Update UserType from portal
Be able to see and change the userType from the portal.
(This is only available in PowerShell. Example: change from Guest -> Member, in order to see the directory as an external user.)
Set-MsolUser -UserPrincipalName xxxhotmail.com#EXTemail@example.com -UserType Member
Updating the status to indicate that this is a valid suggestion and in our backlog for the future. Please keep the comments/votes coming, knowing more about how you intend to use this helps us prioritize and design better features.
In the meantime, here's another PowerShell command to do this: https://docs.microsoft.com/en-us/powershell/module/azuread/set-azureaduser?view=azureadps-2.0
Set-AzureADUser -ObjectId $oid -UserType "Member"
Cat Ciric commented
In large enterprises, adding this to the portal (which everyone can access) introduces tremendous risk.
Lester W commented
Such a simple UI change to make, yet this still remains "unplanned"... really?!? Even with 211 votes?
See the attached mock-up...
Ged Harris commented
Hi, we are in a situation where another company has been purchased that already has an Azure tenant. We want to be able to trust across Tenants of Org 1 and Org2 as could be done with ADFS Trusts.
Some on-premise application usage requires Windows auth, so we can use Azure App Proxy to convert with Kerberos delegation, and they therefore also need a Windows credential, so they need to be full members to have an AD account and Windows auth on premise.
This currently requires managing a "Shadow" account, which is unnecessary if there is a means to trust/link the Org 1 Azure account to the Org 2 Azure account by upgrading Guest to full Member with a synched domain account retaining B2B SSO access.
Currently, if they have full AD accounts synched to Azure AD in Org2, they do not get SSO from the Org1 Azure Portal because the accounts are not linked across tenants.
Currently the option of Shadow accounts managed by script or MIM is a step back from previous use of ADFS. I see no way to currently create a trust across 2 org Azure Tenants even if both have ADFS?
Providing SSO between Azure Tenants while still supporting on-premise application auth via synched AD assists in merging companies and gradually moving from on premise to Azure.
Lester W commented
The way we want to use this is that we have Microsoft consulting in doing some work for us. We have provisioned the consultants as guest users but certain Azure DevOps (formerly VSTS) functions don't work as well, so we want to promote certain guests to member status. Currently we have to do this with PowerShell.
Back in the day (this has been open since Q1 2016 already) it was impossible to grant rights to users who were not members of your directory; therefore you had to change the membership before you would be able to grant them anything.
Today the guest-user logic has changed in such a way that you are not able to add a guest anymore; the guest is supposed to enroll himself, which makes things more complex if you are enrolling people in multiple directories.
The use case today would be to be able to add a guest user without the guest needing to get himself enrolled in the application. (CFR: resent invitation)
Clay Hagler commented
This is a key capability to enable REAL cross-organization collaboration.
When can we expect this to be addressed?
Don Petry commented
The old portal allowed the addition of an account "from another Azure AD tenant which I manage". These accounts are set to "member" but show the "#EXT#" UPN for external user.
It does not appear possible to add external accounts as "member" in the new portal.
Looking for a clear definition between Guest and (#EXT#) Member to understand if/when/where this will be an issue.
So what the heck? I have invited a person. I've made them global admin since they will eventually run this az subscription. But they still display as "guest." Changing the user type is a disabled textbox. OK Azure, you win again - I give up... so how do I change them from "guest" to "member"?
Rohan Tare commented
Don't make the user a Global Admin. Instead, assign as Limited Admin with the directory role Guest Inviter. This should work.
Hans van den Bogert commented
I don't get this... Currently the UserType for a user I want to be an all-powerful administrator is 'Guest'. However, I was able to give the user a directory role of "Global administrator". How can my user be a global administrator but still be a guest?
Are these 2 separate things? Either way, it's really not clear from the portal. For instance, I can create users, groups, list them, etc. But when trying to list/choose the users in a RBAC pane, users don't show up.
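The comments above describe guests who hold directory roles while UserType still reads "Guest". As an added example (not part of the original thread, and not Microsoft's code), the function below reports every Guest that holds a directory role, which is a useful review before changing anyone's UserType. The function name, the sample users and the role memberships are constructed for illustration; the commented lines show how the same inputs could be collected with the AzureAD module.

```powershell
# Added example: list Guest accounts that hold directory roles.
# UserType and role membership are stored separately, so both must be checked.
function Get-PrivilegedGuest {
    param(
        # Objects exposing ObjectId, UserPrincipalName and UserType
        [Parameter(Mandatory)] [object[]]  $Users,
        # Role display name -> array of member ObjectIds
        [Parameter(Mandatory)] [hashtable] $RoleMembers
    )
    foreach ($u in ($Users | Where-Object { $_.UserType -eq 'Guest' })) {
        # Collect every role whose member list contains this guest
        $roles = @($RoleMembers.Keys |
            Where-Object { $RoleMembers[$_] -contains $u.ObjectId } |
            Sort-Object)
        if ($roles.Count -gt 0) {
            [pscustomobject]@{
                UserPrincipalName = $u.UserPrincipalName
                UserType          = $u.UserType
                Roles             = $roles -join ', '
            }
        }
    }
}

# Live tenant input (AzureAD module, after Connect-AzureAD):
#   $users = Get-AzureADUser -All $true
#   $roleMembers = @{}
#   foreach ($r in Get-AzureADDirectoryRole) {
#       $roleMembers[$r.DisplayName] =
#           @((Get-AzureADDirectoryRoleMember -ObjectId $r.ObjectId).ObjectId)
#   }

# Constructed sample data so the example runs without a tenant
$users = @(
    [pscustomobject]@{ ObjectId = 'id-1'; UserType = 'Member'
        UserPrincipalName = 'alice@contoso.example' }
    [pscustomobject]@{ ObjectId = 'id-2'; UserType = 'Guest'
        UserPrincipalName = 'bob_fabrikam.example#EXT#@contoso.example' }
    [pscustomobject]@{ ObjectId = 'id-3'; UserType = 'Guest'
        UserPrincipalName = 'carol_fabrikam.example#EXT#@contoso.example' }
)
$roleMembers = @{
    'Global Administrator' = @('id-1', 'id-2')   # constructed membership
    'Guest Inviter'        = @('id-2')
}

Get-PrivilegedGuest -Users $users -RoleMembers $roleMembers | Format-Table -AutoSize
```

With the sample data, only the second account is reported: it is a Guest and holds both roles, while the third account is a Guest with no role and is skipped.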
Jeff Garcia commented
@Saca, no plans to make this available outside B2B Collaboration feature?