Azure AD Guest User Type

You can retrieve this information using Powershell, AzureRm module and some hidden api that i couldn't find documentation anywhere :

Add-AzureRmAccount
$currentAzureContext = Get-AzureRmContext
$tokenCache = $currentAzureContext.TokenCache
$refreshToken = $tokenCache.ReadItems().RefreshToken
$tenantid = $currentAzureContext.Tenant.Id

$body = "grant_type=refresh_token&refresh_token=$($refreshToken)&resource=74658136-14ec-4630-ad9b-26e160ff0fc6"
$tokresponse = Invoke-RestMethod "https://login.windows.net/$tenantid/oauth2/token" -Method POST -Body $body -ContentType 'application/x-www-form-urlencoded'

$headers = @{"Authorization" = "Bearer $($tokresponse.access_token)"}
$objid = "<UserAccountObjId>"
$response = Invoke-RestMethod "https://main.iam.ad.ext.azure.com/api/UserDetails/$objid" -Headers $headers -Method GET

Work and School account is considered corporate account stored somewhere in your on-premises or or Microsoft cloud identity service (Azure Active Directory). While Microsoft account (aka MSA in the context) is previously called Windows Live ID. Now Microsoft combines several things into a centralized system including Outlook.com, XboxLive, Skype, Hotmail or so on.

But note that Microsoft Account is not only Live.com. It can be even created under a Work Account (see the image below, I masked the alias but they are the same). In this real case, the Work Account is managed by Office 365 while Personal account is created under the user principal name.

See image

The difference is if you chose Personal account (whether it is Live or even the same user principal name with your corporate account), you are redirected to http://login.live.com/, while the login URL of Work account is

• https://login.microsoftonline.com if the account is managed in Azure AD or Office 365
• federation sign-in URL (e.g adfs.corporate.com) if the account is not managed in Azure AD.

From Azure AD portal, you can only see which one is Guest or Member, but Guest does not mean whether it is Microsoft account or Work.

The users identity in your Azure AD stores the source.

• Azure AD
• External Azure AD
• Microsoft Account

From Azure AD in Azure Portal, click Users and groups > All users > . Click one user, then click Profile. Under Identity information, you then have the source of the indentity.

Actually, If you invited a guest user to your directory, you have been using Azure AD B2B collaboration.

It's simple to know whther the account is using which endpoint to authenticate:

If a guest user is a personal account, it means that the account has not been created in another Azure Active Directory and its email account doesn't end with .onmicosoft.com. It should be authenticated with Live.com, also called Microsoft Account (Personal Account).

If a guest user is already existing in another tenant , it also means that its accout email ends with .onmicrosoft.com, it is authenitcated with .microsoftonline.com, also called Organisational Account (Work or School Account).