Solution for guests accounts with an organisation account without Office365 tenant to be able to login at teams.microsoft.com
I have created several guest accounts following the instructions here:
https://docs.microsoft.com/en-us/microsoftteams/guest-access
Basically,
Enabled Guest Access in Office365 Admin Center
Added guest account through Azure Active Directory
a. Guest account received email Azure AD "You're invited to the organization"
b. Guest follows the "Get Started" link in the email to create a password
- Added guest to a Team through Microsoft Teams desktop application
a. Guest account received email Teams "You have been added to a team in Microsoft Teams"
b. Guest follows the "Open Microsoft Teams" link in the email to be sent to teams.microsoft.com
c. Guest is redirected to login.microsoftonline.com
d. Guest logins in using email/password from #2b
e. Guest is redirected to the Teams page and is able to work.
--
When the Guest tries to login directly to Teams - either through teams.microsoft.com or the Teams desktop application - they are redirected first to a login page (login.microsoftonline.com), then after login to an error page:
https://teams.microsoft.com/_#/licenseError?errorCode=UserLicenseNotPresentForbidden
The Guest can still login/access Teams following the "Open Microsoft Teams" link in the #4b email.
Workaround
If the Guest adds the "tenantId" indicated in the #4b/Open Msft Teams email to the Teams URL, for example: https://teams.microsoft.com?tenantId=1234567-89ab-cdef-0123-456789abcdef
Guest is redirected to login.microsoftonline.com
Guest logs in using username/password
Guest is redirected back to https://teams.microsoft.com/_?tenantId=1234567-89ab-cdef-0123-456789abcdef
Guest can now access the Team (without the UserLicenseNotPresentForbidden error)
This workaround only works through the Browser - it does not work through the Teams Desktop App, as it is not possible to include the requisite "tenantId" to login. Using the Desktop App always fails with UserLicenseNotPresentForbidden.
When the Guest is logged in using the correct "tenantId", the Teams menu (in the Browser) looks like this:
microsoft-teams-menu.png
If the Guest clicks on the other account under "Your accounts" (abcdef-0123-4567-89ab-cdef012345), the Guest is redirected to the UserLicenseNotPresentForbidden error page.
microsoft-teams-userlicensenotpresent.png
It seems that a Guest has been assigned two different "tenantId"s (or Azure Object IDs), the first is the one created in step #2, the second is the one created in step #4. When the Guest tries to login without specifying the tenantId, login.microsoftonline.com defaults to the tenantId in #2 (which isn't authorized to access Teams).
I see no place in Teams, Office365 Admin Center, or Azure AD to manage these separate 'tenantId's or allow the Guest to login to Teams using the Desktop App.
Jorik Polhuis
shared this idea
If anyone is still hitting this issue, please respond in the comments section of this topic and let me know!
Thanks!
-Warren
34 comments
-
Gaute Alvestad
commented
Hi. This is still an issue. We have b2c tenant w/users which we invite to a different tenant w/teams. The issue at hand, I am assuming, is that the apps are only retrieving the tenantid/license of the b2c tenant, and is not discovering it's a guest in a different tenant. (As Jorik explains)
It works fine in browser, where we can define the tenantId, https://teams.microsoft.com/_?tenantId={tenantid} or https://teams.microsoft.com/dl/launcher/launcher.html?url=%2f_%23%2fl%2fteam%2fconversations%3ftenantId={tentantId}&type=team&suppressPrompt=true
I have even gotten it to work with the windows desktop app, by editing the config file for the app.
