Microsoft Entra B2B collaboration invitation redemption

This article describes the ways guest users can access your resources and the consent process they'll encounter. If you send an invitation email to the guest, the invitation includes a link the guest can redeem to get access to your app or portal. The invitation email is just one of the ways guests can get access to your resources. As an alternative, you can add guests to your directory and give them a direct link to the portal or app you want to share. Regardless of the method they use, guests are guided through a first-time consent process. This process ensures that your guests agree to privacy terms and accept any terms of use you've set up.

When you add a guest user to your directory, the guest user account has a consent status (viewable in PowerShell) that’s initially set to PendingAcceptance. This setting remains until the guest accepts your invitation and agrees to your privacy policy and terms of use. After that, the consent status changes to Accepted, and the consent pages are no longer presented to the guest.
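The following PowerShell is an added example, not part of the original article. It reports guests whose consent status is still PendingAcceptance after a set number of days, so unredeemed invitations can be reviewed. It assumes the consent status is the `externalUserState` property of the Microsoft Graph user object; the function name `Get-StalePendingGuest`, the 30-day threshold, and the sample accounts are constructed for illustration.

```powershell
# Added example: flag guest accounts that have not completed redemption.
# Get-StalePendingGuest is a hypothetical helper, not a Microsoft cmdlet.
function Get-StalePendingGuest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object]$User,
        [int]$OlderThanDays = 30,                       # assumed review threshold
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    process {
        if ($User.UserType -ne 'Guest') { return }
        if ($User.ExternalUserState -ne 'PendingAcceptance') { return }

        # Prefer the state-change timestamp; fall back to account creation time.
        $since = $User.ExternalUserStateChangeDateTime
        if (-not $since) { $since = $User.CreatedDateTime }

        $age = $null
        if ($since) {
            $delta = $Now.ToUniversalTime() - ([datetime]$since).ToUniversalTime()
            $age = [math]::Floor($delta.TotalDays)
        }
        # Pending guests with no usable timestamp are still reported (AgeDays empty).
        if ($null -ne $age -and $age -lt $OlderThanDays) { return }

        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            Mail              = $User.Mail
            ExternalUserState = $User.ExternalUserState
            AgeDays           = $age
        }
    }
}

# Constructed sample records shaped like Graph user objects (not real accounts).
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice_fabrikam.example#EXT#@contoso.example'; Mail = 'alice@fabrikam.example'; UserType = 'Guest';  ExternalUserState = 'PendingAcceptance'; ExternalUserStateChangeDateTime = [datetime]'2024-01-10T00:00:00Z'; CreatedDateTime = [datetime]'2024-01-10T00:00:00Z' }
    [pscustomobject]@{ UserPrincipalName = 'bob_fabrikam.example#EXT#@contoso.example';   Mail = 'bob@fabrikam.example';   UserType = 'Guest';  ExternalUserState = 'Accepted';          ExternalUserStateChangeDateTime = [datetime]'2024-01-12T00:00:00Z'; CreatedDateTime = [datetime]'2024-01-10T00:00:00Z' }
    [pscustomobject]@{ UserPrincipalName = 'carol_fabrikam.example#EXT#@contoso.example'; Mail = 'carol@fabrikam.example'; UserType = 'Guest';  ExternalUserState = 'PendingAcceptance'; ExternalUserStateChangeDateTime = [datetime]'2024-02-25T00:00:00Z'; CreatedDateTime = [datetime]'2024-02-25T00:00:00Z' }
    [pscustomobject]@{ UserPrincipalName = 'dave@contoso.example';                        Mail = 'dave@contoso.example';   UserType = 'Member'; ExternalUserState = $null;               ExternalUserStateChangeDateTime = $null;                            CreatedDateTime = [datetime]'2023-06-01T00:00:00Z' }
)
$sample | Get-StalePendingGuest -Now ([datetime]'2024-03-01T00:00:00Z') | Format-Table

# Against a live tenant (Microsoft.Graph module, User.Read.All permission):
# Connect-MgGraph -Scopes 'User.Read.All'
# Get-MgUser -All -Filter "userType eq 'Guest'" -Property userPrincipalName,mail,userType,externalUserState,externalUserStateChangeDateTime,createdDateTime | Get-StalePendingGuest
```

`externalUserState` is not in the default property set returned by `Get-MgUser`, which is why the live query requests it explicitly with `-Property`.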

Redemption process through the invitation email

When you add a guest user to your directory by using the Azure portal, an invitation email is sent to the guest in the process. You can also choose to send invitation emails when you’re using PowerShell to add guest users to your directory. Here’s a description of the guest’s experience when they redeem the link in the email.

  1. The guest receives an invitation email that's sent from Microsoft Invitations.
  2. The guest selects Accept invitation in the email.
  3. The guest is guided through the consent experience described below.

As an alternative to the invitation email or an application's common URL, you can give a guest a direct link to your app or portal. You first need to add the guest user to your directory via the Microsoft Entra admin center or PowerShell. When a guest uses a direct link instead of the invitation email, they’ll still be guided through the first-time consent experience.

Note

A direct link is tenant-specific. In other words, it includes a tenant ID or verified domain so the guest can be authenticated in your tenant, where the shared app is located. Here are some examples of direct links with tenant context:

  • Microsoft Entra admin center: https://entra.microsoftonline.cn/<tenant id>

There are some cases where the invitation email is recommended over a direct link. If these special cases are important to your organization, we recommend that you invite users by using methods that still send the invitation email:

  • Sometimes the invited user object may not have an email address because of a conflict with a contact object (for example, an Outlook contact object). In this case, the user must select the redemption URL in the invitation email.
  • The user may sign in with an alias of the email address that was invited. (An alias is another email address associated with an email account.) In this case, the user must select the redemption URL in the invitation email.

When a guest signs in to a resource in a partner organization for the first time, they're presented with the following consent experience. These consent pages are shown to the guest only after sign-in, and they aren't displayed at all if the user has already accepted them.

  1. The guest reviews the Review permissions page describing the inviting organization's privacy statement. A user must Accept the use of their information in accordance with the inviting organization's privacy policies to continue.

    Screenshot showing the Review permissions page.

    Note

    For information about how you as a tenant administrator can link to your organization's privacy statement, see How-to: Add your organization's privacy info in Microsoft Entra ID.

  2. If terms of use are configured, the guest opens and reviews the terms of use, and then selects Accept.

    Screenshot showing new terms of use.

    You can configure terms of use in External Identities > Terms of use.

  3. Unless otherwise specified, the guest is redirected to the Apps access panel, which lists the applications the guest can access.

    Screenshot showing the Apps access panel.

In your directory, the guest's Invitation accepted value changes to Yes. For more information about guest user account properties, see Properties of a Microsoft Entra B2B collaboration user. If you see an error that requires admin consent while accessing an application, see how to grant admin consent to apps.

Next steps