A common ask is “We wish to enable only named people to join as a guest to our Teams, we don’t want anyone from the organization to invite anyone they like – we need to control this with an internal workflow.” to satisfy this request, we will use native capabilities within Azure Active Directory and Office 365 to enable group owners to add existing external guests to their team/office 365 group. In addition, we will enable only specific people in the organization with the permission to create and add new guests accounts to the directory.
Note: This is the basic example, this can be adapted to more complex workflows of approval/automation to make this more customized to a specific requirement.
In Office 365 Admin Center, navigate to “Services & add-ins”, select “Office 365 Groups” and enable “Let group owners add people outside the organization to groups”
To make sure your guests will also have access to the SharePoint files, enable external sharing using the SharePoint Admin Center. with alignment to our blog theme, we will enable access to Existing accounts only.
We are now ready to limit who can invite external guests. we will configure this using the Azure Active Directory blade in the Azure portal.
Disabling “Members can invite” and “Guests can invite” will effectively achieve our goal – “Admins and users in the guest inviter role can invite”
Finally add assign the “Guest inviter” role to whom ever you need
The configuration is now complete, a Guest Inviter or an Admin can now add new guests to the directory, and follow whatever internal due diligence or workflow prior to that. Using the (new) AzureAD PowerShell module is my personal recommendation, this way the guest user could be silently added to the directory – and an email will not be sent to him. later on an owner of an Office 365 Group or a Microsoft Teams group could add him easily like any other member – and that will trigger the email invite to the external user.
New-AzureADMSInvitation -InvitedUserDisplayName "John Doe (External)" -InvitedUserEmailAddress "firstname.lastname@example.org" -SendInvitationMessage:$false -InviteRedirectUrl "http://just.a.placeholder.local"
Using the Azure AD portal is also available to the guest inviter role if PowerShell is out of the question
And if you’ve wondered, this is the error if someone would try to add a new guest account and they don’t have the proper permissions in Microsoft Teams.
2017-07-27 – I’ve included another important note about adding the “Authentication Methods References” claim
Hi again, this is a quick note for anyone who will try to achieve this. I’m writing this post after the topic has been raised from customers and my colleges.
Here are some of the challenges that might brought to you here
An Azure AD tenant, with a federated domain pointing to an ADFS
ADFS server running 2012 R2 / 2016 with a Multi Factor setup, either with Azure MFA or a 3rd party MFA provider
A conditional access / identity protection policy in Azure AD which should enforce Multi Factor authentication
ADFS 2016 with Azure MFA set as primary authentication
Event ID 364 on the ADFS server – Encountered error during federation passive request. MSIS7042: The same client browser session has made ‘6’ requests in the last ‘4’ seconds
While configuring this, you might get multiple Multi Factor prompts, user performs MFA on-premises, but when redirected back to Azure AD – second factor prompt in cloud is presented. Here’s how you win:
Make sure you configure the federated domain setting in Azure AD with -SupportsMFA $true – this will point Multi Factor“requests” to the ADFS:
In addition to the above you also need to make sure to configure -PromptLoginBehavior Disabled, this will make sure that authentication requests from Azure AD will reach the ADFS “correctly” and won’t cause it to re-authenticate your users:
So you’ve purchased Microsoft’s Enterprise Mobility Suite (EMS) licenses, now you need to assign them to users within your organization. A typical situation will be that you already have Office 365 licensed users, and it make sense that all of them will get EMS licenses too.
To achieve this, I would suggest using an Azure AD group with Dynamic Group membership. in this example, the group will include accounts that match ALL these conditions:
There are some known limitation and inconsistency with user photos synchronization from Active Directory (using the thumbnailPhoto attribute) to Azure AD and Office 365 apps: Exchange, SharePoint and Skype for Business (aka Lync), specifically if you want to upload high resolution photos of your users that will span across all of Office 365 services.
After spending some research time around this issue, here are my findings:
“High Resolution” in our context is a 648 x 648 pixel dimension size JPEG photo
The Active Directory thumbnailPhoto attribute value is limited to about 100KB in size – this will mostly prevent you from uploading a “high resolution” photo
“Common knowledge” around synchronizing the thumbnailPhoto using Directory Synchronization (aka DirSync / AAD Sync/ AAD Connect) to Office 365 / Azure AD is that the attribute should not exceed 10KB, and the recommended photo dimension is 96 x 96 pixels – This is really an “Exchange” limit as far as I know..
When User Photos are stored within Office 365 a web service handles requests for the photo with predefined allowed sizes for example – https://outlook.office365.com/owa/service.svc/s/GetPersonaPhotoemail@example.com&size=HR648x648
Modify this to your email address to try this out
There are quite a few possible sizes, try for example 96×96 and 240×240 to get the idea
SharePoint holds a separate location and also a few versions for it’s images within each users profile folder and is suppose to synchronize those from Exchange Web Services
The Set-UserPhoto cmdlet from Exchange (Online and On-Prem) allows you to save high resolution photos, and integrates with Skype for Business Server 2015 (also for Lync 2013) and SharePoint 2013/2016 – each product with it’s own flow which I’m not going into explaining.
So to summarize at this point, we want to import high resolution photos to our users. If we rely on the thumbnailPhoto attribute value from Active Directory, we will end up with low resolution images (needs more JPEG effect) or inconsistent results if we look on the SharePoint case.
To upload high resolution photos to Office 365, you should use Set-UserPhoto. This approach works great for Exchange Online, Skype for Business and Azure AD. Although promising, my testing (and others..) showed that if your users’ photos were previously synced to SharePoint Online – they will not necessarily be updated using this method.
Here is my take on solving this, in a somewhat chronological order:
If you need your on-premises thumbnailPhoto attribute populated, keep your current practice of maintaining them.