Powershell: (xxxx-Guid is the teams tenantid)
$FileContent=Get-Content -Path "$ENV:APPDATA\Microsoft\Teams\desktop-config.json"
$JSONObject=ConvertFrom-Json -InputObject $FileContent# Update config object
$JSONObject.upnWindowUserUpn = ""$JSONObject.homeTenantId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
$JSONObject.guestTenantId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
$JSONObject.userOid = "";
$JSONObject.userTid = "";# Stop teams prosses
Get-Process Teams | Stop-Process -Force# Update config file
$NewFileContent=$JSONObject | ConvertTo-Json -Compress
$NewFileContent | Set-Content -Path "$ENV:APPDATA\Microsoft\Teams\desktop-config.json"# Start teams client
Start-Process -FilePath "$ENV:LOCALAPPDATA\Microsoft\Teams\current\teams.exe"But this (editing config file) is sadly not possible on iOS and other "closed" devices.
So it is possible, if we had the possiblity to define the tenantId in the app. Something like "fallbackTenantId" or "defaultTenantId". Could be under advanced settings or someting.
-
SjoerdV
commented
still a problem indeed! please fix it by adding the tenantid parameter in the original invitation email, this way we can just say to Guest Users (or their managers): "please use the original link in the original invitation email to get into Teams in the right tenant". And treating all types of Guest Users (OTP, MSA, ext-AAD) as OTP accounts would be a step in the right direction, this way there would only be one way of managing all these type of accounts, and if you want to use licenses cross-tenant (ext-AAD), make it in such a way that this is only being done on the back-end, we do not want to bore end-users with license errors, do we ;-)
-
jonatan
commented
still a problem, please fix asap!
-
Thomas van der Elsen
commented
Still an issue here. Org doesn't have 365 but user is a guest on another. Email link opens Teams app to sign in, and on signing up it says there are no Team orgs yet. No ability to select tenant, and it seems the email link that works to access Teams on a desktop, does not work on a mobile (presumably the app is ignoring the tenant id).
-
Anonymous
commented
Getting an issue at 2b step. It seems to bypass this for a new user and goes to page for teams tenant. Shows 1 teams group in this instance that new user was invited to and errors back when user clicks on it.
-
Mark Rogalski
commented
I am having issues like this as well with some users, but not with others.
-
Gwapo
commented
I have my verified domain in my tenant but we are using Gsuite for email. Now I have a Gsuite user (under the same domain) that would like to add in Teams. Apparently I can't add that user as a guest because the system is trying to look up the email address within O365 users which does not really exist in O365 since again it is in Gsuite.
-
amardeep Bhingardeve
commented
I wish to remove guest account from teams desktop App, Please guide
-
Graham Snow
commented
Added a new Guest user to our tenant for the first time today. Still seeing this problem.
-
PeterGV
commented
My head hurts from trying to test guest access this past week.
People who have existing AAD accounts(like O365) and have logged in from their AAD joined systems, cannot successfully login as guests for other tenants. It does not work with the app (you get “something went wrong.. try logging out and back in again” during login). It does not work via a browser.
So... this is blocking our use of Teams for a serious project we thought would be great.
-
Scott S
commented
We are currently struggling with this issue as well because we have collaborators who work for other organizations in Azure AD that do not yet provision a Teams license to their staff. The most effective workaround I've found for a bulk invite is using PowerShell to do the guest account invitation. In that invitation, the key piece of information is the -InviteRedirectURL parameter. To retrieve the correct value you must right-click on the Team you are inviting your guests to and select "Get Link". That value is what you use to populate the -InviteRedirectUrl value.
NOTE: While it is possible to programmatically add Guest (or User) accounts to a Group/Team using Add-AzureADGroupMember, there can be a long synchronization delay. I strongly recommend you directly add Guests through the "Manage Team" interface while logged into the Team as an Owner to avoid permissions problems from guests who redeem invitations prior to completion of back-end sync processes. Failure to follow this advice will result in Guests experiencing permission errors when they redeem their invitations and are redirected to the Teams URL.
Example:
#Login via the GUI after running the Connect-AzureAD command. You may need to join the Guest Inviter role if your organization has locked down guest invitations.
