Retrieving Azure Active Directory Guest Invites

Azure Active Directory B2B has the ability to invite guest users. This allows you to invite users from other Azure AD tenants into your tenant so that you can grant them access to resources in your tenant (Azure RBAC, Office 365, Azure DevOps, etc.). When you add a guest user, they will be emailed an invite, and when they click on this and accept the invite, the tenant they were invited into will now be displayed in their tenant selector in Azure.

[Screenshot: AAD tenant selector]

This is great if the guest user has an email associated with their account. But what do you do if the user doesn’t have an email account? This is more common than you might think, particularly if you invite users to access Azure resources with RBAC. It is common practice in many companies to have separate admin/privileged accounts for managing privileged resources. These privileged accounts differ from the account the user uses for day-to-day work and often won’t have a mailbox associated with them. We need to take an extra step to retrieve the invite for these scenarios.

Retrieving Invites

The first thing to realise is that the invite sent to the user doesn’t have anything to do with creating the guest account. As soon as you invite the guest user into your tenant, they have access. They don’t need to accept the invitation. It is entirely possible for you to provide them with the URL of your AAD, like below:

https://portal.azure.com/signin/index/@directoryName

This link will open the Azure portal, connected to that tenant, and the guest user will be able to sign in. However, this is a pain long term. The guest user needs to remember the URL or bookmark it and use it each time they want to access the tenant. The better option is to get the tenant into the tenant switcher menu. This is the point of accepting the invite; it adds it to your list of available tenants.

To do this, after you invite the guest user, you can retrieve the invite URL, which you can pass on to the user. They can go to this URL, the same URL they would have obtained in the email, and accept the invite. Retrieving this needs to be done in the tenant the user has been invited into by someone who has access to users in that tenant. The easiest way is to do this when you invite the user.

A new experience is rolling out to the portal for AAD user management, so I will document this process in both views.

Current (legacy) portal view

  • In the Azure Portal, open up the Azure Active Directory pane
  • Go to Users and locate the guest user you invited (or invite them now)
  • On the user dashboard pane, you should see an “Invite Accepted” setting, with the value probably set to “No” and a “manage” link

[Screenshot: User pane]

  • Click the manage link
  • In the window that opens, in the “resend invite” section, change the radio button to “yes”, then respond “yes” to the confirmation window.
  • This will resend the email but also generate an invitation URL on the screen

[Screenshot: Invite]

  • Copy the URL and send it to the user through whatever means you prefer. The user can open the URL as the account you invited and accept the invite. Once they do, the tenant will appear in their tenant switcher.

Preview (new) experience

  • In the Azure Portal, open up the Azure Active Directory pane
  • Go to Users and locate the guest user you invited (or invite them now)
  • At the bottom of the screen is a “B2B collaboration” box with a “Manage (resend invitation / reset status)” link

[Screenshot: Reset box]

  • Click the manage link
  • In the window that opens, in the “resend invite” section, change the radio button to “yes”, then respond “yes” to the confirmation window.
  • This will resend the email but also generate an invitation URL on the screen

[Screenshot: Invite]

  • Copy the URL and send it to the user through whatever means you prefer. The user can open the URL as the account you invited and accept the invite. Once they do, the tenant will appear in their tenant switcher.
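The same thing can be done without the portal at the moment you invite the user, which is the easiest point to capture the URL. The following is an added example, not code from the original post: it uses the Microsoft Graph PowerShell SDK (assumed installed, with the caller holding the User.Invite.All permission in the inviting tenant) to create the invitation with no email sent and return the redeem URL; the guest UPN and redirect URL are placeholders.

```powershell
# Added example (not from the original post): invite a guest through the
# Microsoft Graph PowerShell SDK and capture the redeem URL directly, for
# accounts that have no mailbox to receive the invitation email.
# Assumes the Microsoft.Graph.Identity.SignIns module is installed and the
# signed-in admin holds User.Invite.All in the tenant doing the inviting.

param(
    # UPN of the account being invited (placeholder value, not a real tenant)
    [Parameter(Mandatory)] [string] $GuestUpn,
    [string] $DisplayName = $GuestUpn,
    # Where the user lands after redeeming; the portal is the usual choice
    [string] $RedirectUrl = "https://portal.azure.com"
)

Connect-MgGraph -Scopes "User.Invite.All" | Out-Null

# SendInvitationMessage:$false means no email is sent at all. As the post
# notes, the guest object exists and has access as soon as this call
# returns; redeeming the URL only adds the tenant to the user's tenant
# switcher, so a missing mailbox does not block access.
$invite = New-MgInvitation `
    -InvitedUserEmailAddress $GuestUpn `
    -InvitedUserDisplayName  $DisplayName `
    -InviteRedirectUrl       $RedirectUrl `
    -SendInvitationMessage:$false

# The redeem URL is a single-purpose secret tied to this invitation: record
# the guest's object id for later auditing and hand the URL to the user
# over a channel you already trust for that account.
[pscustomobject]@{
    GuestObjectId = $invite.InvitedUser.Id
    RedeemUrl     = $invite.InviteRedeemUrl
}
```

After the user has redeemed the URL, `Get-MgUser -UserId <GuestObjectId> -Property ExternalUserState` should report `Accepted` instead of `PendingAcceptance`, which is the same state the portal's "Invite Accepted" field shows.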