Allow a "Guest User" to be converted to a different account type
Allow new "Guest User" entry to be converted to a different account type.
We have encountered the situation where a OneDrive share was granted to a user outside our tenant, which in turn created this new "Guest User" entry in the system with the SMTP address. Later this user was requested to be added as a MailContact, but because the SMTP address already existed, it would not allow us to create it. Deleting the user from Guest Users would remove all shared file access. Need a solution for this.
• You are unable to create a MailContact using the SMTP address of an external user that has already been added as a “guest user” to an Office 365 Group.
• If you create the MailContact first, you are able to add the same address as a “guest user”.
• You can only have one object in Exchange Online with a given primary SMTP address. This is because Exchange uses the primary SMTP address to route email to the recipient.
• If you add a “guest user” to an Office 365 Group, there has to be an Exchange Recipient object for that user. If there isn’t one, one will be created for you (RecipientType “MailUser”, RecipientTypeDetails “GuestMailUser”).
• Delete the “guest user” MailUser object in Exchange Online
Get-MailUser firstname.lastname@example.org | Remove-MailUser
• Create the MailContact
• Add the MailContact to the Office 365 Group
Note: this is an issue, as the “guest user” may have already been granted access to multiple SharePoint resources and this will remove that access.
I need to put a guest user into an Exchange group for distribution. Your workaround is useless as he has access to some documents already and still needs access. What's the workaround for the workaround?
Jon Scarpa commented
Microsoft please allow these guest accounts to be merged with domain accounts. It is a problem when a user shares a OneDrive link with a vendor, then we later give that vendor an AD account in our system to allow them to access certain resources. Thank you.
P. D. Förster commented
Also ran into this issue today when I tried to add a guest mail user to a distribution list. However, only Mail contacts are allowed.
If someone's interested in an explanation why this is not possible, see https://techcommunity.microsoft.com/t5/office-365/how-do-i-add-a-guest-mail-user-to-adress-lists-or-create-a-mail/m-p/134800#
I would like to be able to convert a guest user into a normal o365 user, making their guest email a secondary email and bringing all contact information into the new domain user account.
Paul Matthews commented
We have been having issues where the "guest User" can no longer log into our tenant. The only option is to remove them from Contacts, and everywhere else in the tenant. E.g., SharePoint Sites, user profiles, Azure AD, Azure AD deleted users, all the hidden UserInformation lists in SharePoint etc. Then invite the Guest user again. I have had a couple of support calls with Microsoft about this, and the case ends with this information as the resolution:
"This is behavior by design as all objects in Azure AD have to be unique.
You cannot have 2 objects with the same email address.
When you invite one of your contacts to your content in O365, it actually creates a completely new guest user object in your environment and since the email address which is supposed to be populated in the email attribute is already in use by the contact, the email address does not get populated.
The only way to resolve this issue at the moment is to eliminate any conflicts that are in place, by removing the conflicting email contact and re-invite the user to your content."
This clearly is a bug where the two parts of Azure get a conflict, which must flag up in some bit of code, but is never flagged up to the Azure Administrator of the tenant.
The first comment works perfectly - much better than deleting the external user! Thank you for posting this. (Set-MailUser -Identity <Identityofmailuser> -EmailAddresses $Null)
There is a less drastic workaround: you can simply null the proxyAddresses attribute for the mail user. (Set-MailUser -Identity <Identityofmailuser> -EmailAddresses $Null). This is essentially what happens if you create the contact first anyway.
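The deletion-free workaround from the comment above (clear the guest MailUser's addresses, then create the MailContact and add it to the group), written up as an added example; this is not code posted in the thread. It assumes an ExchangeOnlineManagement session is already open (Connect-ExchangeOnline), and $Address, $ContactName and $GroupName are placeholders you supply.

```powershell
# Added example, not from the thread. Applies the "null the proxy addresses" workaround
# so the guest's Azure AD object (and its SharePoint/OneDrive sharing) stays in place
# while the SMTP address is freed for a MailContact.
param(
    [Parameter(Mandatory)] [string] $Address,      # placeholder, e.g. 'vendor@example.org'
    [Parameter(Mandatory)] [string] $ContactName,  # display name for the new MailContact
    [Parameter(Mandatory)] [string] $GroupName     # distribution group to add the contact to
)

# Step 1: find whatever Exchange recipient currently owns this SMTP address.
$existing = Get-Recipient -Identity $Address -ErrorAction SilentlyContinue

if (-not $existing) {
    Write-Host "No recipient owns $Address; creating the contact directly."
}
elseif ($existing.RecipientTypeDetails -eq 'GuestMailUser') {
    # Step 2: the thread's less drastic workaround. Clearing EmailAddresses on the
    # GuestMailUser frees the address without removing the guest or its sharing.
    Write-Host "Clearing proxy addresses on guest MailUser '$($existing.Identity)'"
    Set-MailUser -Identity $existing.Identity -EmailAddresses $null
}
else {
    # A mailbox, existing contact or plain MailUser is a genuine conflict:
    # stop rather than silently rewrite some other recipient's addresses.
    throw "Address $Address belongs to a $($existing.RecipientTypeDetails); aborting."
}

# Step 3: create the MailContact and add it to the distribution group.
$contact = New-MailContact -Name $ContactName -ExternalEmailAddress $Address
Add-DistributionGroupMember -Identity $GroupName -Member $contact.Identity

# Step 4: confirm the address now resolves to the contact.
Get-Recipient -Identity $Address |
    Format-Table Name, RecipientTypeDetails, PrimarySmtpAddress
```

Add -WhatIf to the Set-MailUser and New-MailContact lines to rehearse the change before running it against a real guest.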
This is also a challenge for us.
We are performing a T2T migration, this is essentially a merger, bringing the smaller company into the bigger. The target has all the source tenant users in as Guests. We wish to change the guest user type in the target tenant, and then see if we can connect the accounts via AADC to complete the identity piece. Therefore the user would not lose access to all their sharepoint resources.
Philipp Zimmer commented
Thank you for this Workaround. We have the same problem here. Is there a chance Microsoft is going to fix this?
Alex Schwerzmann commented
Same behaviour you can find in Teams: If you invite the external user that is already registered as a Mail Enabled User (New-MailUser --> which is finally an AD User-Object), you won't be able to collaborate any further with that contact, because access to any company resource would require licensing of that external contact (because it's listed in your own tenant's Azure AD as a User Object...). A nice solution from Microsoft for closer collaboration on a tenant's core contacts/MailUser-Objects would be more than welcome!
Ian Caldwell commented
Agreed, we are trying to manage our external contacts (i.e. preferred consultants, key business partners, etc) - who are sometimes added as guests to 365 resources before we have a chance to add them as proper contacts. Admin should have option to add guest users to 365 contacts without having to delete all existing sharing permissions.
Gavin Bollard commented
This is a serious design flaw on Microsoft's part. We rely extensively on Distribution Groups for notifications, but can't add guests to those groups. We've got systems which require the creation of guest users for authentication and login.
We've already set up our guest systems and have been running them for a while. We don't want to have to delete all of our users and recreate them just so that we can get them into distribution groups. It simply doesn't make sense.
Becca L commented
This is extremely poor design on Microsoft's end. People connected to an organization are going to have multiple roles, and their involvement will change over time. This is a huge barrier to contact management and the workaround really isn't an option if organizations want to present themselves as even somewhat organized. For us, the workaround simply isn't an option because of how unprofessional it would make us appear. (Would you want to contact a new board member saying we have to revoke and then re-grant his access to files on SharePoint, because we can't add him to a distribution list otherwise?)
There's simply no way that this "feature" would ever be useful and it creates a world of problems. Please, please fix this.
Hiroshi Yajima commented
This is also a problem for us.
Since we are a group company and tenants are divided, we are trying coordination of address books.
We register other users as Contacts, but if someone invites another user to the site beforehand, they are registered as a guest user and cannot be registered as a Contact.
In order to register them as a Contact, it is necessary to delete the guest once and invite them to the site again, which is very burdensome.
If the same account exists as both a Contact and a guest, please treat it integrally as one piece.
Andrew Hydle commented
This is a major problem for us as well, as we have people who move back and forth between different tenants and need a contact or mailbox eventually. If someone shares with one of these people we have to delete the Guest User account and create our account, which dumps all of their shares. Seems these should be made so they don't interfere with regular accounts.
Chris King commented
This is also a major problem if a standard "Mail User" (security principal + contact) is assigned a license and thus converted to a User Mailbox. Unlike on-prem, Exchange Online does this conversion automatically and deletes the Contact attributes of the Mail User, including external SMTP address. That would all be fine if there were a way to convert the User Mailbox back to a Mail User, but there is absolutely no way to do it. The security principal must be deleted and recreated. Terrible design.