Azure-docs: Invitation redemption failed - federated directory

Created on 23 Nov 2018 · 12 Comments · Source: MicrosoftDocs/azure-docs

AAD B2B fails when the invitation is sent to a company whose directory is federated but not synced. There is no warning that the invitation will fail, and the user experience is that the behaviour is random, although it is directly connected to specific domains. The full error message is: Invitation redemption failed
AADB2B_0001 : We cannot create a self-service Azure AD account for you because the directory is federated. Tenant's admin must create an account for you.

When will this be fixed in the AAD B2B?



Most helpful comment

This kind of behavior is still occurring, so it was the guest's organization that corrected the sync issue, thereby allowing the invitations to be accepted. What I have been able to understand is that the invitation acceptance process essentially does the following:

  1. Checks the guest's domain to see if it is associated with an Azure tenant:
     A. If yes, domain is identified as being federated with an Azure AD directory, then
        A.1. Checks the email address to see if account is present in Azure AD in guest's tenant
        A.2. If yes, invitation is accepted, and user continues
        A.3. If user is not in the Azure AD directory, the error message displays, and process stops.
     B. If user domain is not associated with an Azure tenant, then
        B.1. User is redirected to "self-service Azure AD", and is asked to give a password, and then the account is created in, essentially, a single-user Azure AD directory for that email address
        B.2. User is then able to proceed, with the invitation accepted.

So the key point of failure in this process is when a user's email address is in an on-premises AD that is federated with an Azure AD, but that user account (for whatever reason) is not synced to the Azure AD directory. Once you understand the process, the error message makes sense, except I would say "The Guest User's Tenant admin must create an account for you in their Azure AD.", for clarity's sake.

I'm not sure there is a means for addressing this as an issue, without having the guest user's email address somewhere in an Azure AD directory.

All 12 comments

Thanks for the feedback! We are currently investigating and will update you shortly.

@SEI-Billing Please post this as a feedback @ https://feedback.azure.com/forums/169401-azure-active-directory This will allow the community to upvote and for the product team to include into their plans. We also have the "Give Product Feedback" button in our documents now to take you directly to the appropriate feedback page.

@SEI-Billing We will now proceed to close this thread. If there are further questions regarding this matter, please open a new issue and we will gladly continue the discussion.

@SEI-Billing I'm experiencing the same issue. Did you find a resolution? @MohitGargMSFT I can create a new issue, but it will be a replica of this one.

was this issue resolved? what is the solution to it?

For me, no. I didn't get a response (to be fair @MohitGargMSFT explicitly asked to open a new ticket to continue the conversation, I understand that). I have been unable to resolve this issue for my user. They simply can't sign in and have had to go through the painful experience of creating a new temporary personal Microsoft account so they can sign in to our service. Their work account is the one that does not work - I'm working with this person's IT department to resolve the issue / figure out what is causing their Azure AD to be out of sync. Presumably, in their federated scenario, my particular user has access to their AD (i.e. they can access / sign in to their internal apps), but their user info is not synced to Azure AD. So when they receive this invite, Azure AD tries to create an account and fails to do so because the directory is federated. That's my current understanding. I'll post back when I resolve this issue with this customer's IT to hopefully help others encountering this error. Ideally, the graph API would know this ahead of time and give an error that the invite will not work.

@jasonavocette in case this adds more useful info for you / anyone else experiencing this problem: invitations suddenly started working for the user / organization we were having problems with. We had re-generated invitations ~20-30 days ago when I initially commented on this ticket, and got the same error every time. This time around, the user simply accepted their latest invite from 20 days ago, and the invite was seamless as usual. Unfortunately, I couldn't get in contact with their org's IT, so I am not sure if they changed configuration. I think it's most likely their organization's IT changed configuration, but I also considered the possibility that Microsoft's invitations/auth system had a bug fix that transparently resolved the issue for everyone.


Forgive me if I'm late to the party, but what is the process to sync the user's email address to the Azure AD? And to confirm, this is the customer/guest organization's Azure AD that the user's email address is not synced up with?

I am facing the same issue.

Invitation redemption failed
AADB2B_0001 : We cannot create a self-service Azure AD account for you because the directory is federated. Tenant's admin must create an account for you.

Is there any solution available?

I was able to solve a similar problem today relatively quickly.
In our case, the remote organization has its own AAD tenant and a federated domain (via ADFS). The error simply tells you that as soon as a domain is federated, you can't create accounts directly through Azure AD, regardless of whether they are guest accounts in your tenant or accounts directly in the remote tenant of the organization you try to establish B2B with.
This error actually doesn't happen that often, simply because in many cases the email you try to send the invitation to is the same as the UPN of the account in Azure AD. That's not the case in all cases.
So in our case I contacted the remote party and asked if account names are equal to their emails. They're not, so I asked them for the actual usernames. Then I proceeded with creating a manual invitation using PS and sent them the link as described in https://docs.microsoft.com/en-us/azure/active-directory/b2b/b2b-quickstart-invite-powershell#send-an-invitation

  • As -InviteRedirectURL parameter I specified https://portal.azure.com/, however, I don't know if it's necessary

  • As -InvitedUserEmailAddress it should be real username, if it's not the same as email. That's why you need to send the code manually
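The following is an added example, not code from the thread or from Microsoft's documentation. It turns the two observations above into an admin-side pre-flight: the redemption flow described in the "most helpful comment" (a domain that some tenant owns and federates only redeems for a UPN that already exists in that tenant, while an unowned domain falls through to self-service sign-up), and the manual PowerShell invitation from the comment just above (create the invitation without sending mail, then hand the redeem URL over yourself so it can be issued against the invitee's real UPN rather than their mail address). It assumes the AzureAD module is installed and `Connect-AzureAD` has already been run; `$Upn`, `$RedirectUrl` and the display name are placeholders. The realm lookup uses the `getuserrealm.srf` endpoint of login.microsoftonline.com, which reports a domain's namespace type (Managed, Federated or Unknown); its response shape is an assumption of this example, not something the page documents.

```powershell
# Added example (not from the issue thread). Assumes: AzureAD module installed,
# Connect-AzureAD already run as a user allowed to invite guests.

function Get-InviteeRealm {
    param([Parameter(Mandatory)][string]$Upn)
    # Public user-realm lookup on login.microsoftonline.com. NameSpaceType is one of
    # 'Managed', 'Federated' or 'Unknown' (domain not verified in any Azure AD tenant).
    $encoded = [uri]::EscapeDataString($Upn)
    $uri = "https://login.microsoftonline.com/getuserrealm.srf?login=$encoded&json=1"
    Invoke-RestMethod -Uri $uri -Method Get
}

function Test-InviteePrereq {
    param([Parameter(Mandatory)][string]$Upn)
    $realm = Get-InviteeRealm -Upn $Upn
    switch ($realm.NameSpaceType) {
        'Unknown' {
            # Path B in the thread: no tenant owns the domain, redemption offers
            # self-service sign-up, so AADB2B_0001 cannot occur.
            [pscustomobject]@{ Upn = $Upn; Realm = 'Unknown'; Risk = 'Low'
                Note = 'Domain not owned by any tenant; redemption falls through to self-service sign-up.' }
        }
        'Managed' {
            # Tenant owns the domain with cloud authentication; the invitee signs in
            # to their home tenant and no self-service account is needed.
            [pscustomobject]@{ Upn = $Upn; Realm = 'Managed'; Risk = 'Low'
                Note = 'Domain is cloud-managed by a tenant; redemption signs in to the home tenant.' }
        }
        'Federated' {
            # Path A in the thread: redemption only succeeds if this exact UPN already
            # exists (is synced) in the home tenant. This is where AADB2B_0001 appears.
            $brand = $realm.FederationBrandName
            [pscustomobject]@{ Upn = $Upn; Realm = 'Federated'; Risk = 'High'
                Note = "Domain is federated ($brand). Confirm with the invitee's admin that this UPN exists in their Azure AD before inviting." }
        }
        default {
            [pscustomobject]@{ Upn = $Upn; Realm = "$($realm.NameSpaceType)"; Risk = 'Unknown'
                Note = 'Unrecognised realm type; verify manually.' }
        }
    }
}

function New-PreflightedInvitation {
    param(
        [Parameter(Mandatory)][string]$Upn,          # the invitee's real UPN, not necessarily their mail address
        [Parameter(Mandatory)][string]$RedirectUrl,  # e.g. 'https://portal.azure.com/' as in the comment above
        [string]$DisplayName
    )
    $check = Test-InviteePrereq -Upn $Upn
    if ($check.Risk -eq 'High') { Write-Warning $check.Note }

    # SendInvitationMessage $false: Azure AD does not mail the invitee; we pass the
    # redeem URL on ourselves, as the comment above does when UPN and email differ.
    $params = @{
        InvitedUserEmailAddress = $Upn
        InviteRedirectUrl       = $RedirectUrl
        SendInvitationMessage   = $false
    }
    if ($DisplayName) { $params['InvitedUserDisplayName'] = $DisplayName }
    $inv = New-AzureADMSInvitation @params

    [pscustomobject]@{
        Upn       = $Upn
        Realm     = $check.Realm
        Risk      = $check.Risk
        Status    = $inv.Status          # 'PendingAcceptance' for a fresh invitation
        RedeemUrl = $inv.InviteRedeemUrl # hand this to the invitee out of band
    }
}

# Usage (placeholder values):
# Connect-AzureAD
# New-PreflightedInvitation -Upn 'jdoe@contoso.example' -RedirectUrl 'https://portal.azure.com/' -DisplayName 'J. Doe'
```

The check cannot see inside the other organization's tenant, so a 'High' result is a prompt to confirm the UPN with their admin (the manual step the comment above describes), not proof that redemption will fail; a 'Low' result means the directory-federated branch of the flow is not in play for that address.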

I have posted the following AAD "suggestion" to deal with this problem:
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/38748157-need-some-way-to-deal-with-aadb2b-0001-we-cann

Please up-vote.
