Background

An organisation often wants to share a SharePoint Online site collection and its documents with external partners, vendors or customers and collaborate with them. By default, a site collection is shared with internal users only, but sharing can be extended to authenticated external users, or, with more limited sharing, to anonymous users. External users do not consume an Office 365 licence and are limited to basic collaboration tasks.

I recently enabled external access for a site collection on the SPO tenant, restricted to selected domains and authenticated external users only. External sharing in SharePoint Online works well in most scenarios, but a few issues pop up while enabling access for external users, and with the limited error details it becomes a bit challenging to understand the cause.

Problem

Error: “User Not in directory”

The error message users get when they try to log in to the externally shared SharePoint site is quite generic: "User not in directory". It is not descriptive and does not point to the cause of the issue.

Solution

To troubleshoot access for the user, first clear the browser cache or open an Incognito or Private session, then work through the steps below.

First, make sure the account used to accept the e-mail invitation to the site is the same account being used to log in later.

If the Office 365 login screen prompts "Which account do you want to use?" when you sign in, it means that two different accounts have been configured with Microsoft using the same email address:

A "Work or school" account, which was probably created by your IT department.

A "personal" account, which was probably created later on by the user.

A personal account can be renamed, which means using a different email address to sign in to it. To fix the duplicate-account prompt, follow this KB article.

If external users accepted the invite using the personal account and later try to connect by selecting the work account, they get the error "User not in directory". This is the most common cause of the error. Make sure the user uses the same account both to accept the invite and to log on to the site.

Secondly, if the account used for accepting the invite and the account used for login are the same and the error screen still pops up, the user account has to be set up again. Before that, clean up the existing references to the user profile and remove the user from SharePoint, then send a fresh invite. To remove the user and all references, follow the steps below.

External users are managed on a site-collection-by-site-collection basis. An external user account must be removed from each site collection that the user was granted access to.

Browse to each site collection that the user previously had access to, and then follow these steps:

  • In the site collection, edit the URL in the browser by appending the following string to the site address: _layouts/15/people.aspx?MembershipGroupId=0
  • Select the user from the list and click Delete.

Once the user has been removed from every site collection, remove the external user record from the tenant:

  • Start the SharePoint Online Management Shell.
  • Type the following cmdlet:
    $cred = Get-Credential
    In the Windows PowerShell Credential required dialog box, type your site collection admin account and password, and then click OK.
  • Connect to SharePoint Online, and then type the following cmdlet (replace the tenant name with your own):
    Connect-SPOService -Url https://tenant-admin.sharepoint.com -Credential $cred
  • Look up the external user record by e-mail address with the following cmdlet:
    $ExtUser = Get-SPOExternalUser -Filter someone@example.com
  • Remove the external user by unique ID with the following cmdlet:
    Remove-SPOExternalUser -UniqueIDs @($ExtUser.UniqueId)

  • Then add the user back and resend the invite. This should fix the issue.
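The manual steps above have to be repeated for every site collection the user ever touched, and it is easy to miss one. The following script is an added example, not code from the original post: it walks every site collection in the tenant, reports where the external user still appears (including which account they accepted the invite with, which is the first thing to check for the "User not in directory" error), and then removes the user record by its unique ID. It assumes the SharePoint Online Management Shell module is installed and that you have already run Connect-SPOService as a SharePoint administrator; the tenant URL and e-mail address are placeholders, and the function names are my own.

```powershell
# Added example (not part of the original post). Requires the SharePoint Online
# Management Shell and an existing Connect-SPOService session as a SharePoint admin.
# Tenant URL and e-mail address used below are placeholders.
#Requires -Modules Microsoft.Online.SharePoint.PowerShell

function Find-ExternalUserReferences {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Email
    )
    # Enumerate every site collection and record the ones where the external
    # user still appears. -Filter is a "begins with" match on name or e-mail,
    # so compare the full address afterwards to avoid partial matches.
    $hits = @()
    foreach ($site in Get-SPOSite -Limit All) {
        $users = Get-SPOExternalUser -SiteUrl $site.Url -Filter $Email -PageSize 50 -ErrorAction SilentlyContinue
        foreach ($u in $users) {
            if ($u.Email -ieq $Email) {
                $hits += [pscustomobject]@{
                    SiteUrl     = $site.Url
                    DisplayName = $u.DisplayName
                    UniqueId    = $u.UniqueId
                    AcceptedAs  = $u.AcceptedAs   # account that accepted the invite
                }
            }
        }
    }
    return $hits
}

function Remove-ExternalUserEverywhere {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Email
    )
    $refs = Find-ExternalUserReferences -Email $Email
    if (-not $refs) {
        Write-Host "No external-user references found for $Email"
        return
    }
    # Show where the user is still referenced and which account accepted the
    # invite; an AcceptedAs that differs from the invited address is the
    # personal-vs-work account mix-up described above.
    $refs | Format-Table SiteUrl, DisplayName, AcceptedAs -AutoSize | Out-String | Write-Host

    # One external user carries a single UniqueId across the tenant, so
    # deduplicate before removing.
    $ids = @($refs.UniqueId | Sort-Object -Unique)
    if ($PSCmdlet.ShouldProcess("$Email ($($ids.Count) unique id(s))", "Remove-SPOExternalUser")) {
        Remove-SPOExternalUser -UniqueIDs $ids
    }
}

# Usage (placeholder tenant and address):
# $cred = Get-Credential
# Connect-SPOService -Url https://tenant-admin.sharepoint.com -Credential $cred
# Remove-ExternalUserEverywhere -Email someone@example.com -WhatIf   # preview only
# Remove-ExternalUserEverywhere -Email someone@example.com           # remove, then re-invite
```

Run it once with -WhatIf to get the report without changing anything; the report alone is often enough to spot an invite that was accepted with the wrong account. Only after the removal completes should the fresh invitation be sent.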

The last thing to check is that the user account has the proper role assigned under the user profile in the Office 365 portal:

  • To check the role assigned to the user, go to the Office 365 admin centre.
  • Sign in with a global administrator's account.
  • Find the external user under Users > Active users, check the roles assigned to the external user and change them to User (no admin access).