and that your settings allow B2B collaboration with the user. Then make sure an admin in the user’s tenant does the same.

Invitation is blocked due to disabled Microsoft B2B Cross Cloud Worker application

Rarely, you might see this message: “This action can't be completed because the Microsoft B2B Cross Cloud Worker application has been disabled in the invited user’s tenant. Please ask the invited user’s admin to re-enable it, then try again.” This error means that the Microsoft B2B Cross Cloud Worker application has been disabled in the B2B collaboration user’s home tenant. This app is typically enabled, but it might have been disabled by an admin in the user’s home tenant, either through PowerShell or the portal (see Disable how a user signs in). An admin in the user’s home tenant can re-enable the app through PowerShell or the Azure portal. In the portal, search for “Microsoft B2B Cross Cloud Worker” to find the app, select it, and then choose to re-enable it.

Redemption is blocked due to cross-tenant access settings

A B2B collaboration user could see this message when they try to redeem a B2B collaboration invitation: “This invitation is blocked by cross-tenant access settings. Admins in both your organization and the inviter’s organization must configure cross-tenant access settings to allow the invitation.” This error can occur when cross-tenant policies are changed between the time the invitation was sent to the user and the time the user redeems it. Check your cross-tenant access settings to make sure B2B collaboration is properly configured, and make sure an admin in the user’s tenant does the same.
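The three cross-tenant checks above (the inbound MFA trust behind AADSTS90071, whether B2B collaboration is allowed for a partner, and whether outbound access to the Rights Management Service app is allowed) can be read from one place. The following script is an added example, not part of the original article; it assumes the Microsoft.Graph.Authentication module, a session with the Policy.Read.All permission, the Graph v1.0 crossTenantAccessPolicy schema (partner settings override the default, a null partner property means "inherit default"), and a placeholder partner tenant ID.

```powershell
# Added example (not from the original article). Assumes Connect-MgGraph -Scopes Policy.Read.All
# has already been run. $partnerTenantId is a placeholder; replace it with the partner's tenant ID.
$partnerTenantId = '00000000-0000-0000-0000-000000000000'   # placeholder
$omeAppId        = '00000012-0000-0000-c000-000000000000'   # Rights Management Service app ID from the article

$base    = 'https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy'
$default = Invoke-MgGraphRequest -Method GET -Uri "$base/default"
try {
    $partner = Invoke-MgGraphRequest -Method GET -Uri "$base/partners/$partnerTenantId"
} catch {
    $partner = $null   # no organizational settings for this tenant, so the defaults apply
}

# Organizational settings override the default; a null partner property means "inherit default".
function Get-Effective($name) {
    if ($partner -and $null -ne $partner[$name]) { return $partner[$name] }
    return $default[$name]
}

$inboundTrust = Get-Effective 'inboundTrust'
$collabIn     = Get-Effective 'b2bCollaborationInbound'
$collabOut    = Get-Effective 'b2bCollaborationOutbound'

if ($null -eq $partner) { Write-Host "No organizational settings for $partnerTenantId; default settings apply." }
Write-Host "Inbound MFA trust (needed to clear AADSTS90071 for B2B direct connect): $($inboundTrust.isMfaAccepted)"

# usersAndGroups and applications each carry accessType ('allowed' or 'blocked') plus a target list.
function Describe($setting, $label) {
    $u = $setting.usersAndGroups; $a = $setting.applications
    Write-Host ("{0}: users {1} [{2}]; apps {3} [{4}]" -f $label,
        $u.accessType, (($u.targets | ForEach-Object { $_.target }) -join ','),
        $a.accessType, (($a.targets | ForEach-Object { $_.target }) -join ','))
}
Describe $collabIn  'B2B collaboration inbound'
Describe $collabOut 'B2B collaboration outbound'

# Outbound access to the Rights Management Service app: covered if it (or AllApplications) is in an
# "allowed" list, or if the list is "blocked" and neither entry is present.
$apps    = $collabOut.applications
$listed  = ($apps.targets.target -contains 'AllApplications') -or ($apps.targets.target -contains $omeAppId)
$omeAllowed = ($apps.accessType -eq 'allowed' -and $listed) -or ($apps.accessType -eq 'blocked' -and -not $listed)
Write-Host "Outbound access to Rights Management Service allowed: $omeAllowed"
```

Run the same script from the partner's side to confirm their settings match, since redemption requires both tenants to allow the collaboration.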

I receive the error that Azure AD can't find the aad-extensions-app in my tenant

When you're using self-service sign-up features, like custom user attributes or user flows, an app with the display name "aad-extensions-app. Do not modify. Used by AAD for storing user data." is automatically created. It's used by Azure AD External Identities to store information about users who sign up and the custom attributes collected.

If you accidentally deleted the aad-extensions-app, you have 30 days to recover it. You can restore the app using the Azure AD PowerShell module.

  1. Launch the Azure AD PowerShell module and run Connect-AzureAD.
  2. Sign in as a global administrator for the Azure AD tenant that you want to recover the deleted app for.
  3. Run the PowerShell command Get-AzureADDeletedApplication.
  4. Find the application in the list where the display name begins with aad-extensions-app and copy its ObjectId property value.
  5. Run the PowerShell command Restore-AzureADDeletedApplication -ObjectId {id}. Replace the {id} portion of the command with the ObjectId from the previous step.

You should now see the restored app in the Azure portal.

A guest user was invited successfully but the email attribute isn't populating

Let's say you inadvertently invite a guest user with an email address that matches a user object already in your directory. The guest user object is created, but the email address is added to the otherMail property instead of to the mail or proxyAddresses properties. To avoid this issue, you can search for conflicting user objects in your Azure AD directory by using these PowerShell steps:

  1. Open the Azure AD PowerShell module and run Connect-AzureAD.
  2. Sign in as a global administrator for the Azure AD tenant that you want to check for duplicate contact objects in.
  3. Run the PowerShell command Get-AzureADContact -All $true | ? {$_.ProxyAddresses -match 'user@domain.com'}.
  4. Run the PowerShell command Get-AzureADContact -All $true | ? {$_.Mail -match 'user@domain.com'}.
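The sections on proxyAddress conflicts and on the unpopulated email attribute both come down to an existing object that already carries the address. The following script is an added example, not code from the original article; it assumes the AzureAD module, an existing Connect-AzureAD session, and a constructed sample address. It goes beyond the two contact queries above by also checking user objects, and the mail, proxyAddresses and otherMails properties, so that a conflict can be found before the invitation is sent.

```powershell
# Added example (not from the original article). Assumes Connect-AzureAD has already been run.
$address = 'jane.doe@partner.example'        # constructed sample value
$pattern = [regex]::Escape($address)         # match the address literally, not as a regex

$hits = @()
# Users (members and guests): check mail, proxyAddresses (smtp:/SMTP: prefixed) and otherMails.
Get-AzureADUser -All $true | ForEach-Object {
    $u = $_
    $where = @()
    if ($u.Mail -and $u.Mail -imatch "^$pattern$")     { $where += 'mail' }
    if ($u.ProxyAddresses -imatch "^smtp:$pattern$")   { $where += 'proxyAddresses' }
    if ($u.OtherMails -imatch "^$pattern$")            { $where += 'otherMails' }
    if ($where) {
        $hits += [pscustomobject]@{ Type = 'User'; Id = $u.ObjectId; Name = $u.UserPrincipalName
                                    UserType = $u.UserType; MatchedOn = ($where -join ',') }
    }
}
# Contacts: a conflicting contact object has to be deleted before the address can be re-invited.
Get-AzureADContact -All $true | ForEach-Object {
    $c = $_
    $where = @()
    if ($c.Mail -and $c.Mail -imatch "^$pattern$")     { $where += 'mail' }
    if ($c.ProxyAddresses -imatch "^smtp:$pattern$")   { $where += 'proxyAddresses' }
    if ($where) {
        $hits += [pscustomobject]@{ Type = 'Contact'; Id = $c.ObjectId; Name = $c.DisplayName
                                    UserType = ''; MatchedOn = ($where -join ',') }
    }
}

if ($hits) { $hits | Format-Table -AutoSize }
else       { Write-Host "No object in the directory carries $address; it can be invited without a conflict." }
```

A guest user listed with MatchedOn = otherMails is the case described above: the invitation succeeded, but the address landed in otherMails because another object already held it in mail or proxyAddresses.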

Next steps

Get support for B2B collaboration