Office 365: Office 365 Groups and External / Guest Accounts

In support, interesting cases often come across your desk, and sometimes the questions and situations presented are odd. On occasion you look at one of them and think "that's impossible"... and that's what happened here.

In this escalation, the customer reported that when they removed a user from an Office 365 Group (Unified Group) and added a different user, the original user they had removed came back into the group membership while the new user was not added. That's interesting: a user that was removed successfully would simply reappear in the group when a completely different user was added. Turns out it actually happened. Let's take a look.

I have a test tenant TenantA.onmicrosoft.com.  In this tenant, I create an Office 365 Group named Test.  By default, the group membership contains the group owner and this is reflected in Outlook Web Access.

[Screenshot: group membership of Test in Outlook Web Access, showing only the group owner]

Guest access is enabled for the tenant and a guest account is added.  In this case, the guest account is tmcmichael@domainA.org.  The new guest member is reflected in Outlook Web Access.

[Screenshot: group membership in Outlook Web Access, now including the guest tmcmichael@domainA.org]

When a guest account is added to an Office 365 Group, a guest account object is first provisioned in Azure Active Directory. We can see the guest account with Get-MsolUser.

PS C:\Users\timmcmic> Get-MsolUser -SearchString tmcmichael

UserPrincipalName DisplayName isLicensed
----------------- ----------- ----------
tmcmichael_domainA.org#EXT#@tenantA.onmicrosoft.com tmcmichael@domainA.org False

Through a forward synchronization process, the guest account is then replicated into Exchange Online as a mail user object. We can see the mail user object with Get-Recipient.

PS C:\Users\timmcmic> Get-Recipient tmcmichael*

Name RecipientType
---- -------------
tmcmichael_domainA.org#EXT# MailUser

At this time, I will remove the account tmcmichael@domainA.org from the Office 365 Group and save the changes.

[Screenshot: removing tmcmichael@domainA.org from the group membership in Outlook Web Access]

Although the user was removed from the group, and does not exist in any other group or guest arrangement, the account remains in Azure Active Directory and Exchange Online.

PS C:\Users\timmcmic> Get-MsolUser -SearchString tmcmichael

UserPrincipalName DisplayName isLicensed
----------------- ----------- ----------
tmcmichael_domainA.org#EXT#@tenantA.onmicrosoft.com tmcmichael@domainA.org False

PS C:\Users\timmcmic> Get-Recipient tmcmichael*

Name RecipientType
---- -------------
tmcmichael_domainA.org#EXT# MailUser

With the user removed, I will now invite the new user that I wish to grant guest access. In this instance, that user is tmcmichael@domainB.com.

[Screenshot: inviting tmcmichael@domainB.com to the group in Outlook Web Access]

The user was added successfully, but when refreshing the group membership, the new user vanishes and the original user appears in the group! What happened?

[Screenshot: refreshed group membership showing tmcmichael@domainA.org instead of tmcmichael@domainB.com]

In this instance, DomainA.org and DomainB.com both belong to tenantB.onmicrosoft.com. In tenantB.onmicrosoft.com, the recipient TMcMichael has proxy addresses assigned for both TMcMichael@domainA.org and TMcMichael@domainB.com.

PS C:\Users\timmcmic> $a=Get-MsolUser -SearchString tmcmichael

PS C:\Users\timmcmic> $a.ProxyAddresses
smtp:tmcmichael@domainB.com
smtp:tmcmichael@aaa
SMTP:tmcmichael@domainA.org
smtp:tmcmichael@aaa.org
smtp:tmcmichael@aaa.mail.onmicrosoft.com
smtp:tmcmichael@aaa.onmicrosoft.com
smtp:director@aaa.com
smtp:2148@aaa.com

A guest account receives a link to access the group, and that link grants the permissions to access the group and its data. In this case, tmcmichael@domainA.org and tmcmichael@domainB.com are two addresses of one and the same object. When tmcmichael@domainB.com is added, Azure Active Directory resolves this address and determines that it belongs to the same object that owns tmcmichael@domainA.org. When this occurs, no new guest account is created; the original guest account and mail user are retained, and the membership is updated in Exchange Online. Because the original mail user object is retained, the GUI displays the attributes of that mail user upon refresh, giving the appearance that the user we removed was added again and that the user we wanted to add was not added.

At this time, our product engineering group is investigating alternate ways to handle this, since resolving to the same object and failing to show the desired addition causes confusion within the UI. If you find this confusing and want to fix it, the only method is to remove the guest account from Azure Active Directory and start over. This forces a new guest account to be provisioned. Removing the guest account also removes any access that original account had via links or emails to all Office 365 properties, so you may want to proceed with caution.
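The following is an added example, not code from the original post. It turns the diagnosis above into a repeatable check for a tenant admin: before inviting an external address, look for an existing guest object in the tenant that the invitation could resolve to, show the Exchange Online mail user the GUI will display, and list every Office 365 Group the guest is still linked to, so that nothing is removed without knowing what access goes with it. Removal is gated behind an explicit switch because, as noted above, deleting the guest revokes all link-based access that object had. It assumes existing MSOnline (Connect-MsolService) and Exchange Online PowerShell sessions; the tenant name tenantA.onmicrosoft.com is the post's test tenant, and the function names are my own.

```powershell
# Added example (not from the original post). Assumes Connect-MsolService and an
# Exchange Online PowerShell session are already established.

function Get-ExpectedGuestUpn {
    param(
        [Parameter(Mandatory)] [string] $ExternalAddress,
        [string] $TenantDomain = 'tenantA.onmicrosoft.com'   # assumption: the post's test tenant
    )
    # Azure AD names guest accounts user_domain#EXT#@<tenant>, as in the Get-MsolUser output above.
    $user, $domain = $ExternalAddress -split '@', 2
    return '{0}_{1}#EXT#@{2}' -f $user, $domain, $TenantDomain
}

function Find-GuestForAddress {
    param([Parameter(Mandatory)] [string] $ExternalAddress)

    # Search on the local part only: the existing guest may carry a different primary
    # SMTP domain (domainA.org) than the address being invited (domainB.com) and still
    # be the same home-tenant object, which is exactly the case described in the post.
    $localPart = ($ExternalAddress -split '@')[0]
    $guests = Get-MsolUser -SearchString $localPart |
        Where-Object { $_.UserPrincipalName -like '*#EXT#@*' }

    foreach ($g in $guests) {
        # The mail user in Exchange Online whose attributes the GUI shows after a refresh
        $recipient = Get-Recipient -Identity $g.UserPrincipalName -ErrorAction SilentlyContinue

        # Every Unified Group the guest is still a member of (empty list = safe to remove)
        $groups = @()
        if ($recipient) {
            $groups = Get-UnifiedGroup -ResultSize Unlimited | Where-Object {
                $members = Get-UnifiedGroupLinks -Identity $_.Identity -LinkType Members -ResultSize Unlimited
                $members.Name -contains $recipient.Name
            }
        }

        [pscustomobject]@{
            GuestUpn        = $g.UserPrincipalName
            ExpectedUpn     = Get-ExpectedGuestUpn -ExternalAddress $ExternalAddress
            ExchangeObject  = if ($recipient) { $recipient.Name } else { '<not yet synchronized>' }
            GroupMembership = @($groups.DisplayName)
        }
    }
}

function Remove-StaleGuest {
    param(
        [Parameter(Mandatory)] [string] $GuestUpn,
        [switch] $Confirmed
    )
    # Deleting the guest revokes every link- or mail-based access that object had across
    # all Office 365 properties, so require an explicit opt-in instead of removing by default.
    if (-not $Confirmed) {
        Write-Warning "Would remove $GuestUpn. Re-run with -Confirmed to proceed."
        return
    }
    Remove-MsolUser -UserPrincipalName $GuestUpn -Force
    # Assumption: purging the soft-deleted object as well ensures the next invitation
    # provisions a fresh guest rather than restoring this one.
    Remove-MsolUser -UserPrincipalName $GuestUpn -RemoveFromRecycleBin -Force
}

# Usage with the addresses from the post:
#   Find-GuestForAddress -ExternalAddress 'tmcmichael@domainB.com'
#   Remove-StaleGuest -GuestUpn 'tmcmichael_domainA.org#EXT#@tenantA.onmicrosoft.com' -Confirmed
```

Run Find-GuestForAddress first: if it returns a guest whose GuestUpn differs from ExpectedUpn but shares the local part, that is the pattern from this case, and the GroupMembership column tells you what the guest still has access to before you decide to remove it.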