Make B2B guest accounts less sensitive to changes in the source AAD/MS account
I have a customer that uses B2B for any partner collaboration they do within their corporate environment.
There were partners that went through the following scenarios:
- They moved their AAD users to another AAD tenant due to a reorganization
- They changed company name and had a new UPN / SignIn
In both cases the B2B guest account broke. When the user tries to log in they get the error: Sorry, but we're having trouble with signing you in.
AADSTS50177: User account '' from identity provider 'https://sts.windows.net//' does not exist in tenant '' and cannot access the application '' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Contacting Microsoft Support indicated that the only current way of fixing this is recreating the user. This means figuring out all the permissions and memberships from the old account, creating a new one and then applying the same permissions.
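As an added example (not part of the original post or any Microsoft tooling), a small Python helper that turns what Microsoft Graph reports for the old guest (`GET /users/{id}/memberOf` and `GET /users/{id}/appRoleAssignments`) into the Graph calls needed to re-apply that access to the re-created guest. The Graph endpoints are real; the object ids and responses below are constructed placeholders, and the helper only builds the plan rather than executing it.

```python
"""Build a re-creation plan for a B2B guest whose source account changed."""

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample of what Graph returns for the OLD guest object (placeholder ids).
OLD_MEMBER_OF = [
    {"@odata.type": "#microsoft.graph.group", "id": "g-sec-1",
     "displayName": "Partner-Readers", "groupTypes": []},
    {"@odata.type": "#microsoft.graph.group", "id": "g-dyn-1",
     "displayName": "All-Guests", "groupTypes": ["DynamicMembership"],
     "membershipRule": '(user.userType -eq "Guest")'},
    {"@odata.type": "#microsoft.graph.directoryRole", "id": "r-1",
     "displayName": "Directory Readers"},
]
OLD_APP_ROLES = [
    {"id": "ara-1", "resourceId": "sp-1", "appRoleId": "role-1",
     "resourceDisplayName": "PartnerPortal"},
]


def plan_recreation(member_of, app_roles, new_user_id):
    """Return (calls, review): the Graph requests that re-apply the old guest's
    access to new_user_id, plus items that need a human decision.

    Dynamic groups are skipped because the rule re-evaluates for the new object;
    directory roles are privileged, so they are reported for review rather than
    re-assigned blindly."""
    calls, review = [], []
    for obj in member_of:
        kind = obj.get("@odata.type")
        if kind == "#microsoft.graph.group":
            if "DynamicMembership" in obj.get("groupTypes", []):
                continue
            calls.append(("POST", f"{GRAPH}/groups/{obj['id']}/members/$ref",
                          {"@odata.id": f"{GRAPH}/directoryObjects/{new_user_id}"}))
        elif kind == "#microsoft.graph.directoryRole":
            review.append(f"directoryRole:{obj['displayName']}")
    for ara in app_roles:
        calls.append(("POST", f"{GRAPH}/users/{new_user_id}/appRoleAssignments",
                      {"principalId": new_user_id,
                       "resourceId": ara["resourceId"],
                       "appRoleId": ara["appRoleId"]}))
    return calls, review


if __name__ == "__main__":
    calls, review = plan_recreation(OLD_MEMBER_OF, OLD_APP_ROLES, "new-guest-id")
    for method, url, body in calls:
        print(method, url, body)
    print("needs review:", review)
```

Run the plan with a real Graph client only after the new invitation has been redeemed, so the new guest object id exists in the tenant.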
For edge cases and single-user impact situations this is not a big deal. For an entire user base of a partner affected by a company rename, it basically becomes a major migration project.
It would be very useful in these cases to be able to update the B2B guest account to accept another source account. This way we can retain the profile. With the AD connector sync, you can control the link between the on-prem / AAD account with the immutableId setting. Something similar might be a solution for B2B <-> source accounts as well.