Avoiding the Need to Remove and Recreate Guest Accounts
Microsoft 365 applications like Microsoft 365 Groups, Teams, SharePoint Online, and Planner use Entra ID B2B Collaboration to enable guest user access to their resources. The result is that many tenants have a proliferation of guest accounts to manage. I’ve written quite a few tools to help, including a report of guest accounts and their membership of Microsoft 365 Groups and a comprehensive report of tenant and guest members in Groups and Teams. Management can even be a challenge for guests who want to renounce their membership of a tenant.
In any case, the details of some guest accounts change over their lifetime. On March 2, Microsoft issued documentation for Reset redemption status for a guest user. This doesn’t sound very exciting, but it’s really very interesting because the feature allows tenant administrators to adjust how a guest account is signed into without using the previous technique of removing and recreating an account. The downside of that approach is that access is lost to all the resources available to the guest account like Teams, SharePoint sites, shares to individual documents, and so on. After recreating the account, access must then be regranted for each resource. This process is tedious, especially when the guest features in multiple groups.
Microsoft anticipates that the reset feature will be used in scenarios such as:
- The user wants to sign in using a different email and identity provider. In other words, they now have a different account. For instance, the user might have moved companies and wishes to continue working with your company (a common scenario for professionals like IT consultants and lawyers).
- The account for the user in their home tenant has been deleted and recreated. Entra ID won’t recognize the link between the guest account and the user’s new account.
- The user’s responsibilities have been passed along to another user and they want to assign access to the resources which supported those responsibilities to that user.
Part of the change is performed using the Entra ID admin center. The rest is done with PowerShell cmdlets from the AzureAD Preview module, which you can download from the PowerShell Gallery.
Change the Email (Sign-in) Address for a Guest Account
Unlike tenant accounts, guest users don’t use their user principal name to sign in. Instead, they use their email address. To work, the reset feature changes the sign-in name for the guest account and nothing else. The mail user object created in Exchange Online to allow guest users to receive email is also updated.
In this example, I have a guest account for Jacko Winters. The original email address for this account is Flayosc@outlook.com. The guest is a member of multiple teams and shares some SharePoint documents. I want to reassign access to all these resources to another account called Flayosc@yandex.com. It’s an example of the first scenario described above.
The first step is to update the Mail attribute (Email address) for the guest account with the email address you want to use. Do this through the Entra ID admin center (Figure 1). The new email address cannot belong to any other mail-enabled object in the tenant, such as another guest account. If it does, Entra ID won’t allow you to update the account.

Moving to PowerShell, connect to AzureAD and get the Entra ID account identifier for the guest account you want to replace.
Connect-AzureAD
$ObjectId = (Get-AzureADUser -SearchString "Jacko Winters").ObjectId
$ObjectId

558d8cbb-a5a2-4ea1-b950-0d0748ca5634
Now create a new User object and populate it with the object identifier for the account.
$OldUser = New-Object Microsoft.Open.MSGraph.Model.User -ArgumentList $ObjectId
$OldUser

Id                                   OdataType
--                                   ---------
558d8cbb-a5a2-4ea1-b950-0d0748ca5634
Issuing a New Invitation
The next thing to do is check that the values returned from the two commands match. If they do, use the New-AzureADMSInvitation cmdlet to reissue an invitation to the new email address. The identifier for the guest user account is passed in the InvitedUser parameter. The myapps.microsoft.com landing page is a default site showing apps available to a user. Here’s the command I ran:
New-AzureADMSInvitation -InvitedUserEmailAddress Flayosc@yandex.com -SendInvitationMessage $True -InviteRedirectUrl "http://myapps.microsoft.com" -InvitedUser $OldUser -ResetRedemption $True
Update: Given the deprecation of the AzureAD module in March 2024 (and the disappearance of the ResetRedemption parameter from the New-AzureADMSInvitation cmdlet), you should switch to the Microsoft Graph PowerShell SDK. This code is the equivalent using the New-MgInvitation cmdlet:
$User = Get-MgUser -Filter "startsWith(mail, 'Flayosc@yandex.com')"
New-MgInvitation `
   -InvitedUserEmailAddress 'Flayosc@yandex.com' `
   -InviteRedirectUrl "http://myapps.microsoft.com" `
   -ResetRedemption `
   -SendInvitationMessage `
   -InvitedUser $User
See this documentation for more information.
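The complete procedure (check that the new address is free, update the Mail attribute, reissue the invitation against the existing object, then verify the redemption state) as one Microsoft Graph PowerShell SDK script. This is an added example, not the article's own code; it reuses the article's sample object identifier and addresses, and assumes the Graph property names ExternalUserState and ExternalUserStateChangeDateTime, which are the Graph equivalents of the AzureAD module's UserState and UserStateChangedOn.

```powershell
# Added example: reset a guest's redemption status without deleting the account.
# Connect with the permissions needed to read users/groups, update the guest and send invitations.
Connect-MgGraph -Scopes 'User.ReadWrite.All','Group.Read.All','User.Invite.All' -NoWelcome

$GuestId = '558d8cbb-a5a2-4ea1-b950-0d0748ca5634'   # object ID of the existing guest (article's sample value)
$NewMail = 'Flayosc@yandex.com'                      # address the guest will sign in with from now on

# 1. The new address must not belong to any other mail-enabled object in the tenant, or the
#    Mail update is rejected. Check users (including other guests) and groups before touching anything.
$Clash = @()
$Clash += Get-MgUser  -Filter "mail eq '$NewMail'" -Property Id,DisplayName,Mail | Where-Object Id -ne $GuestId
$Clash += Get-MgGroup -Filter "mail eq '$NewMail'" -Property Id,DisplayName,Mail
if ($Clash) {
    $Clash | Format-Table DisplayName, Mail, Id
    throw "New address $NewMail is already assigned to another object; choose a different address"
}

# 2. Update the Mail attribute (the admin-center step in the article, done here through Graph).
Update-MgUser -UserId $GuestId -Mail $NewMail

# 3. Re-read the object and confirm the change landed before issuing an invitation.
$Guest = Get-MgUser -UserId $GuestId -Property Id,UserPrincipalName,Mail,ExternalUserState
if ($Guest.Mail -ne $NewMail) { throw "Mail attribute not updated for $GuestId" }

# 4. Reissue the invitation against the *existing* object. Passing -InvitedUser is what preserves
#    the object ID (and with it all group, team and SharePoint access); -ResetRedemption clears the
#    previous redemption so the new identity can redeem it.
$Invitation = New-MgInvitation `
    -InvitedUserEmailAddress $NewMail `
    -InviteRedirectUrl 'https://myapps.microsoft.com' `
    -SendInvitationMessage `
    -ResetRedemption `
    -InvitedUser $Guest

"Invitation {0} created, status: {1}" -f $Invitation.Id, $Invitation.Status

# 5. Until the guest redeems, ExternalUserState stays PendingAcceptance. Run this part again after
#    redemption to see Accepted, the redemption timestamp, and the unchanged UPN and object ID.
Get-MgUser -UserId $GuestId -Property Id,UserPrincipalName,Mail,ExternalUserState,ExternalUserStateChangeDateTime |
    Format-List Id, UserPrincipalName, Mail, ExternalUserState, ExternalUserStateChangeDateTime
```

The clash check only covers users and groups; if the tenant also has mail contacts or shared mailboxes, extend it to those object types before relying on it.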
Entra ID creates a new invitation to access the resources currently available to the guest account and sends it to the new email address. You’ll see a response like this:
Id                      : 129c1c12-da99-4879-b258-d14b34601d46
InvitedUserDisplayName  :
InvitedUserEmailAddress : Flayosc@yandex.com
SendInvitationMessage   : True
InviteRedeemUrl         : https://login.microsoftonline.com/redeem?rd=https%3a%2f%2finvitations.microsoft.com%2fredeem%2f%3ftenant%3db662313f-14fc-43a2-9a7a-d2e27f4f3478%26user%3d129c1c12-da99-4879-b258-d14b34601d46%26ticket%3dLStZd8uAONAIbLNIZyfaUZ91VsRczLbzqbFOeHsonSE%253d%26ver%3d2.0
InviteRedirectUrl       : http://myapps.microsoft.com/
InvitedUser             : class User {
                            Id: 558d8cbb-a5a2-4ea1-b950-0d0748ca5634
                            OdataType:
                          }
InvitedUserMessageInfo  : class InvitedUserMessageInfo {
                            CcRecipients: System.Collections.Generic.List`1[Microsoft.Open.MSGraph.Model.Recipient]
                            CustomizedMessageBody:
                            MessageLanguage:
                          }
InvitedUserType         : Guest
Status                  : PendingAcceptance
ResetRedemption         : True
Accepting the Reissued Invitation
The invitation arrives at the email address (Figure 2) and the user can accept the invitation to confirm their credentials (set a password) and create an OAuth consent to allow the tenant to read details of the user’s account (Figure 3).


Once the user consents to the permissions, the user account is updated to set the UserState property to Accepted and write the date of the redemption in UserStateChangedOn. We now have a fully functional guest account again. The important point is that the object identifier and user principal name for the account do not change. The only thing which changes is the mail address associated with the account.
The Entra ID audit log contains details of the issue (Figure 4) and redemption of the invitation. While the activity tab confirms the target address for the invitation, the target tab confirms the guest account.

Accessing Resources
In this instance, the guest account has access to several teams and some SharePoint documents. SharePoint access is immediate, including the sites used by Teams. Guest access to Planner also works properly.
After testing that access worked for SharePoint and Planner, I turned to Teams. I expected access to the Teams app to take longer because of the need to complete the process which synchronizes Entra ID with the membership roster used to control access to individual teams. Until this happens, the user is refused access to Teams (Figure 5) and the old email address assigned to the guest account remains visible in Teams (Figure 6). [Note that the display name of the guest account has reverted to Flayosc instead of Jacko Winters]


Unsurprisingly, because the account information in Teams is now outdated, any attempt to add the guest account as a new member of a team also generates an error (Figure 7).

To try to force synchronization, I updated the display name and several other attributes of the account. This had no effect, so I added a couple of new users to the group using Teams to force Teams to refresh its membership roster. The updates flowed through to Entra ID, but nothing happened in Teams.
Get-AzureADGroupMember -ObjectId b647d5ff-3bda-4333-b768-7990084569b6

ObjectId                             DisplayName                   UserPrincipalName
--------                             -----------                   -----------------
cff4cd58-1bb8-4899-94de-795f656b4a18 Tony Redmond                  Tony.Redmond@office365itpros.com
b3eeaea5-409f-4b89-b039-1bb68276e97d Ben Owens (Business Director) Ben.Owens@office365itpros.com
a6bfb216-e88c-4f1f-86d7-04747e5fc686 Ben James                     Ben.James@Office365itpros.com
9ba20686-f869-46e8-85a2-00ec8a035e48 James Joyce                   James.Joyce@office365itpros.com
acb778e8-f587-45de-ae3a-e76007e043b2 Paul Howett                   Paul.Howett@office365itpros.com
98dda855-5dc3-4fdc-8458-cbc494a5a774 Sean Landy                    Sean.Landy@office365itpros.com
6b52fba5-349e-4624-88cd-d790883fe4c4 Ken Bowers                    Ken.Bowers@office365itpros.com
558d8cbb-a5a2-4ea1-b950-0d0748ca5634 Jacko Winters                 flayosc_outlook.com#EXT#@office365itpro

Get-AzureADUser -ObjectId 558d8cbb-a5a2-4ea1-b950-0d0748ca5634 | ft Mail, DisplayName, ObjectId

Mail               DisplayName   ObjectId
----               -----------   --------
flayosc@yandex.com Jacko Winters 558d8cbb-a5a2-4ea1-b950-0d0748ca5634
The original email address can't be used to sign into Teams either. Eventually, after a couple of days, Teams synchronized with Entra ID and the updated account details became visible in Teams. However, the updated account still could not sign into Teams.
Come Home to Teams
Working with the Entra ID development group, the problem was diagnosed as being due to the way Teams tries its best to bring a user to their home tenant. In the case of guest users, Teams uses the sign-in address to locate the tenant, and with the new address it headed off to the wrong place. When using an explicit redirect to the tenant identifier, like https://teams.microsoft.com/?tenantId=c662313f-14fc-43a2-9a7a-d2e27f4f3478, the user can connect.
Obviously, there’s some work for Teams to do to cope when administrators assign new email addresses to guest accounts, but at least the problem is known, and Microsoft will no doubt fix the issue soon.
All this work for a few lines in Chapter 13 of the Office 365 for IT Pros eBook. It just goes to prove how much work and effort the writing team puts in to keeping content accurate, refreshed, and updated. Subscribe now to receive monthly updates of goodness.
Have MS fixed the Teams issue yet? We have a guest user who has been given a new domain and not losing Teams access is essential.
I just tested and Teams works.
Hi,
1. Are the permissions for B2B limited/locked to just these 3 pieces of information no matter what? Is it possible for a vendor or tenant to request more permission than the following? Also, do you know if we can prevent the "photo" from being sent to the "External Tenant"? That seems like possible PII information.
-Name
-Email
-Photo
2. Do you know if it is possible to create an allow-list so that users can only become a part of Organizations as Guests that the home tenant defines? Trying to reduce the wild west.
You don’t have any control over the tenants someone can join as a guest. Tenants can create a whitelist of the tenants they’ll accept guests from (Azure AD admin center – external identities) but not the other way round. And once someone is a guest, they can update their photo (or the host tenant can update their photo).
Actually in the Azure portal you can define tenants your members are allowed to join. Outbound settings can be configured in https://portal.azure.com/#blade/Microsoft_AAD_IAM/CompanyRelationshipsMenuBlade/CrossTenantAccessSettings. You can block all organizations, and then just allow certain ones if you want to.
Cross-tenant access settings (https://practical365.com/cross-tenant-access-policies/) are a relatively new construct. They didn’t exist when I wrote the original article!
Interesting read here, thanks.
Can you change the UPN for the Guest account to remove #EXT#@domainname, or is that required for backend AAD purposes as I presume?
I encountered the following errors trying to use this method to change a guest account’s primary email address: New-AzureADMSInvitation : A parameter cannot be found that matches parameter name ‘ResetRedemption’.
It appears that the ResetRedemption parameter has been removed from New-AzureADMSInvitation. If I remove this parameter, I get a different error:
New-AzureADMSInvitation -InvitedUserEmailAddress -SendInvitationMessage $True -InviteRedirectUrl "http://myapps.microsoft.com" -InvitedUser $OldUser
New-AzureADMSInvitation : Error occurred while executing NewAzureADMSInvitation
Code: BadRequest
Message: This user has already been invited to the directory using . If you want to generate a new
invitation link for this user, please call invitation again without the user object.
It’s an old article at this point (and the Azure AD module is being deprecated by Microsoft). The approach to reset the redemption status for a guest account is now supported in the Azure AD admin center: https://learn.microsoft.com/en-us/azure/active-directory/external-identities/reset-redemption-status
Also, the New-MgInvitation cmdlet supports a ResetRedemption parameter. I have updated the article to reference the new approach.
We have changed the UPN and mail of a user, and the guest account's access to another Azure tenant continues to work (the guest account has the old UPN/email). How does the link between the two continue to work?
No idea. I don’t have access to the tenants so I can’t say.