Microsoft Entra B2B - Reset Redemption Status OID collision


I'm following guidance here to reset the external identity for an Azure AD B2B guest account:

https://learn.microsoft.com/en-us/entra/external-id/reset-redemption-status#use-microsoft-graph-api-to-reset-redemption-status

I've discovered, and it's reproducible, that the IDs may collide in this scenario:

  1. Invite a guest account from [email protected]; resulting OID is 11111 (guid)
  2. Reset redemption status for this account to [email protected]; OID is the same. Before actually calling the invitation API with the ResetRedemption flag set to true, I'm first patching the user object like this:

     // PATCH body for the existing guest object, repointed at the new address
     var user = new User
     {
         Id = graphUser.Id,
         Mail = graphUser.Mail,
         UserPrincipalName = GetAADExtUpnString(graphUser.Mail),
         OtherMails = new[] { graphUser.Mail }
     };

(I had to update OtherMails because the reset was failing if it didn't include the new email. I had to reset UPN because the 2nd invitation was trying to create a Live account rather than initiating an email token flow, and updating the UPN fixed that. I started resetting the other properties based on the issue I'm describing; the intent was to purge the account of any reference to the original email, for reasons you'll see.)

  3. Confirm that the account has the same ID but is linked to the new email address, and all other properties are updated as well.
  4. NOW, invite a new user with email [email protected].
  5. The resulting user object in the invitation response has id 11111 (guid). The object in Graph with that OID (the original object) wasn't updated in any way; the mail attribute, othermails, alias, and UPN all still indicate pointers to [email protected]. But the returned user object from the 2nd invitation is the same OID as the first guest object. There is now one object, with two invitations for two different emails, pointing to it. The object has no (visible) reference to the email from the 2nd invitation (which was, yes, the email that was originally on the account).

Is this a bug or am I not holding my mouth right? :) It feels like a caching issue.


There are 0 answers