Onboarding with a TAP using Entra Verified ID (Guest user onboarding)

Rory Braybrook
The new control plane
3 min read · Mar 21, 2024
Image of guest user showing Verified ID
Generated by Copilot

I covered employee onboarding here. Read that post first, as it has a lot of background that I am not going to repeat.

We need two Entra ID tenants: tenantA and tenantB.

Both have custom domains configured, so we can use the quick start to set up Verified ID in both tenants.

We will add a user from tenantB to tenantA as a guest user.

When you create your user in tenantB, ensure they have a display name and an email.

Both tenants need “Microsoft Authenticator” set up as an authentication method.

Image showing “Microsoft Authenticator” enabled in “Authentication methods”

You may need to enable guest user signup.

Image showing guest user self-service sign up enabled

You need to add the custom domain, NOT the tenant.onmicrosoft.com URL, to the trusted partner’s list.

You can do this in the portal:

Image showing “Trusted B2B partners” tab

or you can edit the trustedpartnerlist.txt file in the sample directly.

If you don’t do this correctly, you get the error:

Guest onboarding is not allowed for your company
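As an added example (not code from the post or from the Microsoft sample), a small pre-flight check for the trusted partner list: it parses a `trustedpartnerlist.txt`-style file, flags `*.onmicrosoft.com` entries that will not match the custom domain carried by the VerifiedEmployee card, and mirrors the allow/deny decision that produces the error above. The one-domain-per-line format, `#` comments, and matching on the email domain of the presented card are assumptions.

```python
import re
from dataclasses import dataclass, field

# DNS hostname: dot-separated labels of letters/digits/hyphens, alphabetic TLD.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


@dataclass
class PartnerList:
    domains: set = field(default_factory=set)   # normalised, valid entries
    warnings: list = field(default_factory=list)  # misconfigurations found


def parse_trusted_partner_list(text: str) -> PartnerList:
    """Parse the list: one domain per line, '#' starts a comment (assumed format)."""
    result = PartnerList()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip().lower()
        if not entry:
            continue
        if not _DOMAIN_RE.match(entry):
            result.warnings.append(f"line {lineno}: '{entry}' is not a valid DNS domain")
            continue
        if entry.endswith(".onmicrosoft.com"):
            # The card carries the verified custom domain, so this entry never matches it.
            result.warnings.append(
                f"line {lineno}: '{entry}' is the tenant URL, not the custom domain"
            )
        result.domains.add(entry)
    return result


def is_guest_onboarding_allowed(partners: PartnerList, employee_email: str) -> bool:
    """Allow only when the card's email domain is in the list (assumed matching rule)."""
    if "@" not in employee_email:
        return False
    domain = employee_email.rsplit("@", 1)[1].strip().lower()
    return domain in partners.domains


# Constructed sample file: the tenant URL entry is the mistake the post warns about.
SAMPLE_LIST = """\
# trusted partners for guest onboarding (constructed example)
tenantb.onmicrosoft.com   # wrong: tenant URL
not a domain
"""
FIXED_LIST = SAMPLE_LIST + "tenantb.example\n"  # add the verified custom domain
```

With `SAMPLE_LIST`, a card issued to `alice@tenantb.example` is refused, which is exactly the "not allowed for your company" case; adding the custom domain, as in `FIXED_LIST`, makes the same card pass.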

As per the docs:

The user in tenantB:

  • Opens https://myaccount.microsoft.com, signs in with their corporate tenantB credentials, and clicks Get Verified ID
  • Opens the sample app in the browser and navigates to Guest Onboarding
  • Clicks I already have this card (or clicks on the step 1 button to launch MyAccount to get one), presents the VerifiedEmployee card and gets the guest user account created
  • Clicks on the MyApps link and signs in using the host credentials to redeem the guest account invite

Screenshots:

Image showing “Guest onboarding” tab

which brings up:

Image showing get a card at MyAccount or “I already have a card”

In step 2, you scan the QR code and share the VC. This takes you to step 3, where you sign in:

Image showing guest account setup now go to myapps

Go to:

myapps.microsoft.com

You will now see the tenantB user as a guest account in tenantA.

Image showing the new guest account

No email is involved in this flow.

All good!
