OT - Office 365 - UPN authentication issue

  • 298 Views
  • Last Post 13 October 2015
nidhin_ck posted this 08 October 2015

Hi Experts,
We are facing authentication issues in SharePoint 365 when other companies' tenants share their resources with our tenant users. Currently our AD users' UPN & email are not matching. The issue we have is when other companies share something in SharePoint to our company employees, they receive an email with the invitation link to the shared resource; when our users click on the link, they are authenticated first by our O365 tenant and then go to the shared link. The problem here is that SharePoint tries to match the email used in the invitation with the UPN of our users, not the email, and because our UPN does not match the email they are rejected.
Is there any other option rather than changing the UPN of all users? Anything we can do from our company side, like in ADFS, etc.?

Regards,
Nidhin CK

ChuckRobinson posted this 13 October 2015

Alternate ID is not supported if using Exchange Hybrid. 

nidhin_ck posted this 13 October 2015

Received an email from MS guys on this topic. They suggest using Alternate ID on the ADFS side. So users would auth using their email and NOT their UPN. Has anyone implemented this feature in your organisation? Will this affect any current Office 365 authentication (SharePoint, Yammer, etc.)?
https://technet.microsoft.com/en-us/library/dn659436.aspx
Regards,
Nidhin CK


nidhin_ck posted this 09 October 2015

Hi Brian,
So is there any way we can do something from ADFS side? Currently our org email is like userfirstname.lastname@xxxxxxxxxxxxxxxx and UPN is like samaccountname@xxxxxxxxxxxxxxxx
Regards,
Nidhin CK


barkills posted this 08 October 2015

A couple of things specific to this:

Some technical background on this topic is related to the RequireAcceptingAccountMatchInvitedAccount parameter. This is mentioned here: https://support.office.com/en-us/article/Manage-external-sharing-for-your-SharePoint-Online-environment-C8A462EB-0723-4B0B-8D0A-70FEAFE4BE85, under "Use Windows PowerShell to control how external sharing invitations can be accepted". It's a parameter for Set-SPOTenant, so also covered here: http://go.microsoft.com/fwlink/?LinkId=617177

In other words, your partner has chosen to restrict their SharePoint based invitations such that email must equal UPN. You might convince them to not do that until the underlying risk has a holistic solution/mitigation. There currently is no way to restrict all AAD invitations such that email must equal UPN or that they correspond to some approved list, so the SharePoint specific parameter still leaves risk in terms of mitigation. The general risk here is that without this mitigation (i.e. the parameter) the invitation constitutes a single-use pass to create a guest/external user account in your tenant with any UPN, i.e. the person who gets the invitation can forward it to someone else who can use it to get that external account. Of course, the UPN (and the underlying identity) must exist in another AAD or Microsoft account, but that's not much consolation for a variety of scenarios.

Finally, I know this issue has been brought up with both the AAD product team (the B2B folks) and SharePoint Online because we raised the issue with them last month. I won't speak on their behalf, but I heard this was in their backlog; I don't really know what solution they'll pursue or the timeline.
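An added PowerShell audit (not posted by anyone in this thread) that ties the two technical points together: it lists the on-premises users whose mail attribute differs from their UPN, the population nidhin_ck describes as being rejected, and reads back the RequireAcceptingAccountMatchInvitedAccount setting that barkills explains, so you can see whether your own tenant imposes the same restriction on partners. It assumes the ActiveDirectory and Microsoft.Online.SharePoint.PowerShell modules are installed and that Connect-SPOService has already been run; the OU and forest names are placeholders.

```powershell
# Added example, not code from the thread. Placeholders: the OU search base and forest name.
Import-Module ActiveDirectory

# 1. Users whose mail attribute does not equal their UPN. When a partner tenant has
#    RequireAcceptingAccountMatchInvitedAccount enabled, invitations sent to these
#    users' mail addresses cannot be redeemed by their UPN-based sign-in.
function Get-UpnMailMismatch {
    param([string]$SearchBase = "OU=Users,DC=contoso,DC=com")   # placeholder OU
    Get-ADUser -Filter 'mail -like "*"' -SearchBase $SearchBase -Properties mail, userPrincipalName |
        Where-Object { $_.mail -ne $_.UserPrincipalName } |      # -ne is case-insensitive, like UPN matching
        Select-Object SamAccountName, UserPrincipalName, mail
}

$mismatch = @(Get-UpnMailMismatch)
"{0} users have mail <> UPN" -f $mismatch.Count
$mismatch | Format-Table -AutoSize

# 2. Your own tenant's invitation-acceptance setting (Get-SPOTenant exposes the property
#    that Set-SPOTenant writes). $true: an invitation can only be redeemed by the account it
#    was sent to. $false: the invitation is the single-use pass barkills describes, redeemable
#    by any AAD or Microsoft account the link is forwarded to.
$tenant = Get-SPOTenant
"RequireAcceptingAccountMatchInvitedAccount: {0}" -f $tenant.RequireAcceptingAccountMatchInvitedAccount
if (-not $tenant.RequireAcceptingAccountMatchInvitedAccount) {
    Write-Warning "Forwarded sharing invitations can be redeemed by a different account than the one invited."
}

# 3. For reference only: the ADFS Alternate Login ID change from the TechNet article nidhin_ck
#    linked, which makes the mail attribute the sign-in identifier instead of the UPN.
#    Left commented out; review the article and ChuckRobinson's Exchange Hybrid caveat first.
# Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID mail -LookupForests "contoso.com"
```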
