The Specified Account is not Allowed to Accept the Current Invitation in Azure AD

Problem statement

Inviting a user from an Azure AD Enterprise connection to an Organization results in the following error when trying to accept the invitation:

{...
"type": "fi",
"description": "the specified account is not allowed to accept the current invitation",
"connection": "AzureAD",
...}

Symptoms

The user exists in Azure AD and the invitation is sent to the correct user, but the invitation fails when the user tries to complete the acceptance flow.

Steps to reproduce

  • Set up a user in Azure AD whose email address is stored in a profile attribute other than the email (mail) attribute, for example only in the User Principal Name (UPN).
  • With an AzureAD connection, invite this user to an Organization.
  • Open the invitation and proceed through the acceptance flow until the error is shown.

Cause

This error is triggered when the email address of the invited user does not match the email address of the user who follows the invitation link.

  • The normalized profile coming from Azure AD does not map the user's email address to the email property, and that property is required for the invitation to be accepted.
  • If the user already exists in Auth0, check the user's raw profile to confirm that the email attribute is absent.

Solution

The user profile on the Auth0 side must contain the email attribute for Organization invitations to work. Check whether the user's Auth0 profile includes an email. If it is missing, the recommendation is to send the email claim from Azure AD; this may require mapping the UPN to the email claim on the Azure AD side so that the normalized profile receives a value for email.
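The following is an added, illustrative model of the failure described under Cause and the remediation described under Solution; it is not Auth0's own code. The raw-profile field names (`oid`, `upn`, `mail`), the normalization rule and the case-insensitive comparison are assumptions made for the illustration, and the sample profiles are constructed.

```python
"""Model of the Organization invitation check: the invitee address must match
the email attribute of the normalized profile of the user accepting it.

Added example, not Auth0's code. Field names, normalization and comparison
rules are assumptions; Auth0's internal logic may differ.
"""
from typing import Optional

# Error description quoted in the problem statement above.
INVITATION_ERROR = "the specified account is not allowed to accept the current invitation"

# Constructed raw profile, shaped like what an Azure AD connection might return
# for a directory user with no `mail` attribute: the address exists only in the
# User Principal Name (UPN).
RAW_PROFILE_UPN_ONLY = {
    "oid": "11111111-2222-3333-4444-555555555555",  # hypothetical object id
    "upn": "Jane.Doe@example.com",
    "given_name": "Jane",
    "family_name": "Doe",
}

# The same user once the directory also supplies the `mail` attribute.
RAW_PROFILE_WITH_MAIL = {**RAW_PROFILE_UPN_ONLY, "mail": "jane.doe@example.com"}


def normalize_profile(raw: dict, map_upn_to_email: bool = False) -> dict:
    """Turn a raw Azure AD profile into a minimal normalized Auth0-style profile.

    Only an explicit `mail` value is mapped to `email` (assumed default).
    With map_upn_to_email=True the UPN is used as a fallback, which models the
    remediation of sending an email claim derived from the UPN.
    """
    normalized = {
        "user_id": f"waad|{raw['oid']}",
        "name": f"{raw.get('given_name', '')} {raw.get('family_name', '')}".strip(),
    }
    email = raw.get("mail")
    if email is None and map_upn_to_email:
        email = raw.get("upn")
    if email:
        normalized["email"] = email
    return normalized


def check_invitation(invitee_email: str, profile: dict) -> Optional[str]:
    """Return None when `profile` may accept an invitation addressed to
    `invitee_email`, otherwise the error description.

    A profile without an `email` attribute can never match the invitee, so it
    fails exactly like a profile whose address differs.
    """
    email = profile.get("email")
    if not email:
        return INVITATION_ERROR
    # Assumption: addresses are compared case-insensitively after trimming.
    if email.strip().lower() != invitee_email.strip().lower():
        return INVITATION_ERROR
    return None


def diagnose(invitee_email: str, profile: dict) -> str:
    """Explain why an invitation would fail, mirroring the checks made on the
    Auth0 user profile when troubleshooting."""
    email = profile.get("email")
    if not email:
        return "profile has no email attribute; map the UPN to the email claim in Azure AD"
    if email.strip().lower() != invitee_email.strip().lower():
        return f"profile email {email!r} does not match invitee {invitee_email!r}"
    return "ok"


if __name__ == "__main__":
    invitee = "jane.doe@example.com"
    for label, raw, mapped in [
        ("upn only, no mapping", RAW_PROFILE_UPN_ONLY, False),
        ("upn only, UPN mapped to email", RAW_PROFILE_UPN_ONLY, True),
        ("mail attribute present", RAW_PROFILE_WITH_MAIL, False),
    ]:
        profile = normalize_profile(raw, map_upn_to_email=mapped)
        print(f"{label}: {check_invitation(invitee, profile) or 'accepted'}"
              f" ({diagnose(invitee, profile)})")
```

Running the block shows the first case failing with the quoted error because the normalized profile has no email at all, and the second case succeeding once the UPN is mapped into the email claim, which is the check to perform on the Auth0 user profile before touching the Azure AD claim configuration.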