KnowledgeBase: Colleagues receive ‘We cannot create a self-service Azure AD account for you because domain.tld has disabled self-service account sign-up by email validation. Ask domain.tld's admin to enable EmailVerified users or create an account for you.’ when they try to redeem an Azure AD B2B invitation

Azure AD

Sometimes, error codes for Microsoft products and technologies are really straightforward. Even then, in situations where you have limited or no troubleshooting options, as in Azure Active Directory (Azure AD), they can prove difficult to solve.

Today, let’s look at an error your colleagues might encounter with default Azure AD settings in the context of Azure AD B2B collaboration.


The situation

Your organization uses Azure AD and has chosen not to synchronize all user objects from Active Directory, or has chosen not to create Azure AD user objects for all colleagues.

Someone at a partner organization wants to collaborate with a colleague in your organization.

The colleague does not have a user object in Azure AD, but does have a mailbox with an email address in a DNS domain name that is configured as a custom domain name for your organization’s Azure AD tenant.

The person or an admin at the partner organization creates an invitation as part of Azure AD B2B. This results in an invitation message being sent to the aforementioned mailbox.


The error

When the colleague clicks the link in the invitation message, the colleague receives the following error in their browser:

We cannot create a self-service Azure AD account for you because domain.tld has disabled self-service account sign-up by email validation. Ask domain.tld's admin to enable EmailVerified users or create an account for you.

The colleague is unable to redeem the invitation. The colleague cannot collaborate with the people in the partner organization.


The cause

Your colleague receives the error because:

  1. There is no account in the Azure AD tenant for the person, and
  2. The AllowEmailVerifiedUsers option is disabled in the Azure AD tenant (the default).

In the context of Azure AD B2B collaboration, a guest object is created in the Azure AD tenant of the inviter (the partner organization) and a reference is added to the user object in the Azure AD tenant of the invitee (the home organization).

When the AllowEmailVerifiedUsers option is disabled in the Azure AD tenant of the invitee, the reference cannot be created as the user object doesn’t exist. The disabled state is the default state for this option.

When the AllowEmailVerifiedUsers option is enabled in the Azure AD tenant of the invitee, the reference is written to a newly created self-service user object.

This particular error appears because Microsoft switched all Azure AD tenants to use the Email one-time passcode for guests feature for Azure AD B2B collaboration by default. Previously, in the cases above, colleagues would receive a different error message.


The solution

To allow your colleague to collaborate with people in the partner organization, enable the AllowEmailVerifiedUsers option. Perform these steps as an admin to do so:

  1. On a Windows-based device, install the MSOnline PowerShell module, with the following line of PowerShell in an elevated Windows PowerShell window:

    Install-Module MSOnline

  2. Follow the prompts on the screen to install the PowerShell module.
  3. Kick off the sign-in process towards your Azure AD tenant with the following line of PowerShell:

    Connect-MsolService

  4. Sign in with an account that has the Global Administrator role assigned. Perform multi-factor authentication when prompted to do so.
  5. Get the current status of the AllowEmailVerifiedUsers option in the Azure AD tenant with the following line of PowerShell:

    Get-MsolCompanyInformation | Format-List AllowEmailVerifiedUsers

  6. This returns the state False.
  7. Enable the AllowEmailVerifiedUsers option in the Azure AD tenant with the following line of PowerShell:

    Set-MsolCompanySettings -AllowEmailVerifiedUsers $true

  8. Get the current status of the AllowEmailVerifiedUsers option in the Azure AD tenant with the following line of PowerShell:

    Get-MsolCompanyInformation | Format-List AllowEmailVerifiedUsers

  9. This returns the state True.
  10. Close the Windows PowerShell window.

Now, ask the colleague to redeem the invitation from the email message again. He/she/they will now be able to successfully redeem the invitation and collaborate with the people in the partner organization.
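The steps above as one idempotent script, added here as an example that is not part of the original post: it reads the current state, changes the setting only when it is still disabled, verifies the result and writes a small audit record, since AllowEmailVerifiedUsers is a tenant-wide setting that lets anyone with a verified address in one of the tenant's domains create a self-service user object. The `-WhatIf` switch and the CSV file name are assumptions of this example, not part of the MSOnline module.

```powershell
# Added example: check and enable AllowEmailVerifiedUsers with the MSOnline module.
# Assumes the module is installed and the signed-in account holds Global Administrator.
param(
    [switch]$WhatIf   # assumed parameter of this script: report only, change nothing
)

Import-Module MSOnline -ErrorAction Stop
Connect-MsolService   # interactive sign-in; complete MFA when prompted

$before = (Get-MsolCompanyInformation).AllowEmailVerifiedUsers
Write-Host "AllowEmailVerifiedUsers before: $before"

if ($before) {
    Write-Host "Already enabled; nothing to do."
    return
}

if ($WhatIf) {
    Write-Host "Would run: Set-MsolCompanySettings -AllowEmailVerifiedUsers `$true"
    return
}

Set-MsolCompanySettings -AllowEmailVerifiedUsers $true

# Re-read the setting rather than trusting the call succeeded silently.
$after = (Get-MsolCompanyInformation).AllowEmailVerifiedUsers
if (-not $after) {
    throw "Setting did not change; verify the signed-in account holds Global Administrator."
}
Write-Host "AllowEmailVerifiedUsers after: $after"

# Keep a record of who changed the tenant-wide setting and when (file name assumed).
$record = [pscustomobject]@{
    Timestamp = (Get-Date).ToString('o')
    Setting   = 'AllowEmailVerifiedUsers'
    Before    = $before
    After     = $after
    ChangedBy = $env:USERNAME
}
$record | Export-Csv -Path '.\AllowEmailVerifiedUsers-change.csv' -NoTypeInformation -Append
```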


Further reading

Set-MsolCompanySettings (MSOnline)
Troubleshooting B2B collaboration – Azure Active Directory
Can not join to MS Teams – self-service account sign-up by email validation is disabled
Self-Service Azure AD Error
Enable EmailVerified Users
Self-service sign-up for email-verified users – Azure AD
