Support guest user invitations #307

Closed
manicminer opened this issue Aug 20, 2020 · 10 comments · Fixed by #401 or #445

Comments

@manicminer
Contributor

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Support Guest user invitations for AAD tenants.

New or Affected Resource(s)

  • azuread_guest_user

References

@romainDavaze
Contributor

Hello, I'd like to add some comments on this.

Please note that the feature implemented in #401 only allows creating user resources with the user type set to Guest. This is not considered a user invitation.
In fact, when you look at your Azure AD users, you will see that the User Type value is Guest as expected but the Creation Type remains empty (we need it to be set to Invitation). This means that the API allows you to create guest users but they are not really considered as such because it does not trigger the invitation process.

It is problematic because some features aren't working with this approach. We originally implemented this feature because we needed to invite users in order to use the External Identities feature (it is a prerequisite for this to work).

For us the only way to create guest users properly is to use the Graph API's /invitations endpoint, but this needs to be implemented in the Go SDK before we can use it here. See Azure/azure-sdk-for-go#4086

@manicminer
Contributor Author

Hi @romainDavaze, thanks for noting that. Supporting the /invitations API in MS Graph is on our roadmap (for context see #323) and will likely land in v2.0. I've reopened this issue to track it.

Can I ask which features don't work, apart from the invitation process itself? I'd like to figure out whether it's worth supporting setting the userType property versus only supporting guests via the invitations API.

@manicminer manicminer reopened this Mar 8, 2021
@romainDavaze
Contributor

Thank you for your response, I'll keep an eye on this issue then.

I've only encountered the issue with external identities so far because I only use guest users for this. Because this feature needs you to invite users to your AAD prior to being able to use an external IDP, I guess that just by creating a user resource, we're not creating a guest user from Azure's point of view, or at least not completely. Maybe it has something to do with the Source property when you look at the user profile. When you do it via Terraform, it is empty, whereas Invited User is mentioned when you do it from the portal.
So for me, any feature that requires a guest user will not work this way.

To be honest, I don't understand why the Azure API would allow the userType property of an existing user to be modified. You may need to read its value for some use cases but changing it seems a bit weird. From what I understand, it's a completely different process to register a Member compared to a Guest. That's why Azure provides two different endpoints to do it.

@manicminer
Contributor Author

Thanks, that makes sense. I agree WRT the API behavior - actually I believe that property used to be read-only - although this is just one of several issues related to API property translation that we should almost entirely sidestep once we move to MS Graph.

@manicminer
Contributor Author

@romainDavaze Appreciate your feedback on this. I've done some more testing and concur that adding guest users in this way is totally broken. We will likely revert support for setting user_type in the User resource and exclusively use the invitations API in MS Graph when we are able to.

@manicminer manicminer removed this from the v1.5.0 milestone Mar 12, 2021
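The mismatch discussed above (User Type is Guest, but Creation Type is empty rather than Invitation) can be audited from a directory export. The following is an added example, not code from this issue or from the provider: the function names, the sample users and the redirect URL are constructed for illustration, and it assumes the Microsoft Graph user properties `userType`, `creationType` and `mail`, and the `invitedUserEmailAddress` / `inviteRedirectUrl` fields of a `POST /invitations` body.

```python
import json

# Constructed sample of Microsoft Graph user objects (not real tenant data).
SAMPLE_USERS = json.loads("""
[
  {"userPrincipalName": "alice@contoso.example", "mail": "alice@contoso.example",
   "userType": "Member", "creationType": null},
  {"userPrincipalName": "bob_partner.example#EXT#@contoso.example",
   "mail": "bob@partner.example",
   "userType": "Guest", "creationType": "Invitation"},
  {"userPrincipalName": "carol@contoso.example", "mail": "carol@partner.example",
   "userType": "Guest", "creationType": null},
  {"userPrincipalName": "dave@contoso.example", "mail": null,
   "userType": "guest", "creationType": null}
]
""")


def find_uninvited_guests(users):
    """Return users flagged as Guest that never went through the invitation flow."""
    return [
        u for u in users
        if (u.get("userType") or "").lower() == "guest"
        and u.get("creationType") != "Invitation"
    ]


def invitation_request(user, redirect_url):
    """Build the JSON body for POST /invitations that would invite this user properly."""
    email = user.get("mail")
    if not email:
        # Without an external address there is nobody to invite; surface it for manual review.
        raise ValueError(f"no mail address for {user.get('userPrincipalName')}")
    return {
        "invitedUserEmailAddress": email,
        "inviteRedirectUrl": redirect_url,
        "sendInvitationMessage": True,
    }


if __name__ == "__main__":
    for guest in find_uninvited_guests(SAMPLE_USERS):
        try:
            # Placeholder redirect URL; use the application your guests should land on.
            body = invitation_request(guest, "https://example.com/welcome")
            print(guest["userPrincipalName"], "->", json.dumps(body))
        except ValueError as err:
            print("manual review:", err)
```
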
@KoenR3

KoenR3 commented Jun 30, 2021

Any idea on when this will be implemented? This is core to managing users through Terraform for almost all of our use cases...

@manicminer manicminer added this to the v2.0.0 milestone Jul 3, 2021
@manicminer manicminer linked a pull request Jul 21, 2021 that will close this issue
@manicminer manicminer modified the milestones: v2.0.0, v2.1.0 Jul 21, 2021
@brunoscota

> Any idea on when this will be implemented? This is core to managing users through Terraform for almost all of our use cases...

Yes! same as my case!! please approve it!

@manicminer
Contributor Author

Per the milestone, in v2.1.0

@github-actions

github-actions bot commented Sep 2, 2021

This functionality has been released in v2.1.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

github-actions bot commented Oct 3, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 3, 2021
4 participants