B2B collaboration invitation redemption

  • Article

Applies to: Green circle with a white check mark symbol. Workforce tenants White circle with a gray X symbol. External tenants (learn more)

This article describes the ways guest users can access your resources and the consent process they'll encounter. If you send an invitation email to the guest, the invitation includes a link the guest can redeem to get access to your app or portal. The invitation email is just one of the ways guests can get access to your resources. As an alternative, you can add guests to your directory and give them a direct link to the portal or app you want to share. Regardless of the method they use, guests are guided through a first-time consent process. This process ensures that your guests agree to privacy terms and accept any terms of use you've set up.

When you add a guest user to your directory, the guest user account has a consent status (viewable in PowerShell) that’s initially set to PendingAcceptance. This setting remains until the guest accepts your invitation and agrees to your privacy policy and terms of use. After that, the consent status changes to Accepted, and the consent pages are no longer presented to the guest.

As an alternative to the invitation email or an application's common URL, you can give a guest a direct link to your app or portal. You first need to add the guest user to your directory via the Microsoft Entra admin center or PowerShell. When a guest uses a direct link instead of the invitation email, they’ll still be guided through the first-time consent experience.

Note

A direct link is tenant-specific. In other words, it includes a tenant ID or verified domain so the guest can be authenticated in your tenant, where the shared app is located. Here are some examples of direct links with tenant context:

  • Microsoft Entra admin center: https://entra.microsoftonline.cn/<tenant id>

Here are some things to note about using a direct link versus an invitation email:

  • Email aliases: Guests who use an alias of the email address that was invited will need an email invitation. (An alias is another email address associated with an email account.) The user must select the redemption URL in the invitation email.

  • Conflicting contact objects: The redemption process has been updated to prevent sign-in issues when a guest user object conflicts with a contact object in the directory. Whenever you add or invite a guest with an email that matches an existing contact, the proxyAddresses property on the guest user object is left empty. Previously, External ID searched only the proxyAddresses property, so direct link redemption failed when it couldn’t find a match. Now, External ID searches both the proxyAddresses and invited email properties.

Redemption process through the invitation email

When you add a guest user to your directory by using the Azure portal, an invitation email is sent to the guest in the process. You can also choose to send invitation emails when you’re using PowerShell to add guest users to your directory. Here’s a description of the guest’s experience when they redeem the link in the email.

  1. The guest receives an invitation email that's sent from Microsoft Invitations.
  2. The guest selects Accept invitation in the email.
  3. The guest is guided through the consent experience described below.

When a guest signs in to a resource in a partner organization for the first time, they're presented with the following consent experience. These consent pages are shown to the guest only after sign-in, and they aren't displayed at all if the user has already accepted them.

  1. The guest reviews the Review permissions page describing the inviting organization's privacy statement. A user must Accept the use of their information in accordance to the inviting organization's privacy policies to continue.

    By agreeing to this consent prompt, you acknowledge that certain elements of your account will be shared. These include your name, photo, and email address, as well as directory identifiers which may be used by the other organization to better manage your account, and to improve your cross-organization experience.

    Screenshot showing the Review permissions page.

    Note

    For information about how you as a tenant administrator can link to your organization's privacy statement, see How-to: Add your organization's privacy info in Microsoft Entra ID.

  2. If terms of use are configured, the guest opens and reviews the terms of use, and then selects Accept.

    Screenshot showing new terms of use.

    You can configure terms of use in External Identities > Terms of use.

  3. Unless otherwise specified, the guest is redirected to the Apps access panel, which lists the applications the guest can access.

    Screenshot showing the Apps access panel.

In your directory, the guest's Invitation accepted value changes to Yes. For more information about guest user account properties, see Properties of a Microsoft Entra B2B collaboration user. If you see an error that requires admin consent while accessing an application, see how to grant admin consent to apps.

Next steps