One of the benefits of Cloud Services is the continual enhancements that vendors provide based on feedback from their customers. One item of feedback that Microsoft has heard often is the request to know what state a Guest user in Azure AD is in. In the last couple of days Microsoft exposed two additional attributes on the User objectClass in Azure AD:

  • externalUserState
  • externalUserStateChangeDateTime


This means we can now query the Microsoft Graph for B2B users and understand if they have Accepted or are PendingAcceptance, and the datetime of the last change.

My customers have been wanting such information and would like to report on it. Here is an example PowerShell script I’ve put together that queries Microsoft Graph to locate B2B Users in the Accepted and PendingAcceptance states and outputs summary information into two HTML Reports, one for Accepted and one for PendingAcceptance.

Update the following script:

  • Line 2 for a Microsoft Azure PowerShell Module such as AzureAD that has the Microsoft.IdentityModel.Clients.ActiveDirectory.dll library in it
  • Line 5 for your Tenant name
  • Lines 15 and 16 for a Username and Password
  • Line 19 for where you want the Reports written to

Running the script will then generate the Accepted and Pending HTML Reports.

[Screenshot: Output Reports]

Here is an example of the AcceptedB2BUsers HTML Report.

[Screenshot: Accepted Report]

Summary

With the addition of these two attributes to the Microsoft Graph we can now query for B2B users based on their state and, using PowerShell, quickly report on them.
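A sketch of the query-and-report flow described in this post, as an added example that is not the post's original script. It assumes a Microsoft Graph bearer token obtained separately and passed in as `$AccessToken`, uses the Graph v1.0 endpoint, and the function names, the `DaysInState` column, the pending report's file name and the `C:\Reports` path are illustrative.

```powershell
# Added example (not the post's script). Assumptions: $AccessToken is a Microsoft Graph
# bearer token allowed to read users; the v1.0 endpoint is used; names are illustrative.
function Get-B2BUsersByState {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter(Mandatory)][ValidateSet('Accepted', 'PendingAcceptance')][string]$State
    )
    $headers = @{ Authorization = "Bearer $AccessToken" }
    $select  = 'displayName,userPrincipalName,mail,externalUserState,externalUserStateChangeDateTime'
    $uri     = "https://graph.microsoft.com/v1.0/users?`$filter=externalUserState eq '$State'&`$select=$select"
    $users = @()
    while ($uri) {
        # Graph pages its results; follow @odata.nextLink until it is absent.
        $page   = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
        $users += $page.value
        $uri    = $page.'@odata.nextLink'
    }
    $users
}

function Export-B2BStateReport {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [string]$ReportFolder = '.'
    )
    $now = (Get-Date).ToUniversalTime()
    foreach ($state in 'Accepted', 'PendingAcceptance') {
        $rows = Get-B2BUsersByState -AccessToken $AccessToken -State $state |
            Select-Object displayName, userPrincipalName, mail, externalUserState,
                externalUserStateChangeDateTime,
                @{ Name = 'DaysInState'; Expression = {
                    # Whole days (rounded) since the state last changed; blank if no timestamp.
                    if ($_.externalUserStateChangeDateTime) {
                        [int]($now - ([datetime]$_.externalUserStateChangeDateTime).ToUniversalTime()).TotalDays
                    }
                } } |
            Sort-Object DaysInState -Descending
        # One report per state, e.g. AcceptedB2BUsers.html
        $path = Join-Path $ReportFolder "${state}B2BUsers.html"
        $rows | ConvertTo-Html -Title "$state B2B Users" -PreContent "<h2>$state B2B users: $(@($rows).Count)</h2>" |
            Set-Content -Path $path -Encoding UTF8
        Write-Output $path
    }
}

# Usage: Export-B2BStateReport -AccessToken $token -ReportFolder 'C:\Reports'
```

Sorting by `DaysInState` puts the longest-outstanding invitations at the top of the PendingAcceptance report, which is the list to review when cleaning up guest accounts that were never redeemed.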


Join the conversation! 1 Comment

  1. Let me contribute on this topic.

    You can use the commands below for a quick “view” on Accepted or Pending Acceptance.

    Accepted:
    Get-AzureADUser -All $true | ? {$_.ExtensionProperty.userState -eq 'Accepted'} | select userprincipalname,@{Name="B2B";Expression={$_.ExtensionProperty.userState}}

    PendingAcceptance:
    Get-AzureADUser -All $true | ? {$_.ExtensionProperty.userState -eq 'PendingAcceptance'} | select userprincipalname,@{Name="B2B";Expression={$_.ExtensionProperty.userState}}
