How to Convert External user to Internal user in Microsoft Entra ID

A guest is an external user in an organization that can share data from Microsoft Teams, Groups, and SharePoint. Sometimes you want to migrate the external user to a member of your organization and keep all their permissions and licenses. In this article, you will learn how to convert an external user to an internal user in the Microsoft Entra admin center and with PowerShell.

Table of contents

Internal user vs. external user

To understand the difference between an internal and external user in an organization:

  • Internal user: a user who authenticates with the local tenant, such as a member.
  • External user: a user who authenticates via a method not managed by the organization, such as a guest.

You can convert these external users to internal members and keep the original account, such as their object ID, group memberships, and Microsoft Teams chat history.

We will show you how to convert an external to an internal user in two methods:

  1. Microsoft Entra ID
  2. Microsoft Graph PowerShell

Convert external to internal user in Microsoft Entra ID

How to convert an external user to an internal user in Microsoft Entra ID:

  1. Sign into Microsoft Entra ID
  2. Click Identity > Users > All users
  3. Select Guest user type
Select guest user type in Microsoft Entra ID
  1. Click Convert to internal user
Convert external user to internal user in Microsoft Entra
  1. Type the New user principal name
  2. Click Convert
Convert external user to internal user in Microsoft Entra admin center
  1. It will automatically convert the guest to a member of the organization

Note: When the internal user signs into Microsoft Teams or another app, they need to use the new User principal name and Password from now on.

Convert guest to member in Microsoft Entra ID

Convert external to internal user with PowerShell

Before you start, you must Install the Microsoft Graph PowerShell module. Start Windows PowerShell as administrator and run the command below.

Install-Module Microsoft.Graph -Force

Important: Always install the latest Microsoft Graph PowerShell module version before you run a cmdlet or script to prevent errors and incorrect results.

Convert an external user to an internal user with a PowerShell script:

  1. Specify the ObjectID of the guest user in line 3
  2. Specify the new UserPrincipalName in line 4
  3. Type a Password in line 5
  4. Run the below PowerShell script
Connect-MgGraph -Scopes "User.ReadWrite.All"

$ObjectID = "025e73e1-934f-4a92-bfa9-053746aea641"
$UPN = "alexus.bardot@m365info.com"
$Password = "KeyBoard123!"

# Create a JSON body template for the API request
$body = @{
    userPrincipalName = "$UPN"
    passwordProfile   = @{
        password                      = "$Password"
        forceChangePasswordNextSignIn = "false"
    }
}

$uri = "https://graph.microsoft.com/beta/users/$($ObjectID)/convertExternalToInternalMemberUser"

# Send a POST request to convert external user to internal
Invoke-MgGraphRequest -uri $uri -Body $body -ContentType "application/json" -Method POST

The PowerShell output shows the below result.

The internal user should use the new UserPrincipalName (alexus.bardot@m365info.com) and the specified password in the above PowerShell script.

Name                           Value
----                           -----
@odata.context                 https://graph.microsoft.com/beta/$metadata#microsoft.graph.conversionUserDetails
mail                           alexus.bardot@m365info.com
convertedToInternalUserDateTi… 21/03/2024 10:12:01
userPrincipalName              alexus.bardot@m365info.com
displayName                    Alexus Bardot

Microsoft Teams app error when signing in

After you convert the user, the user must sign in with the new username (UPN) and password in the Microsoft 365 apps and services to avoid any errors.

If the user previously signed into the Microsoft Teams app as a guest, they will encounter the below error after the conversion.

We weren’t able to connect. Sign in and we’ll try again.

Even if the user clicks on Sign in on the below error, they can’t change the username.

Teams app error we weren't able to connect sign in and we'll try again

To solve this problem, the user must Clear Microsoft Teams cache. Then the user needs to sign in with the new username and password in Microsoft Teams.

Sign into Teams app as an internal user

That’s it!

Read more: How to hide users from Global Address List (GAL) »

Conclusion

You learned how to convert an external user to an internal user in Microsoft Entra admin center and with PowerShell. Once you convert the guest to a member, it will change the username and password of the internal user. If the internal user signs into Microsoft apps and services, they need to use the new username and password.

Did you enjoy this article? You may also like Convert user mailbox to shared mailbox. Don’t forget to follow us and share this article.

o365info Team

o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.

X Twitter

What Others Are Reading

This Post Has 0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *