Add a User as a Member from a different Azure AD Tenant

Azure Active Directory (Azure AD) can have two types of users: Member and Guest.

Microsoft states the following in their documentation:

The UserType has no relation to how the user signs in, the directory role of the user, and so on. This property simply indicates the user's relationship to the host organization and allows the organization to enforce policies that depend on this property.

The same documentation goes on to state:

There may be cases where you want to give your guest users higher privileges. You can add a guest user to any role and even remove the default guest user restrictions in the directory to give a user the same privileges as members.

It's possible to turn off the default limitations so that a guest user in the company directory has the same permissions as a member user.

So they actually are different…  What if you do not want to turn off the default limitations for all guest users, but one or more external user(s) need elevated access to manage your entire Azure Directory?  For example, you are working with a consulting firm like NetCorp, and you need their team to have administrative access into your Azure AD Tenant.

How about adding the External User as a Member instead of a Guest?

This is accomplished through PowerShell using the New-AzureADMSInvitation function.  This used to be possible to do through the Portal, though it appears the feature was taken away.

The following is an example of what the call would look like:

New-AzureADMSInvitation -InvitedUserEmailAddress "" -InviteRedirectUrl "" -SendInvitationMessage $false -InvitedUserType "Member"

It’s important to address some of the parameters used in the above example.

First, the InvitedUserType parameter is set to “Member” to override the default value of Guest.

Second, a user will have to accept the invitation by accessing a redemption URL while logged in as the invited user.  By default, this invitation will arrive via email.  An edge case caveat here would be if the invited user does not have a mailbox associated with the given Azure AD User’s login.  The SendInvitationMessage parameter controls whether an email invitation is sent.  In our example above, we are turning off this functionality.

Third, the InviteRedirectUrl parameter is required, but can be a ‘bum’ URL – so long as the invited user knows this.  Otherwise, it is best to redirect the user to your organization’s website homepage, or maybe the Azure Portal (e.g.

The resulting output is as follows.  Please note, if you set SendInvitationMessage to $false, you must take note of the value in the InviteRedeemUrl and provide it to the invited user.  Preferably, with instructions on how to access it (while logged in as themselves).

Id                      : ********-****-****-****-************
InvitedUserDisplayName  : John Doe
InvitedUserEmailAddress :
SendInvitationMessage   : False

InviteRedeemUrl         :********-****-****-****-************&user=**********-****-****-***********&ticket=Omgm11231YaPSYkw5Yz21jj1010mnzsd0wP25%2f23aqSQ9u%2bZfTRM%3d&ver=2.0

InviteRedirectUrl       :
InvitedUser             : class User {
                            Id: *********-****-****-****-**********
InvitedUserType         : Member
Status                  : PendingAcceptance

I hope this was as helpful to you as it was for the customer I was serving today.

Leave a Reply