Solution for guest accounts with an organisation account without Office365 tenant to be able to login at teams.microsoft.com
I have created several guest accounts following the instructions here:
1. Enabled Guest Access in Office365 Admin Center
2. Added guest account through Azure Active Directory
   a. Guest account received email Azure AD "You're invited to the organization"
   b. Guest follows the "Get Started" link in the email to create a password
4. Added guest to a Team through Microsoft Teams desktop application
   a. Guest account received email Teams "You have been added to a team in Microsoft Teams"
   b. Guest follows the "Open Microsoft Teams" link in the email to be sent to teams.microsoft.com
   c. Guest is redirected to login.microsoftonline.com
   d. Guest logs in using email/password from #2b
   e. Guest is redirected to the Teams page and is able to work.
When the Guest tries to login directly to Teams - either through teams.microsoft.com or the Teams desktop application - they are redirected first to a login page (login.microsoftonline.com), then after login to an error page:
The Guest can still login/access Teams following the "Open Microsoft Teams" link in the #4b email.
If the Guest adds the "tenantId" indicated in the #4b/Open Msft Teams email to the Teams URL, for example: https://teams.microsoft.com?tenantId=1234567-89ab-cdef-0123-456789abcdef
1. Guest is redirected to login.microsoftonline.com
2. Guest logs in using username/password
3. Guest is redirected back to https://teams.microsoft.com/_?tenantId=1234567-89ab-cdef-0123-456789abcdef
4. Guest can now access the Team (without the UserLicenseNotPresentForbidden error)
This workaround only works through the Browser - it does not work through the Teams Desktop App, as it is not possible to include the requisite "tenantId" to login. Using the Desktop App always fails with UserLicenseNotPresentForbidden.
When the Guest is logged in using the correct "tenantId", the Teams menu (in the Browser) looks like this:
If the Guest clicks on the other account under "Your accounts" (abcdef-0123-4567-89ab-cdef012345), the Guest is redirected to the UserLicenseNotPresentForbidden error page.
It seems that a Guest has been assigned two different "tenantId"s (or Azure Object IDs), the first is the one created in step #2, the second is the one created in step #4. When the Guest tries to login without specifying the tenantId, login.microsoftonline.com defaults to the tenantId in #2 (which isn't authorized to access Teams).
I see no place in Teams, Office365 Admin Center, or Azure AD to manage these separate 'tenantId's or allow the Guest to login to Teams using the Desktop App.
If anyone is still hitting this issue, please respond in the comments section of this topic and let me know!
My head hurts from trying to test guest access this past week.
People who have existing AAD accounts (like O365) and have logged in from their AAD joined systems cannot successfully login as guests for other tenants. It does not work with the app (you get “something went wrong.. try logging out and back in again” during login). It does not work via a browser.
So... this is blocking our use of Teams for a serious project we thought would be great.
Scott S commented
We are currently struggling with this issue as well because we have collaborators who work for other organizations in Azure AD that do not yet provision a Teams license to their staff. The most effective workaround I've found for a bulk invite is using PowerShell to do the guest account invitation. In that invitation, the key piece of information is the -InviteRedirectURL parameter. To retrieve the correct value you must right-click on the Team you are inviting your guests to and select "Get Link". That value is what you use to populate the -InviteRedirectUrl value.
NOTE: While it is possible to programmatically add Guest (or User) accounts to a Group/Team using Add-AzureADGroupMember, there can be a long synchronization delay. I strongly recommend you directly add Guests through the "Manage Team" interface while logged into the Team as an Owner to avoid permissions problems from guests who redeem invitations prior to completion of back-end sync processes. Failure to follow this advice will result in Guests experiencing permission errors when they redeem their invitations and are redirected to the Teams URL.
# Log in via the GUI after running the Connect-AzureAD command. You may need to join the Guest Inviter role if your organization has locked down guest invitations.
Connect-AzureAD
# The example assumes you have a CSV file including header fields called "Name" and "InvitedUserEmailAddress". The Name field is what becomes the display name for the Guest account in Azure AD. Change the path to where your CSV file is located.
$invitations = Import-Csv C:\Temp\bulkguestinvite.csv
$messageInfo = New-Object Microsoft.Open.MSGraph.Model.InvitedUserMessageInfo
$messageInfo.customizedMessageBody = "You are receiving this email invitation at the request of blah blah blah support info etc."
# Send one invitation per CSV row; -InviteRedirectUrl carries the Team's "Get Link" value.
foreach ($email in $invitations) {
    New-AzureADMSInvitation `
        -InvitedUserEmailAddress $email.InvitedUserEmailAddress `
        -InvitedUserDisplayName $email.Name `
        -InviteRedirectUrl 'https://teams.microsoft.com/l/team/19:cd67dcf34917739afdac98f58be6e8d4%40thread.skype/conversations?tenantId=12345679-45644-44e6-bc28-236b1dadd334' `
        -InvitedUserMessageInfo $messageInfo `
        -SendInvitationMessage $true
}
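A pre-flight check for the -InviteRedirectUrl value described in the comment above, as an added example that is not part of the original thread. Test-TeamInviteLink is a hypothetical helper and the expected tenant GUID is constructed; the check confirms the link is an https teams.microsoft.com URL whose tenantId parses as a GUID and matches the inviting tenant before any invitation is sent.

```powershell
# Added example (not from the thread). Test-TeamInviteLink is a hypothetical helper name.
function Test-TeamInviteLink {
    param(
        [Parameter(Mandatory)][string]$Link,
        [Parameter(Mandatory)][guid]$ExpectedTenantId
    )
    $problems = New-Object System.Collections.Generic.List[string]
    $uri = $null
    if (-not [Uri]::TryCreate($Link, [UriKind]::Absolute, [ref]$uri)) {
        $problems.Add('not an absolute URL')
    } else {
        if ($uri.Scheme -ne 'https') { $problems.Add('scheme is not https') }
        if ($uri.Host -ne 'teams.microsoft.com') { $problems.Add("unexpected host '$($uri.Host)'") }

        # Find the tenantId query parameter; the split limit keeps any '=' inside the value.
        $tenantRaw = $null
        foreach ($pair in ($uri.Query.TrimStart('?') -split '&')) {
            $key, $value = $pair -split '=', 2
            if ($key -eq 'tenantId' -and $value) { $tenantRaw = [Uri]::UnescapeDataString($value) }
        }

        $tenant = [guid]::Empty
        if (-not $tenantRaw) {
            $problems.Add('no tenantId parameter')
        } elseif (-not [guid]::TryParse($tenantRaw, [ref]$tenant)) {
            $problems.Add("tenantId '$tenantRaw' is not a GUID")
        } elseif ($tenant -ne $ExpectedTenantId) {
            $problems.Add("tenantId $tenant is not the inviting tenant")
        }
    }
    [pscustomobject]@{ Link = $Link; Ok = ($problems.Count -eq 0); Problems = $problems -join '; ' }
}

# Constructed tenant GUID. When connected, (Get-AzureADTenantDetail).ObjectId returns the real one.
$myTenant = [guid]'11111111-2222-3333-4444-555555555555'

# The first link is the redacted sample from the comment above; the others are constructed.
$links = @(
    'https://teams.microsoft.com/l/team/19:cd67dcf34917739afdac98f58be6e8d4%40thread.skype/conversations?tenantId=12345679-45644-44e6-bc28-236b1dadd334',
    'https://teams.microsoft.com/l/team/19:example%40thread.skype/conversations?tenantId=11111111-2222-3333-4444-555555555555',
    'https://teams.microsoft.com/l/team/19:example%40thread.skype/conversations'
)
$links | ForEach-Object { Test-TeamInviteLink -Link $_ -ExpectedTenantId $myTenant } | Format-List
```

The redacted sample link fails the GUID check, which is the reminder to paste your own Team's "Get Link" value before running the bulk invite.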
MSA is not a true guest account.
Please put real guest access on the roadmap. Store all guest data in my tenant.
These workarounds and requests people are asking are hardly solutions. They are settling for second rate solutions when Microsoft should just do this properly and use the likes of WebEx Teams as the bar of acceptable requirement to interact with guests. Even the concept of having to create a Guest in AD is asinine! I have two family members both of which have hotmail accounts and I have done exactly what Microsoft said to do settings wise. I have tried sending them messages 1:1 not as a team and it shows the message as delivered but nothing shows up on any of their devices. This is a HUGE fail Microsoft.
Come on Microsoft, your Teams Guest user capabilities, in true Microsoft fashion, are HORRIBLE! Take a look how simple a feature rich WebEx Teams has made inviting and interacting with non-users of WebEx Teams either in a Team or 1:1 and use that as what you need to implement. I was about to deploy Microsoft Teams to my customer base (I’m an MSP) but I can’t recommend doing so because of the limitations imposed on Guest/Free Users compared to WebEx Teams who has this functionality rather nailed vs this MS sh*+ show.
Given Azure AD support for Google logins (via Google IDP), apparently the issue with logins is identifying the correct organization/tenant, such that it knows what Teams organization to log in to.
Given the Google IDP setup all works, it is very frustrating that one can't extend guest access to Google users even though one can get them into Azure AD.
Launching Teams and entering the Google account has the user prompted with the correct authentication provider screen (Google), and it accepts the password, and starts to render the Teams main window and then crashes...
I came across this issue too. A guest user cannot use MS Teams because their original organisation prohibits the use of MS Teams. Can we use the workaround provided in this post, and update the desktop app to accept the redirect team id? e.g. use a QR code to enable Teams to log in with a different tenant id, or add a .config or .ini file, or command line to accept the id?
In layman's terms - in my experience anyone with an existing Microsoft account somewhere that gets invited as a guest to MS Teams has an awful time getting in. It's happened so much that I add them as provisioned users, eat the $5 and then kill them when the project is over. MS please fix this so it's as smooth as Slack.
Peter Rozek commented
Getting this same issue while trying to join another company's team. I'll direct them here.
Same issue as others. Meeting guests who have O365 accounts, but don't have Teams enabled in their tenant are getting the lovely "You're missing out!" message when they click the meeting link. Pasting the meeting link into an incognito/private browser and joining via web app seems to work, but this is pretty trash.
Every single day I stumble on a new issue with Teams.
Having this issue with iOS Teams and guest login. PC desktop and Chrome web logins are working (the latter works on iPad too).
The guest has an O365 account, but not Teams. Still she is recognized via her O365 account rather than as a guest when trying to sign up in the iOS Teams app as a guest. And the error is "you're missing out ask your admin..."
Ian Caldwell commented
Argh! I just hit this guest access issue today for the first time. There is no way to know which external people have Office 365 business subscriptions - possibly only Outlook - but then they get hit by a brick wall "you're missing out ask your admin to enable microsoft teams". So far, the workaround is not working for us, trying to force the tenant ID for Teams.
We have configured our Office 365 tenant to be as open and sharing as possible, guests are enabled for everywhere with the highest level of access possible.
Mac Cabillo commented
Thanks for the workaround. But having the same issue when using the desktop app
Same "UserLicenseNotPresentForbidden" problem here when a guest tries to login directly over https://teams.microsoft.com or the desktop app!
FYI Guest Access is enabled in the Office Admin portal. (Services and Add-ins > Microsoft Teams)
Can confirm my guest users cannot use the mobile app. They get a licensing error
Dan Smith commented
I can confirm that we're hitting this issue as well.
- Created an Azure AD user account (no license in Office 365)
- Added to Team (success)
- Attempted to logon to teams.microsoft.com
- The team UI is shown for a split-second and then replaced with a splash page asking the user to tell the "administrator" to enable Teams for the tenant.
Chris Webb commented
Still having this same issue and it's a huge issue. There are some e-mail logins people use that somehow fall under a work account and these people have no clue that it's hosted on O365 or Azure AD. Because of this they have no control and those tenants don't have or allow Teams so because of this they cannot access any other Tenant's Team as a guest, so constantly having to create new MSA accounts to invite people to Teams which is less than ideal, especially when they want e-mail notifications sent to their primary e-mail address. Trying to test changing the "alternate e-mail" address on their guest account in my tenant, but I don't think this works and is a bandaid approach.
What really needs to happen is when joining as a guest, it doesn't check if Teams is licensed and or turned on with their homed accounts. This would fix this problem.
Also a secondary issue with this, they have a work account and an MSA account with the same address. This wouldn't be an issue other than the fact that the Teams Client defaults to their work account once switched to the guest tenant and accepting the B2B/guest account, so you cannot join the Team in this instance with the personal account and then you're back at step one with having to either create a new account or change the login alias for the original account. Both not great user experiences and causing tons of wasted support time in my org.
Jacob Rosengren commented
We have the same problem with other parts of our company that are not using the same Office365 subscription.
Seb Herrmann commented
Guest access user experience for MS Teams is very poor. We have this issue as well, and it's preventing further adoption of our Teams / and external collaboration with partners as it's so clunky and difficult for users to gain seamless access to Teams.
The work around to use the link in original email does work, but it's not practical for guest access. Please address / update us on this issue progress.
Chris Webb commented
Hi Warren, getting the same issue. The problem is users don't know they have Office 365, or users that have both an MSA and an O365 account with the same e-mail are running into this issue. It seems even if you pick personal account login the desktop client still tries to login to the work account and you get the "Please enable teams" error, or no license etc. because it's trying to use the work account and not the MSA account. I know having them change their MSA account primary alias fixes this but it's rough to have them do that and reinvite their new alias etc.