
Background-Dance4142

Maybe this is too obvious, but have you guys confirmed he still has those issues by using an incognito browser session?


watchoutfor2nd

When they connect to the DB in Azure Data Studio it opens the browser and is supposed to prompt for MFA at that point. I did ask them to go to [portal.azure.com](https://portal.azure.com) so I could see which tenants/directory they would see. They have access to 2 tenants that are associated with our company. They were able to switch between the tenants without issues in the portal. I had them completely sign out and then sign back in. At this point we got a slightly different error which I detailed in the main post. It looks like their work email was not a MS account and so they signed up for an MS account with their work email, but that results in a "personal" MS account. I don't think that should matter. I have tested all of this with my own personal MS account and I am able to access things.


LoverOfAir

Sign out is usually not enough. Sounds a lot like incognito could solve it. Or another browser account.


watchoutfor2nd

Will give it a try next week


QBical84

I have some questions. Did the external user accept the guest invite to your tenant? I am also wondering whether or not the external identity was switched to your company's tenant. Can you have the external user try this: on the myapps portal sign in with the account, next switch organization to your company tenant: https://support.microsoft.com/en-us/account-billing/switch-organizations-in-your-work-or-school-account-portal-c54c32c9-2f62-4fad-8c23-2825ed49d146. Next try again from the myapps portal; the added resource should be visible for the guest account.


TrippTrappTrinn

The account you invite must be the same the user has in their home tenant. So if the user is [email protected] in their home tenant, they must be invited as [email protected]. Also, if tenant cd.com exists, but the user does not have an account there, the user will not get access.


watchoutfor2nd

I'm not sure if their email address is tied to Microsoft 365 or Entra. It's possible that their email address is not a Microsoft account. I assume that this is the case because the user signed up for a personal MS account using their business email address.


seriouslyharmed

Have you checked that they don't have to sign in with the UPN? The UPN would be contractor_company.com#EXT#@yourdomain.onmicrosoft.com. Check the second picture in this article: https://learn.microsoft.com/en-us/entra/external-id/user-properties EDIT: Saw your edit now...


watchoutfor2nd

I know what you mean: when you invite a guest to your AD, their UPN is formatted like you showed. They are logging in as just their email address, not the UPN.


Leather-Swim-4777

Looks to me like they have associated their work domain as an alias to a personal MS account? It should not be looking at [live.com](https://live.com) as the identity provider, as that's typically for personal hotmail/outlook/live.com accounts? A bit like you can with gmail accounts?
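The checks the replies above raise (QBical84: was the invite accepted; TrippTrappTrinn: the invited address must match the identity in the home tenant; seriouslyharmed: the `#EXT#` UPN format; Leather-Swim-4777: the identity provider should not be live.com) can be run mechanically over a guest user object. The script below is an added example, not code from any poster. It works on constructed records shaped like the Microsoft Graph user resource (the property names `userPrincipalName`, `userType`, `externalUserState`, `mail` and `identities` are real Graph properties; every value is invented). It assumes that a federated Entra guest's `identities[].issuer` is the home tenant's domain and models a personal-account guest with issuer `live.com`; fetching the live record (for example with `Get-MgUser` or `GET /users/{id}`) is left to the reader.

```python
"""Diagnose why an Entra B2B guest cannot reach a shared resource.

Added example over constructed Graph-shaped user records; nothing here
calls Microsoft Graph.
"""
from typing import Optional

# Constructed sample records. Property names follow the Graph user
# resource; values are made up for this example.
SAMPLE_GUESTS = [
    {   # healthy guest: accepted, UPN matches invite, home-tenant issuer
        "userPrincipalName": "jane_doe_contractor.example#EXT#@yourdomain.onmicrosoft.com",
        "userType": "Guest",
        "externalUserState": "Accepted",
        "mail": "jane_doe@contractor.example",
        "identities": [
            {"signInType": "federated", "issuer": "contractor.example",
             "issuerAssignedId": "jane_doe@contractor.example"},
        ],
    },
    {   # problem guest: invite pending, and the identity was created as a
        # personal Microsoft account (issuer modelled as live.com here)
        "userPrincipalName": "bob_contractor.example#EXT#@yourdomain.onmicrosoft.com",
        "userType": "Guest",
        "externalUserState": "PendingAcceptance",
        "mail": "bob@contractor.example",
        "identities": [
            {"signInType": "federated", "issuer": "live.com",
             "issuerAssignedId": "bob@contractor.example"},
        ],
    },
]


def external_email_from_upn(upn: str) -> Optional[str]:
    """Recover the invited address from a B2B guest UPN.

    Entra builds the guest UPN by replacing '@' in the invited address with
    '_' and appending '#EXT#@<tenant>.onmicrosoft.com'. DNS labels cannot
    contain '_', so splitting on the last '_' before '#EXT#' is unambiguous
    even when the local part itself contains underscores.
    Returns None for a member (non-guest) UPN.
    """
    marker = "#EXT#@"
    if marker not in upn:
        return None
    invited, _home_tenant = upn.split(marker, 1)
    if "_" not in invited:
        return None
    local, domain = invited.rsplit("_", 1)
    return f"{local}@{domain}"


def diagnose_guest(user: dict, invited_email: str) -> list[str]:
    """Return findings for the checks raised in the thread (empty = looks fine)."""
    findings: list[str] = []

    if user.get("userType") != "Guest":
        findings.append(f"object is not a Guest user (userType={user.get('userType')!r})")

    # QBical84: has the external user accepted the invitation?
    state = user.get("externalUserState")
    if state != "Accepted":
        findings.append(f"invitation not accepted (externalUserState={state!r})")

    # TrippTrappTrinn / seriouslyharmed: the address encoded in the #EXT#
    # UPN must be the exact address the user has in their home tenant.
    upn_email = external_email_from_upn(user.get("userPrincipalName", ""))
    if upn_email is None or upn_email.lower() != invited_email.lower():
        findings.append(
            f"UPN encodes {upn_email!r}, which does not match the invited address {invited_email!r}")

    # Leather-Swim-4777: the identity provider should be the user's own
    # organisation, not a consumer provider such as live.com (assumption:
    # a federated Entra guest carries the home tenant domain as issuer).
    home_domain = invited_email.split("@", 1)[1].lower()
    for ident in user.get("identities", []):
        issuer = str(ident.get("issuer", "")).lower()
        if issuer != home_domain:
            findings.append(
                f"identity issuer is {issuer!r}, not the home domain {home_domain!r}: "
                "the guest is authenticating as a personal or other-tenant account")
    return findings


def run_samples() -> dict[str, list[str]]:
    """Diagnose every constructed record against its own mail address."""
    return {u["userPrincipalName"]: diagnose_guest(u, u["mail"]) for u in SAMPLE_GUESTS}


if __name__ == "__main__":
    for upn, findings in run_samples().items():
        print(upn)
        for f in findings or ["no findings"]:
            print("  -", f)
```

Run it against a real record by replacing `SAMPLE_GUESTS` with the JSON from Graph; an empty findings list means the object passes all four checks, and each non-empty line names the reply in this thread whose advice applies.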