Connect-AzureAD
#The example assumes you have a CSV file including header fields called "Name" and "InvitedUserEmailAddress". The Name field is what becomes the display name for the Guest account in Azure AD. Change the path to where your CSV file is located.$invitations = import-csv C:\Temp\bulkguestinvite.csv
$messageInfo = New-Object Microsoft.Open.MSGraph.Model.InvitedUserMessageInfo
$messageInfo.customizedMessageBody = "You are receiving this email invitation at the request of blah blah blah support info etc."
foreach ($email in $invitations)
{New-AzureADMSInvitation `
-InvitedUserEmailAddress $email.InvitedUserEmailAddress `
-InvitedUserDisplayName $email.Name `
-InviteRedirectUrl https://teams.microsoft.com/l/team/19:cd67dcf34917739afdac98f58be6e8d4%40thread.skype/conversations?tenantId=12345679-45644-44e6-bc28-236b1dadd334 `
-InvitedUserMessageInfo $messageInfo `
-SendInvitationMessage $true
} -
James
commented
MSA is not a true guest account.
Please put real guest access on the roadmap. Store all guest data in my tenant.
-
Anonymous
commented
These workarounds and request people are asking are hardly solutions. They are settling for second rate solutions when Microsoft should just do this properly and use the likes of WebEx Teams as the bar of acceptable requirement to interact with quests. Even the concept of having to creat a Guest in AD is asinine! I have two family members both of which have hotmail accounts and I have done exactly what Microsoft said to do settings wise. I have tried sending them messages 1:1 not as a team and it shows the message as delivered but nothing shows up on any of their devices. This is a HUGE fail Microsoft.
-
Anonymous
commented
Come on Microsoft, your Teams Guest user capabilities in true Microsoft fashion is HORRIBLE! Take a look how simple a feature rich WebEx Teams has made inviting and interacting with non-users of WebEx Teams either in a Team or 1:1 and use that as what you need to implement. I was about to deploy Microsoft Teams to my customer base (I’m an MSP) but I can’t recommend doing so because the limitations imposed on Guest/Free Users compared to WebEx Teams who has this functionality rather nailed vs this MS sh*+ show.
-
SimonS
commented
Given Azure AD Support for Google Logins (via google IDP), Apparently the issue is with logins is identifying the correct organization/tenant, such that I knows what Teams Organization to login to.
Given the Google IDP setup all works it very frustrating that one can't extend guest access to Google users event though once can get then into the Azure AD.
Launching Teams, and entering the google account has the use propped with the correct authentication provider screen (google), and it accepts the password, and starts to render the Teams main window and then crashes...
-
J
commented
i came across this issue too. guest user cannot use ms teams because their original organisation prohibits the use of ms teams. Can we use the workaround provided in this post, and update the desktop app to accept the redirect team id? e.g. use QR code to enable teams to log in with a different tenant id, or add an .config or .ini file, or command line to accept the id?
-
Anonymous
commented
In layman's terms - in my experience anyone with an existing Microsoft account somewhere that gets invited as a guest to MS Teams has an awful time getting in. It's happened so much that I add them as provisioned users, eat the $5 and then kill them when the project is over. MS please fix this so it's as smooth as Slack.
-
Peter Rozek
commented
Getting this same issue while trying to join another company's team. I'll direct them here.
-
Anonymous
commented
Same issue as others. Meeting guests who have O365 accounts, but don't have Teams enabled in their tenant are getting the lovely "You're missing out!" message when they click the meeting link. Pasting the meeting link into a incognito/private browser and joining via web app seems to work, but this is pretty trash.
Every single day I stumble on a new issue with Teams.
-
Heikki
commented
Having this issue with ios teams and guest login. Pc Desktop and chrome web logins are working in (latter works in ipad too)
The guest has 0365 account, but not teams. Still she is recognized via her o365 account rather than as guest when trying to sign up in ios Teams app as guest. And the error is ”you’re missing ou ask your admin...”