How can we improve Azure Active Directory?

Update UserType from portal

Be able to see and change the UserType from the portal.
(This is only available in PowerShell. Example: change from Guest -> Member, in order to see the directory as an external user.)

Set-MsolUser -UserPrincipalName xxxhotmail.com#EXT#@xxxhotmail.onmicrosoft.com -UserType Member

214 votes

Frederik De Ryck shared this idea

11 comments

  • Ged Harris commented

    Hi, we are in a situation where another company has been purchased that already has an Azure tenant. We want to be able to trust across tenants of Org 1 and Org 2, as could be done with ADFS trusts.
    Some on-premises application usage requires Windows auth, so we can use Azure App Proxy to convert with Kerberos delegation, and they therefore also need a Windows credential, so they need to be full members to have an AD account and Windows auth on premises.
    This currently requires managing a "shadow" account, which is unnecessary if there is a means to trust/link an Org 1 Azure account to an Org 2 Azure account by upgrading Guest to full Member with a synced domain account, retaining B2B SSO access.
    Currently, if they have full AD accounts synced to Azure AD in Org 2, they do not get SSO from the Org 1 Azure Portal because the accounts are not linked across tenants.
    Currently the option of shadow accounts managed by script or MIM is a step back from the previous use of ADFS. I see no way to currently create a trust across two org Azure tenants, even if both have ADFS?
    Providing SSO between Azure tenants while still supporting on-premises application auth via synced AD assists in merging companies and gradually moving from on-premises to Azure.

  • Lester W commented

    The way we want to use this is that we have Microsoft consulting in doing some work for us. We have provisioned the consultants as guest users but certain Azure DevOps (formerly VSTS) functions don't work as well, so we want to promote certain guests to member status. Currently we have to do this with PowerShell.

  • Anonymous commented

    Hi Elisabeth,

    Back in the day (this has been open since Q1 2016 already) it was impossible to grant rights to users who were not members of your directory; therefore you had to change the membership before you would be able to grant them anything.

    Today the guest-user logic has changed in such a way that you are not able to add a guest anymore; the guest is supposed to enroll himself. This makes things more complex if you are enrolling people in multiple directories.

    The use case today would be to be able to add a guest user without the guest needing to get himself enrolled in the application. (CFR: resent invitation)

  • Don Petry commented

    The old portal allowed the addition of an account "from another Azure AD tenant which I manage". These accounts are set to "member" but show the "#EXT#" UPN for external user.

    It does not appear possible to add external accounts as "member" in the new portal.

    Looking for a clear definition between Guest and (#EXT#) Member to understand if/when/where this will be an issue.

  • Rick commented

    So what the heck? I have invited a person. I've made them global admin since they will eventually run this az subscription. But they still display as "guest." Changing the user type is a disabled textbox. OK Azure, you win again - I give up... so how do I change them from "guest" to "member"?

  • Rohan Tare commented

    Don't make the user a Global Admin. Instead, assign Limited Admin with the directory role Guest inviter. This should work.

  • Hans van den Bogert commented

    I don't get this. Currently the UserType for a user I want to be an all-powerful administrator is 'Guest'. However, I was able to give the user a directory role of "Global administrator". How can my user be a global administrator but still be a guest?
    Are these 2 separate things? Either way, it's really not clear from the portal. For instance, I can create users, groups, list them, etc. But when trying to list/choose the users in a RBAC pane, users don't show up.
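
Several comments above describe a guest holding a directory role such as Global administrator while its UserType stays Guest. The following is an added example, not part of the original thread: it lists guest accounts that hold directory roles, using the MSOnline module that Set-MsolUser belongs to. It assumes an account allowed to read users and role membership; the helper name Set-ReviewedGuestToMember is hypothetical.

```powershell
# Added example, not from the original thread.
# Assumes the MSOnline module (the module Set-MsolUser comes from).
Import-Module MSOnline
Connect-MsolService

# 1. UserType is an attribute on the user object: collect every Guest.
$guests = Get-MsolUser -All | Where-Object { $_.UserType -eq 'Guest' }

# 2. Directory roles are tracked separately: index role names by member ObjectId.
$rolesByMember = @{}
foreach ($role in Get-MsolRole) {
    foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId -All) {
        $key = $member.ObjectId.ToString()
        if (-not $rolesByMember.ContainsKey($key)) { $rolesByMember[$key] = @() }
        $rolesByMember[$key] += $role.Name
    }
}

# 3. Report guests that hold at least one directory role, for access review.
$report = foreach ($g in $guests) {
    $roles = $rolesByMember[$g.ObjectId.ToString()]
    if ($roles) {
        [pscustomobject]@{
            UserPrincipalName = $g.UserPrincipalName
            UserType          = $g.UserType
            Roles             = $roles -join '; '
        }
    }
}
$report | Format-Table -AutoSize

# 4. Hypothetical helper: convert one reviewed account and read the value back.
#    Pass the UPN as a quoted string so '#EXT#' is always treated as literal text.
function Set-ReviewedGuestToMember {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    Set-MsolUser -UserPrincipalName $UserPrincipalName -UserType Member
    Get-MsolUser -UserPrincipalName $UserPrincipalName |
        Select-Object UserPrincipalName, UserType
}
```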
