How do I change (downgrade or convert) an existing Office 365 user to a guest user with an external identity?

I can change a user's User Type from 'Member' to 'Guest' in the Azure Active Directory admin centre but I also want to effectively replace the member's existing identity with that from an external identity provider (e.g. Google or Facebook or Outlook).

By way of an example, we currently have a guest user:

alice@contoso.com

(pretend contoso.com is our domain)

I now want Alice to access our Office 365 environment using her alice4522@gmail.com identity, while ideally preserving her existing group memberships, etc.

I note the User Principal Name is an editable field. I also note users with an external identity have a UPN that looks like this:

alice4522_hotmail.com#EXT#@contoso.onmicrosoft.com

New guest users (external users) are, however, sent a system-generated email invite to join our environment, and I don't think I can simply modify the UPN field - can I?

Can anyone offer any guidance for this scenario?

Michhes

  • I had to do something similar to this a couple of months back. Trying to remember what I did. At first I thought I needed to change the UPN (and I could). But it turned out all I had to do was resend the invite to the user. I think you can update the user's email address and then resend the invitation. They should receive the invite to their external gmail account and be able to follow the link to join the organization, which will still be tied to the original account. Just a guess there though. In our case we absorbed another organization and so their domain became "external" to our domain. – Appleoddity Jun 18 '22 at 16:28

1 Answer

So, I think the following link about Azure B2B relationships will help: https://docs.microsoft.com/en-us/azure/active-directory/external-identities/user-properties

You can change the 'User Type' for the user, but this is only in reference to the user's relationship to your organization. It doesn't have anything to do with the user's identity provider, which is what you actually want to change. You likely do not want to change the user's type, unless their relationship to your organization is changing.

You are asking to switch a user's identity provider from your organization's Azure AD directory, to an external identity provider, like google.com, facebook.com, or another Azure AD directory. The identity provider is known as the 'Issuer' when you look at the user in Azure AD. It's defined in the document I linked above.

If I understand correctly, your Issuer should currently say yourtenant.onmicrosoft.com or something like that. You want to change it to google.com or facebook.com. In this case, I believe you need to update the user's mail attribute to set it to the user's external email address. Then, you can reset the invitation status and the user will receive a new invite to their external email and be able to redeem the invitation using the external identity provider, which will update the account's Issuer property as you want.

In my use case this works, but it doesn't match your use case exactly. In my case, we absorbed another organization and when we added their AD domain to our AD, it automatically took over their AD user accounts and switched their UPN to the #EXT# version. So, you may also need to update the UPN so that it matches the format you referenced: username_externaldomain#EXT#@yourtenantdomain, i.e. first.last_google.com#EXT#@yourorg.onmicrosoft.com. Also update the mail attribute and reset the invitation. In our case, when we reset the invitation and they redeemed it, the Issuer changed to External Azure AD, indicating they were now authenticated by our Azure AD rather than their own, and they now log in using their organizational account in our AD.

You can change the user's mail attribute through the Graph API. The invitation can be reset by opening the properties of the user in Azure AD, then using the manage option next to the 'Invitation accepted' status. Choose to Reset invitation status. Or, perhaps, you may need to use the Resend invite option, whichever is available considering the user's status.

Appleoddity
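The two steps the answer describes (update the mail attribute, then reset the invitation so it is re-redeemed with the external identity) scripted against Microsoft Graph. This is an added example, not the answerer's own script; it assumes the Microsoft Graph PowerShell SDK is installed, that the account running it holds the User.ReadWrite.All and User.Invite.All permissions, and that the user, mail address and redirect URL are placeholders you replace.

```powershell
# Added example: move an existing guest to an external identity by
# changing the mail attribute and resetting the invitation redemption.
# Placeholders (not from the original post): $CurrentUpn, $NewExternalMail, $RedirectUrl.
$CurrentUpn      = 'alice@contoso.com'
$NewExternalMail = 'alice4522@gmail.com'
$RedirectUrl     = 'https://myapps.microsoft.com'

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User.Invite.All'

# Look the user up by UPN and capture the object id; group memberships
# hang off this object, so they survive as long as the object is kept.
$user = Get-MgUser -UserId $CurrentUpn -Property Id, UserPrincipalName, Mail, UserType, ExternalUserState
if (-not $user) { throw "User $CurrentUpn not found" }

# Refuse to proceed if another object already uses the target address:
# the mail attribute must be unique in the tenant or the update fails.
$clash = Get-MgUser -Filter "mail eq '$NewExternalMail'" -Property Id
if ($clash -and $clash.Id -ne $user.Id) {
    throw "$NewExternalMail is already assigned to object $($clash.Id)"
}

# Step 1: point the mail attribute at the external address. UserType is
# deliberately left alone, as the answer notes it describes the
# relationship to the tenant, not the identity provider.
Update-MgUser -UserId $user.Id -Mail $NewExternalMail

# Step 2: reset redemption and send a fresh invite to the new address.
# -ResetRedemption tells Graph to discard the existing redemption so the
# user redeems again, this time with the identity provider of the new mail.
New-MgInvitation `
    -InvitedUserEmailAddress $NewExternalMail `
    -InviteRedirectUrl $RedirectUrl `
    -ResetRedemption `
    -SendInvitationMessage `
    -InvitedUser @{ Id = $user.Id }

# Verify: mail is updated and the account is back to PendingAcceptance.
Get-MgUser -UserId $user.Id -Property UserPrincipalName, Mail, UserType, ExternalUserState |
    Select-Object UserPrincipalName, Mail, UserType, ExternalUserState
```

The Issuer shown in the portal only changes after the user redeems the new invite; until then ExternalUserState reads PendingAcceptance and the old sign-in no longer works, so schedule the reset with the user.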